SNMP configuration within the SNMPv3 administration framework
SNMP
1-89
iMG/RG Software Reference Manual (System Configuration)
usmUserEngineID is an OctetString which is the authoritative SNMP engine's administratively unique identifier. For a detailed explanation of snmpEngineID, refer to the next section.
For Get, GetNext, GetBulk, and Set requests, the SNMP entity containing the command responder application is authoritative. Therefore, the value of the usmUserEngineID field of the usmUserEntry in the agent's configuration file will be localSnmpID.
For Trap messages, the SNMP entity containing the notification generator application is authoritative. Therefore, the value of the usmUserEngineID field of the usmUserEntry in the agent's configuration file will be localSnmpID.
usmUserName is a human readable string representing the name of the user. This is the user-based security model dependent security ID.

usmUserAuthProtocol is an OBJECT IDENTIFIER that indicates whether messages sent on behalf of this user to or from the SNMP engine identified by usmUserEngineID can be authenticated, and if so, the type of authentication protocol which is used. The value of usmUserAuthProtocol can be usmNoAuthProtocol or usmHMACMD5AuthProtocol.

usmUserPrivProtocol is an OBJECT IDENTIFIER that indicates whether messages sent on behalf of this user to or from the SNMP engine identified by usmUserEngineID can be protected from disclosure, and if so, the type of privacy protocol which is used. The value of usmUserPrivProtocol must be usmNoPrivProtocol.

usmUserStorageType is nonVolatile, permanent, or readOnly.

usmTargetTag is a human readable string that is used to select a set of entries in the snmpTargetAddrTable for source address checking. If the SNMP entity should not perform source address checking, then this field should contain a dash (-).

AuthKey is an OctetString represented as a sequence of hexadecimal numbers separated by colons. Each octet is within the range 0x00 through 0xFF. If usmUserAuthProtocol is usmNoAuthProtocol, this user does not have an AuthKey, and this field should contain a dash (-). This field can also be set to a human readable string representing the user's authentication password; the password will be converted to a key at run time.

It is possible to define more than one SNMPv3 user. The list of all the SNMPv3 user entries is named usmUserTable.
1.6.1.5.2 Breakdown of an snmpEngineID

An snmpEngineID is a globally unique identifier for an SNMP entity. All SNMPv3 entities must possess an snmpEngineID. The snmpEngineID of an SNMP agent can be retrieved by sending a Get request to the agent for the MIB object snmpEngineID.

The following snmpEngineIDs are registered for Allied gateway models:
Model             OID
AT-RG613          1.3.6.1.4.1.207.1.17.1
AT-RG623          1.3.6.1.4.1.207.1.17.4
AT-RG613TXJ       1.3.6.1.4.1.207.1.17.5
AT-RG656          1.3.6.1.4.1.207.1.17.6
AT-RG613LH        1.3.6.1.4.1.207.1.17.7
AT-RG613SH        1.3.6.1.4.1.207.1.17.8
AT-RG623LH        1.3.6.1.4.1.207.1.17.9
AT-RG623SH        1.3.6.1.4.1.207.1.17.10
AT-RG613BD        1.3.6.1.4.1.207.1.17.11
AT-RG623BD        1.3.6.1.4.1.207.1.17.12
AT-RG624A         1.3.6.1.4.1.207.1.17.13
AT-RG624B         1.3.6.1.4.1.207.1.17.14
AT-RG634A         1.3.6.1.4.1.207.1.17.15
AT-RG634B         1.3.6.1.4.1.207.1.17.16
AT-RG656LH        1.3.6.1.4.1.207.1.17.17
AT-RG656SH        1.3.6.1.4.1.207.1.17.18
AT-RG656TX        1.3.6.1.4.1.207.1.17.19
AT-RG644A         1.3.6.1.4.1.207.1.17.20
AT-RG644B         1.3.6.1.4.1.207.1.17.21
AT-RG646BD        1.3.6.1.4.1.207.1.17.24
AT-RG632SA        1.3.6.1.4.1.207.1.17.25
AT-RG632SB        1.3.6.1.4.1.207.1.17.26
AT-RG613RF        1.3.6.1.4.1.207.1.17.30
AT-iMG606TX       1.3.6.1.4.1.207.1.17.31
AT-iMG606BD       1.3.6.1.4.1.207.1.17.32
AT-iMG606LH       1.3.6.1.4.1.207.1.17.33
AT-iMG606SH       1.3.6.1.4.1.207.1.17.34
AT-iMG646BD-ON    1.3.6.1.4.1.207.1.17.35
AT-iMG646PX-ON    1.3.6.1.4.1.207.1.17.36
AT-iMG616RF       1.3.6.1.4.1.207.1.17.38
AT-iMG616BD       1.3.6.1.4.1.207.1.17.39
AT-iMG616LH       1.3.6.1.4.1.207.1.17.40
AT-iMG616SH       1.3.6.1.4.1.207.1.17.41
AT-iMG624A        1.3.6.1.4.1.207.1.17.42
AT-iMG624B        1.3.6.1.4.1.207.1.17.43
AT-iMG634A        1.3.6.1.4.1.207.1.17.44
AT-iMG634B        1.3.6.1.4.1.207.1.17.45
AT-iMG634WA       1.3.6.1.4.1.207.1.17.46
AT-iMG634WB       1.3.6.1.4.1.207.1.17.47
AT-iMG664WA       1.3.6.1.4.1.207.1.17.50
AT-iMG664WB       1.3.6.1.4.1.207.1.17.51
AT-iMG664A        1.3.6.1.4.1.207.1.17.48
AT-iMG664B        1.3.6.1.4.1.207.1.17.49
AT-iMG616RF+      1.3.6.1.4.1.207.1.17.54
AT-iMG646MOD      1.3.6.1.4.1.207.1.17.55
AT-iMG626MOD      1.3.6.1.4.1.207.1.17.64
AT-iMG616SRF      1.3.6.1.4.1.207.1.17.62
AT-iMG616SRF+     1.3.6.1.4.1.207.1.17.63
AT-iBG915FX       1.3.6.1.4.1.207.1.17.65
AT-iMG624A-R2     1.3.6.1.4.1.207.1.17.66
AT-iMG624B-R2     1.3.6.1.4.1.207.1.17.67
AT-iMG634A-R2     1.3.6.1.4.1.207.1.17.68
AT-iMG634B-R2     1.3.6.1.4.1.207.1.17.69
AT-iMG634WA-R2    1.3.6.1.4.1.207.1.17.70
AT-iMG634WB-R2    1.3.6.1.4.1.207.1.17.71
AT-iMG616W        1.3.6.1.4.1.207.1.17.72
AT-iMG616CRF      1.3.6.1.4.1.207.1.17.73
AT-iMG616CRFW     1.3.6.1.4.1.207.1.17.74
AT-iMG616TX       1.3.6.1.4.1.207.1.17.75
AT-iMG616TXW      1.3.6.1.4.1.207.1.17.76
AT-iMG616LHW      1.3.6.1.4.1.207.1.17.77
AT-iMG616BD-R2    1.3.6.1.4.1.207.1.17.78
AT-iMG616LH-R2    1.3.6.1.4.1.207.1.17.79
AT-iMG606W        1.3.6.1.4.1.207.1.17.80
AT-iMG606CRF      1.3.6.1.4.1.207.1.17.81
AT-iMG606TX-R2    1.3.6.1.4.1.207.1.17.82
AT-iMG606TXW      1.3.6.1.4.1.207.1.17.83
AT-iMG606LHW      1.3.6.1.4.1.207.1.17.84
AT-iMG606BD-R2    1.3.6.1.4.1.207.1.17.85
AT-iMG606LH-R2    1.3.6.1.4.1.207.1.17.86
AT-iMG746MOD      1.3.6.1.4.1.207.1.17.72
AT-iMG726MOD      1.3.6.1.4.1.207.1.17.73

1.6.1.5.3 Configuring an agent to receive requests and send traps

This section describes how to configure SNMPv3 user information only. Additional configuration is required for an SNMP agent to actually receive SNMP requests and send SNMP Traps.

When an SNMP agent receives an SNMPv3 request from an SNMP manager, the user sending the message must be known to the agent's SNMP engine. If the request is sent in a secure packet, the agent must use the user's security key to authenticate the message. For this operation, the keys must be pre-configured in the snmpd.cnf configuration file.

When an SNMP agent sends an SNMPv3 Trap to an SNMP manager, the recipient user must be known to the agent's SNMP engine. If the Trap is sent in a secure packet, the agent must use the user's security key to compute an authentication digest for the message. For this operation, the keys must be pre-configured in the snmpd.cnf configuration file.

Note: For each of the following examples, the snmpEngineID of the agent is used (localSnmpID), because the receiving SNMP engine is authoritative for the security of SNMP request messages, and the sending SNMP engine is authoritative for the security of SNMP Trap messages.

1.6.1.5.4 Configuration for authentication

The following usmUserEntry configures an SNMP agent engine with information about an SNMPv3 user whose name is "myV3AuthNoPrivUser". This entry contains the user's authentication password. An SNMP request message from this user (originating from another SNMP entity) can be received if the message was sent using no security or using MD5 authentication. The SNMP agent can send Trap messages to this user using no security or using MD5 authentication.

usmUserEntry localSnmpID myV3AuthNoPrivUser usmHMACMD5AuthProtocol usmNoPrivProtocol nonVolatile whereValidRequestsOriginate myV3UserAuthPassword
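The run-time conversion of the password in the last field into a key, as an added example that is not the manual's or the product's own code: it follows the RFC 3414 A.2.1 procedure for usmHMACMD5AuthProtocol, localizes the key to the authoritative snmpEngineID, renders it in the AuthKey field syntax, and computes and checks the HMAC-MD5-96 digest that the agent verifies on an authenticated request. The engineID and expected key are the RFC's published test vector, and the message bytes are constructed for the demo.

```python
import hashlib
import hmac

# RFC 3414 A.3.1 test vector, reproduced for the demo (not a value from this manual).
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")
RFC3414_KUL = bytes.fromhex("526f5eed9fcce26f8964c2930787d82b")


def password_to_key_md5(password: str, engine_id: bytes) -> bytes:
    """Derive the localized usmHMACMD5AuthProtocol key (RFC 3414 A.2.1).

    Step 1: repeat the password to 1,048,576 bytes and MD5 it (Ku).
    Step 2: localize Ku to the authoritative engine: MD5(Ku || snmpEngineID || Ku).
    Storing only Kul means a key read from one agent's snmpd.cnf is bound to that engineID.
    """
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("password must not be empty")
    stretched = (pw * (1048576 // len(pw) + 1))[:1048576]
    ku = hashlib.md5(stretched).digest()
    return hashlib.md5(ku + engine_id + ku).digest()


def to_authkey_field(key: bytes) -> str:
    """Render a key in the AuthKey field syntax: hex octets separated by colons."""
    return ":".join(f"{b:02x}" for b in key)


def hmac_md5_96(localized_key: bytes, message: bytes) -> bytes:
    """HMAC-MD5 truncated to 12 octets, the msgAuthenticationParameters value."""
    return hmac.new(localized_key, message, hashlib.md5).digest()[:12]


def verify_hmac_md5_96(localized_key: bytes, message: bytes, received: bytes) -> bool:
    """Constant-time check of a received digest. With usmNoPrivProtocol the message is
    integrity-protected by this digest but its payload travels in the clear."""
    return hmac.compare_digest(hmac_md5_96(localized_key, message), received)


if __name__ == "__main__":
    kul = password_to_key_md5("maplesyrup", RFC3414_ENGINE_ID)
    print("AuthKey field:", to_authkey_field(kul))
```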
1.6.1.5.5 Configuration for no authentication

The following usmUserEntry configures an SNMP agent engine with information about an SNMPv3 user whose name is "myV3NoAuthNoPrivUser". This user does not have an authentication password, so the last field contains a dash (-). An SNMP request message from this user (originating from another SNMP entity) can be received if the message was sent using no security. The SNMP agent can send Trap messages to this user using no security.

usmUserEntry localSnmpID myV3NoAuthNoPrivUser usmNoAuthProtocol usmNoPrivProtocol nonVolatile whereValidRequestsOriginate -
1.6.2 Additional configuration for SNMPv3 agent entities

Certain SNMP applications (which are normally associated with an SNMP entity acting in the "agent" role) require more information in addition to the information about SNMPv3 users.

1.6.2.1 Configuring view-based access control

Configuration of view-based access control must be provided for the SNMP engine to correctly process SNMPv1, SNMPv2c, or SNMPv3 messages. Configuring view-based access control is a process that requires three steps:

1. Define a family of view subtrees.
2. Define a group and its associated access rights.
3. Assign an SNMPv3 user (or SNMPv1 community string, etc.) to the group defined in step 2.

The following sections describe each step of this process in more detail.
1.6.2.2 Defining families of view subtrees

To configure a view tree family, add a vacmViewTreeFamily definition in the snmpd.cnf file according to the following syntax:

vacmViewTreeFamily <vacmViewTreeFamilyViewName> <vacmViewTreeFamilySubtree> <vacmViewTreeFamilyMask> <vacmViewTreeFamilyType> <vacmViewTreeFamilyStorageType>
vacmViewTreeFamilyViewName is a human readable string representing the name of this family of view subtrees.

vacmViewTreeFamilySubtree is an OBJECT IDENTIFIER that identifies a subtree of the MIB; e.g. enterprises.207. This value and vacmViewTreeFamilyMask are used to determine if an OBJECT IDENTIFIER is in this family of view subtrees.

vacmViewTreeFamilyMask is an OctetString represented as a sequence of hexadecimal numbers separated by colons. Each octet is within the range 0x00 through 0xFF. A zero length OctetString is represented with a dash (-).

vacmViewTreeFamilyType is included or excluded and indicates if the vacmViewTreeFamilySubtree is explicitly accessible or not accessible in this family of view subtrees.

vacmViewTreeFamilyStorageType is nonVolatile, permanent, or readOnly.

It is possible to define more than one vacmTreeFamily. The list of all the vacmTreeFamily entries is named vacmTreeFamilyTable.
Example:

vacmViewTreeFamilyEntry All iso - included nonVolatile

defines a subtree for the view named "All" that includes the entire set of MIB objects (iso is the root node of the MIB tree).
The vacmViewTreeFamilyMask field allows restriction of the MIB view at a finer granularity than that of the vacmViewTreeFamilySubtree and vacmViewTreeFamilyType pair. For instance, a view can be restricted to one row of a table (see the example below).

The value - (a dash) causes the corresponding vacmViewTreeFamilyMask to be a NULL string, which in turn allows all entries 'below' the vacmViewTreeFamilySubtree entry to be visible, unless cancelled by another vacmViewTreeFamilyEntry.

The vacmViewTreeFamilyMask is built using octets that correspond to the OID being restricted. For example, one may wish to restrict a user's view of the ifTable to only the second row, all columns. The OID for ifEntry.0.2 is:

1.3.6.1.2.1.2.2.1.0.2

The vacmViewTreeFamilyMask is a series of ones and zeros used for masking out parts of the tree. A zero indicates a wildcard (i.e., matches anything), and a one indicates an exact match must be made. So:
