AP7920 with snmpv3

BillP · ‎2021-06-28

Hello,

I have an AP7920 and I cannot get snmpv3 working with it. snmpv1 works fine

I have in the Snmp > Settings menu

SNMPv3 Access : Enabled

Snmp > SNMPv3 User Profile 1

User Name = mytest1234

Access Type = No Auth/No Priv

But it fails

$ snmpwalk -v 3 -u mytest1234 -l NoauthNoPriv 192.168.1.1

snmpwalk: Unknown user name

And it's the same with Auth/No Priv

$ snmpwalk -v 3 -u mytest1234 -a MD5 -A mystring123456789 -l authNoPriv 192.168.1.1

snmpwalk: Authentication failure (incorrect password, community or key)

And with Auth/Priv

$ snmpwalk -v 3 -u mytest1234 -a MD5 -A mystring123456789 -x AES -X azertyuiopqsdfghjklm -l authPriv 192.168.1.1

Timeout: No Response from 192.168.1.1

I accept changes after every change and logout before testing. I use the latest firmware version aos 374

Also the APC implementation looks like it doesn't comply fully with RFC2574. It specifies that passwords are at least 8 characters long but the AOS APC expects much more.

If we enter a 8 character strings for the passwords it displays "bad data" after we accept changes.

Has anyone succeed in making snmpv3 working ?

Anonymous user · ‎2021-06-28

Mik,

It's a shame this thread was dropped. Did you ever get v3 working?

I'm having issue with it as well, this implemention is horrid.

~Desert

See Answer In Context

BillP · ‎2021-06-28

Are you limited to trying this snmpwalk utility?

I am able to add/monitor a PDU using authentication/privacy on SNMPv3 to be monitored by a StruxureWare Data Center Expert - that is the only thing I currently have access to in order to speak SNMPv3 to devices. I added a PDU using the same firmware you mentioned. I used a 20 character authentication and privacy passphrase.

BillP · ‎2021-06-28

Hello Angela,

I use snmpwalk, snmpget, snmpbulkwalk, snmpgetbulk. Actually it's all the commands that most monitoring application use to retrieve informations on *nix platforms.

In my previous message I wrote that I used AES but actually I tested it with DES. The AP7920 supports only DES.

However I just found where was the problem. The ACL needs to be enabled explicitly. That is very strange because with most other vendors (Cisco for example) no filtering is applied when the ACL is disabled. Here yes

So it works but the snmpwalk very very slow when snmpv3 is used.

The full snmpwalk takes 7s with snmpv1 and...x with snmpv3. The overhead is very important.

I wondering if you could test it and let the developpers know about it.

Also regarding the password and passphrase length because the password according to RFC2574 should be at least 8 characters long. So most people expect their password between 8 and 14 characters to work fine.

But APC devices require 15 characters minimum. I think this is not right.

In a production network you tend to configure one snmp user that will poll (read) all the devices (APC, Cisco, Juniper, etc) so the same login/password is used. Now if one day a customer (who use a 8 characters long password) buys APC devices and want to poll them in snmpv3 (with security of course) he will have either, to create a specific use a new login/password to monitor APC devices only or change the password on all of his other devices so that the password length will be 15 characters long at least.

Moreover, when you configure a 9 character passwords in CLI, the system write "bad data" after you apply the changes. "bad data" is not very very explicit, at least it should return a message saying "password should be minimum 15 characters long"

Fourth point DES is not considered as secured. People tend to use 3DES or AES

If you could transmit this to the developpers, I'm sure APC clients will enjoy these improvements.

Anonymous user · ‎2021-06-28

Mik,

It's a shame this thread was dropped. Did you ever get v3 working?

I'm having issue with it as well, this implemention is horrid.

~Desert