Cisco IOS Software Release 12.4(2)T

AES and 3-DES Encryption Support for SNMP Version 3
  snmp-server user
Multiple Cisco IOS Releases
SNMP passwords are localized using the SNMP engine ID of the authoritative SNMP engine. For 
informs, the authoritative SNMP agent is the remote agent. You need to configure the remote agent’s 
SNMP engine ID in the SNMP database before you can send proxy requests or informs to it.
Working with Passwords and Digests
No default values exist for authentication or privacy algorithms when you configure the command. Also, 
no default passwords exist. The minimum length for a password is one character, although Cisco 
recommends using at least eight characters for security. If you forget a password, you cannot recover it 
and will need to reconfigure the user. You can specify either a plain-text password or a localized message 
digest 5 (MD5) digest.
If you have the localized MD5 or SHA digest, you can specify that string instead of the plain-text 
password. The digest should be formatted as aa:bb:cc:dd where aa, bb, and cc are hex values. Also, the 
digest should be exactly 16 octets long.
Examples
The following example shows how to add the user abcd to the public SNMP server group. In this 
example, no access list is specified for the user, so the standard named access list applied to the group 
applies to the user.
Router(config)# snmp-server user abcd public v2c 
The following example shows how to add the user abcd to the public group. In this example, access rules 
from the standard named access list qrst apply to the user.
Router(config)# snmp-server user abcd public v2c access qrst 
In the following example, the plain-text password “cisco123” is configured for the user “abcd” in the 
SNMPv3 group “public”:
Router(config)# snmp-server user abcd public v3 auth md5 cisco123 
When you enter a show running-config command, a line for this user will be displayed. To learn if this 
user has been added to the configuration, type the show snmp user command.
If you have the localized MD5 or Secure Hash Algorithm (SHA) digest, you can specify that string 
instead of the plain-text password. The digest should be formatted as aa:bb:cc:dd where aa, bb, and cc 
are hex values. Also, the digest should be exactly 16 octets long.
In the following example, the MD5 digest string is used instead of the plain text password:
Router(config)# snmp-server user abcd public v3 encrypted auth md5 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
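How a localized MD5 digest of this form can be derived and checked, as an added example that is not Cisco's code: a Python sketch of the RFC 3414 password-to-key localization, on the assumption that the string the encrypted keyword expects is the RFC 3414 localized key. The password and engine ID are the RFC 3414 test values rather than values from this document, and the function names are illustrative.

```python
import hashlib
import re

# Page format: colon-separated hex octets, exactly 16 of them (MD5).
DIGEST_RE = re.compile(r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){15}")

def password_to_key_md5(password: str) -> bytes:
    """RFC 3414 A.2.1: MD5 over the password repeated out to 1,048,576 bytes."""
    pw = password.encode()
    if not pw:
        raise ValueError("password must be at least one character")
    reps, rem = divmod(1048576, len(pw))
    return hashlib.md5(pw * reps + pw[:rem]).digest()

def localize_md5(password: str, engine_id_hex: str) -> bytes:
    """Bind the key to one authoritative engine: MD5(Ku || engineID || Ku)."""
    engine_id = bytes.fromhex(engine_id_hex)
    ku = password_to_key_md5(password)
    return hashlib.md5(ku + engine_id + ku).digest()

def format_digest(digest: bytes) -> str:
    """Render a digest in the aa:bb:cc:dd form used on the command line."""
    return ":".join(f"{b:02X}" for b in digest)

def parse_digest(text: str) -> bytes:
    """Validate a digest string before it goes into a configuration."""
    text = text.strip()
    if not DIGEST_RE.fullmatch(text):
        raise ValueError("digest must be 16 colon-separated hex octets")
    return bytes.fromhex(text.replace(":", ""))

def localized_md5_digest(password: str, engine_id_hex: str) -> str:
    return format_digest(localize_md5(password, engine_id_hex))

if __name__ == "__main__":
    # Constructed sample input: the RFC 3414 A.3.1 test vector.
    password = "maplesyrup"
    engine_id = "000000000000000000000002"
    digest = localized_md5_digest(password, engine_id)
    parse_digest(digest)  # round-trip check of the format
    print(f"snmp-server user abcd public v3 encrypted auth md5 {digest}")
```

The same password yields a different digest for every engine ID, which is why the remote agent's engine ID must be known before a remote user is configured. A localized digest is sufficient to authenticate as that user to that engine, so store it as carefully as the password itself.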
Table 2: snmp-server user Default Descriptions

| Characteristic | Default |
|---|---|
| encryption | Not present by default. The encrypted keyword is used to specify that the passwords are MD5 digests and not text passwords. |
| passwords | Assumed to be text strings. |
| access lists | Access from all IP access lists is permitted. |
| remote users | All users are assumed to be local to this SNMP engine unless you specify they are remote with the remote keyword. |