[INFO] Does Cacti Support snmpV3 and AES192 or AES256 - YES!!

If you figure out how to do something interesting/cool in Cacti and want to share it with the community, please post your experience here.

Moderators: Developers, Moderators

User avatar
TheWitness
Developer
Posts: 17007
Joined: Tue May 14, 2002 5:08 pm
Location: MI, USA
Contact:

[INFO] Does Cacti Support snmpV3 and AES192 or AES256 - YES!!

Post by TheWitness »

All,

This question gets asked more an more these days. So, here is a quick writeup. Let me first state, does Cacti support snmpV3. Yes. However, it's a qualified yes. Let me explain. I'll first start with Windows.

WINDOWS
In Windows, as of this writing, if you are using PHP's snmp support, you will not get snmpV3 support. This is due to the fact that the PHP development team is using a rather dated implementation of the snmp protocol on Windows. I have created a bug report here Bug to PHP Devel Team If you want to see it fixed, please add comments to the bug. It's a trivial fix.

The workaround for this is to simply use the net-snmp binaries instead of php-snmp. This is not a good solution since it slows things down though.

Linux/UNIX
In this platform, PHP supports snmpV3, with the exception of SNMP Context's. Which are not supported. If you are using Contexts, if you upgrade to 0.8.7c++ of Cacti, we have incorporated a workaround to this problem so that you can continue to use php-snmp.

Spine
There have been some complaints of late relative to snmpV3 support in Spine, and I can say that it works fine for DES and should have worked for AES (again) as of 0.8.7e. This applies equally to Windows and Linux/UNIX. However, I found an issue working with a user today that requires some changes to snmp.c, which I will post elsewhere. In addition, there is one exception which I explain below.

Net-SNMP
Net-SNMP Supports snmpV3, now supports both AES192 or AES256 as of Net-SNMP 5.8!!! Cacti 1.2.21+ also support these versions of snmpv3 as well, but you have to uninstall php-snmp.

I hope that helps those of you who have been experiencing problems adopting snmpV3.

Regards,

TheWitness
True understanding begins only when we realize how little we truly understand...

Life is an adventure, let yours begin with Cacti!

Author of dozens of Cacti plugins and customization's. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
GitHub Repository with Supported Plugins
Percona Device Packages (no support)
Interesting Device Packages


For those wondering, I'm still here, but lost in the shadows. Yearning for less bugs. Who want's a Cacti 1.3/2.0? Streams anyone?
User avatar
TheWitness
Developer
Posts: 17007
Joined: Tue May 14, 2002 5:08 pm
Location: MI, USA
Contact:

Post by TheWitness »

I have an update on the support of snmpV3 on Windows. I had worked with one of the PHP Lead Developers for Windows, and we have resolved the PHP snmp issues on Windows.

You should be able to use PHP 5.3.2++ and have a fully functional PHP snmp module with snmpV3.

TheWitness
True understanding begins only when we realize how little we truly understand...

Life is an adventure, let yours begin with Cacti!

Author of dozens of Cacti plugins and customization's. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
GitHub Repository with Supported Plugins
Percona Device Packages (no support)
Interesting Device Packages


For those wondering, I'm still here, but lost in the shadows. Yearning for less bugs. Who want's a Cacti 1.3/2.0? Streams anyone?
gbcfkf
Posts: 3
Joined: Mon Aug 12, 2013 5:37 pm

Re: [INFO] Does Cacti Support snmpV3 and AES192 or AES256?

Post by gbcfkf »

Three years have passed since the last post
Aes 256 still not working..
Any plans to add support for this feature in the future releases?
JJX
Cacti User
Posts: 402
Joined: Thu Oct 06, 2005 5:03 am

Re: [INFO] Does Cacti Support snmpV3 and AES192 or AES256?

Post by JJX »

AES 256 is still not supported.
Is that correct?
cacti rulez!
User avatar
Osiris
Cacti Guru User
Posts: 1424
Joined: Mon Jan 05, 2015 10:10 am

Re: [INFO] Does Cacti Support snmpV3 and AES192 or AES256?

Post by Osiris »

Until net-snmp supports it, I think the answer is no. I was reading on this the other day and Cisco has created their own non standard standard.
Before history, there was a paradise, now dust.
JJX
Cacti User
Posts: 402
Joined: Thu Oct 06, 2005 5:03 am

Re: [INFO] Does Cacti Support snmpV3 and AES192 or AES256?

Post by JJX »

Osiris wrote:Until net-snmp supports it, I think the answer is no. I was reading on this the other day and Cisco has created their own non standard standard.
Exactly.
Even if Cisco supports it to the new IOS, cacti cannot poll it as net-snmp doesn not support it yet :(
cacti rulez!
andermat
Posts: 22
Joined: Thu Mar 02, 2017 3:30 pm

Re: [INFO] Does Cacti Support snmpV3 and AES192 or AES256?

Post by andermat »

Any update on AES support in Cacti? I see that net-snmp 5.8 supports it but the Cacti build appears to still use 5.5.
User avatar
Osiris
Cacti Guru User
Posts: 1424
Joined: Mon Jan 05, 2015 10:10 am

Re: [INFO] Does Cacti Support snmpV3 and AES192 or AES256?

Post by Osiris »

Agree that now, since net-snmp 5.8 supports this, that Cacti can now too. Likely, it'll have to wait for version 1.3 to incorporate due to the scope of the change. It looks like net-snmp added a lot of options.
Before history, there was a paradise, now dust.
EricTheGreat
Posts: 10
Joined: Thu Mar 26, 2020 4:12 am

Re: [INFO] Does Cacti Support snmpV3 and AES192 or AES256?

Post by EricTheGreat »

Many devices - not only Cisco ones - suppport now SHA+3DES and also SHA256+AES256.

I found an RFC about SNMPv3 SHA256:
https://tools.ietf.org/html/rfc7860

But no RFC yet for AES256 (at least not beyond a draft). Net-SNMP supports up to AES512 according to their webpage (http://www.net-snmp.org/wiki/index.php/ ... Encryption).

It is a strange situation where devices have already new SNMPv3 features but monitoring tools do not support those features probably because there is no clear RFC.

My question is for the Cacti Team: do you have new authentication and cryptography protocoles in the roadmap of Cacti for SNMPv3?
Moegoe
Posts: 16
Joined: Sun Aug 04, 2019 7:13 am

SNMP V3 support

Post by Moegoe »

Hi. I have Cacti 1.2.4 with net snmp 5.9. I can execute an snmpwalk with the V3 credentials fine - get information back but when i do it through the Cacti interface on the same pc i get no response(SNMP error) from that same device. This seems to make me think that cacti`s command line does not have the right format. What do i need to edit? The command that works looks like this: snmpwalk -v3 -a sha -A '*PASSWORD' -x aes -X 'PASSWORD' -u "USERNAME" "IP ADDRESS TO BE QUERIED"

I use spine as my poller. Everything runs on Ubuntu 16
netniV
Cacti Guru User
Posts: 3441
Joined: Sun Aug 27, 2017 12:05 am

Re: [INFO] Does Cacti Support snmpV3 and AES192 or AES256?

Post by netniV »

1.2.4 is an older version. I can't be specific but I'm sure there have been some updates to make things work better for most of the basic v3 auth since then.
Cacti Developer & Release Manager
The Cacti Group

Director
BV IT Solutions Ltd

+--------------------------------------------------------------------------+

Cacti Resources:
Cacti Website (including releases)
Cacti Issues
Cacti Development Releases
Cacti Development Documentation
User avatar
TheWitness
Developer
Posts: 17007
Joined: Tue May 14, 2002 5:08 pm
Location: MI, USA
Contact:

Re: [INFO] Does Cacti Support snmpV3 and AES192 or AES256?

Post by TheWitness »

Cacti 1.2.20++ supports the various higher level encryption now.
True understanding begins only when we realize how little we truly understand...

Life is an adventure, let yours begin with Cacti!

Author of dozens of Cacti plugins and customization's. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
GitHub Repository with Supported Plugins
Percona Device Packages (no support)
Interesting Device Packages


For those wondering, I'm still here, but lost in the shadows. Yearning for less bugs. Who want's a Cacti 1.3/2.0? Streams anyone?
Moegoe
Posts: 16
Joined: Sun Aug 04, 2019 7:13 am

Re: [INFO] Does Cacti Support snmpV3 and AES192 or AES256?(HELP PLSE)

Post by Moegoe »

Hi all. I am still struggling with V3, new install Net-SNMP 5.8, Ubuntu 20 and Cacti ver 1.2.20. I can query a V3 device with: snmpwalk -v3 -a sha -A 'PASSWORD' -3x aes -X 'PASSWORD' -u "USERNAME" "IP ADDRESS OF ROUTER".
That works fine. When i do a debug of cmd.php i get the following error: Invalid privacy protocol specified after -3x flag: AES256.
It seems that cacti somehow "adds" the 256 after the -3x flag and the router does not like it as when i change the 1st query and add 256 after the aes i get a failed query.
What can i go and edit to prevent cacti to add the '256'? I have disabled the php-snmp module as it does not work either.
netniV
Cacti Guru User
Posts: 3441
Joined: Sun Aug 27, 2017 12:05 am

Re: [INFO] Does Cacti Support snmpV3 and AES192 or AES256?

Post by netniV »

You are using purely aes on the command line but that's not clear how many bits that's using?
Cacti Developer & Release Manager
The Cacti Group

Director
BV IT Solutions Ltd

+--------------------------------------------------------------------------+

Cacti Resources:
Cacti Website (including releases)
Cacti Issues
Cacti Development Releases
Cacti Development Documentation
User avatar
TheWitness
Developer
Posts: 17007
Joined: Tue May 14, 2002 5:08 pm
Location: MI, USA
Contact:

Re: [INFO] Does Cacti Support snmpV3 and AES192 or AES256?

Post by TheWitness »

I think we've ironed out all the wrinkles for the advanced SNMP options. Again, the requirements for both high end SNMPv3 settings and IPV6 include:

- Uninstalling php-snmp
- Having your net-snmp toolset and development libraries at 5.8++
- Upgrading Cacti and spine to 1.2.21++
True understanding begins only when we realize how little we truly understand...

Life is an adventure, let yours begin with Cacti!

Author of dozens of Cacti plugins and customization's. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
GitHub Repository with Supported Plugins
Percona Device Packages (no support)
Interesting Device Packages


For those wondering, I'm still here, but lost in the shadows. Yearning for less bugs. Who want's a Cacti 1.3/2.0? Streams anyone?
Post Reply

Who is online

Users browsing this forum: No registered users and 7 guests