On 05/10/2012 06:27 AM, [email protected] wrote:
> According to the admin guide and this mail:
> http://www.mail-archive.com/[email protected]/msg00661.html
> I try to make SNMPv3 work, but I don't have crypto on my Cisco 3560...
> So I try this:
> 
> On PacketFence:
> 
> [IP of switch]
> type=Cisco::Catalyst_3560
> mode=production
> vlans=10,20,30
> normalVlan=10
> registrationVlan=20
> isolationVlan=30
> 
> SNMPVersion=3
> SNMPEngineID = XXXXXXXXXXX (obtain with "show snmp engineid")
> SNMPUserNameRead=readUser
> SNMPAuthProtocolRead=MD5
> SNMPAuthPasswordRead=authpwdread
> SNMPPrivProtocolRead=
> SNMPPrivPasswordRead=
> SNMPUserNameWrite=writeUser
> SNMPAuthProtocolWrite=MD5
> SNMPAuthPasswordWrite=authpwdwrite
> SNMPPrivProtocolWrite=
> SNMPPrivPasswordWrite=
> SNMPVersionTrap=3
> SNMPAuthProtocolTrap=MD5
> SNMPAuthPasswordTrap=authpwdread
> SNMPPrivProtocolTrap=
> SNMPPrivPasswordTrap=
> 
> 
> Cisco 3560 config (ios : c3560-ipbase-mz.122-50.SE5.bin):
> service encryption
> snmp-server group readGroup v3 auth
> snmp-server group writeGroup v3 auth read v1default write v1default
> snmp-server user readUser readGroup v3 auth md5 authpwdread
> snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite
> snmp-server enable traps port-security
> snmp-server enable traps port-security trap-rate 1
> snmp-server host "IP my PF Server" version 3 auth readUser port-security
> 
> 
> show snmp user command:
> User name: readUser
> Engine ID: XXXXXXXXXXXXXXXXXXX
> storage-type: nonvolatile      active
> Authentication Protocol: MD5
> Group-name: readGroup
> 
> User name: writeUser
> Engine ID: XXXXXXXXXXXXXXXXXXX
> storage-type: nonvolatile      active
> Authentication Protocol: MD5
> Group-name: writeGroup
> 
> and show run command:
> snmp-server group readGroup v3 auth notify *tv.00000000.00000000.00000000.000002000F
> snmp-server group writeGroup v3 auth write v1default
> snmp-server enable traps port-security
> snmp-server enable traps port-security trap-rate 1
> snmp-server host "IP of PF" version 3 auth readUser  port-security
> 
> When I am restarting PacketFence I have some warnings about switches.conf and this line:
> Use of uninitialized value in concatenation (.) or string at /usr/local/pf/lib/pf/services/snmptrapd.pm line 92.
> Use of uninitialized value in concatenation (.) or string at /usr/local/pf/lib/pf/services/snmptrapd.pm line 92.
> Use of uninitialized value in concatenation (.) or string at /usr/local/pf/lib/pf/services/snmptrapd.pm line 92.
> Use of uninitialized value in concatenation (.) or string at /usr/local/pf/lib/pf/services/snmptrapd.pm line 92.
> 
> So can I use SNMPv3 without AES or DES?
> 
> 

I don't think we support SNMPv3 without priv or auth. The 'uninitialized
value' warnings are definitely coming from your empty SNMPv3 Priv parameters
in conf/switches.conf.

You are sure that this switch doesn't support DES or 3DES?

Without Priv I see no reason to go with SNMPv3 and I would advise switching
to v2c for this switch type.

If you absolutely need SNMPv3 even if not secure, then open a feature
ticket on http://packetfence.org/bugs and we'll try to add support for
it. It shouldn't be too hard.

-- 
Olivier Bilodeau
[email protected]  ::  +1.514.447.4918 *115  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
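To illustrate the empty-Priv case the reply points at, here is an added example (not PacketFence's own snmptrapd.pm) that turns a switches.conf-style trap section into net-snmp snmptrapd.conf createUser/authUser directives and derives the security level (noauth, auth or priv) from which credentials are actually set, instead of concatenating empty fields. The sample section is constructed, its engine ID is a placeholder, and the SNMPUserNameTrap key name is an assumption.

```python
import configparser

# Constructed sample modelled on the section quoted in the thread; the engine
# ID is a made-up placeholder and SNMPUserNameTrap is an assumed key name.
SAMPLE_SWITCHES_CONF = """
[192.0.2.10]
SNMPVersionTrap=3
SNMPEngineID=800000090300AABBCCDDEEFF
SNMPUserNameTrap=readUser
SNMPAuthProtocolTrap=MD5
SNMPAuthPasswordTrap=authpwdread
SNMPPrivProtocolTrap=
SNMPPrivPasswordTrap=
"""

def security_level(auth_proto, priv_proto):
    """Map the credentials that are set to an snmptrapd authUser level."""
    if priv_proto:
        if not auth_proto:
            raise ValueError("SNMPv3 has no priv-without-auth level")
        return "priv"
    return "auth" if auth_proto else "noauth"

def snmptrapd_v3_directives(section):
    """Return the createUser and authUser lines for one switch section."""
    get = lambda key: (section.get(key) or "").strip()
    engine, user = get("SNMPEngineID"), get("SNMPUserNameTrap")
    auth_proto, auth_pass = get("SNMPAuthProtocolTrap"), get("SNMPAuthPasswordTrap")
    priv_proto, priv_pass = get("SNMPPrivProtocolTrap"), get("SNMPPrivPasswordTrap")
    if not (engine and user):
        raise ValueError("SNMPv3 traps need SNMPEngineID and a trap user")
    level = security_level(auth_proto, priv_proto)
    parts = ["createUser", "-e", engine, user]
    # Append only the protocol/passphrase pairs that are configured, so an
    # empty Priv setting never leaves a dangling field in the directive.
    for proto, passphrase in ((auth_proto, auth_pass), (priv_proto, priv_pass)):
        if proto:
            if not passphrase:
                raise ValueError(f"{proto} configured without a passphrase")
            parts += [proto, passphrase]
    return " ".join(parts), f"authUser log,execute {user} {level}"

def render(conf_text):
    """Parse switches.conf text and emit directives for every v3 trap section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    lines = []
    for name in cp.sections():
        if cp[name].get("SNMPVersionTrap", "").strip() == "3":
            lines.extend(snmptrapd_v3_directives(cp[name]))
    return lines
```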
