From: Olivier B. <obi...@in...> - 2010-03-24 14:26:22
Hi Adam,

Adam Brinker wrote:
> Hello,
>
> I recently set up a basic Packetfence server to use with vlan isolation
> and snmp v2c. After I got this implementation up and running, my
> superior asked me to look into the possibility of using snmp v3 for
> security purposes.
> I have set up a catalyst 2950 as a test switch, and configured it for
> use with v3; I have also used a simple graphical snmp scanner to test
> the device's settings and to make sure authentication works, which it did.
>
> My problem lies with Packetfence, either through some conf file that I
> may have overlooked or some oddball quirk. When I test the operation of
> PF with the pfcmd_vlan -getMAC command, I will see an initial burst of
> 2-way snmp traffic, followed by a series of retries from the server to
> the switch every second, but with no response from the switch.
>
> I ran the command with a verbose level of 4, and this is what it is
> returning:
>
> [root@packetfence bin]# ./pfcmd_vlan -getMAC -switch 192.168.1.100
> -verbose 4 -ifIndex 7
> ...
> 2010/03/18 10:12:52 (365) pf::SNMP::Cisco::getMacBridgePortHash
> SNMP v3 get_table for dot1dBasePortIfIndex: 1.3.6.1.2.1.17.1.4.1.2

We have seen SNMPv3 work on Cisco hardware; however, it is not something
that is quite popular in our customer base.

getMacBridgePortHash needs to do things differently between v3 and earlier
versions. This is because of Cisco's way of exposing MAC addresses /
ifIndexes per VLAN, called SNMP Community String Indexing [1]. On v3, the
way to do this is by setting the contextName (a v3 property). We are doing
this in the code.

Reading here, I see that you might need to expose your specific VLAN
contexts, but to me it's not clear if you need to activate it or not:
https://supportforums.cisco.com/message/640192?tstart=0

What I would suggest:

- First make sure you can authenticate and read on your switch with SNMP
  walk:

    snmpwalk -v 3 -a <authProtocol> -x <privProtocol> -l authPriv <switch ip> sysDescr.0

  Note: You might have to mess a bit with that command, I haven't tested.
  Check `man snmpcmd`.

- If the above worked, then try adding the context by hand (like
  packetfence does for getMacBridgePortHash) and see the error or result
  you get. For example, to get the table for vlan 20:

    snmpwalk ... -n vlan_20 1.3.6.1.2.1.17.1.4.1.2

  (-n sets the contextName)

  Send us your result of this step please; I could trap the error and
  output relevant information in the logs.

- If the above didn't work, I would try the recommendation in the above
  post, adding (in vlan 20's example):

    snmp-server group v3group v3 auth context vlan-20

  then try the walk again.

>
> Are there any other fields that would conflict with these settings?
>

Not to my knowledge.

Let us know how it goes. I would be very interested to know, and I would
modify the code or documentation according to your findings.

Thanks,

[1] http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00801576ff.shtml

-- 
Olivier Bilodeau
obi...@in... :: +1.514.447.4918 *115 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.scalableogo.org) and PacketFence (www.packetfence.org)
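The three checks suggested in the reply, folded into one diagnostic script (added example code, not from this thread or from PacketFence): it runs the SNMPv3 authPriv walk, selects a contextName per VLAN with -n, and reports which VLAN contexts the v3 user can actually read, so a silent "no response" on one context stands out from a switch that simply cannot be reached. It assumes net-snmp's snmpwalk, SHA/AES with placeholder credentials, the vlan-<id> context naming used in the snmp-server line above, and a hypothetical SNMPWALK override variable.

```shell
#!/bin/sh
# Added example, not from the thread or PacketFence: walk Cisco's per-VLAN
# dot1dBasePortIfIndex table over SNMPv3 by selecting a contextName per VLAN
# (the v3 counterpart of v2c community string indexing) and report which
# VLAN contexts the v3 user can actually read.
# Assumptions: net-snmp's snmpwalk is installed; SHA/AES and the credentials
# are placeholders; contexts are named "vlan-<id>" as in the snmp-server line.

SNMPWALK="${SNMPWALK:-snmpwalk}"       # hypothetical override, lets the logic run without a switch
DOT1D_BASE_PORT_IFINDEX="1.3.6.1.2.1.17.1.4.1.2"   # OID from the pfcmd_vlan log above

# vlan_context_walk HOST USER AUTHPASS PRIVPASS VLAN
# Walks the bridge port table inside one VLAN context. Returns snmpwalk's
# status: non-zero on timeout (the "no response" symptom), auth failure or
# an unknown/unauthorised context.
vlan_context_walk() {
    "$SNMPWALK" -v 3 -l authPriv -u "$2" -a SHA -A "$3" -x AES -X "$4" \
        -n "vlan-$5" -t 2 -r 1 "$1" "$DOT1D_BASE_PORT_IFINDEX"
}

# check_vlan_contexts HOST USER AUTHPASS PRIVPASS VLAN...
# Prints "vlan-<id> ok <rows>" or "vlan-<id> FAIL" per VLAN and returns the
# number of VLANs whose context could not be read.
check_vlan_contexts() {
    host=$1; user=$2; authpass=$3; privpass=$4; shift 4
    failures=0
    for vlan in "$@"; do
        if out=$(vlan_context_walk "$host" "$user" "$authpass" "$privpass" "$vlan" 2>/dev/null) \
           && [ -n "$out" ]; then
            rows=$(printf '%s\n' "$out" | wc -l | tr -d ' ')
            echo "vlan-$vlan ok $rows"
        else
            # A context that exists but is not granted to the v3 group, and a
            # switch that silently drops the request, both land here.
            echo "vlan-$vlan FAIL"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Example run against the switch from the thread (credentials are placeholders):
# check_vlan_contexts 192.168.1.100 pfuser 'AuthPassPlaceholder' 'PrivPassPlaceholder' 1 20
```

A VLAN reported as FAIL while sysDescr.0 walks fine points at the context grant (the snmp-server group ... context line) rather than at credentials or reachability.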