Level 12

SNMPv3 on Juniper JUNOS


I have played with various configurations on the Juniper platform as well as Solarwinds and I can't seem to get SNMPv3 auth working.

Anyone have a working config on Juniper and a screenshot of how that maps to Solarwinds?

1 Solution
Level 12

Update:

The configuration I provided in fact works for JUNOS on Solarwinds if you don't fill out the second authentication section when managing a node.  Only fill out the top section titled "SNMPV3 Credentials" and not the bottom "Read/Write SNMPv3 Credentials".

With config like this:

set snmp v3 usm local-engine user user1 authentication-sha authentication-password <password goes here>

set snmp v3 usm local-engine user user1 privacy-aes128 privacy-password <password goes here>

set snmp v3 vacm security-to-group security-model usm security-name user1 group group1

set snmp v3 vacm access group group1 default-context-prefix security-model usm security-level privacy read-view view-all

set snmp v3 target-address allow-1 address x.x.x.x

set snmp v3 target-address allow-1 address-mask x.x.x.x

set snmp v3 target-address allow-1 target-parameters tp1

set snmp v3 target-address allow-2 address x.x.x.x

set snmp v3 target-address allow-2 address-mask x.x.x.x

set snmp v3 target-address allow-2 target-parameters tp1

set snmp v3 target-parameters tp1 parameters message-processing-model v3

set snmp v3 target-parameters tp1 parameters security-model usm

set snmp v3 target-parameters tp1 parameters security-level privacy

set snmp v3 target-parameters tp1 parameters security-name user1

set snmp engine-id local 62

set snmp view view-all oid 1 include

Username is "user1" and replace the target address sections with your SNMP polling IPs/ranges.  When filling out Solarwinds use "user1" as the user and choose the proper authentication method (above is sha for auth and aes128 for privacy).

Type in the passwords you set above and you will have a working SNMPv3 node.

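Added example, not part of the original posts and not SolarWinds or Juniper code: a Python check that reads `set snmp v3` lines like those in this thread and returns, per USM user, the values a poller form asks for (username, auth and privacy protocol, blank context) together with audit findings. The sample config is constructed from the thread's lines with placeholder passwords, and the function name and finding texts are this example's own.

```python
import re

# Constructed sample: the read-only user from the accepted answer, plus a second
# user with a write-view and no privacy line (passwords are placeholders).
SAMPLE = """\
set snmp v3 usm local-engine user user1 authentication-sha authentication-password <auth-pw>
set snmp v3 usm local-engine user user1 privacy-aes128 privacy-password <priv-pw>
set snmp v3 vacm security-to-group security-model usm security-name user1 group group1
set snmp v3 vacm access group group1 default-context-prefix security-model usm security-level privacy read-view view-all
set snmp v3 usm local-engine user JOHNNY authentication-sha authentication-password <auth-pw>
set snmp v3 vacm security-to-group security-model usm security-name JOHNNY group SOLARWINDS
set snmp v3 vacm access group SOLARWINDS default-context-prefix security-model usm security-level privacy write-view GLOBAL
"""

USER = re.compile(r"set snmp v3 usm local-engine user (\S+) (authentication|privacy)-(\S+) ")
GROUP = re.compile(r"set snmp v3 vacm security-to-group security-model usm security-name (\S+) group (\S+)")
ACCESS = re.compile(r"set snmp v3 vacm access group (\S+) default-context-prefix security-model usm "
                    r"security-level (\S+) (read|write|notify)-view (\S+)")

def poller_profiles(config):
    """Return {user: profile}: the values to enter in the poller, plus audit findings."""
    users, groups, access = {}, {}, {}
    for line in config.splitlines():
        if m := USER.match(line):
            users.setdefault(m[1], {})[m[2]] = m[3]          # e.g. authentication -> sha
        elif m := GROUP.match(line):
            groups[m[1]] = m[2]                              # security-name -> group
        elif m := ACCESS.match(line):
            access.setdefault(m[1], []).append((m[2], m[3], m[4]))
    out = {}
    for name, algos in users.items():
        rules = access.get(groups.get(name), [])
        prof = {"username": name, "context": "",             # context left blank, as in the thread
                "auth": algos.get("authentication"), "priv": algos.get("privacy"),
                "level": sorted({r[0] for r in rules}), "findings": []}
        if any(r[0] == "privacy" for r in rules) and not prof["priv"]:
            prof["findings"].append("group requires privacy but user has no privacy protocol")
        if any(r[1] == "write" for r in rules):
            prof["findings"].append("write-view granted: monitoring-only pollers need read-view only")
        if not rules:
            prof["findings"].append("user is not mapped to any VACM access rule")
        out[name] = prof
    return out

if __name__ == "__main__":
    for profile in poller_profiles(SAMPLE).values():
        print(profile)
```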

7 Replies
Level 8

Works for me:

set snmp v3 usm local-engine user JOHNNY authentication-sha authentication-password MACK&JACK

set snmp v3 usm local-engine user JOHNNY privacy-aes128 privacy-password JACK&MACK

set snmp v3 vacm security-to-group security-model usm security-name JOHNNY group SOLARWINDS

set snmp v3 vacm access group SOLARWINDS default-context-prefix security-model usm security-level privacy read-view GLOBAL

set snmp v3 vacm access group SOLARWINDS default-context-prefix security-model usm security-level privacy write-view GLOBAL

set snmp v3 vacm access group SOLARWINDS default-context-prefix security-model usm security-level privacy notify-view GLOBAL

set snmp engine-id use-default-ip-address

set snmp view GLOBAL oid internet include

0 Kudos
Level 11

Hi Brian,

Unfortunately I have never integrated Juniper using SNMP v3 on Orion, but I'll try to find the correct way.

I suggest focusing on each part deeply, so make sure the way you set the parameters is the correct one, then focus on the Junos configuration side.

Regards.

Salah

0 Kudos
Level 12

I thought I was going crazy so I used another snmp scanning tool against my SNMPv3 configuration on JUNOS and that works fine so now it is something with the Solarwinds platform.

Here is my JUNOS configuration:

set snmp v3 usm local-engine user user1 authentication-sha authentication-key <key>

set snmp v3 usm local-engine user user1 privacy-aes128 privacy-key <key>

set snmp v3 vacm security-to-group security-model usm security-name user1 group group1

set snmp v3 vacm access group group1 default-context-prefix security-model usm security-level privacy read-view view-all

set snmp v3 target-address allow-1 address x.x.x.x

set snmp v3 target-address allow-1 address-mask x.x.x.x

set snmp v3 target-address allow-1 target-parameters tp1

set snmp v3 target-address allow-2 address x.x.x.x

set snmp v3 target-address allow-2 address-mask x.x.x.x

set snmp v3 target-address allow-2 target-parameters tp1

set snmp v3 target-parameters tp1 parameters message-processing-model v3

set snmp v3 target-parameters tp1 parameters security-model usm

set snmp v3 target-parameters tp1 parameters security-level privacy

set snmp v3 target-parameters tp1 parameters security-name user1

set snmp engine-id local 62

set snmp view view-all oid 1 include

If I use this configuration I am able to poll with SNMP using the user1 credentials as desired.  If I try to update Solarwinds to use SNMPv3 and hit test it fails using the same information.  In the other tool it doesn't require I fill out the context field.  If I try to it breaks in that tool as well.  So I decided to leave the context fields blank in Solarwinds but it still doesn't work.

I will ask again why does Solarwinds have two authentication sections to fill out when choosing SNMPv3???  Other tools only require you enter the user, context, auth password, and privacy password.  Why enter two times?  Is there something I am doing wrong there?

If anyone can assist that would be great.

0 Kudos
Do you have VRFs? -> with snmpv2 the community name is prefixed by the VRF-name to give the VRF-view of the data (e.g. the ARP subtree is per-VRF instead of per-router)

do you know how that changes for the snmpV3?

answer: use the context: Identifying a Routing Instance - Technical Documentation - Support - Juniper Networks

Level 12

Thanks Salah.

I found those exact articles and followed them exactly and still couldn't get Solarwinds to authenticate.

What I need to understand is why does Solarwinds have you type the authentication for SNMPv3 in twice?  What is the difference between SNMPv3 auth and read/write SNMPv3 auth?  I tried filling out one section at a time and both with the username "user1" and group/context "group1" with no luck.

That is why I asked if someone could provide a known working JUNOS config and a screenshot to show how the information maps to what Solarwinds is asking would be great.  Obviously passwords/sensitive information can be greyed out but I just need to see one example that works and I can run with it.

0 Kudos