motorbass
New Contributor II

Can't use SNMPv3 on Meraki AP on FortiNAC

Hi

We're currently trying FortiNAC v7.2.5.0101; everything runs smoothly for most of our devices except for the Meraki AP.

We follow this guide for configuring/adding the AP https://docs.fortinet.com/document/fortinac-f/7.2.0/network-device-modeling/785561/cisco-meraki-ms-s...

 

Indeed, even though SNMPv3 is enabled on our Meraki organization and so on the AP (snmpwalk -v3 is OK), FortiNAC always throws an error while trying to add it using the S/N as UserName and the API Key as Password, as you can see below:

fortinac_meraki.png

From a firewall perspective we get no deny or any filtering; proof is that we can add the same AP using SNMPv2c, for instance.

From a FortiNAC perspective, there's no log or information that may help to troubleshoot this.

Has any of you succeeded in using SNMPv3 between FortiNAC and Meraki?

Thanks a lot for your help & advice

1 Solution
motorbass
New Contributor II

I finally found the solution from here https://support.auvik.com/hc/en-us/articles/204356740-How-to-enable-SNMP-on-Meraki-devices

 

So credentials to use are those from Network-wide, we agree, but in any case, it has to be SHA1 & DES.

It works pretty smooth, happy to have learnt something today ! :)

27 Replies
ozkanaltas
Contributor III

Hello @motorbass ,

 

I think it's related to SNMP_Protocol. Can you change SNMP_Protocol to SNMPv3 AuthNoPriv?

Or you need to fill the privacy password area with the password.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
motorbass

Hi

Just gave a try and same error.

UserName is still S/N and Authentication Password is my API Key

ozkanaltas

Hi @motorbass , 

 

Firstly you need to add a Meraki device with snmp credentials. You can configure this credential on a Meraki device.

 

SNMP

Configure SNMP access to allow for FortiNAC device discovery. Under the Network-wide > General > SNMP section, allow either v1/v2 or v3 access

 

After adding the Meraki device on FortiNAC, you can configure the username and API key in the model configuration menu on FortiNAC.

But first, you need to add the Meraki device to FortiNAC with SNMP credentials.

I found one document about how to configure SNMPv3 credentials on the Meraki MS switch. You can review this document.

 

https://support.auvik.com/hc/en-us/articles/204356740-How-to-enable-SNMP-on-Meraki-devices

motorbass

Hi

Sorry, but I don't understand this answer; this is what I did and what I explained in my original post. I'm currently trying to add my device with SNMP credentials, and as mentioned, SNMPv3 is already properly configured on Meraki, as I can reach it through snmpwalk -v3.

ozkanaltas

Hello @motorbass ,

 

Can you share the full command of the snmp walk you tested? You can mask credentials. I just want to see the parameters in your command. 

motorbass

Sure, here it is:

```
snmpwalk -v3 -l authPriv -u "XXXXX" -a SHA -A "YYYY" -x des -X "YYYY" 10.10.10.10
```

ozkanaltas

Hello @motorbass ,

 

Can you fill the FortiNAC SNMP area with this information?

Username : -u "XXXXX"

Authentication Protocol : -a SHA

Authentication Password : -A "YYYY"

Privacy Protocol : -x des

Privacy Password : -X "YYYY" 

 

motorbass

Great idea,

Just tried, same error unfortunately...

I think we're close to it

ndumaj
Staff

Hello,
According to the error, FNAC sends SNMPv3 requests to get sysobjectID from the device, but the switch does not respond with the appropriate parameters and FNAC states -> "Unable to contact".
It looks to be a misconfiguration of SNMPv3.
Article:
https://community.fortinet.com/t5/FortiNAC/Technical-Tip-Troubleshooting-SNMP-communication-issues/t...

Check on Meraki if there is any indication why it is refusing the FNAC request.

BR

- Happy to help, hit like and accept the solution -
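
An added example, not part of any post in this thread: a small shell check that asks a device for sysObjectID.0 (the object the reply above says FortiNAC requests) with each SNMPv3 authentication/privacy pair, so the pair that actually answers can be entered in FortiNAC. It assumes net-snmp's `snmpget` is installed; the function names `probe_v3` and `first_working` are hypothetical, and host, user and passwords are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the net-snmp "snmpget" client.
SNMPGET="${SNMPGET:-snmpget}"         # overridable, e.g. with a stub for testing
SYSOBJECTID_OID="1.3.6.1.2.1.1.2.0"   # sysObjectID.0

# probe_v3 HOST USER AUTHPASS PRIVPASS
# Prints one line per combination: "<auth>/<priv> ok" or "<auth>/<priv> fail".
probe_v3() {
    host=$1; user=$2; authpass=$3; privpass=$4
    for auth in SHA MD5; do
        for priv in DES AES; do
            # -t 2 -r 0: two-second timeout, no retries, so a mismatch fails fast
            if "$SNMPGET" -v3 -l authPriv -t 2 -r 0 \
                   -u "$user" -a "$auth" -A "$authpass" \
                   -x "$priv" -X "$privpass" \
                   "$host" "$SYSOBJECTID_OID" >/dev/null 2>&1; then
                echo "$auth/$priv ok"
            else
                echo "$auth/$priv fail"
            fi
        done
    done
}

# first_working HOST USER AUTHPASS PRIVPASS
# Prints the first accepted pair; returns non-zero if no pair was accepted.
first_working() {
    probe_v3 "$@" |
        awk '$2 == "ok" && !found { print $1; found = 1 } END { exit !found }'
}

# Usage: sh probe.sh 10.10.10.10 USER AUTHPASS PRIVPASS
if [ "$#" -eq 4 ]; then
    probe_v3 "$@"
fi
```

A pair reported as `ok` here is the Authentication Protocol / Privacy Protocol combination to select in the FortiNAC SNMP fields.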