In case anyone is trying to get SNMPv3 working, I created a tutorial for our engineers and thought I would post the link for people here. packetpros.com/.../SNMPv3_Orion.html [updated link]
Sort of, you can save your SNMPv3 Credential Set. Then you have to open the node details and change from your current SNMP version to version 3 and specify the saved credential set. Of course you still have to configure your equipment, but that's what Cirrus is for!
Does anyone know if you can use AAA to authenticate SNMPv3 on a Cisco switch/router?
I don't see anything on Cisco nor looking on a router :-(
Thank you
Sav.
That was helpful. Thank you!
Here's a more detailed example config for a Cisco 2612 at IOS v12.2 that also covers NTP, NAT, SSH, and DHCP (if it pastes OK here):
! SEE ALSO:
! www.cisco.com/.../
! 120t/120t3/snmp3.htm
!
! www.cisco.com/.../
! ccmigration_09186a008011dff4.pdf
! NOTE!!! NOTE!!! NOTE!!!
! NOTE!!!! For snmpv3 (but not ssh) you must first verify that the
! IOS supports encryption. Use "sho version" to check this. The output
! from the "sho version" command must include a paragraph beginning with:
! "This product contains cryptographic features and is subject
! to United States and local country laws governing import,
! export, transfer and use ………."
! NOTE ALSO!!! You may have to redo the "crypto key generate rsa usage-keys"
! command after configuring snmpv3. That was one of the last few things I
! did before orion/snmpv3 started working with rtrxy.
! Cisco 2621 Router
version 12.2
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
hostname rtr
logging buffered 65536 debugging
aaa new-model
enable secret 5 xxx
username sss password 7 xxx
username ssss password 7 xxx
username sssss password 7 xxx
username ssssss password 7 xxx
clock timezone CST -6
clock summer-time EDST recurring
ip subnet-zero
ip domain-name mil.foo.org
ip name-server 111.157.208.200
ip name-server 111.157.254.1
ip name-server 111.157.254.2
no ip dhcp conflict logging
ip dhcp excluded-address 10.1.1.1 10.1.1.25
ip dhcp pool wireless_clients
 network 10.1.1.0 255.255.255.0
 dns-server 111.157.208.200 111.157.254.1
 default-router 10.1.1.2
 domain-name mil.foo.org
 lease 10
! before the following ip ssh command, generate rsa key
! at CLI "rtr(config)# crypto key generate rsa usage-keys",
! isn't seen in run or start config (needed for ssh & snmpv3)
ip ssh authentication-retries 2
call rsvp-sync
interface FastEthernet0/0
 ip address 111.157.208.250 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
interface Serial0/0
 no ip address
 shutdown
interface FastEthernet0/1
 ip address 10.1.1.2 255.255.255.0
 ip broadcast-address 10.1.1.255
 ip nat inside
interface Serial0/1
ip nat inside source list 22 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 111.157.208.1
no ip http server
logging 111.157.7.102
access-list 22 permit 10.1.1.0 0.0.0.255
snmp-server engineID local 0000000xxxxxxxxxxxxxB780 !! (THIS LINE IS …
!! AUTOMATICALLY GENERATED BY THE DEVICE when other snmpv3 cmds entered!)
snmp-server group orion v3 priv
snmp-server view Orion_view internet included
snmp-server view Orion_view system included
snmp-server view Orion_view interfaces included
snmp-server view Orion_view chassis included
snmp-server enable traps tty
! also, enter the snmp user definition at CLI, not seen in config,
! "rtr(config)#snmp-server user orionu orion v3 auth
! md5 orion_001 priv des56 orion_001"
tacacs-server host 111.157.254.6
tacacs-server directed-request
tacacs-server key 7 xxx
dial-peer cor custom
line con 0
 session-timeout 600
 history size 256
line aux 0
line vty 0 4
ntp clock-period 17179825
ntp master 3
ntp server 111.157.208.1
ntp server 111.157.254.3 prefer
end
--
SNMPv3 does not use a community string but SNMPv1 and SNMPv2 _require_ a community string. To disable v1 and v2, use the “no” form of the snmp-server community and group commands (see below).
To discover if snmpv3 and ssh are properly configured and if snmpv1 and snmpv2 need to be removed from the device configuration, use the CLI commands:
# show run !! to discover and (later) remove all snmp community entries
# show snmp group !! to discover and (later) remove all snmpv1 and v2 groups
# show snmp user !! to verify that the snmpv3 user exists
# debug snmp headers !! to send snmp info to the logging buffer
# debug snmp packets !! (ditto, use both snmp debug commands)
# debug ip ssh !! to send ssh info to the logging buffer
# show logging !! to view the debug output
# u all !! to turn off all debugging – IMPORTANT!
#<config> no snmp-server community communitystring
#<config> no snmp-server group groupname v1
#<config> no snmp-server group groupname v2c
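Added example (not part of any post in this thread): a small Python check that scans a saved copy of the "show run" output for the leftover SNMPv1/v2c community and group lines described above and prints the matching "no" commands. The sample config, the group names in it and the function name audit_snmp are constructed for illustration.

```python
import re

# Constructed sample of "show run" output (not from the original post):
# one leftover community, a v1 and a v2c group, and one v3 group per level.
SAMPLE_CONFIG = """\
hostname rtr
snmp-server community public RO 22
snmp-server group oldgrp v1
snmp-server group legacy v2c read Orion_view
snmp-server group weak v3 noauth
snmp-server group mid v3 auth
snmp-server group orion v3 priv
snmp-server view Orion_view system included
"""

COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)")
GROUP_RE = re.compile(
    r"^snmp-server group (\S+) (v1|v2c|v3)(?: (noauth|auth|priv))?")


def audit_snmp(config_text):
    """Return (findings, removal_commands) for a saved running-config."""
    findings, removals = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            # The finding omits the community string; the "no" command needs it.
            findings.append("v1/v2c community string configured")
            removals.append("no snmp-server community " + m.group(1))
            continue
        m = GROUP_RE.match(line)
        if not m:
            continue
        name, version, level = m.groups()
        if version in ("v1", "v2c"):
            findings.append(f"group {name} allows SNMP{version}")
            removals.append(f"no snmp-server group {name} {version}")
        elif level != "priv":
            # v3 noauth/auth does not encrypt; the config above uses priv.
            findings.append(f"group {name} is v3 {level or 'unspecified'}, not priv")
    return findings, removals


if __name__ == "__main__":
    found, fix = audit_snmp(SAMPLE_CONFIG)
    for item in found:
        print("FINDING:", item)
    for cmd in fix:
        print("REMOVE :", cmd)
```

Groups that the device creates on its own may only show up under "show snmp group", so that output is worth checking by hand as well.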
Thanks for the it will be very useful.
We are in the process of migrating to v8.1 and would like to use SNMP v3 with all our Cisco kit, is there an easy way of configuring it for multiple devices in Orion or is it a DB hack?
Thanks
Jon
worked like a champ, thanks
In case anyone is trying to get SNMPv3 working, I created a tutorial for our engineers and thought I would post the link for people here. kb.packetpros.com/ [updated link]
I believe this is the link he created.
packetpros.com/.../How_do_I_configure_SNMPv3_on_a_router?
Link for this appears to be dead, does anyone have a copy of this doc?
Thanks.
Is this any help? http://zmq503o1.spaces.live.com/blog/cns!2DE8BC7CE0181410!213.entry
Hey has this link changed?
TIA
Here is a newer paper specifically on SNMP v3 and SolarWinds products.
http://www.solarwinds.com/support/Orion/docs/Implementing_SNMPv3r1.pdf
Thanks Andy
The doc is now at http://www.solarwinds.com/documentation/Orion/docs/Implementing_SNMPv3r1.pdf