SNMP v3 with AES or DES but with same community name

[ghermant]

Hello,

We have some devices that were configured to use SNMP v3 with AES encryption and some other older devices with DES.

For both of these devices, we used the same community name and the only difference between them is the encryption method (AES or DES).

I found an issue in Nedi (1.7) that does not allow to have both of these SNMP communities defined in the nedi.conf file.

Like this:
#           name   aprot   apass      pprot   ppass
comm   mycomm   sha           ver3pa55           aes           ver3pa55
comm   mycomm   sha           ver3pa55           des           ver3pa55

If I test the above config for a discovery on a DES device, it fails and Nedi do not even test the second community.
It looks like Nedi considers the second one using AES as the same one as the DES one.

It is even worst as this look also that the encryption method is not stored in the database and associated to a device:
If a device were discovered using DES but the nedi.conf file contains the AES one, refreshing the device fails as it read the encryption method indicated in the nedi.conf file.

Would you know how to update the libsnmp.pl lib so that Nedi first test in AES and fallback in DES if needed or store this parameter by device in the DB?

Thanks & Brgds,
Gaël

[rickli]

Different PW with same username is supported for CLI credentials but not SNMPv3 yet. I could implement it with an official feature request, if that's something you'd be willing to sponsor?

Alternatively you could change the community-name for those with less occurences (could be automated with NeDi too).