Device I am trying to poll requires SHA512 - Authorization Error using HMAC384SHA512

Hello there!

I am trying to poll a Netgear switch using SNMPv3. The Netgear switch only provides support for SHA512; however, when I set the auth protocol in my manager setup to HMAC384SHA512 my requests consistently fail with "Authorization Error".

I have confirmed that the security name and auth password are set correctly and that I am using the correct engine ID.

When I use my SNMP manager to poll my custom SNMP agent with the same protocol (HMAC384SHA512) it works just fine, which suggests to me that HMAC384SHA512 isn’t compatible with the SHA512 algorithm on the switch.

I’m not too sure what else to try, and I’m really hoping that HMAC384SHA512 is compatible with plain SHA512.

Do you have any suggestions on how this can be resolved or what I could be doing wrong?

Many thanks!

Things to check:

  1. See the DEBUG log of SNMP4J for messages concerning your local security setup. Maybe something already goes wrong there.
  2. Is the HMAC384SHA512 added to your local USM security protocol set and is the USM user setup correctly with (localised) engine ID?
  3. Check the securityLevel you specified. Is it authNoPriv?
  4. Are you accessing the right OID?

Hope this helps.

Best regards,
Frank


I am using SNMP++ (apologies if I put this in the wrong section)

I get the following messages when trying to issue the requests:
05/01/2024 11:55:41.926 3992958528 DBG Attempting 'get_bulk' request on 6 entries
20240105.11:55:41: 139869602952768: (5)DEBUG : v3MP: Building message with (SecurityEngineID) (securityName) (securityLevel) (contextEngineID) (contextName): ( 80 00 11 AE 03 E0 46 EE 32 2E 4D …F.2.M
), (testuser), (1), ( 80 00 11 AE 03 E0 46 EE 32 2E 4D …F.2.M
), ()
20240105.11:55:41: 139869602952768: (A)DEBUG : ASN1: coding (context engine id) (context name): ( 80 00 11 AE 03 E0 46 EE 32 2E 4D …F.2.M
), ()
20240105.11:55:41: 139869602952768: (A)DEBUG : ASN1: Encoding scoped PDU sequence (len): (137)
20240105.11:55:41: 139869602952768: (8)INFO : v3MP::Cache: adding new entry (n) (msg id) (req id) (type): (0), (1180079), (27256), (local)
20240105.11:55:41: 139869602952768: (3)INFO : v3MP: Message built OK
20240105.11:55:41: 139869602952768: (4)DEBUG : SNMPMessage: return value for build message: (-1401)
20240105.11:55:41: 139869602952768: (A)DEBUG : MsgQueue: Adding entry (req id) (count): (27256), (1)
20240105.11:55:41: 139869602952768: (9)INFO : USMUserNameTable: Translated (user name) to (security name): (testuser), (testuser)
20240105.11:55:41: 139869602952768: (8)INFO : v3MP::Cache: Found entry (n) (msg id) (type): (0), (1180079), (local)
20240105.11:55:41: 139869602952768: (A)DEBUG : MsgQueue: Response received (req id) (status) (msg id): (27256), (16), (1180079)
20240105.11:55:41: 139869602952768: (E)DEBUG : MsgQueue: Adding engine id to table (addr) (id): (169.254.100.100/161), ( 80 00 11 AE 03 E0 46 EE 32 2E 4D …F.2.M
)
20240105.11:55:41: 139869602952768: (9)INFO : v3MP::EngineIdTable: adding new entry (id) (host) (port): ( 80 00 11 AE 03 E0 46 EE 32 2E 4D …F.2.M
), (169.254.100.100), (161)
20240105.11:55:41: 139869602952768: (2)INFO : v3MP::EngineIdTable: replace entry (old id) (old host) (old port) (id) (host) (port): ( 80 00 11 AE 03 E0 46 EE 32 2E 4D …F.2.M
), (169.254.100.100), (161), ( 80 00 11 AE 03 E0 46 EE 32 2E 4D …F.2.M
), (169.254.100.100), (161)
20240105.11:55:41: 139869602952768: (A)DEBUG : MsgQueue: Removed entry (req id): (27256)
05/01/2024 11:55:41.928 3992958528 DBG Failed to issue 'get_bulk' request on 6 entries: SNMP: Cannot perform operation, Authorization Error

I am fairly sure I'm setting up the USM user correctly, since SNMPv3 requests issued to my SNMP agent are working just fine:
m_usm->add_usm_user("testuser", SNMP_AUTH_PROTOCOL_HMAC384SHA512, SNMP_PRIVPROTOCOL_NONE, "testpassword", "");

I am also fairly sure the engine ID is correct, as I'm getting it by polling the OID "1.3.6.1.6.3.10.2.1.1" using SNMPv2c prior to issuing SNMPv3 requests (which works fine when testing against my agent implementation).

The securityLevel is definitely being set to authNoPriv (2)

And I am certain that the OID is correct since polling the same OIDs with SNMPv2c is consistently successful.

I feel like I might be missing something… but can you confirm that HMAC384SHA512 should work fine with the netgear switch that only specifies SHA512?

Thanks for your help!
Eddie
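The engine ID in the log above can be checked against the SnmpEngineID layout from RFC 3411 before it is trusted for key localisation. The decoder below is an added example written for this thread; it is not code from the posters or from SNMP++. It takes the hex dump as the SNMP++ log prints it and splits it into the enterprise number, the format octet and the trailing data. The constant `kSwitchEngineId` holds the bytes from the log; every other name is this example's own.

```cpp
// Added example, not code from the thread or from SNMP++: decode an SNMPv3
// engine ID according to the SnmpEngineID textual convention (RFC 3411,
// section 5), so the value discovered via snmpEngineID.0 can be sanity-checked
// before it is used to localise the USM user's key.
#include <cstdint>
#include <iomanip>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

struct EngineIdInfo {
    bool valid = false;
    bool rfc3411_format = false; // bit 7 of the first octet set: RFC 3411 layout
    uint32_t enterprise = 0;     // IANA private enterprise number (31 bits)
    int format = -1;             // fifth octet, RFC 3411 format indicator
    std::string detail;          // rendering of the octets that follow
};

// Hex-render b[from..] as "AA:BB:CC" style with the given separator.
static std::string hex_join(const std::vector<uint8_t>& b, size_t from, char sep) {
    std::ostringstream o;
    for (size_t i = from; i < b.size(); ++i) {
        if (i > from) o << sep;
        o << std::uppercase << std::hex << std::setw(2) << std::setfill('0')
          << static_cast<int>(b[i]);
    }
    return o.str();
}

EngineIdInfo decode_engine_id(const std::vector<uint8_t>& id) {
    EngineIdInfo info;
    if (id.size() < 5 || id.size() > 32) return info; // SnmpEngineID is SIZE (5..32)
    info.enterprise = (uint32_t(id[0] & 0x7F) << 24) | (uint32_t(id[1]) << 16) |
                      (uint32_t(id[2]) << 8) | id[3];
    if ((id[0] & 0x80) == 0) {
        // Pre-RFC 3411 layout: enterprise number plus exactly 8 opaque octets.
        info.valid = (id.size() == 12);
        info.detail = hex_join(id, 4, ' ');
        return info;
    }
    info.rfc3411_format = true;
    info.format = id[4];
    const size_t rest = id.size() - 5;
    switch (info.format) {
    case 1: // IPv4 address
        if (rest != 4) return info;
        info.detail = std::to_string(id[5]) + "." + std::to_string(id[6]) + "." +
                      std::to_string(id[7]) + "." + std::to_string(id[8]);
        break;
    case 2: // IPv6 address
        if (rest != 16) return info;
        info.detail = hex_join(id, 5, ' ');
        break;
    case 3: // MAC address
        if (rest != 6) return info;
        info.detail = hex_join(id, 5, ':');
        break;
    case 4: // administratively assigned text, 1..27 octets
        if (rest < 1 || rest > 27) return info;
        info.detail.assign(id.begin() + 5, id.end());
        break;
    case 5: // administratively assigned octets, 1..27 octets
        if (rest < 1 || rest > 27) return info;
        info.detail = hex_join(id, 5, ' ');
        break;
    default: // 0 and 6..127 are reserved; 128..255 are enterprise-specific
        if (info.format < 128) return info;
        info.detail = hex_join(id, 5, ' ');
        break;
    }
    info.valid = true;
    return info;
}

// Turn the space-separated hex dump printed by the SNMP++ log into bytes.
std::vector<uint8_t> parse_hex_dump(const std::string& dump) {
    std::vector<uint8_t> out;
    std::istringstream in(dump);
    std::string tok;
    while (in >> tok) out.push_back(static_cast<uint8_t>(std::stoul(tok, nullptr, 16)));
    return out;
}

// Engine ID exactly as it appears in the log lines in the thread.
const char* const kSwitchEngineId = "80 00 11 AE 03 E0 46 EE 32 2E 4D";

int main() {
    EngineIdInfo i = decode_engine_id(parse_hex_dump(kSwitchEngineId));
    std::cout << "valid=" << i.valid << " rfc3411=" << i.rfc3411_format
              << " enterprise=" << i.enterprise << " format=" << i.format
              << " detail=" << i.detail << '\n';
    return i.valid ? 0 : 1;
}
```

For the logged value this yields enterprise 4526 (the IANA number registered to Netgear), format 3 and the MAC address E0:46:EE:32:2E:4D, i.e. a well-formed, device-generated engine ID rather than a truncated or default one, which rules out the engine ID as the cause of the error.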

I have found the cause of the issue!

It turns out the security level was in fact not being set correctly. I had some functionality for setting the security level based on the configured auth and priv protocols and thought that it was being applied to the PDU, but the default security level (NOAUTH_NOPRIV) was actually being applied to the PDU.

I am now correctly assigning the security level and it’s working nicely.

Thank you so much for your help!

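The slip described in the resolution, a request going out at the default noAuthNoPriv while the USM user carries a SHA-512 auth key, is easy to guard against on the manager side. The block below is an added example written for this thread, not code from the posters or from SNMP++: it derives the security level from the user's protocols, encodes it into the SNMPv3 msgFlags octet, lists the msgAuthenticationParameters length each auth protocol produces, and rejects a request whose level is below what the user supports. The enums and function names are this example's own stand-ins, not SNMP++ identifiers; the securityLevel values 1..3 are SNMP's standard enumeration, matching the "(2)" for authNoPriv quoted earlier in the thread.

```cpp
// Added example, not code from the thread or from SNMP++: derive the USM
// securityLevel from a user's auth/priv protocols, encode it into the SNMPv3
// msgFlags octet (RFC 3412, section 6), and refuse to send a request at a
// lower level than the user's credentials provide. The enums below are
// hypothetical stand-ins, not SNMP++'s own identifiers.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <string>

enum class AuthProto { None, HmacMd5, HmacSha1, HmacSha224, HmacSha256, HmacSha384, HmacSha512 };
enum class PrivProto { None, Des, Aes128 };
enum SecurityLevel { NoAuthNoPriv = 1, AuthNoPriv = 2, AuthPriv = 3 };

struct UsmUser { std::string name; AuthProto auth; PrivProto priv; };

// The highest level a user's protocols support (RFC 3414: priv requires auth).
SecurityLevel level_for(AuthProto a, PrivProto p) {
    if (p != PrivProto::None) {
        if (a == AuthProto::None)
            throw std::invalid_argument("privacy without authentication is not a valid USM user");
        return AuthPriv;
    }
    return a == AuthProto::None ? NoAuthNoPriv : AuthNoPriv;
}

// msgFlags bits: 0x01 authFlag, 0x02 privFlag, 0x04 reportableFlag.
uint8_t msg_flags(SecurityLevel l, bool reportable) {
    uint8_t f = 0;
    if (l >= AuthNoPriv) f |= 0x01;
    if (l == AuthPriv)   f |= 0x02;
    if (reportable)      f |= 0x04;
    return f;
}

// Octets in msgAuthenticationParameters: RFC 3414 for HMAC-MD5-96/HMAC-SHA-96,
// RFC 7860 for the SHA-2 family. "HMAC384SHA512" is RFC 7860's
// usmHMAC384SHA512AuthProtocol: HMAC over SHA-512, output truncated to 384 bits,
// which is the protocol a device advertising "SHA512" for SNMPv3 speaks.
size_t auth_param_len(AuthProto a) {
    switch (a) {
    case AuthProto::None:       return 0;
    case AuthProto::HmacMd5:
    case AuthProto::HmacSha1:   return 12;
    case AuthProto::HmacSha224: return 16;
    case AuthProto::HmacSha256: return 24;
    case AuthProto::HmacSha384: return 32;
    case AuthProto::HmacSha512: return 48;
    }
    return 0;
}

// Flags for an outgoing request. USM itself will emit a noAuthNoPriv message
// for an auth-capable user, which is the slip in the thread; treating it as an
// error here surfaces the misconfiguration on the manager instead of as the
// agent's authorizationError (error-status 16, as seen in the log).
uint8_t flags_for_request(const UsmUser& u, SecurityLevel requested, bool reportable) {
    const SecurityLevel supported = level_for(u.auth, u.priv);
    if (requested < supported)
        throw std::runtime_error("user " + u.name + " supports securityLevel " +
                                 std::to_string(supported) + " but request is at " +
                                 std::to_string(requested));
    return msg_flags(requested, reportable);
}

// Yes/no form of the same check for callers that do not want an exception.
bool request_rejected(const UsmUser& u, SecurityLevel requested) {
    try { flags_for_request(u, requested, true); return false; }
    catch (const std::runtime_error&) { return true; }
}

int main() {
    // User as configured in the thread: SHA-512 authentication, no privacy.
    const UsmUser testuser{"testuser", AuthProto::HmacSha512, PrivProto::None};
    // Correct request: authNoPriv, msgFlags 0x05 (auth + reportable), 48-octet HMAC.
    std::cout << "msgFlags=0x" << std::hex << int(flags_for_request(testuser, AuthNoPriv, true))
              << " authParamLen=" << std::dec << auth_param_len(testuser.auth) << '\n';
    // The thread's bug: the level stayed at the default noAuthNoPriv; caught here.
    return request_rejected(testuser, NoAuthNoPriv) ? 0 : 1;
}
```

Sending a weaker level than the user supports is legal at the USM layer, which is why the library built the message without complaint ("Message built OK" in the log) and the switch, whose access policy requires authentication, answered with authorizationError; a check like `flags_for_request` turns that silent downgrade into a local error before anything reaches the wire.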