The snmp-agent usm-user command adds a user to an SNMP group.
The undo snmp-agent usm-user command deletes a user from an SNMP group.
By default, no user is added to an SNMP group.
snmp-agent [ remote-engineid engineid ] usm-user v3 user-name [ group group-name | acl acl-number ] *
snmp-agent [ remote-engineid engineid ] usm-user v3 user-name group group-name acl-ipv4 acl-number [ acl-ipv6 acl-number ]
snmp-agent [ remote-engineid engineid ] usm-user v3 user-name group group-name acl-ipv6 acl-number
snmp-agent [ remote-engineid engineid ] usm-user v3 user-name authentication-mode { md5 | sha | sha2-256 } [ [ localized-configuration ] cipher password ]
snmp-agent [ remote-engineid engineid ] usm-user v3 user-name privacy-mode { 3des | aes128 | aes192 | aes256 | des56 } [ [ localized-configuration ] cipher password ]
undo snmp-agent [ remote-engineid engineid ] usm-user v3 user-name [ group | authentication-mode | privacy-mode | acl ]
| Parameter | Description | Value |
|---|---|---|
| remote-engineid engineid | Specifies the ID of the engine associated with a user. NOTE: remote-engineid engineid must be set to the engine ID of the destination host that receives alarms. The engine IDs of the source and destination hosts must be different. | The value is a string of 10 to 64 case-insensitive characters without spaces. |
| v3 | Indicates the V3 security mode that a user uses. | - |
| user-name | Specifies the user name. | The value is a string of 1 to 32 case-sensitive characters, with spaces supported. NOTE: If a user name contains a space, the user name must be enclosed in a pair of double quotation marks. Only one pair of double quotation marks can be used for each user name. |
| group group-name | Specifies the name of the SNMP group to which a user belongs. | The value is a string of 1 to 32 case-insensitive characters without spaces. NOTE: When double quotation marks are used around the string, spaces are allowed in the string. |
| acl acl-number | Specifies the basic or advanced ACL number corresponding to the user name. NOTE: If acl-ipv4 or acl-ipv6 is not specified, the ACL configured by the acl acl-number parameter takes effect on both IPv4 and IPv6 networks. | The value is an integer ranging from 2000 to 3999. |
| acl-ipv4 | Indicates a basic or advanced IPv4 ACL. | - |
| acl-ipv6 | Indicates a basic or advanced IPv6 ACL. | - |
| authentication-mode | Indicates that the security level is Authentication. | - |
| md5 \| sha \| sha2-256 | Specifies the authentication algorithm. | - |
| localized-configuration | Indicates the localized password configuration mode. NOTE: After authentication and encryption passwords are configured through the MIB, this keyword is displayed in the commands recorded in configuration files. After authentication and encryption passwords are configured through the command line, you are not advised to use this keyword. If this keyword is used, the cipher-text passwords configured later use the local format. Because a password with the localized-configuration keyword is bound to the engine ID, copying configurations with this keyword from one device to another renders the password invalid. | - |
| cipher password | Indicates the cipher authentication. | The value is a case-insensitive string without spaces. It must be in cipher text format with 32 to 108 characters. NOTE: The password cannot be the same as the user name or the user name in reverse order. The password must contain at least two of the following character types: upper-case letters, lower-case letters, digits, and special characters including the hyphen (-), comma (,), and underscore (_). |
| privacy-mode | Indicates that the security level is Encryption. | - |
| 3des \| aes128 \| aes192 \| aes256 \| des56 | Specifies the encryption algorithm. | - |
Usage Scenario
In SNMPv3 networking scenarios, the snmp-agent usm-user command is used to create a user and perform authentication and encryption on the user's identity.
To limit the NMS for a device within a certain range, run the snmp-agent usm-user command to associate an ACL with an SNMP user. If no ACL is associated, the associated ACL does not exist, or no rule is configured in the associated ACL, the SNMP user is not limited by an ACL.
After you create an SNMPv3 user, configure an authentication password and an encryption password for the user. If neither an authentication password nor an encryption password is configured, the user can only query nodes of the MIB-2 subtree.
To ensure that the NMS correctly receives alarms sent by the device in Inform mode, specify the NMS engine ID on the host: the remote-engineid parameter must be set to the engine ID of the destination host that receives the alarm. The NMS verifies the received packets to improve security.
After the snmp-agent remote-engineid usm-user command is run, the host encapsulates the NMS engine ID in the Authoritative Engine ID field of the SNMPv3 alarm packet before sending the alarm in Inform mode. After receiving the alarm, the NMS compares the engine ID carried in the received packet with its own engine ID. If the two IDs match, the NMS sends a response to the alarm host. If the two IDs do not match, the NMS discards the packet.
Prerequisites
An SNMP user group has been created using the snmp-agent group command. If no SNMP user group has been created, an SNMP user can be created but does not take effect.
Precautions
The user security level must be higher than or equal to the security level of the SNMP user group to which the user is added.
For example, if the security level of an SNMP user group is level 1, the security level of the user that is added to the group must be level 1; if the security level of an SNMP user group is level 2, the security level of the user that is added to the group can be level 1 or level 2.
If neither authentication nor encryption is configured for a user, the user's access permission is limited within the MIB-2 range, and the user has only the read-only permission.
All SNMPv3 users correspond to an engine ID. You can create SNMPv3 users with the same name for different engine IDs. The snmp-agent local-engineid command can be used to change a device's engine ID. The engine ID that takes effect currently is also called a local engine ID. When you create an SNMPv3 user, the user is always associated with the local engine ID. You can delete SNMPv3 users related to a specified engine ID. If local is specified or engineid engineid-string is not specified, the users associated with the local engine ID are deleted.
The password specified in the snmp-agent usm-user command has a minimum length of eight characters. If the password length set using the set password min-length command is greater than eight characters, the minimum length of the password specified in the snmp-agent usm-user command is the password length set using the set password min-length command.
The snmp-agent remote-engineid usm-user command can be configured only on the device that is configured with SNMPv3. The host does not encapsulate the NMS engine ID before sending an alarm in trap mode.
Users of the same name can only belong to one user group. If you add a user to a user group, delete a user from a user group, or change a user to another group, the operation takes effect for other users with the same name.
The minimum length of a user password in the snmp-agent usm-user command is 8 characters. If a minimum length greater than 8 characters is set using the set password min-length command, that setting becomes the minimum length of the user password configured using the snmp-agent usm-user command.
If no encryption is configured for an SNMPv3 user, or DES-56/3DES is configured (which carries security risks), configuring the more secure AES encryption mode is recommended. By default, the device does not support the 3des and des56 encryption algorithms. To use these algorithms, install the weak security algorithm component package (product_version_WEAKEA.mod). For details, see Dynamic Loading.
To improve system security, you are advised to configure different authentication and encryption passwords for an SNMP user. In addition, do not configure authentication or encryption passwords in which the same string of characters is repeated, such as Huawei-1234Huawei-1234. By default, the device does not support the md5 authentication algorithm. To use this algorithm, install the weak security algorithm component package (product_version_WEAKEA.mod). For details, see Dynamic Loading.
When a user with a level lower than the level configured using this command queries the password configured using the display this or display current-configuration command, the password is displayed as asterisks (******).
To specify the same ACL on IPv4 and IPv6 networks, you can only run the snmp-agent [ remote-engineid engineid ] usm-user v3 user-name [ group group-name | acl acl-number ] * command.
If the snmp-agent usm-user command is run more than once to specify ACLs for the same SNMPv3 user, the latest configuration overrides the previous one.
# Add the user named John to the SNMP group named Johngroup. Set the security level to authentication, the authentication protocol to HMAC-SHA2-256-192, and the password to Hello@123.
<sysname> system-view
[sysname] snmp-agent usm-user v3 John group Johngroup
[sysname] snmp-agent usm-user v3 John authentication-mode sha2-256
Enter Password:
Confirm Password:
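A fuller configuration sequence, added here as an illustration and not taken from the product documentation, that walks through the prerequisites and precautions above: a basic ACL that limits the NMS to one address, an SNMPv3 group at the privacy level, and a user added to that group with SHA2-256 authentication, AES-256 encryption and the ACL bound. The acl, rule and snmp-agent group command forms, the prompts, and the names and address are assumptions.

```text
# Constructed example; the NMS is assumed to reach the device from 10.1.1.10.
<sysname> system-view
# Basic ACL 2001 (range 2000-3999) permits only the NMS address (assumed syntax).
[sysname] acl 2001
[sysname-acl-basic-2001] rule 5 permit source 10.1.1.10 0
[sysname-acl-basic-2001] quit
# Prerequisite: the group must exist first, or the user is created but does not take effect.
# The group is at the privacy level, so the user must also reach the privacy level
# (user security level >= group security level). Assumed command form.
[sysname] snmp-agent group v3 admingroup privacy
# Create the user in the group; a single acl keyword applies to both IPv4 and IPv6.
[sysname] snmp-agent usm-user v3 admin group admingroup acl 2001
# Authentication with sha2-256 rather than md5 (md5 needs the weak-algorithm package).
[sysname] snmp-agent usm-user v3 admin authentication-mode sha2-256
Enter Password:
Confirm Password:
# Encryption with aes256 rather than des56/3des; use a password that differs from the
# authentication password, as the precautions advise.
[sysname] snmp-agent usm-user v3 admin privacy-mode aes256
Enter Password:
Confirm Password:
# Later, drop only the ACL binding while keeping the user, group and passwords:
[sysname] undo snmp-agent usm-user v3 admin acl
```

Re-running snmp-agent usm-user with a different acl for the same user replaces the earlier ACL binding rather than adding to it.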