SNMP v3 and Cacti
A quick synopsis on setting up a Cisco ASA and a CentOS 6 or 7 system to use SNMP v3 to be monitored by Cacti.
Cisco ASA
en
conf t
# create a snmp-server group (needed for SNMP v3)
# SNMPV3-GROUP – what you want to name the group
snmp-server group SNMPV3-GROUP v3 priv
# set the passwords
# SNMPUSER – snmp username used to connect to ASA
# MyMD5Password – replace with password to be used for authentication
# MyAESPassword – replace with password to be used for encryption
# SNMPV3-GROUP – same value as selected from group name in the command “snmp-server group” above
snmp-server user SNMPUSER SNMPV3-GROUP v3 auth md5 MyMD5Password priv aes MyAESPassword
# permit the system doing queries to connect
# InterfaceWeAreUsing – the name of the interface you are connecting to on the ASA (as named in the ASA configuration, i.e. Inside, Management, etc)
# IP.Of.Monitoring.System – ip address of system connecting to the ASA
# SNMPUSER – must match the username selected in the “snmp-server user” command above
snmp-server host InterfaceWeAreUsing IP.Of.Monitoring.System version 3 SNMPUSER
Juniper SRX
set snmp location "My Server Room"
set snmp contact "hostmaster@myemail.com"
set snmp v3 usm local-engine user SNMPUSER authentication-md5 authentication-password "MyMD5Password"
set snmp v3 usm local-engine user SNMPUSER privacy-aes privacy-password "MyAESPassword"
set snmp v3 vacm security-to-group security-model usm security-name SNMPUSER group SNMPV3GROUP
set snmp v3 vacm access group SNMPV3GROUP default-context-prefix security-model any security-level privacy read-view SNMPVIEW
set snmp view SNMPVIEW oid .1 include
Linux (CentOS 6/7)
su -
service snmpd stop
Stopping snmpd: [ OK ]
net-snmp-create-v3-user -A MyMD5Password -a MD5 -X MyPrivPassword -x AES SNMPUSER
adding the following line to /etc/snmp/snmpd.conf:
rwuser SNMPUSER
service snmpd start
Starting snmpd: [ OK ]
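The "rwuser SNMPUSER" line written above grants SET access, and with no level given snmpd only requires authentication, so unencrypted authNoPriv requests are still accepted. The script below is an added example, not part of the original write-up: it audits an snmpd.conf for v3 users that are writable or do not enforce priv, and goes slightly further by flagging v1/v2c community lines left next to the v3 user. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# audit_snmpd_conf FILE: print one finding per access directive that is weaker
# than read-only + authPriv. Returns 0 when clean, 1 when anything is flagged.
audit_snmpd_conf() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
    # SNMPv3 users: rouser|rwuser [-s SECMODEL] USER [noauth|auth|priv ...]
    $1 == "rouser" || $1 == "rwuser" {
        i = 2
        if ($i == "-s") i += 2              # skip the optional security model
        user = $i; level = $(i + 1)
        if (level == "") level = "auth"     # snmpd default when omitted
        if ($1 == "rwuser") {
            print "WRITE " user ": rwuser allows SET; polling only needs rouser"
            bad = 1
        }
        if (level != "priv") {
            print "NOPRIV " user ": minimum level " level ", authPriv not enforced"
            bad = 1
        }
        next
    }
    # v1/v2c community definitions left in place next to the v3 user
    $1 ~ /^(ro|rw)community6?$/ || $1 ~ /^com2sec6?$/ {
        print "COMMUNITY line " NR ": " $1 " keeps a v1/v2c community configured"
        bad = 1
    }
    END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample: the line from the article plus typical neighbours.
write_sample_conf() {
    cat <<'EOF'
# constructed example, not a real host
com2sec notConfigUser default public
rwuser SNMPUSER
rouser CACTIRO priv
rouser -s usm OLDUSER auth
EOF
}

# Demo on the sample when run without arguments; otherwise audit the given file.
if [ $# -eq 0 ]; then
    tmp=$(mktemp) && write_sample_conf > "$tmp"
    audit_snmpd_conf "$tmp" || echo "findings listed above"
    rm -f "$tmp"
else
    audit_snmpd_conf "$1"
fi
```

For a Cacti poller, "rouser SNMPUSER priv" is sufficient; net-snmp-create-v3-user accepts -ro to write rouser instead of rwuser.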
Cacti
To set up a device using SNMP v3, enter the values you used above for SNMP Username, SNMP Password and SNMP Privacy Password. Make sure you set the SNMP Auth Protocol to MD5 and the SNMP Privacy Protocol to AES.
Cisco SG-300 Ethernet Switch
Cacti does not utilize the SNMP engine ID, but you have to set it in the Cisco SG300 switch in order to configure the SNMP v3 parameters. If you are not using the engine ID for other SNMP applications on your network, you can just pick a random 9-digit hex number for the engine IDs.
snmp-server server
snmp-server engineID local 9DigitHexEngineID
snmp-server view SNMPUserName iso included
snmp-server group SNMPGroupName v3 priv read SNMPUserName
snmp-server engineid remote IPAddressOfCactiSystem 9DigitHexEngineID
encrypted snmp-server user SNMPUserName SNMPGroupName v3 auth md5 MD5Password priv AESPassword
Windows 2000-2008
Only supports SNMP v1 and v2c
Windows 2012-2016
Official support for SNMP has been dropped by Microsoft – but SNMP v2c is supported
Other options to look at for Windows
Testing SNMP v3 using snmpwalk
snmpwalk -v 3 -u SNMPUSER -l authPriv -a MD5 -A MyMD5Password \
-x AES -X MyAESPassword ip.address.of.device system