SNMPv3 on Juniper JUNOS

I have played with various configurations on the Juniper platform as well as Solarwinds and I can't seem to get SNMPv3 auth working.

Anyone have a working config on Juniper and a screenshot of how that maps to Solarwinds?

  • Thanks Salah.

    I found those exact articles and followed them exactly and still couldn't get Solarwinds to authenticate.

    What I need to understand is why does Solarwinds have you type the authentication for SNMPv3 in twice? What is the difference between SNMPv3 auth and read/write SNMPv3 auth? I tried filling out one section at a time and both with the username "user1" and group/context "group1" with no luck.

    That is why I asked if someone could provide a known working JUNOS config and a screenshot to show how the information maps to what Solarwinds is asking; that would be great. Obviously passwords/sensitive information can be greyed out but I just need to see one example that works and I can run with it.

  • Hi Brian,

    Unfortunately I have never integrated Juniper using SNMPv3 on Orion, but I'll try to find the correct way.

    I suggest focusing on each part in depth: make sure the way you set the parameters is the correct one, then focus on the Junos configuration side.

    Regards.

    Salah

  • I thought I was going crazy, so I used another SNMP scanning tool against my SNMPv3 configuration on JUNOS and that works fine, so now it is something with the Solarwinds platform.

    Here is my JUNOS configuration:

    set snmp v3 usm local-engine user user1 authentication-sha authentication-key <key>

    set snmp v3 usm local-engine user user1 privacy-aes128 privacy-key <key>

    set snmp v3 vacm security-to-group security-model usm security-name user1 group group1

    set snmp v3 vacm access group group1 default-context-prefix security-model usm security-level privacy read-view view-all

    set snmp v3 target-address allow-1 address x.x.x.x

    set snmp v3 target-address allow-1 address-mask x.x.x.x

    set snmp v3 target-address allow-1 target-parameters tp1

    set snmp v3 target-address allow-2 address x.x.x.x

    set snmp v3 target-address allow-2 address-mask x.x.x.x

    set snmp v3 target-address allow-2 target-parameters tp1

    set snmp v3 target-parameters tp1 parameters message-processing-model v3

    set snmp v3 target-parameters tp1 parameters security-model usm

    set snmp v3 target-parameters tp1 parameters security-level privacy

    set snmp v3 target-parameters tp1 parameters security-name user1

    set snmp engine-id local 62

    set snmp view view-all oid 1 include

    If I use this configuration I am able to poll with SNMP using the user1 credentials as desired. If I try to update Solarwinds to use SNMPv3 and hit Test, it fails using the same information. In the other tool it doesn't require that I fill out the context field. If I try to, it breaks in that tool as well. So I decided to leave the context fields blank in Solarwinds but it still doesn't work.

    I will ask again: why does Solarwinds have two authentication sections to fill out when choosing SNMPv3??? Other tools only require you to enter the user, context, auth password, and privacy password. Why enter them two times? Is there something I am doing wrong there?

    If anyone can assist that would be great.

  • Update:

    The configuration I provided in fact works for JUNOS on Solarwinds if you don't fill out the second authentication section when managing a node. Only fill out the top section titled "SNMPv3 Credentials" and not the bottom "Read/Write SNMPv3 Credentials".

    With a config like this:

    set snmp v3 usm local-engine user user1 authentication-sha authentication-password <password goes here>

    set snmp v3 usm local-engine user user1 privacy-aes128 privacy-password <password goes here>

    set snmp v3 vacm security-to-group security-model usm security-name user1 group group1

    set snmp v3 vacm access group group1 default-context-prefix security-model usm security-level privacy read-view view-all

    set snmp v3 target-address allow-1 address x.x.x.x

    set snmp v3 target-address allow-1 address-mask x.x.x.x

    set snmp v3 target-address allow-1 target-parameters tp1

    set snmp v3 target-address allow-2 address x.x.x.x

    set snmp v3 target-address allow-2 address-mask x.x.x.x

    set snmp v3 target-address allow-2 target-parameters tp1

    set snmp v3 target-parameters tp1 parameters message-processing-model v3

    set snmp v3 target-parameters tp1 parameters security-model usm

    set snmp v3 target-parameters tp1 parameters security-level privacy

    set snmp v3 target-parameters tp1 parameters security-name user1

    set snmp engine-id local 62

    set snmp view view-all oid 1 include

    Username is "user1"; replace the target address sections with your SNMP polling IPs/ranges. When filling out Solarwinds use "user1" as the user and choose the proper authentication method (above is SHA for auth and AES128 for privacy).

    Type in the passwords you set above and you will have a working SNMPv3 node.

  • Do you have VRFs? -> With SNMPv2 the community name is prefixed by the VRF name to give the VRF view of the data (e.g. the ARP subtree is per-VRF instead of per-router).

    Do you know how that changes for SNMPv3?

    Answer: use the context: Identifying a Routing Instance - Technical Documentation - Support - Juniper Networks

  • Works for me:

    set snmp v3 usm local-engine user JOHNNY authentication-sha authentication-password MACK&JACK

    set snmp v3 usm local-engine user JOHNNY privacy-aes128 privacy-password JACK&MACK

    set snmp v3 vacm security-to-group security-model usm security-name JOHNNY group SOLARWINDS

    set snmp v3 vacm access group SOLARWINDS default-context-prefix security-model usm security-level privacy read-view GLOBAL

    set snmp v3 vacm access group SOLARWINDS default-context-prefix security-model usm security-level privacy write-view GLOBAL

    set snmp v3 vacm access group SOLARWINDS default-context-prefix security-model usm security-level privacy notify-view GLOBAL

    set snmp engine-id use-default-ip-address

    set snmp view GLOBAL oid internet include
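
An added example (not part of any post in this thread, and not Juniper or Solarwinds code): a Python check that reads `set snmp v3` lines like those posted above, reports per USM user the values a poller's SNMPv3 credentials form needs (username, authentication and privacy methods, security level), and flags VACM references that do not resolve. The names `summarize` and `SAMPLE` and the PLACEHOLDER passwords are assumptions made for the example.

```python
import re

# Constructed sample: the working config from this thread, with placeholder
# passwords and the poller target-address lines left out.
SAMPLE = """\
set snmp v3 usm local-engine user user1 authentication-sha authentication-password PLACEHOLDER
set snmp v3 usm local-engine user user1 privacy-aes128 privacy-password PLACEHOLDER
set snmp v3 vacm security-to-group security-model usm security-name user1 group group1
set snmp v3 vacm access group group1 default-context-prefix security-model usm security-level privacy read-view view-all
set snmp view view-all oid 1 include
"""

USM = ["set", "snmp", "v3", "usm", "local-engine", "user"]
def summarize(config):
    """Map each USM user to the values an SNMPv3 poller form needs, plus problems."""
    users, groups, access, views = {}, {}, {}, set()
    for line in config.splitlines():
        w = line.split()
        if w[:6] == USM and len(w) > 7:
            kind, _, algo = w[7].partition("-")  # "authentication-sha" -> kind, algo
            user = users.setdefault(w[6], {"authentication": None, "privacy": None})
            if kind in user:
                user[kind] = algo
        elif m := re.search(r"security-to-group security-model usm security-name (\S+) group (\S+)", line):
            groups[m[1]] = m[2]
        elif m := re.search(r"vacm access group (\S+) .*security-level (\S+) (read|write|notify)-view (\S+)", line):
            access.setdefault(m[1], {"level": m[2], "views": {}})["views"][m[3]] = m[4]
        elif w[:3] == ["set", "snmp", "view"] and len(w) > 3:
            views.add(w[3])
    report = {}
    for name, user in users.items():
        group = groups.get(name)
        acc = access.get(group, {"level": None, "views": {}})
        problems = []
        if group is None:
            problems.append("user is not mapped to a VACM group")
        elif group not in access:
            problems.append(f"group {group} has no access entry")
        if acc["level"] == "privacy" and not (user["authentication"] and user["privacy"]):
            problems.append("group requires privacy but user lacks auth or privacy settings")
        for kind, view in acc["views"].items():
            if view not in views:
                problems.append(f"{kind}-view {view} is not defined")
        report[name] = {**user, "group": group, "level": acc["level"], "views": acc["views"], "problems": problems}
    return report

if __name__ == "__main__":
    for name, info in summarize(SAMPLE).items():
        print(name, info)
```

An empty `problems` list means the user, group, access entry and view all line up, so the remaining values are what gets typed into the poller: the username, the authentication method and the privacy method.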