Author Topic: An SNMPv3 question.  (Read 10931 times)

A-Zed

An SNMPv3 question.
« on: October 22, 2014, 04:33:47 AM »
I have an issue with using SNMP v3 on Nedi 1.0.9.

Due to our security requirements, we had to change from SNMP v2 and move onto v3. Now I get "SNMP failed" errors.
 
Using snmpwalk from the server running Nedi I have no issues. The following is the SNMP command that works fine:

snmpwalk -v 3 -l authPriv -a MD5 -x AES -u userid -A aprotpass -X pprotpass 192.168.x.x

This spits out all the info of the targeted device.

This is my SNMP section of nedi.conf :

    # Set SNMP communities (preferred ones first).
    # If authentication protocol is set, it will be treated as v3
    #
    #   name   aprot    apass      pprot   ppass
    comm   public
    comm   private
    comm   userid   md5   aprotpass   aes   pprotpass


I can't find anything online that states how the authPriv parameter gets set and I'm wondering if that's my issue.


I've searched fruitlessly through the forums so that is why I am here. Can someone point me to an answer if it has already been addressed because I can't find one.

Thanks in advance.
A-Zed

A-Zed

Re: An SNMPv3 question.
« Reply #1 on: October 23, 2014, 11:26:06 PM »
Nice to see so many views and no responses.

Searching the forums on "authPriv" only brings up someone in 2009 that had something similar and his last comment was that he was going to stick to v2. I don't have that luxury due to our security policy.

So come on guys.... what's the secret in getting v3 working?

Grisu

Re: An SNMPv3 question.
« Reply #2 on: October 24, 2014, 09:13:13 AM »
We use SHA and AES.
This works well with Cisco and HP.

regards

A-Zed

Re: An SNMPv3 question.
« Reply #3 on: October 27, 2014, 01:01:10 AM »
Thanks for the reply Grisu. My system uses AES as you can see from my nedi.conf but my issue lies somewhere lower.

titanium

Re: An SNMPv3 question.
« Reply #4 on: January 09, 2015, 04:54:15 PM »
A-Zed, have you fixed your problem?
I have the same issue.

my snmp config:
snmp-server group SNMP-GROUP v3 priv
snmp-server user SNMP-USER SNMP-GROUP v3 auth sha xxx priv aes 128 xxxxx

my nedi.conf
comm   SNMP-GROUP  sha xxx  aes   xxxxx

A-Zed

Re: An SNMPv3 question.
« Reply #5 on: January 13, 2015, 04:57:39 AM »
Hi titanium,

No I haven't resolved my issue. I sent a message to Rickli and he responded with the following:

You can add print statements to the Connect function in libsnmp.pm, where either pprot is used and in the "else" section. Simply print those $misc::comm3{$comm}{apass} and $misc::comm3{$comm}{aprot} etc. variables to see what's effectively used...

Good luck
-Remo


Not being up on PHP programming, it's more than my worth to troubleshoot this problem. I can't go back to v2 as my IT Sec team says v2 is not secure enough so I have given up on using Nedi. As there is nothing else out there as good as this product, I am in limbo and I am reduced to snmpwalk as required.

I can't determine how the coding discerns between "priv"/"authpriv". I would have thought another variable within nedi.conf would be required, but nothing sticks out.

If you find an answer let me know.

Regards
A-Zed

tristanbob

Re: An SNMPv3 question.
« Reply #6 on: January 13, 2015, 03:24:21 PM »
A-Zed,

Sorry to hear your problems.  I have SNMPv3 on my list of things to test this year.  If I run into problems with Nedi, I will post back here.

In the meantime, you could try Observium which has many similarities to Nedi. Each tool does something better than the other, so we run both.

http://www.observium.org/

Cheers,

Tristan
Please visit "Other"->"Invoices" on your NeDi installation to make an annual contribution and support Nedi!

rickli

Re: An SNMPv3 question.
« Reply #7 on: January 13, 2015, 04:38:06 PM »
A-Zed, sad to hear that! BTW the discovery runs in Perl. PHP is only used for the GUI...

This is from http://search.cpan.org/~dtown/Net-SNMP-v6.0.1/lib/Net/SNMP.pm:

By specifying the arguments -privkey or -privpassword the securityLevel associated with the object becomes 'authPriv'. According to SNMPv3, privacy requires the use of authentication. Therefore, if either of these two arguments are present and the -authkey or -authpassword arguments are missing, the creation of the object fails. The -privkey and -privpassword arguments expect the same input as the -authkey and -authpassword arguments respectively.

Not sure, but to me it sounds like 'authPriv' is automatically assumed with privpw supplied (which you did). Also that's the way I've implemented it. Do you have any syslog events on the device? Last but not least are all dependencies (libcrypt etc.) installed?
Please consider Other-Invoices on your NeDi installation for an annual contribution, tx!
-Remo
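
The rule quoted above from the Net::SNMP documentation, applied to the nedi.conf `comm` layout shown earlier in the thread: which security level each line implies and the matching snmpwalk call for cross-checking outside NeDi. This is an added example, not part of the thread and not NeDi's code; the function names, the `authonly` entry, the host 192.0.2.10 and the choice of `-v 2c` for plain communities are assumptions.

```python
# Constructed sample in the nedi.conf layout quoted in this thread
# (name, aprot, apass, pprot, ppass); the 'authonly' entry is hypothetical.
SAMPLE_CONF = """\
comm   public
comm   userid   md5   aprotpass   aes   pprotpass
comm   authonly sha   aprotpass
"""
FIELDS = ("name", "aprot", "apass", "pprot", "ppass")

def parse_comm(line):
    """Return the fields of one 'comm' line as a dict, or None for other lines."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "comm":
        return None
    return dict(zip(FIELDS, parts[1:]))

def security_level(entry):
    """Level implied by which fields are present; there is no separate level flag."""
    if "aprot" not in entry:
        return "community"        # no auth protocol: not treated as v3
    if "apass" not in entry:
        raise ValueError("auth protocol given without an auth password")
    if "pprot" not in entry:
        return "authNoPriv"
    if "ppass" not in entry:
        raise ValueError("priv protocol given without a priv password")
    return "authPriv"             # a priv password on top of auth implies authPriv

def snmpwalk_args(entry, host):
    """Equivalent net-snmp command line as an argument list."""
    level = security_level(entry)
    if level == "community":
        return ["snmpwalk", "-v", "2c", "-c", entry["name"], host]
    args = ["snmpwalk", "-v", "3", "-l", level, "-u", entry["name"],
            "-a", entry["aprot"].upper(), "-A", entry["apass"]]
    if level == "authPriv":
        args += ["-x", entry["pprot"].upper(), "-X", entry["ppass"]]
    return args + [host]

def audit(conf_text, host):
    """Map every comm entry to (name, level, command)."""
    entries = filter(None, map(parse_comm, conf_text.splitlines()))
    return [(e["name"], security_level(e), snmpwalk_args(e, host)) for e in entries]

if __name__ == "__main__":
    for name, level, cmd in audit(SAMPLE_CONF, "192.0.2.10"):
        print(f"{name:10} {level:12} {' '.join(cmd)}")
```

Passphrases given with `-A` and `-X` are visible in the process list while the command runs, so run such checks from a host where that is acceptable.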

titanium

Re: An SNMPv3 question.
« Reply #8 on: January 20, 2015, 10:11:50 AM »
I've tried some settings on my Cisco switch. Some SNMP v3 settings work without problems.
Rickli, maybe you are right... something with my libcrypt isn't correct? ;)
I don't know, but now I have one way to use SNMPv3. A-Zed, maybe that helps you? Let me know...

SNMP v3 configuration with authentication

snmp-server engineID local XXXXXXX (created automatically on Cisco)
snmp-server group SNMPGRUPPE v3 auth
snmp-server user SNMPUSER SNMPGRUPPE v3 auth md5 AUTHPASS (it works)
snmp-server user SNMPUSER SNMPGRUPPE v3 auth sha AUTHPASS priv des PRIVPASS (it works)
snmp-server user SNMPUSER SNMPGRUPPE v3 auth sha AUTHPASS priv aes 128 PRIVPASS (doesn't work)
snmp-server host X.X.X.X version 3 auth SNMPUSER

root@HOSTNAME1:~# /var/nedi/nedi.pl -a 10.1.0.60  -V3

Discovery (1.1.155) /var/nedi/nedi.pl -a 10.1.0.60 -V3
Started with 1 seeds at Tue Jan 20 09:55:32 2015
-------------------------------------------------------------------------------
Device                          Status                          Todo/Done-Time
===============================================================================
10.1.0.60     HOSTNAME1     v38 i11    j1   p0  m1          f985    0/1-3s
===============================================================================
Building nodes
qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqDqqq
qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
qDqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqDqqqqqqqqqqqqqqqqqqqqqqqqq
qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
qDqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqDqqqqqqqqqqqqqqqqqqqq
qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq done
END :Took 0 minutes

root@HOSTNAME1:~# /var/nedi/nedi.pl -a 10.1.0.60  -V3

Discovery (1.1.155) /var/nedi/nedi.pl -a 10.1.0.60 -V3
Started with 1 seeds at Tue Jan 20 09:56:48 2015
-------------------------------------------------------------------------------
Device                          Status                          Todo/Done-Time
===============================================================================
10.1.0.60     10.1.0.60 SNMP failed             0/0-0s
===============================================================================
Nothing discovered, nothing written...
END :Took 0 minutes

titanium

Re: An SNMPv3 question.
« Reply #9 on: January 20, 2015, 10:45:43 AM »
With these SNMP settings SNMPv3 doesn't work on NeDi 1.55 beta.
I think there is a problem with the priv setting.

snmp-server group SNMPGRUPPE v3 priv
snmp-server user SNMPUSER SNMPGRUPPE v3 auth md5 AUTHPASS priv aes 128 PRIVPASS


With snmpwalk it works fine.
snmpwalk -v 3 -l authPriv -a MD5 -x AES -u SNMPUSER -A AUTHPASS -X PRIVPASS 10.1.0.60

rickli

Re: An SNMPv3 question.
« Reply #10 on: January 20, 2015, 07:33:40 PM »
Ok, I'll try to reproduce this...

tx for investigating!
-Remo

rickli

Re: An SNMPv3 question.
« Reply #11 on: January 25, 2015, 02:19:47 AM »
As soon as I find the time, I'll look into Perl's SNMP (rather than Net::SNMP) module. It might just be the answer to this problem... and the one I'm having with monitoring thousands of SNMP targets...

If tests are successful, I'll have to rewrite my libsnmp completely!
-Remo

A-Zed

Re: An SNMPv3 question.
« Reply #12 on: February 26, 2015, 01:40:58 AM »
As suggested above, I tried configuring my switch as per below and tested my NEDI install as well as adjusting nedi.conf appropriately, with results:
snmp-server user SNMPUSER SNMPGRUPPE v3 auth md5 AUTHPASS (NEDI doesn't work nor did SNMPWALK)
snmp-server user SNMPUSER SNMPGRUPPE v3 auth sha AUTHPASS priv des PRIVPASS (NEDI doesn't work, SNMPWALK does)
snmp-server user SNMPUSER SNMPGRUPPE v3 auth sha AUTHPASS priv aes 128 PRIVPASS (NEDI doesn't work, SNMPWALK does)

Sorry it took so long to test this bit out but there's my result at the moment.

A-Zed

Re: An SNMPv3 question.
« Reply #13 on: February 26, 2015, 01:54:51 AM »
Just to quantify, my SNMP settings are as per yours, Titanium, so there are no typos.

Regards
A-Zed

rickli

Re: An SNMPv3 question.
« Reply #14 on: February 26, 2015, 04:26:08 PM »
I suspect something wrong with your installation. Can you try with the NeDiO14 VM?
-Remo