Discussion:
[Observium] SNMPv3 with AES256
Thiedek, Vic
2015-06-15 15:37:45 UTC
Greetings!

Does Observium support AES256 for SNMPv3 for Cisco Devices?

Testing with SHA / AES128 SNMPv3 Authentication Successful
Testing with SHA / AES256 SNMPv3 Authentication Fails

I would use AES128, but the environment (750+ devices) was already set up for AES256.

Thanks in advance!

Vic
Adam Armstrong
2015-06-15 15:56:02 UTC
We don't support anything. We only pass parameters to the net-snmp
binaries, which handle all of the SNMP communication.

It seems that net-snmp doesn't support AES 192 and AES 256 since they were
never properly standardised in the RFCs.

I would suggest that using something that net-snmp doesn't support might
bite you in the future, whether you use Observium or not. :)

Adam.

_______________________________________________
observium mailing list
http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
Thiedek, Vic
2015-06-15 18:26:24 UTC
Thanks Adam, your explanation helps me better understand how Observium interacts with SNMP!


Thanks Mike, here are the answers to your questions:

We definitely do not need this level of encryption! I inherited these devices.
SNMPv3 with AES256 is functioning correctly as SolarWinds currently polls these devices. We are looking to move away from SW.

Sample Devices:
WS-C2960S-24TS-L: Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 12.2(58)SE2,
CISCO1921/K9: Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M4,

Sanitized Configs:

This works for SolarWinds (256)
snmp-server user xxxuser xxxreadgroup v3 auth sha xxxpass priv aes 256 xxxpass access xxxx-RO
snmp-server group xxxreadgroup v3 priv read xxxview access xxxx-RO
snmp-server view xxxview internet included
snmp-server view xxxview mib-2 included

This works for Observium (128)
snmp-server user xxxuser xxxreadgroup v3 auth sha xxxpass priv aes 128 xxxpass access xxxx-RO
snmp-server group xxxreadgroup v3 priv read xxxview access xxxx-RO
snmp-server view xxxview internet included
snmp-server view xxxview mib-2 included

I just wanted to verify that this configuration will not work with net-snmp and my Observium setup so I can move on to plan B.

Thanks!


From: observium [mailto:observium-***@observium.org] On Behalf Of Mike Stupalov
Sent: Monday, June 15, 2015 11:10 AM
To: Observium Network Observation System
Subject: Re: [Observium] SNMPv3 with AES256

Hi,

Many questions :)

* Are you working for the FBI? Why do you need this level of encryption? :D
* On which Cisco device/model did you configure AES256? Please show a config example.
* Could the bug be not in net-snmp, but on your devices? See https://tools.cisco.com/bugsearch/bug/CSCui94875/

My best solution: just use AES128 and a READ ONLY view on your devices ;)

Observium supports any SNMP auth settings supported by net-snmp (snmpwalk/snmpget commands), see 'man snmpcmd'.

--
Mike Stupalov
http://observium.org/
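
Added example (not part of the original thread, and not Observium or net-snmp code): a small audit script for the situation discussed above, which reads Cisco "snmp-server user" lines and reports which SNMPv3 users a net-snmp based poller can reach and with which snmpcmd options. It assumes, following the replies in this thread, that net-snmp accepts only DES and AES-128 for privacy; the function names and the sample config are constructed for illustration.

```python
import re

# Cisco IOS: snmp-server user <user> <group> v3 [encrypted]
#   [auth {md5|sha} <pw>] [priv {des|3des|aes {128|192|256}} <pw>] [access <acl>]
USER_RE = re.compile(
    r"^snmp-server user (?P<user>\S+) (?P<group>\S+) v3(?: encrypted)?"
    r"(?: auth (?P<auth>md5|sha) \S+)?"
    r"(?: priv (?P<priv>des|3des|aes (?:128|192|256)) \S+)?"
    r"(?: access (?P<acl>\S+))?\s*$",
    re.IGNORECASE,
)

# Assumption: privacy protocols a stock net-snmp client accepts via -x.
NETSNMP_PRIV = {"des": "DES", "aes 128": "AES"}


def audit_line(line):
    """Return a dict describing one 'snmp-server user' line, or None."""
    m = USER_RE.match(line.strip())
    if not m:
        return None
    auth = (m.group("auth") or "").lower()
    priv = (m.group("priv") or "").lower()
    level = "authPriv" if priv else ("authNoPriv" if auth else "noAuthNoPriv")
    pollable = (not priv) or priv in NETSNMP_PRIV
    opts = None
    if pollable:
        # Passphrases (-A / -X) are deliberately left out of the report.
        opts = ["-v3", "-l", level, "-u", m.group("user")]
        if auth:
            opts += ["-a", auth.upper()]
        if priv:
            opts += ["-x", NETSNMP_PRIV[priv]]
    return {"user": m.group("user"), "priv": priv or None,
            "level": level, "pollable": pollable, "netsnmp_opts": opts}


def audit_config(text):
    """Audit every SNMPv3 user line found in a device configuration."""
    return [r for r in map(audit_line, text.splitlines()) if r]


# Constructed sample, modelled on the sanitized lines in the thread.
SAMPLE = """\
snmp-server user xxxuser xxxreadgroup v3 auth sha xxxpass priv aes 256 xxxpass access xxxx-RO
snmp-server user xxxuser2 xxxreadgroup v3 auth sha xxxpass priv aes 128 xxxpass access xxxx-RO
snmp-server group xxxreadgroup v3 priv read xxxview access xxxx-RO
"""
```

Running audit_config() over saved device configs gives a per-user list of which devices would need their privacy setting changed before a net-snmp based poller can read them.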