SNMP Reason: authorizationError (access denied to that object)

[duwijakarta]

hello, please help

Can anyone help with the following case?
when I create a new device on the cacti server it says

xxxx@cacti-explore:~$ snmpwalk -v3 -l authPriv -u xxxx -a MD5 -A 'xxxxx' -x AES -X 'xxxx' 1xx.x.x.x
snmpwalk: Unknown user name

but if I set it with version 2 the results are successful
snmpwalk -c xxxx -v 2c

even though the settings on my switch are for version 3
snmp-server group xxxx v3 auth
snmp-server group xxxx v3 priv
snmp-server community xxxx RO
snmp-server host 1x.x.x version 3 priv xxxx udp-port 161

why does it always say "Unknown user name" when I set snmp version 3?
Are there any settings that need to be added?
Thank You

[Rno]

Don't cross post

Just 1 post on 1 forum should be fine

[macan]

is it cisco? You created group but you have to create user in group. It will be something like this:
snmp-server user your_user your_group v3 auth md5 password

[duwijakarta]

Don't cross post

Just 1 post on 1 forum should be fine

Sorry in advance, I made more than 1 post,
for the answer in the previous post, I have snmp, if you use snmpv2 it works but if you use snmpv3 it says Unknown user name, I use a C9300 type switch device

[duwijakarta]

is it cisco? You created group but you have to create user in group. It will be something like this:
snmp-server user your_user your_group v3 auth md5 password

yes, I use Cisco type C9300,
so I need to add cli in switch like this:
example
snmp server user snmpuser groupuser v3 auth md5 xxxxx?

[Rno]

That's the command:
snmp-server user <uername> network-admin auth sha <password> priv aes-128 <auth key> localizedV2key

The 'network-admin' is the group you want, you can see them with: show snmp group

And this example is with authpriv mode

I take this config from a C9336 and NXos 10.3.4a

[duwijakarta]

That's the command:
snmp-server user <uername> network-admin auth sha <password> priv aes-128 <auth key> localizedV2key

The 'network-admin' is the group you want, you can see them with: show snmp group

And this example is with authpriv mode

I take this config from a C9336 and NXos 10.3.4a

Thank you for the suggestion, I'll try it, what is the localizedV2key function for?

[duwijakarta]

That's the command:
snmp-server user <uername> network-admin auth sha <password> priv aes-128 <auth key> localizedV2key

The 'network-admin' is the group you want, you can see them with: show snmp group

And this example is with authpriv mode

I take this config from a C9336 and NXos 10.3.4a

after adding the result is like this, Error in packet.
Reason: authorizationError (access denied to that object)

[Rno]

That's the command:
snmp-server user <uername> network-admin auth sha <password> priv aes-128 <auth key> localizedV2key

The 'network-admin' is the group you want, you can see them with: show snmp group

And this example is with authpriv mode

I take this config from a C9336 and NXos 10.3.4a

Thank you for the suggestion, I'll try it, what is the localizedV2key function for?

Specifies whether the passwords are in encrypted key format
So you don't enter it when you create your user
Maybe it's why the access is refuse !
Sorry for that

[duwijakarta]

That's the command:
snmp-server user <uername> network-admin auth sha <password> priv aes-128 <auth key> localizedV2key

The 'network-admin' is the group you want, you can see them with: show snmp group

And this example is with authpriv mode

I take this config from a C9336 and NXos 10.3.4a

Thank you for the suggestion, I'll try it, what is the localizedV2key function for?

Specifies whether the passwords are in encrypted key format
So you don't enter it when you create your user
Maybe it's why the access is refuse !
Sorry for that

Yes, for access the key format is encrypted, is there a format that I haven't configured enough?

[Rno]

Ok, so authentication is working, I think authorization is based on the group.
What group did you provide ?

My config is the one I provide you, and I don't have any snmp trouble.

Can you give the 'show run | inc SNMP' with the part for user and group, if you have any group.

Can you try a debug snmp ? (it' will give many information, so after one error issue the undebug all)

and see waht it say

[duwijakarta]

Ok, so authentication is working, I think authorization is based on the group.
What group did you provide ?

My config is the one I provide you, and I don't have any snmp trouble.

Can you give the 'show run | inc SNMP' with the part for user and group, if you have any group.

Can you try a debug snmp ? (it' will give many information, so after one error issue the undebug all)

and see waht it say

example
sh snmp user

User name: switchsnmp
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: AES128
Group-name: SnmpSwitch

snmp-server group SnmpSwitch v3 priv
snmp-server host xx.xx.xx.xx version 3 priv switchsnmp udp-port 161

Is the setting correct like this?

[Rno]

Hmm I was looking to a wrong IOS. That should have be my first question: what device, what OS.

So can you try something like that:
snmp-server group SnmpSwitch v3 priv read ViewDefault write ViewDefault

If you don't want you SNMP user to be able to write to your switch, jut forget about the 'write ViewDefault '


my config is that:
! necessary to make it work
snmp-server group SnmpSwitch v3 priv read ViewDefault write ViewDefault
! used to pool the MAC adress by vlan
snmp-server group SnmpSwitch v3 priv context vlan- match prefix
! default view, used in the group, define at what level your SNMP polling is possible. mine is ISO (root of the snmp OID)
snmp-server view ViewDefault iso included

!And the username part
snmp-server user <username> <group> v3 auth sha <Password> priv aes 128 <SnmpPassword>

[duwijakarta]

Hmm I was looking to a wrong IOS. That should have be my first question: what device, what OS.

So can you try something like that:
snmp-server group SnmpSwitch v3 priv read ViewDefault write ViewDefault

If you don't want you SNMP user to be able to write to your switch, jut forget about the 'write ViewDefault '


my config is that:
! necessary to make it work
snmp-server group SnmpSwitch v3 priv read ViewDefault write ViewDefault
! used to pool the MAC adress by vlan
snmp-server group SnmpSwitch v3 priv context vlan- match prefix
! default view, used in the group, define at what level your SNMP polling is possible. mine is ISO (root of the snmp OID)
snmp-server view ViewDefault iso included

!And the username part
snmp-server user <username> <group> v3 auth sha <Password> priv aes 128 <SnmpPassword>

For my settings, does it need to be changed to v3 auth sha or stay on md5?
Cisco Catalys 9300L Version 17.6.x

[Rno]

No you can keep your settings, my config is an example, and a format that is working.