[INFO] Does Cacti Support snmpV3 and AES192 or AES256 - YES!!

[TheWitness]

All,

This question gets asked more an more these days. So, here is a quick writeup. Let me first state, does Cacti support snmpV3. Yes. However, it's a qualified yes. Let me explain. I'll first start with Windows.

WINDOWS
In Windows, as of this writing, if you are using PHP's snmp support, you will not get snmpV3 support. This is due to the fact that the PHP development team is using a rather dated implementation of the snmp protocol on Windows. I have created a bug report here Bug to PHP Devel Team If you want to see it fixed, please add comments to the bug. It's a trivial fix.

The workaround for this is to simply use the net-snmp binaries instead of php-snmp. This is not a good solution since it slows things down though.

Linux/UNIX
In this platform, PHP supports snmpV3, with the exception of SNMP Context's. Which are not supported. If you are using Contexts, if you upgrade to 0.8.7c++ of Cacti, we have incorporated a workaround to this problem so that you can continue to use php-snmp.

Spine
There have been some complaints of late relative to snmpV3 support in Spine, and I can say that it works fine for DES and should have worked for AES (again) as of 0.8.7e. This applies equally to Windows and Linux/UNIX. However, I found an issue working with a user today that requires some changes to snmp.c, which I will post elsewhere. In addition, there is one exception which I explain below.

Net-SNMP
Net-SNMP Supports snmpV3, now supports both AES192 or AES256 as of Net-SNMP 5.8!!! Cacti 1.2.21+ also support these versions of snmpv3 as well, but you have to uninstall php-snmp.

I hope that helps those of you who have been experiencing problems adopting snmpV3.

Regards,

TheWitness

[TheWitness]

I have an update on the support of snmpV3 on Windows. I had worked with one of the PHP Lead Developers for Windows, and we have resolved the PHP snmp issues on Windows.

You should be able to use PHP 5.3.2++ and have a fully functional PHP snmp module with snmpV3.

TheWitness

[gbcfkf]

Three years have passed since the last post
Aes 256 still not working..
Any plans to add support for this feature in the future releases?

[JJX]

AES 256 is still not supported.
Is that correct?

[Osiris]

Until net-snmp supports it, I think the answer is no. I was reading on this the other day and Cisco has created their own non standard standard.

[JJX]

Until net-snmp supports it, I think the answer is no. I was reading on this the other day and Cisco has created their own non standard standard.

Exactly.
Even if Cisco supports it to the new IOS, cacti cannot poll it as net-snmp doesn not support it yet

[andermat]

Any update on AES support in Cacti? I see that net-snmp 5.8 supports it but the Cacti build appears to still use 5.5.

[Osiris]

Agree that now, since net-snmp 5.8 supports this, that Cacti can now too. Likely, it'll have to wait for version 1.3 to incorporate due to the scope of the change. It looks like net-snmp added a lot of options.

[EricTheGreat]

Many devices - not only Cisco ones - suppport now SHA+3DES and also SHA256+AES256.

I found an RFC about SNMPv3 SHA256:
https://tools.ietf.org/html/rfc7860

But no RFC yet for AES256 (at least not beyond a draft). Net-SNMP supports up to AES512 according to their webpage (http://www.net-snmp.org/wiki/index.php/ ... Encryption).

It is a strange situation where devices have already new SNMPv3 features but monitoring tools do not support those features probably because there is no clear RFC.

My question is for the Cacti Team: do you have new authentication and cryptography protocoles in the roadmap of Cacti for SNMPv3?

[Moegoe]

Hi. I have Cacti 1.2.4 with net snmp 5.9. I can execute an snmpwalk with the V3 credentials fine - get information back but when i do it through the Cacti interface on the same pc i get no response(SNMP error) from that same device. This seems to make me think that cacti`s command line does not have the right format. What do i need to edit? The command that works looks like this: snmpwalk -v3 -a sha -A '*PASSWORD' -x aes -X 'PASSWORD' -u "USERNAME" "IP ADDRESS TO BE QUERIED"

I use spine as my poller. Everything runs on Ubuntu 16

[netniV]

1.2.4 is an older version. I can't be specific but I'm sure there have been some updates to make things work better for most of the basic v3 auth since then.

[TheWitness]

Cacti 1.2.20++ supports the various higher level encryption now.

[Moegoe]

Hi all. I am still struggling with V3, new install Net-SNMP 5.8, Ubuntu 20 and Cacti ver 1.2.20. I can query a V3 device with: snmpwalk -v3 -a sha -A 'PASSWORD' -3x aes -X 'PASSWORD' -u "USERNAME" "IP ADDRESS OF ROUTER".
That works fine. When i do a debug of cmd.php i get the following error: Invalid privacy protocol specified after -3x flag: AES256.
It seems that cacti somehow "adds" the 256 after the -3x flag and the router does not like it as when i change the 1st query and add 256 after the aes i get a failed query.
What can i go and edit to prevent cacti to add the '256'? I have disabled the php-snmp module as it does not work either.

[netniV]

You are using purely aes on the command line but that's not clear how many bits that's using?

[TheWitness]

I think we've ironed out all the wrinkles for the advanced SNMP options. Again, the requirements for both high end SNMPv3 settings and IPV6 include:

- Uninstalling php-snmp
- Having your net-snmp toolset and development libraries at 5.8++
- Upgrading Cacti and spine to 1.2.21++