
Troubleshooting SNMPv3 Encryption and Authentication Issue on Cisco Router
Explore the challenges faced in enabling SNMPv3 encryption and authentication on a Cisco router, affecting communication with a radio device. Learn how Wireshark analysis revealed the lack of security measures, hindering successful data transmission.
Presentation Transcript
Set up a Cisco router to SNMPv3 query a 117G running ANW2 for an OID value
Cisco 891 router running Version 15.1(4)M4
117G radios running ODIA code for ANW2C
Radios already configured for SNMPv3 operation and working with SNMPc manager (IP 192.168.1.103/24)
Router interface (192.168.1.254/24) is connected to Radio 01 interface (192.168.1.1/24)
Cisco configuration (in theory all that is needed for this to work)
#Enable SNMP manager service
conf t
snmp-server manage
#Setup SNMP management all done under conf t
#Set up "View1" as a view for use by users and groups and allow it to query top of the tree
snmp-server view view1 1.3.6.1.4* included
#Setup the group "test" and set the security for the group to SNMPv3, point to view1 for views
snmp-server group test v3 priv read view1 write view1
#Setup the user using same info SNMP manager is successfully using
#user = sysadmin authpw = thisisauthstring and privpw = thisisprivstring
snmp-server user sysadmin test v3 auth sha thisisauthstring priv aes 128 thisisprivstring
Cisco configuration continued
#Maybe specifics to target host need to be set (didn't resolve issue)
snmp-server host 192.168.1.1 version 3 priv sysadmin
#Maybe EngineID cannot be default; command to change EngineID to 1234567890 (didn't resolve issue)
snmp-server engineID remote 192.168.1.1 udp-port 161 1234567890
The problem appears to be that the Cisco is not encrypting the packet payload or including Auth/Priv information
#Command to router to send query to radio using SNMPv3, use sysadmin as user and poll for the oid value
snmp get v3 192.168.1.1 sysadmin oid 1.3.6.1.4.1.290.3.5.1.2.2.1.3
Router responds with Request Failed
#Turning on debug snmp headers, the following comes in after an attempt. The problem field is bolded and underlined.
Outgoing SNMP packet
Mar 4 14:21:23.315: v3 packet security model: v3 security level: noauth
Mar 4 14:21:23.315: username: sysadmin
Mar 4 14:21:23.315: snmpEngineID: 800000090300E4D3F1741948
Mar 4 14:21:23.315: snmpEngineBoots: 1 snmpEngineTime: 67086
Mar 4 14:21:23.319: Incoming SNMP packet
Mar 4 14:21:23.319: v3 packet security model: v3 security level: noauth
Mar 4 14:21:23.319: username: sysadmin
Mar 4 14:21:23.319: snmpEngineID: 800000090300E4D3F1741948
Mar 4 14:21:23.319: snmpEngineBoots: 0 snmpEngineTime: 0
Looking at the exchange using Wireshark, the router is indeed not using the Auth/Priv security level for some reason
Here is a packet capture from an exchange between the SNMP manager and the radio showing the proper encryption and auth/priv
Subsequent testing using the SNMPc manager to poll the router shows the router using SNMPv3 with auth/priv correctly (verified with debug and Wireshark). This outgoing issue seems to be either an IOS bug or some hidden configuration that was missed. In the router, the feature does not seem as complete as other features. The tried and true "?" doesn't work for some commands and configurations, and documentation is very spotty.
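
What the two Wireshark comparisons above come down to on the wire, as an added example that is not part of the original presentation: a small Python decoder that reads msgFlags and the USM security parameters from an SNMPv3 message and reports the security level actually used. Both packets are constructed samples that reuse the user name and snmpEngineID from the debug output; the helper names are illustrative, and zero bytes stand in for the MAC, salt and ciphertext.

```python
# Added example. Packets below are constructed for illustration, not captures from the page.
FLAG_AUTH, FLAG_PRIV, FLAG_REPORTABLE = 0x01, 0x02, 0x04    # msgFlags bits, RFC 3412
ENGINE_ID = bytes.fromhex("800000090300E4D3F1741948")       # snmpEngineID from the debug output

def enc(tag, body):  # BER-encode one TLV (bodies under 256 bytes, enough for the samples)
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body

def tlv(buf, pos=0):
    """Read one BER TLV at pos and return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                       # long form: low 7 bits = length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def children(buf):  # split a constructed value into its (tag, value) members
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        out.append((tag, val))
    return out

def security_summary(packet):
    """Report what one SNMPv3 message says on the wire about auth and priv."""
    _version, header, secparams, data = children(tlv(packet)[1])
    flags = children(header[1])[2][1][0]                    # msgFlags: 1-byte OCTET STRING
    usm = children(tlv(secparams[1])[1])                    # USM SEQUENCE wrapped in an OCTET STRING
    level = ("authPriv" if flags & FLAG_PRIV else "authNoPriv") if flags & FLAG_AUTH else "noAuthNoPriv"
    return {"level": level, "user": usm[3][1].decode(),
            "auth_params_len": len(usm[4][1]),              # 12 with HMAC-SHA-96, 0 if unauthenticated
            "priv_params_len": len(usm[5][1]),              # 8-byte salt with AES, 0 if unencrypted
            "pdu_encrypted": data[0] == 0x04}               # OCTET STRING = ciphertext, SEQUENCE = plaintext

def build(flags, auth, priv, data):  # assemble a sample message for user sysadmin (constructed input)
    header = enc(0x30, enc(2, b"\x01") + enc(2, b"\x05\xdc") + enc(4, bytes([flags])) + enc(2, b"\x03"))
    usm = enc(0x30, enc(4, ENGINE_ID) + enc(2, b"\x01") + enc(2, b"\x01\x06\x0e")
              + enc(4, b"sysadmin") + enc(4, auth) + enc(4, priv))
    return enc(0x30, enc(2, b"\x03") + header + enc(4, usm) + data)

GET_PDU = enc(0xA0, enc(2, b"\x01") + enc(2, b"\x00") + enc(2, b"\x00") + enc(0x30, b""))
NOAUTH = build(FLAG_REPORTABLE, b"", b"", enc(0x30, enc(4, ENGINE_ID) + enc(4, b"") + GET_PDU))
AUTHPRIV = build(0x07, bytes(12), bytes(8), enc(4, bytes(48)))  # zero bytes stand in for MAC, salt, ciphertext

if __name__ == "__main__":
    for name, pkt in (("noauth sample", NOAUTH), ("authPriv sample", AUTHPRIV)):
        print(name, security_summary(pkt))
```

A request that was meant to be authPriv but decodes as noAuthNoPriv with empty auth and priv parameters and a plaintext PDU matches the "security level: noauth" line in the router debug.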