topic Re: DNAC API - createSNMPv3Credential in Network Platform API

DNAC API - createSNMPv3Credential

dmcdonald — Thu, 06 Feb 2025 21:22:23 GMT

We are hoping to on-board a large number of systems into DNAC. Currently we use unique SNMP credentials per device. Rather than manually enter all of those credentials, I had hoped to pre-populate the credential table using post into /dna/intent/api/v1/global-credential/snmpv3, using the credentials from our existing credential stores.

However, when I try to create a credential, I get a status of 202. When I look at the status of the task object that is retrieved, it returns a 423 status error code. No credentials show up even after several hours.

Has anyone successfully used the createSNMPv3Credential method and do you have any tips or troubleshooting steps that might make this successful?

Alternatively, has anyone found a way for DNAC to reference cyberark for snmpv3 credentials?

Re: DNAC API - createSNMPv3Credential

bigevilbeard — Fri, 07 Feb 2025 11:13:21 GMT

By no means an expert here, looking at the docs, the payload should look like

{ "snmpV3Credentials": [ { "description": "SNMPv3 Credential for Device MOO", "username": "snmpuser", "authType": "SHA", "authPassword": "authpassword123", "privacyType": "AES128", "privacyPassword": "privacypassword123", "snmpMode": "AUTHPRIV", "comments": "Credential for network device MOO", "credentialType": "GLOBAL" } ] }

Its odd you get the 403 (locked out) message. Can you share your code here, DNAC version etc?

From what i read, Cat Centre (DNAC) does not natively integrate with CyberArk for retrieving SNMPv3 credentials, you would need to create a script/app that would retrieve your SNMPv3 credentials from CyberArk and then uses the Cat Centre API to create the credentials.

Re: DNAC API - createSNMPv3Credential

Torbjørn — Mon, 10 Feb 2025 10:24:22 GMT

Can you post the Cat-C version and a request body you tried? I just tested this minimal request body on 2.3.7.7 with success:

[ { "snmpMode": "NOAUTHNOPRIV", "username": "userName" } ]

There is no Cat-C <-> Cyberark integration unfortunately.

Re: DNAC API - createSNMPv3Credential

dmcdonald — Tue, 18 Feb 2025 16:56:02 GMT

DNAC version 2.3.5.6-70143

I'm using an USM object that works with the pysnmp library, so I have to translate some of the values to a format that DNAC can understand.

new_cred = [ {
'authPassword': user_data.authKey,
'authType': credentials.auth_OID_to_DNAC(user_data.authProtocol),
'comments': 'imported ' + host,
'credentialType': 'GLOBAL',
'description': host,
'privacyPassword': user_data.privKey,
'privacyType': credentials.priv_OID_to_DNAC(user_data.privProtocol),
'snmpMode': 'AUTHPRIV',
'username': user_data.securityName,
}, ]

Here is the data I am sending, with sensitive information redacted:

(Pdb) new_cred
[{'authPassword': '<mumble>', 'authType': 'SHA', 'comments': 'imported for somehostname', 'credentialType': 'GLOBAL', 'description': 'somehostname.somedomain.net', 'privacyPassword': '<mumble>', 'privacyType': 'AES128', 'snmpMode': 'AUTHPRIV', 'username': 'public'}]

(Pdb) l
78 'privacyType': credentials.priv_OID_to_DNAC(user_data.privProtocol),
79 'snmpMode': 'AUTHPRIV',
80 'username': user_data.securityName,
81 }, ]
82 create_url = dnac_url + '/dna/intent/api/v1/global-credential/snmpv3'
83 B-> response = requests.post(create_url,headers=headers, json=new_cred,verify=True)
84 if response.status_code == 201:
85 return True
86 elif response.status_code == 202:
87 while True:
88 task_status = requests.get(dnac_url + response.json()['response']['url'], headers=headers, verify=True)
(Pdb)

The original passwords are a more reasonable length than the word "<mumble>":

(Pdb) len(new_cred[0]['authPassword'])
34
(Pdb) len(new_cred[0]['privacyPassword'])
32
(Pdb)

Re: DNAC API - createSNMPv3Credential

john-p — Thu, 06 Mar 2025 19:09:27 GMT

It sounds to me like you are trying to create a credential set in the network settings and then apply it to the device. The credentials in the network settings are more for using standard configurations at a site or globally. you do not need to save any of your device credentials in the global network settings. This just makes it easier for people who use a limited set of credentials to manage them via Catalyst center.

The solution you are looking for is probably to set the "Update Device Details" API call. A PUT to '/network-device'

The sample of the PUT body is below and as you can see, the SNMP settings are listed. You should be able to remove any of the optional settings that you are not updating. The IP of the device is the only required field. Many fields also have the option of using the string 'NO!$DATA!$' if they do not require an update. This should allow you to set set the SNMP credentials per-device.

{
"cliTransport": "string",
"computeDevice": "boolean",
"enablePassword": "string",
"extendedDiscoveryInfo": "string",
"httpPassword": "string",
"httpPort": "string",
"httpSecure": "boolean",
"httpUserName": "string",
"ipAddress": [
"string"
],
"merakiOrgId": [
"string"
],
"netconfPort": "string",
"password": "string",
"serialNumber": "string",
"snmpAuthPassphrase": "string",
"snmpAuthProtocol": "string",
"snmpMode": "string",
"snmpPrivPassphrase": "string",
"snmpPrivProtocol": "string",
"snmpROCommunity": "string",
"snmpRWCommunity": "string",
"snmpRetry": "integer",
"snmpTimeout": "integer",
"snmpUserName": "string",
"snmpVersion": "string",
"type": "string",
"updateMgmtIPaddressList": [
{
"existMgmtIpAddress": "string",
"newMgmtIpAddress": "string"
}
],
"userName": "string"
}

On a side note. If you want to integrate with something like cyber ark, I would recommend having cyber ark push the credential updates to a Flask server and then having the Flask server manage your Cat-C integration.

Re: DNAC API - createSNMPv3Credential

Torbjørn — Fri, 07 Mar 2025 09:32:49 GMT

Hello @dmcdonald,

Sorry for the late response! I unfortunately missed your reply.

Your payload works if you replace all single quotes with double quotes. I tested with the following payload:

[ { "authPassword": "mumblemumble", "authType": "SHA", "comments": "imported for somehostname", "credentialType": "GLOBAL", "description": "somehostname.somedomain.net", "privacyPassword": "mumblemumble", "privacyType": "AES128", "snmpMode": "AUTHPRIV", "username": "public" } ]