SNMP v3?

[perldork]

Hi,

Anyone working on adding SNMP v3 support to Cacti? I understand that I can write a custom script that will do SNMP v3 myself for now .. just curious if anyone knows if this is a feature that will be added to Cacti's built-in SNMP client anytime soon .. if not, I could take a crack at it .. or does the php-snmp module not support SNMP v3 yet?

[TheWitness]

Yes php does. Unfortunately, we have not been focusing on SNMP v3. Could you please provide user interface design information for us to help with the design?

I know that the following may be required:

UserID, Password, Passphrase, ????

Then, in addition to the above, could you please research the php.net website for documentation and provide sample code for producing a snmpv3 call. If you can do that much, I can program the rest.

TheWitness

[perldork]

Be glad to help if I can.

In addition to UserID

* engineId (optional)
* contextName (optional)
* Authentication passphrase - password
* Privacy passphrase - (for using encrypted PDUs)

Where did you see information for using the above SNMP v3 specific fields with PHP? I didn't see any mention of SNMP v3 in the php.net docs beyond that it supports v3 .. I will search again, but please let me know if you remember where you saw docs that talked about using the full SNMP v3 feature set! I did a bunch of Net::SNMP scripts with perl using SNMP v3 today that I could call for use in data templates to build my own SNMP v3 input data methods/graph/host templates and data templates .. scripts were easy to build.

By user interface design, do you mean a static HTML mockup?

[TheWitness]

It does not appear well documented on the PHP Web site. It looks like they need some contribs. Here is the source code.

Larry

[perldork]

Working examples for all retrieval functions done:
* snmp3_get
- returns single value as string
* snmp3_getnext
- returns single value as string or null if no more values
* snmp3_walk
- returns array of values
* snmp3_real_walk
- returns associative array of OID/value pairs

Argument list for all above functions:

[perldork]

So, additions to the user interface design (different than what I initially thought):

Drop down lists:

Security level:
* noAuthNoPriv - No authentication, no privacy
* authNoPriv - Authentication, no privacy
* authPriv - Authentication and privacy

Authentication protocol:
* MD5 (default)
* SHA

Privacy protocol:
* DES (default) - only one that works with net-SNMP as of version 5.1.2
* AES128
* AES192
* AES256

Text input boxes:

Authentication passphrase (plain text, not hex string)
Privacy passphrases (plain text, not hex string)
Authentication username[/url][/b]

[TheWitness]

Should the SNMP options be on a per-host basis?

Great work thus far.

TheWitness

[perldork]

I am enjoying this , thank you for giving me the chance to help out.

I noticed that the php-snmp module is not very fault tolerant; I accidentally passed an OID to the snmp_walk() function that didn't have any children and php segfaulted and dumped core :p.

SNMP v3 users are configured on a per-agent basis.

I wrote a little wrapper class for the snmp3 functions .. here it is, following the code examples refactored to use it.

[TheWitness]

For some reason I think that the the Authentication and Privacy Protocols can be system wide settings. Also, what about the two passphrases?

Thanks Again,

TheWitness

[TheWitness]

Here is the "New" SNMP Defaults Screen. What do you think?

TheWitness

[perldork]

Nice! I really like Cacti's UI design .

How come each passphrase has two text input boxes on your screen shot? Was that intentional?

Yes, for most installations, like with SNMP 1/2c, people will use common credentials across all managed devices.

However, I would definitely make sure that there is the ability to override these settings on a device-by-device basis as there is with SNMP 1/2c.

Managed hosting providers, for example, may have each agent set up with a different username and password for security purposes. Some network security policies will also undoubtably require that every agent use a unique username and passphrase.

Will you be including javascript to enable/disable the authentication/privacy related input widgets on the screen based on the user's security level choice or some kind of visual clue to tell a user what is required and what is not based on their security level choice?

[perldork]

I was thinking about this a bit more .. instead of having the security level drop down, how about designing the GUI so that the user's choice to enable authentication/privacy let you know implicitly which mode to choose without the additional select box .. or is this making the UI logic too complex?

I have the javascript and bare-bones HTML for this mocked up here ..
* Privacy options only available for selection if authentication chosen
* Authentication username/password only available if authentication is chosen
* Privacy username/password only available if privacy is chosen

http://ensim.webscorpion.com/scripts/cacti/snmp.html

[TheWitness]

Are you suggesting that there are two possible usernames? I like the interface. I don't beleive that this is supportable in native PHP. However, we can get close or possibly integrate the Javascript right in the hosts page. Let's keep it up.

TheWitness

[TheWitness]

Also, if there is no authentication or privacy protocol, is the device just open to users to poll?

TheWitness

[TheWitness]

Also,

The reason for the two boxes is to both Hide and double check the passphrases so you don't get them wrong. It is a default PHP form for Passwords.

Here is my latest cut. Although Java is kool. It's a major change to the UI that I don't want to spend time on now. Therefore, this will have to do for now.

TheWitness