ansible-collections/cisco.ios

How to configure SNMPv3 with `authentication` and `encryption`?

TheRealBecks opened this issue · 3 comments

SUMMARY

I'm already using SNMPv3 as a manual configuration on my IOS 15.x devices. I now want to use Ansible for this configuration task:

- name: SNMP test
  tags:
    - snmp_test
  cisco.ios.ios_snmp_server:
    state: "rendered"
    config:
      engine_id:
        - id: 8000000903000014F1470600
          local: true
      groups:
        - group: read-only-group
          version: v3
          version_option: priv
          read: read-all-view
          acl_v4: snmp-ipv4-acl
          acl_v6: snmp-ipv6-acl
      hosts:
        - host: 192.0.2.1
          version: 3
          version_option: priv
          community_string: monitoring
      users:
        - username: monitoring
          group: read-only-group
          version: v3
          version_option: encrypted
          authentication:
            algorithm: sha
            password: authtest1234
          encryption:
            priv: aes
            priv_option: 128
            password: privtest1234
      views:
        - name: read-all-view
          family_name: iso
          included: true

I tested two approaches:

  1. Without encrypted: true: The commands get inserted, so it looks like that's working :)

  2. With encrypted: true:

The problem is about the user authentication and encryption:

fatal: [sw-cisco-test4.11.example.com]: FAILED! => {
    "changed": false,
    "module_stderr": "snmp-server user monitoring read-only-group v3 encrypted auth sha authtest1234 priv aes 128 privtest1234\r\n%Error in Authentication password\r\nsw-cisco-test4(config)#",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error"
}

The generated command contains encrypted, so no plaintext passwords can be used on the command line. But as we can see, there's also no hashing or encryption done by Ansible.

What do I need to do to configure the YAML file with the correct values? If I try the Linux command sha1sum for the authentication: password I will get the same error message as before. I also found no command to encrypt the password as AES under Linux.

Do you have a working example? As far as I know there's also no way to extract the hashed or encrypted SNMP user credentials under IOS.

ISSUE TYPE
  • Documentation Report
COMPONENT NAME

ios_snmp_server

@TheRealBecks, consider utilizing Ansible Vault for encrypting sensitive data in the provided playbook. You can refer to the documentation here. An example of using Ansible Vault syntax is as follows:

password: !vault |
      $ANSIBLE_VAULT;1.1;AES256

Additionally, it's important to note that 15.x devices are not supported. If you have further questions or require clarification, please don't hesitate to reach out.

@roverflow You misunderstood my question: I'm talking about a Cisco IOS command and not Ansible encryption with the vault.

With this command you can configure an SNMPv3 user with plaintext passwords:

snmp-server user monitoring read-only-group v3 auth sha testauth1234 priv aes 128 testpriv1234 access snmp-acl

And this way you can use the encrypted hashes:

snmp-server user monitoring read-only-group v3 encrypted auth sha <this is a hash> priv aes 128 <this is a hash> access snmp-acl

I already got in touch with Cisco IOS support and I will share what I have found out, but I will not be able to provide the results this week; I will next week.

@TheRealBecks thank you for clarifying. Looking forward to hearing your findings.