SNMPv3 via RADIUS

Started by NetworkGroover, January 26, 2016, 10:10:06 AM

NetworkGroover

Anyone done this before?  Anyone mind providing what a sample config would look like?  Trying to wrap my head around this.  Thanks.
Engineer by day, DJ by night, family first always

dlots

I didn't even know this was possible, but it looks cool!! 

Everything I can find says that it might be possible but no one knows how.  If you figure it out please let us know!!

NetworkGroover

Quote from: dlots on January 26, 2016, 12:26:52 PM
I didn't even know this was possible, but it looks cool!! 

Everything I can find says that it might be possible but no one knows how.  If you figure it out please let us know!!

Haha - yeah it's defined in RFC 5608 but having a heck of a time finding out how it's actually done.  Seems like this customer found an RFC and was interested in it... seems as though it's not commonly deployed.
Engineer by day, DJ by night, family first always

deanwebb

On what vendor's equipment? Is it even supported on that platform?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

NetworkGroover

Quote from: deanwebb on January 26, 2016, 01:14:08 PM
On what vendor's equipment? Is it even supported on that platform?

Any?  lol
Engineer by day, DJ by night, family first always

deanwebb

Did a little googling... vendors and experts seem to like to mention that the RFC exists, but everyone only defines a local user in their SNMPv3 examples. Even Arista.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

NetworkGroover

Quote from: deanwebb on January 26, 2016, 01:51:24 PM
Did a little googling... vendors and experts seem to like to mention that the RFC exists, but everyone only defines a local user in their SNMPv3 examples. Even Arista.

Yeah, I've seen the same.  I'm wondering: if you just configure the user as part of a group, but the user exists on a RADIUS server, does it use your aaa config groups (like... aaa authentication group radius local bla bla) instead of considering it to be a local account? Good times.
Engineer by day, DJ by night, family first always

TheGreatDoc

Quote from: AspiringNetworker on January 26, 2016, 12:51:21 PM
Haha - yeah it's defined in RFC 5608 but having a heck of a time finding out how it's actually done.  Seems like this customer found an RFC and was interested in it... seems as though it's not commonly deployed.
Dude, you have customers looking for random RFCs or what?
a.k.a. Daniel.
I don't have any cert, just learned all by myself.

Otanx

Quote from: TheGreatDoc on January 27, 2016, 01:16:27 AM
Quote from: AspiringNetworker on January 26, 2016, 12:51:21 PM
Haha - yeah it's defined in RFC 5608 but having a heck of a time finding out how it's actually done.  Seems like this customer found an RFC and was interested in it... seems as though it's not commonly deployed.
Dude, you have customers looking for random RFCs or what?

It is probably someone like me who hates managing all their SNMP users on every box. Changing that password is a beast because of it, even scripting the changes. If I could centralize the credentials it would be much easier. Unfortunately none of our gear supports it. I don't think anyone does right now.

-Otanx

NetworkGroover

Quote from: TheGreatDoc on January 27, 2016, 01:16:27 AM
Quote from: AspiringNetworker on January 26, 2016, 12:51:21 PM
Haha - yeah it's defined in RFC 5608 but having a heck of a time finding out how it's actually done.  Seems like this customer found an RFC and was interested in it... seems as though it's not commonly deployed.
Dude, you have customers looking for random RFCs or what?

Aside from the usefulness Otanx mentioned, this particular group - yes this is common practice for them.  They always want to be bleeding edge which makes it challenging, but at the same time very educational and a lot of fun tinkering with stuff.

Right now I know of one vendor discussing this internally to see if it can be done.
Engineer by day, DJ by night, family first always