HP ProCurve 9304M Security Manual page 162

Security Guide for ProCurve 9300/9400 Series Routing Switches
NOTE: If you will be using a view other than the "v1default" view, that view must be configured before creating
the user group. See the section "Defining SNMP Views" on page 10-10, especially for details on the include |
exclude parameters.
Defining an SNMP User Account
The snmp-server user command does the following:
• Creates an SNMP user.
• Defines the group to which the user will be associated.
• Defines the type of authentication to be used for SNMP access by this user.
Here is an example of how to create the account:
ProCurveRS(config)# snmp-s user bob admin v3 access 2 auth md5 bobmd5 priv des
bobdes
The CLI for creating SNMP version 3 users has been updated as follows.
Syntax: [no] snmp-server user <name> <groupname> v3
[[access <standard-acl-id>] [encrypted] [auth md5 <md5-password> | sha <sha-password>]
[priv [encrypted] des <des-password>]]
The <name> parameter defines the SNMP user name or security name used to access the management module.
The <groupname> parameter identifies the SNMP group to which this user is associated or mapped. All users
must be mapped to an SNMP group. Groups are defined using the snmp-server group command.
NOTE: The SNMP group to which the user account will be mapped should be configured before creating the
user accounts; otherwise, the group will be created without any views. Also, ACL groups must be configured
before configuring user accounts.
The v3 parameter is required.
The access <standard-acl-id> parameter is optional. It indicates that incoming SNMP packets are filtered based
on the ACL attached to the user account.
NOTE: The ACL specified in a user account overrides the ACL assigned to the group to which the user is
mapped. If no ACL is entered for the user account, then the ACL configured for the group will be used to filter
packets.
The encrypted parameter means that the MD5 or SHA password will be a digest value. MD5 has 16 octets in the
digest. SHA has 20. The digest string has to be entered as a hexadecimal string. In this case, the agent need not
generate any explicit digest. If the encrypted parameter is not used, the user is expected to enter the
authentication password string for MD5 or SHA. The agent will convert the password string to a digest, as
described in RFC 2574.
The auth md5 | sha parameter is optional. It defines the type of encryption that the user must have to be
authenticated. Choose between MD5 or SHA encryption. MD5 and SHA are two authentication protocols used in
SNMP version 3.
The <md5-password> and <sha-password> define the password the user must use to be authenticated. These
password must have a minimum of 8 characters. If the encrypted parameter is used, then the digest has 16 octets
for MD5 or 20 octets for SHA.
NOTE: Once a password string is entered, the generated configuration displays the digest (for security reasons),
not the actual password.
The priv [encrypted] des <des-password> parameter is optional. It defines the type of encryption that will be
used to encrypt the privacy password. If the "encryption" keyword is used, enter a 16-octet DES key in
10 - 8 June 2005