I saw Jake's statement that he couldn't get SNMP v3 working with Cisco 3560 switches. I banged my head against that wall for a few days in our test environment and I finally got it working. It was a bear but it works great now that I got it all figured out. The main problem is that the packetfence admin guide is not correct in the setup of v3. Here is my setup:
PF switches.conf: (I have this under the default section but you could make it for a single switch if you wanted to test it)

# SNMP section
#
# PacketFence -> Switch
SNMPVersion=3
#SNMPCommunityRead=public
#SNMPCommunityWrite=private
#SNMPEngineID = 0000000000000
SNMPUserNameRead=readUser
SNMPAuthProtocolRead=MD5
SNMPAuthPasswordRead=authpwdread
SNMPPrivProtocolRead=AES
SNMPPrivPasswordRead=privpwdread
SNMPUserNameWrite=writeUser
SNMPAuthProtocolWrite=MD5
SNMPAuthPasswordWrite=authpwdwrite
SNMPPrivProtocolWrite=AES
SNMPPrivPasswordWrite=privpwdwrite
# Switch -> PacketFence
SNMPVersionTrap=3
#SNMPCommunityTrap=public
SNMPAuthProtocolTrap=MD5
SNMPAuthPasswordTrap=authpwdread
SNMPPrivProtocolTrap=AES
SNMPPrivPasswordTrap=privpwdread

Cisco 3560 config:

snmp-server engineID local AA5ED139B81D4A328D18ACD1
snmp-server group readGroup v3 priv
snmp-server group writeGroup v3 priv read v1default write v1default
snmp-server user readUser readGroup v3 auth md5 authpwdread priv aes 128 privpwdread
snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv aes 128 privpwdwrite
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host "IP of PF server" version 3 priv readUser port-security

Your show run on the switch should look something like this:

snmp-server engineID local AA5ED139B81D4A328D18ACD1
snmp-server group readUser v3 priv notify *tv.00000000.00000000.00000000.000002000F
snmp-server group readGroup v3 priv notify *tv.00000001.00000000.00000020.000002000F
snmp-server group writeGroup v3 priv write v1default
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 192.168.1.5 version 3 priv readUser port-security

The only way to see the users is with a show snmp user command and should look like this:

User name: readUser
Engine ID: AA5ED139B81D4A328D18ACD1
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: AES128
Group-name: readGroup

User name: writeUser
Engine ID: AA5ED139B81D4A328D18ACD1
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: AES128
Group-name: writeGroup

The biggest difference in the setup is using AES 128 for the encryption for the user on the Cisco switch instead of the des56 it shows in the admin guide. I haven't run through it yet with my own usernames and passwords but it should be a straightforward replacement of those values in the configs.

NATE RENBARGER
NETWORK ADMINISTRATOR, UNIVERSITY INFORMATION TECHNOLOGY
INDIANA WESLEYAN UNIVERSITY
4201 S. WASHINGTON ST.
MARION, IN 46953
765.677.2340 | 765.677.2020 FAX
[email protected]
INDWES.EDU/IT

_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
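The failure mode in the post is a silent mismatch between the two halves of the setup: the PacketFence switches.conf credentials and the SNMPv3 users actually defined on the IOS switch, in particular the privacy protocol (AES on one side, des56 on the other) and the fact that the trap settings in PacketFence must equal the credentials of whichever user the switch names on its `snmp-server host ... version 3 priv <user>` line. The following script is an added example, not PacketFence's own code or anything from the post: it parses a constructed switches.conf `[default]` section and a constructed IOS snippet that mirror the values above, and reports every inconsistency without echoing the passwords. The mapping of the IOS keyword `aes 128` onto PacketFence's `AES` value, and the restriction of the parser to the `snmp-server user`/`snmp-server host` syntax shown in the post, are assumptions of this example.

```python
"""Consistency check: PacketFence switches.conf SNMPv3 settings vs. Cisco IOS snmp-server config.
Added example (not PacketFence code). Sample inputs below are constructed, not real credentials."""
import configparser
import re

# Constructed switches.conf section mirroring the post's example values.
PF_SWITCHES_CONF = """\
[default]
SNMPVersion=3
SNMPUserNameRead=readUser
SNMPAuthProtocolRead=MD5
SNMPAuthPasswordRead=authpwdread
SNMPPrivProtocolRead=AES
SNMPPrivPasswordRead=privpwdread
SNMPUserNameWrite=writeUser
SNMPAuthProtocolWrite=MD5
SNMPAuthPasswordWrite=authpwdwrite
SNMPPrivProtocolWrite=AES
SNMPPrivPasswordWrite=privpwdwrite
SNMPVersionTrap=3
SNMPAuthProtocolTrap=MD5
SNMPAuthPasswordTrap=authpwdread
SNMPPrivProtocolTrap=AES
SNMPPrivPasswordTrap=privpwdread
"""

# Constructed IOS snippet (engineID and host IP are sample values).
CISCO_CONFIG = """\
snmp-server engineID local AA5ED139B81D4A328D18ACD1
snmp-server group readGroup v3 priv
snmp-server group writeGroup v3 priv read v1default write v1default
snmp-server user readUser readGroup v3 auth md5 authpwdread priv aes 128 privpwdread
snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv aes 128 privpwdwrite
snmp-server enable traps port-security
snmp-server host 192.168.1.5 version 3 priv readUser port-security
"""

# Only the "snmp-server user ... v3 auth ... [priv ...]" and "snmp-server host ... version 3"
# forms seen in the post are parsed (assumption: other IOS variants are out of scope here).
USER_RE = re.compile(
    r"^snmp-server user (\S+) (\S+) v3 auth (md5|sha) (\S+)"
    r"(?: priv (des56|des|3des|aes(?: (?:128|192|256))?) (\S+))?", re.MULTILINE)
HOST_RE = re.compile(r"^snmp-server host (\S+) version 3 (noauth|auth|priv) (\S+)", re.MULTILINE)


def norm_priv(proto):
    """Map IOS privacy keywords onto PacketFence names (assumed: 'aes 128' <-> 'AES', 'des56' <-> 'DES')."""
    p = proto.lower().replace("des56", "des")
    return "AES" if p == "aes 128" else p.replace(" ", "").upper()


def parse_pf(text, section="default"):
    """Extract the SNMPv3 read/write/trap credentials from a switches.conf section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written (SNMPAuthProtocolRead, ...)
    cp.read_string(text)
    s = cp[section]

    def creds(role):
        return {"auth_proto": s.get(f"SNMPAuthProtocol{role}", "").upper(),
                "auth_pwd": s.get(f"SNMPAuthPassword{role}", ""),
                "priv_proto": s.get(f"SNMPPrivProtocol{role}", "").upper(),
                "priv_pwd": s.get(f"SNMPPrivPassword{role}", "")}

    return {"version": s.get("SNMPVersion", ""), "trap_version": s.get("SNMPVersionTrap", ""),
            "read": dict(user=s.get("SNMPUserNameRead", ""), **creds("Read")),
            "write": dict(user=s.get("SNMPUserNameWrite", ""), **creds("Write")),
            "trap": creds("Trap")}


def parse_cisco(text):
    """Extract SNMPv3 users and v3 trap hosts from an IOS running-config excerpt."""
    users = {}
    for name, group, aproto, apwd, pproto, ppwd in USER_RE.findall(text):
        users[name] = {"group": group, "auth_proto": aproto.upper(), "auth_pwd": apwd,
                       "priv_proto": norm_priv(pproto) if pproto else "", "priv_pwd": ppwd}
    hosts = [{"ip": ip, "level": lvl, "user": user} for ip, lvl, user in HOST_RE.findall(text)]
    return {"users": users, "hosts": hosts}


FIELDS = ("auth_proto", "auth_pwd", "priv_proto", "priv_pwd")


def describe(field, want, have):
    # Passwords are never echoed; only protocol names are shown in the report.
    return f"{field} differs" if field.endswith("_pwd") else f"{field} differs (PF={want!r}, switch={have!r})"


def check(pf, cisco):
    """Return a list of human-readable inconsistencies (empty list means the two configs agree)."""
    issues = []
    if pf["version"] != "3":
        issues.append(f"SNMPVersion is {pf['version']!r}, expected 3")
    for role in ("read", "write"):  # PF -> switch direction
        want, have = pf[role], cisco["users"].get(pf[role]["user"])
        if have is None:
            issues.append(f"{role}: user {want['user']!r} is not defined on the switch")
            continue
        issues += [f"{role}: " + describe(f, want[f], have[f]) for f in FIELDS if want[f] != have[f]]
    if not cisco["hosts"]:
        issues.append("no 'snmp-server host ... version 3' line: switch will not send traps to PF")
    for h in cisco["hosts"]:  # switch -> PF direction: trap creds must match the host line's user
        tag = f"trap to {h['ip']} via user {h['user']!r}"
        if pf["trap_version"] != "3":
            issues.append(f"{tag}: SNMPVersionTrap is {pf['trap_version']!r}, expected 3")
        u = cisco["users"].get(h["user"])
        if u is None:
            issues.append(f"{tag}: user not defined on the switch")
            continue
        if h["level"] == "priv" and not u["priv_proto"]:
            issues.append(f"{tag}: host line requires priv but the user has no privacy protocol")
        issues += [f"{tag}: " + describe(f, pf["trap"][f], u[f]) for f in FIELDS if pf["trap"][f] != u[f]]
    return issues


if __name__ == "__main__":
    for line in check(parse_pf(PF_SWITCHES_CONF), parse_cisco(CISCO_CONFIG)) or ["OK: configs agree"]:
        print(line)
```

Feeding the real files is a matter of replacing the two constructed strings with `open(...).read()` of switches.conf and of a `show run | include snmp-server` capture; the trap check is what flags the des56-versus-AES discrepancy the post describes, because the switch user named on the host line is what PacketFence's trap settings have to match.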
