Obtaining user information via SNMP: Difference between revisions

From Alpine Linux
(began work on squark-auth squid helper documentation)
 
(added some configuration.)

Revision as of 03:29, 30 July 2010

This material is work-in-progress ...

Do not follow instructions here until this notice is removed.
(Last edited by Djhughes on 30 Jul 2010.)

This page documents how to use the squark-auth squid authentication helper to obtain a user-name, or other information, via SNMP from a switch. The example uses an HP Procurve 5400zl switch.

It is possible to configure HP Procurve switches to do port-based web authentication. A network device initiates traffic on a port, and is assigned to a "guest" vlan with limited or no network access. A browser needs to be opened, and the user is given a user-name and password prompt. For more information on configuring web-based authentication on an HP switch, see this link.

The squark-auth squid authentication helper queries the HP switch via SNMP using standard MIBs to obtain the user-name associated with the client's IP address, and injects it into the squid access logs, which helps web-log auditors analyse them. For more information see the squark-auth documentation here.

Enable SNMP Lookups on HP Procurve Device

Create an SNMP read-only community on your HP Procurve Switch, or use one that already exists (the following example uses "public" as a community name - adjust as you like):

configure
snmp-server community "public" restricted
snmp-server response-source dst-ip-of-request
exit

The second-to-last command ensures that SNMP replies are always returned from the switch's primary management interface. Run the above commands on all switches that the squark-auth plugin will run SNMP queries against. Run them exactly as they appear.

Install Squark and Configure Squid

apk add squark

The squark-auth binary used by squid is copied into the /usr/local/bin directory. All further configuration is done in /etc/squid/squid.conf:

Note: The following configuration assumes that you are using SNMPv2c.

#external ACL squid auth helper
# Squark authentication external acl
external_acl_type squark_auth children=1 ttl=1800 negative_ttl=60 concurrency=128 grace=10 %SRC /usr/local/bin/squark-auth -c <communityname> -r <ip.of.switch> -i VLAN<id> -v <id>
acl Zone_D_SquarkAuth external squark_auth

Replace <communityname> with the SNMPv2c community name you have configured on your switch. Replace <ip.of.switch> with the IP of your switch, and replace <id> with the VLAN ID of the VLAN that the clients will be connected to.

Here is an example to illustrate how the above configuration could look:

#external ACL squid auth helper
# Squark authentication external acl
external_acl_type squark_auth children=1 ttl=1800 negative_ttl=60 concurrency=128 grace=10 %SRC /usr/local/bin/squark-auth -c public -r 192.168.0.1 -i VLAN5 -v 5
acl Zone_D_SquarkAuth external squark_auth

Note: If you have multiple switches in your environment, Link Layer Discovery Protocol (LLDP) should be enabled in order for squark-auth to work properly. If the switch IP you have specified belongs to a core switch (as in a star topology network) and all the switches in your network have LLDP enabled (usually enabled by default), then your network topology should be discovered automatically.

Note: For more information on the squark_auth options available, run the command man squark-auth.
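The external_acl_type line above makes squid talk to squark-auth over Squid's concurrent helper protocol: squid writes one request per line ("<channel-id> <client-ip>", because the format string is %SRC), and expects one reply per line ("<channel-id> OK user=...", "<channel-id> ERR ..." or "<channel-id> BH ..."). The following added example (not squark-auth's own code, and not from the Alpine wiki) implements that exchange so you can see what squid sends and what it expects back; the SNMP query against the switch is replaced by an injectable lookup function, and the IP-to-user table is constructed sample data.

```python
#!/usr/bin/env python3
"""Minimal Squid external ACL helper speaking the concurrent helper protocol.

Added example, not squark-auth's own code. The real SNMP lookup against the
switch is replaced by an injectable lookup function (an assumption for the
example); SAMPLE_USERS is constructed data standing in for what the switch
would return.
"""
import sys
from typing import Callable, Optional

# Constructed sample data: client IP -> user-name, standing in for the SNMP lookup.
SAMPLE_USERS = {
    "192.168.5.10": "jdoe",
    "192.168.5.11": "Jane Doe",   # contains whitespace -> must be quoted
    "192.168.5.12": 'o"brien',    # contains a quote -> must be escaped
}


def sample_lookup(ip: str) -> Optional[str]:
    """Stand-in for the SNMP query; returns None when no user is bound to ip."""
    return SAMPLE_USERS.get(ip)


def quote_value(value: str) -> str:
    """Quote a key=value payload the way Squid's helper protocol expects:
    backslash-escape '\\' and '"', and wrap the value in double quotes when
    it contains whitespace or quote characters."""
    if not any(c.isspace() or c in '"\\' for c in value):
        return value
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def handle_line(line: str, lookup: Callable[[str], Optional[str]]) -> str:
    """Turn one request line from squid into one reply line (no newline)."""
    parts = line.strip().split()
    if len(parts) < 2 or not parts[0].isdigit():
        # Malformed request: answer BH (helper failure) on the channel if we
        # can recover it, otherwise on channel 0.
        channel = parts[0] if parts and parts[0].isdigit() else "0"
        return f"{channel} BH message=malformed-request"
    channel, src_ip = parts[0], parts[1]
    try:
        user = lookup(src_ip)
    except Exception as exc:  # lookup infrastructure failed (e.g. SNMP timeout)
        return f"{channel} BH message={quote_value(str(exc))}"
    if user is None:
        # ERR lets squid cache the miss for negative_ttl instead of re-asking.
        return f"{channel} ERR message=no-user-for-ip"
    # OK with user= makes the name available to the acl and the access log.
    return f"{channel} OK user={quote_value(user)}"


def main() -> None:
    # squid waits for each reply before reusing the channel: flush every line.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line, sample_lookup) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Feeding lines such as "0 192.168.5.10" on standard input reproduces what squid does with the configuration above; the same manual test (a channel number followed by a client IP, one per line) is a quick way to verify a helper outside of squid before pointing the external_acl_type at it.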

Optional: SNMP v3 Configuration

Squark will use the configuration specified in /etc/snmp/snmp.conf when SNMPv3 is specified as the preferred version of SNMP to use.

Ensure that you have at least the following in /etc/snmp/snmp.conf:

defContext none
defSecurityName <username>
defAuthPassphrase <password>
defVersion 3
defAuthType MD5
defSecurityLevel authNoPriv

Adjust the above as dictated by the SNMP v3 configuration on your switch.
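Which of the def* directives above are actually required depends on defSecurityLevel: authNoPriv needs an authentication type and passphrase, authPriv additionally needs defPrivType and defPrivPassphrase, and noAuthNoPriv needs neither. The following added example (not part of squark or net-snmp) parses a snmp.conf fragment and reports the directives that are missing for the configured level; the sample fragment and its user-name and passphrase are constructed, and the directive names are the net-snmp snmp.conf ones.

```python
"""Consistency check for the net-snmp client defaults in /etc/snmp/snmp.conf.

Added example, not part of squark or net-snmp. SAMPLE_CONF is constructed
data (user-name and passphrase are placeholders, not real credentials).
"""
from typing import Dict, List

# Directives each SNMPv3 security level needs on top of defSecurityName.
REQUIRED = {
    "noAuthNoPriv": [],
    "authNoPriv": ["defAuthType", "defAuthPassphrase"],
    "authPriv": ["defAuthType", "defAuthPassphrase",
                 "defPrivType", "defPrivPassphrase"],
}

# Constructed sample matching the shape of the fragment shown on the page.
SAMPLE_CONF = """\
defContext none
defSecurityName monitor            # constructed user-name
defAuthPassphrase example-pass-123 # constructed passphrase
defVersion 3
defAuthType MD5
defSecurityLevel authNoPriv
"""


def parse_snmp_conf(text: str) -> Dict[str, str]:
    """Parse 'directive value' lines, ignoring blanks and # comments."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 1)
        conf[fields[0]] = fields[1].strip() if len(fields) > 1 else ""
    return conf


def check_v3_defaults(conf: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the v3 defaults are complete."""
    problems: List[str] = []
    if conf.get("defVersion") != "3":
        problems.append("defVersion is not 3; the SNMPv3 defaults will not be used")
    level = conf.get("defSecurityLevel", "noAuthNoPriv")
    if level not in REQUIRED:
        problems.append(f"unknown defSecurityLevel '{level}'")
        return problems
    if not conf.get("defSecurityName"):
        problems.append("defSecurityName (the SNMPv3 user) is missing")
    for key in REQUIRED[level]:
        if not conf.get(key):
            problems.append(f"{level} requires {key}")
    if level != "authPriv":
        # Authentication without privacy: queries and replies travel in clear.
        problems.append(f"{level} leaves SNMP payloads unencrypted; "
                        "use authPriv if the switch supports it")
    return problems


def check_sample() -> List[str]:
    """Run the check over the constructed sample fragment."""
    return check_v3_defaults(parse_snmp_conf(SAMPLE_CONF))


if __name__ == "__main__":
    for problem in check_sample():
        print(problem)
```

Pointing parse_snmp_conf at the real file contents gives the same report for your own /etc/snmp/snmp.conf; the values must still match what is configured for the user on the switch, which this check cannot see.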