Setting up SNMPv3 Groups and Access

SNMPv3 allows you to set up and assign groups and access with differing levels of security. Object IDs are associated with various levels of permissions, and a single view can be assigned to multiple objects. The figure below shows how access for groups and users are associated with these different permission levels.

SNMPv3 Group Access with Different Permission Levels

Topics:
What is a View?
View Table
Configuring Object IDs for SNMPv3 Views
Modifying SNMPv3 Views.
Deleting Views
User/Group Table
Creating Groups
Deleting Groups
Creating Users
What is an Access Object?
Adding Access
Modifying an Access Object
Deleting Access Objects.
What is a View?

A View shows access settings for Users or Groups. You create settings for users and groups; these security settings are not User-modifiable. A View defines the Object IDs (OIDs) and Object ID Groups (OID Groups), and is sometimes known as the SNMPv3 Access Object.

The initial set of default views cannot be changed or deleted. The OIDs for the default views are pre-assigned, and they reflect the most often used views: root, system, IP, interfaces, ICMP, TCP, UDP, and ifMIB.

View Table

The View section of the System > SNMP page lists both default and custom views by name and OID.

Configuring Object IDs for SNMPv3 Views
To create a custom view for specific users and groups:
1
To add a view, under View, click Add. The Add SNMP View dialog displays.

2
Enter a name for the view in the View Name field. The default name is New SNMP View.
3
Enter an unassigned OID in the OID Associated with the View field.
4
Click Add OID. The new view appears in OID List.
5
Add any more new views with associated OIDs by repeating Step 3 and Step 4.
6
Click OK. The new views are added to the view in the View section.
Modifying SNMPv3 Views.
To modify a custom view:
1
To modify a view, under View, click the Edit icon for the view to be modified. The Edit SNMP View dialog displays.

 
* 
NOTE: The name is not be editable.
2
Enter an unassigned OID in the OID Associated with the View field.
3
Click Add OID. The new view appears in OID List.

4
Add any more associated OIDs by repeating Step 2 and Step 3.

To delete an OID, select it in the OID List and then click the Delete button.

5
Click OK. The new OIDs are added to the View table.

Deleting Views

To delete a View, click its check box in the View table, and then click the Delete Selected button.

User/Group Table

The User/Group table lists the Users and Groups to which they belong. For each user, the table displays the Groups and Users by Name, the number of users in each Group, and, for Users, the Security Level (if any), the Authentication mode (if any), and the Privacy mode (if any). There is a default Group of “No Group”, which initially has no Users. You can add Users to this default group or to custom Groups you’ve created.

To display the users in a Group, click the triangle before the Group’s name.

Creating Groups
1
To create a Group, click Add Group under the User/Group table. The Add SNMP Group dialog displays.

2
Enter a name for the Group in the Group Name field. The group name can contain up to 32 alphanumeric characters.
3
Click OK.

The Group is added to the User/Group table:

Deleting Groups

To delete a Group, either:
Select its checkbox and then click Delete Selected.
Click the Delete icon for the Group.
 
* 
NOTE: “No Group” cannot be modified or deleted. A Group that has associated Users cannot be deleted.
Creating Users
To add a user:
1
In the User/Group section, click the Add User button. The Add SNMP User dialog displays.

2
Enter the User Name in the User Name field. The default name is New SNMP User.
3
Select the security level from the Security Level drop-down menu:
None (default)
Authentication – If selected, the options expand and you will be asked for an Authentication Method and Authentication Key.

From the Authentication Method drop-down menu, select from MD5 or SHA1.
In the Authentication Key field, enter the authentication key. The key can be any string of printable characters
Authentication and Privacy – if selected, the options expand and you will be asked for an Encryption Method and Privacy Key as well as the authentication options.

From the Encryption Method drop-down menu, select either AES or DES encryption,
In the Privacy Key field, enter the encryption key. The key can be any string of printable characters, but they will be displayed as bullets in the window.
4
Optionally, select a Group of which the User will be a member from the Group drop-down menu. If you do not select a Group, the user will be associated with the default Group, “No Group”.
5
Click OK when finished.

The user is added to the list and to the appropriate group. If “No Group” is selected as the Group, the user is added as a member of “No Group”.

Deleting Users

To delete a User, click its Delete icon in the Configure column.

* 
NOTE: Before a Group can be deleted, all its Users must be deleted first.
What is an Access Object?

SNMPv3 Access is an object that:
Defines the read/write access rights of an SNMPv3 View
Can be assigned to an SNMPv3 Group.

Multiple groups can be assigned to the same Access object. An Access object can also have multiple views assigned to it.

Access objects are shown in the Access table, which shows this information about each Access object:
Name
Read View
Master Group
Security Level (if any)

Adding Access
To create an access object:
1
Under the Access table, click on the Add button. The Add SNMP Access dialog displays.

2
Enter a name in the Access Name field.
3
Select the Read View from the drop-down menu. The menu lists both default and custom Views.
4
Select a Master SNMPv3 Group from the drop-down menu.
 
* 
NOTE: Access can be assigned to only one SNMPv3 Group, but a Group can be associated with up to three Access objects.
5
Select a security level for the Access Security Level drop-down menu: None, Authentication Only, or Authentication and Privacy.
 
* 
NOTE: If a Group is associated with multiple Access objects, each Access object must have a different Access Security Level. As there are only three Access Security Levels, a Group can be associated with a maximum of three Access objects.
6
When done, click OK. The Access object is added to the Access table.

Modifying an Access Object
To modify an access object:
1
In the Access table, click the Edit icon for the Access object you wish to modify. The Edit SNMP Access dialog displays.

2
Make the necessary changes.
* 
NOTE: Changing an Access Security Level can be done only if the Group does not already have an associated Access with that Access Security Level.
3
Click OK. The Access table is updated.
Deleting Access Objects.

To delete an Access object, click the Delete icon for that Access object.

To delete multiple Access objects, select their check boxes and then click the Delete Selected button under the Access table.

To delete all Access objects, click the check box in the header for the Access table and then click the Delete Selected button under the Access table.