NeDi Community

NeDi Software Specific => Installation => Topic started by: A-Zed on October 22, 2014, 04:33:47 AM

Title: An SNMPv3 question.
Post by: A-Zed on October 22, 2014, 04:33:47 AM
I have an issue with using SNMP v3 on Nedi 1.0.9.

Due to our security requirements, we had to change from SNMP v2 and move onto v3. Now I get "SNMP failed" errors.
 
Using snmpwalk from the server running Nedi I have no issues. The following is the SNMP command that works fine:

snmpwalk -v 3 -l authPriv -a MD5 -x AES -u userid -A aprotpass -X pprotpass 192.168.x.x

This spits out all the info of the targeted device.

This is my SNMP section of nedi.conf :

    # Set SNMP communities (preferred ones first).
    # If authentication protocol is set, it will be treated as v3
    #
    #   name   aprot    apass      pprot   ppass
    comm   public
    comm   private
    comm   userid   md5   aprotpass   aes   pprotpass


I can't find anything online that states how the authPriv parameter gets set and I'm wondering if that's my issue.


I've searched fruitlessly through the forums so that is why I am here. Can someone point me to an answer if it has already been addressed because I can't find one.

Thanks in advance.
A-Zed
Title: Re: An SNMPv3 question.
Post by: A-Zed on October 23, 2014, 11:26:06 PM
Nice to see so many views and no responses.

Searching the forums on "authPriv" only brings up someone in 2009 that had something similar and his last comment was that he was going to stick to v2. I don't have that luxury due to our security policy.

So come on guys.... what's the secret in getting v3 working?
Title: Re: An SNMPv3 question.
Post by: Grisu on October 24, 2014, 09:13:13 AM
we use sha and aes
This works with cisco and hp well

regards
Title: Re: An SNMPv3 question.
Post by: A-Zed on October 27, 2014, 01:01:10 AM
Thanks for the reply Grisu. My system uses AES as you can see from my nedi.conf but my issue lies somewhere lower.
Title: Re: An SNMPv3 question.
Post by: titanium on January 09, 2015, 04:54:15 PM
A-Zed you fixed your problem?
I have the same issue.

my snmp config:
snmp-server group SNMP-GROUP v3 priv
snmp-server user SNMP-USER SNMP-GROUP v3 auth sha xxx priv aes 128 xxxxx

my nedi.conf
comm   SNMP-GROUP  sha xxx  aes   xxxxx
Title: Re: An SNMPv3 question.
Post by: A-Zed on January 13, 2015, 04:57:39 AM
Hi titanium,

No I haven't resolved my issue. I sent a message to Rickli and he responded with the following:

You can add print statements to the Connect function in libsnmp.pm, where either pprot is used and in the "else" section. Simply print those $misc::comm3{$comm}{apass} and $misc::comm3{$comm}{aprot} etc. variables to see what's effectively used...

Good luck
-Remo


Not being up on Php programming, it's more than my worth to troubleshoot this problem. I can't go back to v2 as my IT Sec team says v2 is not secure enough so I have given up on using Nedi. As there is nothing else out there as good as this product, I am in limbo and I am reduced to snmpwalk as required.

I can't determine how the coding discerns between "priv"/"authpriv". I would have thought another variable within nedi.conf would be required, but nothing sticks out.

If you find an answer let me know.

Regards
A-Zed
Title: Re: An SNMPv3 question.
Post by: tristanbob on January 13, 2015, 03:24:21 PM
A-Zed,

Sorry to hear your problems.  I have SNMPv3 on my list of things to test this year.  If I run into problems with Nedi, I will post back here.

In the meantime, you could try Observium which has many similarities to Nedi. Each tool does something better than the other, so we run both.

http://www.observium.org/

Cheers,

Tristan
Title: Re: An SNMPv3 question.
Post by: rickli on January 13, 2015, 04:38:06 PM
A-Zed, sad to hear that! BTW the discovery runs in Perl. PHP is only used for the GUI...

This is from http://search.cpan.org/~dtown/Net-SNMP-v6.0.1/lib/Net/SNMP.pm:

By specifying the arguments -privkey or -privpassword the securityLevel associated with the object becomes 'authPriv'. According to SNMPv3, privacy requires the use of authentication. Therefore, if either of these two arguments are present and the -authkey or -authpassword arguments are missing, the creation of the object fails. The -privkey and -privpassword arguments expect the same input as the -authkey and -authpassword arguments respectively.

Not sure, but to me it sounds like 'authPriv' is automatically assumed with privpw supplied (which you did). Also that's the way I've implemented it. Do you have any syslog events on the device? Last but not least are all dependencies (libcrypt etc.) installed?
Title: Re: An SNMPv3 question.
Post by: titanium on January 20, 2015, 10:11:50 AM
I've tried some settings on my cisco switch. Some SNMP v3 settings work without problems.
Rickli, maybe you are right... something with my libcrypt isn't correct? ;)
I don't know, but now I have one way to use SNMPv3. A-Zed, maybe that helps you? Let me know...

SNMP v3 configuration with authentication

snmp-server engineID local XXXXXXX (created automatically on cisco)
snmp-server group SNMPGRUPPE v3 auth
snmp-server user SNMPUSER SNMPGRUPPE v3 auth md5 AUTHPASS (it works)
snmp-server user SNMPUSER SNMPGRUPPE v3 auth sha AUTHPASS priv des PRIVPASS (it works)
snmp-server user SNMPUSER SNMPGRUPPE v3 auth sha AUTHPASS priv aes 128 PRIVPASS (doesn't work)
snmp-server host X.X.X.X version 3 auth SNMPUSER

root@HOSTNAME1:~# /var/nedi/nedi.pl -a 10.1.0.60  -V3

Discovery (1.1.155) /var/nedi/nedi.pl -a 10.1.0.60 -V3
Started with 1 seeds at Tue Jan 20 09:55:32 2015
-------------------------------------------------------------------------------
Device                          Status                          Todo/Done-Time
===============================================================================
10.1.0.60     HOSTNAME1     v38 i11    j1   p0  m1          f985    0/1-3s
===============================================================================
Building nodes
qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqDqqq
qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
qDqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqDqqqqqqqqqqqqqqqqqqqqqqqqq
qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
qDqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqDqqqqqqqqqqqqqqqqqqqq
qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq done
END :Took 0 minutes

root@HOSTNAME1:~# /var/nedi/nedi.pl -a 10.1.0.60  -V3

Discovery (1.1.155) /var/nedi/nedi.pl -a 10.1.0.60 -V3
Started with 1 seeds at Tue Jan 20 09:56:48 2015
-------------------------------------------------------------------------------
Device                          Status                          Todo/Done-Time
===============================================================================
10.1.0.60     10.1.0.60 SNMP failed             0/0-0s
===============================================================================
Nothing discovered, nothing written...
END :Took 0 minutes
Title: Re: An SNMPv3 question.
Post by: titanium on January 20, 2015, 10:45:43 AM
With these SNMP settings SNMPv3 doesn't work on NeDi 1.55 beta.
I think there is a problem with the priv setting.

snmp-server group SNMPGRUPPE v3 priv
snmp-server user SNMPUSER SNMPGRUPPE v3 auth md5 AUTHPASS priv aes 128 PRIVPASS


With snmpwalk it works fine.
snmpwalk -v 3 -l authPriv -a MD5 -x AES -u SNMPUSER -A AUTHPASS -X PRIVPASS 10.1.0.60
Title: Re: An SNMPv3 question.
Post by: rickli on January 20, 2015, 07:33:40 PM
Ok, I'll try to reproduce this...

tx for investigating!
Title: Re: An SNMPv3 question.
Post by: rickli on January 25, 2015, 02:19:47 AM
As soon as I find the time, I'll look into perl's SNMP (rather than NET::SNMP) module. It might just be the answer to this problem....and the one I'm having with monitoring thousands of SNMP targets...

If tests are successful, I'll have to rewrite my libsnmp completely!
Title: Re: An SNMPv3 question.
Post by: A-Zed on February 26, 2015, 01:40:58 AM
As suggested above, I tried configuring my switch as per below and tested my NEDI install as well as adjusting nedi.conf appropriately with results:
snmp-server user SNMPUSER SNMPGRUPPE v3 auth md5 AUTHPASS (NEDI doesn't work nor did SNMPWALK)
snmp-server user SNMPUSER SNMPGRUPPE v3 auth sha AUTHPASS priv des PRIVPASS (NEDI doesn't work, SNMPWALK does)
snmp-server user SNMPUSER SNMPGRUPPE v3 auth sha AUTHPASS priv aes 128 PRIVPASS (NEDI doesn't work, SNMPWALK does)

Sorry it took so long to test this bit out but there's my result at the moment.
Title: Re: An SNMPv3 question.
Post by: A-Zed on February 26, 2015, 01:54:51 AM
Just to quantify, my snmp settings are as per yours Titanium, so there are no typos.

Regards
A-Zed
Title: Re: An SNMPv3 question.
Post by: rickli on February 26, 2015, 04:26:08 PM
I suspect something wrong with your installation. Can you try with the NeDiO14 VM?
Title: Re: An SNMPv3 question.
Post by: A-Zed on February 27, 2015, 04:51:07 AM
And the Doofus of the year award goes to.....drum roll....... (envelope please).................

A-Zed!.......Accepting the award humbly is A-Zed.... So tell us, what led you to achieving this award tonight?

Well, what can I say? The simple thing of making sure that in your switch config you have the line:
snmp-server community <string>

and that in your nedi.conf file you have the community string set:
comm   <string>

then it all works well.

Rickli, I didn't use Nedio14, I amended my nedi.conf as well as ensuring the snmp community string was set in my switches. Once this was done, it all worked as expected. Sorry for wasting time, but I guess that's the cost of learning.

Thank you all for your comments and assistance.

A-Zed
Title: Re: An SNMPv3 question.
Post by: rickli on February 27, 2015, 05:14:01 PM
Glad it works now and thanks for the entertaining post ;)
Title: Re: An SNMPv3 question.
Post by: angrybutler on May 20, 2015, 08:58:04 PM
A-Zed,

I know this thread is a bit dated, but for the possible benefit of others....

I think what you did to resolve the SNMPv3 problem was effectively disable SNMPv3 and go back to SNMPv2c.

The "snmp-server community <string> " command you entered on the switch is a 2c community, not v3.

I just finished struggling with this on 1.4, and it appears that you *need* to install the perl modules for the appropriate encryption/hash functions.  See the requirements section in this page:

http://search.cpan.org/~dtown/Net-SNMP-v6.0.1/lib/Net/SNMP.pm

"The non-core modules Crypt::DES, Digest::MD5, Digest::SHA1, and Digest::HMAC are required to support SNMPv3."

To fix this on my debian/ubuntu install, I did the following:

    sudo apt-get install libcrypt-cbc-perl libcrypt-des-perl libdigest-perl-md5-perl libdigest-sha-perl

The way I discovered this was to do a packet capture of snmp traffic to my device using wireshark.  Until I installed these packages, I was seeing *no* attempt by nedi/snmpnet to send the credentials to the test device.

Best regards,
Tom Sutherland
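
Added example, not part of the thread and not NeDi code: a shell audit of nedi.conf "comm" lines that applies the rule rickli quotes (a privacy password implies authPriv) and the module requirement angrybutler quotes, and lists entries that are plain v2c communities. The function names and the "authonly" entry are made up for illustration; the Crypt::Rijndael requirement for AES comes from the Net::SNMP documentation, not from this thread.

```shell
#!/bin/sh
# Added example (not NeDi code). Column layout is taken from the nedi.conf
# comment in the first post: comm name aprot apass pprot ppass.

# audit_comm FILE -> "<name> <level> <perl-modules>" per comm entry.
# An auth protocol makes the entry SNMPv3; a priv password makes it authPriv.
audit_comm() {
    awk '
    $1 == "comm" {
        name = $2; aprot = tolower($3); pprot = tolower($5); ppass = $6
        if (aprot == "") { print name, "v2c-community", "-"; next }
        mods = "Digest::HMAC," (aprot == "md5" ? "Digest::MD5" : "Digest::SHA1")
        if (ppass == "") { print name, "v3-authNoPriv", mods; next }
        mods = mods "," (pprot ~ /^aes/ ? "Crypt::Rijndael" : "Crypt::DES")
        print name, "v3-authPriv", mods
    }' "$1"
}

# v2c_fallbacks FILE -> names of entries that would be tried as plain v2c.
v2c_fallbacks() {
    audit_comm "$1" | awk '$2 == "v2c-community" { print $1 }'
}

# missing_mods LIST -> modules from a comma-separated list perl cannot load.
missing_mods() {
    for m in $(printf '%s' "$1" | tr ',' ' '); do
        perl -M"$m" -e1 2>/dev/null || echo "$m"
    done
}

# Constructed sample: the comm lines from the first post plus an auth-only entry.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#   name   aprot    apass      pprot   ppass
comm   public
comm   private
comm   userid   md5   aprotpass   aes   pprotpass
comm   authonly sha   aprotpass
EOF

audit_comm "$SAMPLE" | while read -r name level mods; do
    if [ "$mods" = "-" ]; then echo "$name: $level"; continue; fi
    echo "$name: $level; missing: $(missing_mods "$mods" | tr '\n' ' ')"
done
```

Any name printed by v2c_fallbacks is a community that still lets discovery succeed without SNMPv3; the module names checked are the ones quoted in the thread, so a reported gap only matters if the installed Net::SNMP actually loads that module.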