Cacti / cacti

Cacti ™
http://www.cacti.net
GNU General Public License v2.0

AES256 / AES256C Privacy Protocol missing in GUI when using net-snmp-1:5.9 - aka Cisco support for Cisco-AES-256 Privacy Type SNMPv3 #5687

Closed richud closed 8 months ago

richud commented 8 months ago

Hi, my workplace is shifting everything over to SNMPv3, almost entirely with Cisco equipment. They have standardised on 'Privacy Type' Cisco-AES-256 & 'Auth type' HMAC-SHA (a common scenario?).

Currently the GUI 'SNMP Privacy Protocol (v3)' doesn't have the 'special?!' Cisco 'C' type selectable; could this please be added, as net-snmp in the backend supports it OK? (although the snmpget CLI help doesn't mention them). I started changing the GUI PHP initially, then found snmp_priv_protocol is char(6) in the DB, and went for a simpler option to test...

So I bodged lib/snmp.php at line 413 with a simple change for testing, and it now talks OK to the test device (responds with uptime, with 'SNMP uptime' under 'Downed Device Detection' selected in the GUI), so I assume nothing too complicated needs fixing/changing?

lib/snmp.php:413:               if($priv_proto=="AES256"){ $priv_proto = "AES256C"; }
lib/snmp.php-414-               $priv_pass = '-X ' . snmp_escape_string($priv_pass) . ' -x ' . snmp_escape_string($priv_proto);

Rocky Linux 9 net-snmp-1:5.9.1-11.el9_3.1.x86_64 cacti-1.2.25-1.el9.noarch (not using php-snmp)

Sort of related to #5504 and net-snmp/net-snmp#524

TheWitness commented 8 months ago

We do accept pull requests.

richud commented 8 months ago

:) Increasing the char size in the DB seemed the last hurdle after changing the PHP; put in a pull request against 1.2.27, hope that's OK.

arno-st commented 8 months ago

Quick question: are you sure that changing AES256 to a Cisco-specific version AES256C won't break the usage of AES256 for other manufacturers? Don't you think it would be better to add AES256C to the list of privacy protocols?

xmacan commented 8 months ago

> Quick question: are you sure that changing AES256 to a Cisco-specific version AES256C won't break the usage of AES256 for other manufacturers? Don't you think it would be better to add AES256C to the list of privacy protocols?

@richud add 2 new options. AES256 is kept, check https://github.com/Cacti/cacti/pull/5688/files

richud commented 8 months ago

There are both AES256 and AES256C options (if you are referring to my quick kludge override in lib/snmp.php, that was just to test it worked initially).

TheWitness commented 8 months ago

This is resolved now. We just need to make sure that spine is working.

richud commented 8 months ago

It was polling OK with a real Cisco 2960 switch & data going into the rrd. I've hopefully pushed another change a bit ago, as I realised the char size needed incrementing in a few places; hopefully in the right branch this time.

Can be tested with Linux snmpd; it just needs two lines in a config file, like /etc/snmp/snmpd.conf.d/test.conf:

CreateUser shaaes256c SHA SNMPv3SHAPass AES256C SNMPv3AESPass
rouser     shaaes256c     priv      .1

$ snmpwalk -v 3 -l authPriv -u shaaes256c -a sha -A SNMPv3SHAPass -x AES256C -X SNMPv3AESPass 192.168.122.1 1.3.6.1.2.1.1.1.0
SNMPv2-MIB::sysDescr.0 = STRING: Linux R830 6.5.0-26-generic #26~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Mar 12 10:22:43 UTC 2 x86_64
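The two points raised in this thread (the line-413 rewrite silently turning every AES256 device into AES256C, and the char(6) column being one character too short for "AES256C") can be shown in one place. This is an added example, not Cacti's lib/snmp.php: the allowlist, the function names and the configurable column width are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Privacy protocols net-snmp 5.9 accepts for -x; the two "C" variants are the
// Cisco-compatible key extension this issue is about (assumed list).
const PRIV_PROTOCOLS = ['DES', 'AES', 'AES128', 'AES192', 'AES256', 'AES192C', 'AES256C'];

// Refuse to store a value the schema column would truncate. With char(6),
// "AES256C" would be written as "AES256" and the poller would then send the
// wrong -x value to the device, which fails without any obvious error.
function assert_storable(string $priv_proto, int $column_width): void
{
    if (strlen($priv_proto) > $column_width) {
        throw new LengthException(sprintf(
            '%s is %d chars; char(%d) would truncate it to "%s"',
            $priv_proto, strlen($priv_proto), $column_width,
            substr($priv_proto, 0, $column_width)
        ));
    }
}

// Build the net-snmp privacy arguments from the GUI selection. An explicit
// allowlist keeps AES256 devices on AES256 (unlike a blanket rewrite to
// AES256C) and stops any unexpected value from reaching the shell.
function snmpv3_priv_args(string $priv_proto, string $priv_pass, int $column_width = 6): string
{
    if (!in_array($priv_proto, PRIV_PROTOCOLS, true)) {
        throw new InvalidArgumentException("unsupported privacy protocol: $priv_proto");
    }
    assert_storable($priv_proto, $column_width);
    return '-x ' . escapeshellarg($priv_proto) . ' -X ' . escapeshellarg($priv_pass);
}

// Constructed inputs: plain AES256 with the old column, AES256C with the old
// column (rejected), AES256C after widening, and an unknown value (rejected).
foreach ([['AES256', 6], ['AES256C', 6], ['AES256C', 7], ['AES256;id', 7]] as [$proto, $width]) {
    try {
        echo snmpv3_priv_args($proto, 'SNMPv3AESPass', $width), PHP_EOL;
    } catch (Exception $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```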

TheWitness commented 8 months ago

Perfect. Thanks again for your contribution @richud.