Obtaining user information via SNMP: Difference between revisions

From Alpine Linux
(web-based-authentication is not a requirement to get this working (it might not even relate to this wiki-doc))
(replace /etc/init.d with rc-service)
 
(12 intermediate revisions by 6 users not shown)
Line 1: Line 1:
{{draft}}
= Using squark-auth-snmp =
This doc has been tested to work on alpine-2.3.2 ''(squark-0.4-r0, net-snmp-5.7.1-r1)''
This doc has been tested to work on alpine-2.3.2 ''(squark-0.4-r0, net-snmp-5.7.1-r1)''


== Introduction ==
== Introduction ==
This document describes how to use 'squark-auth-snmp' as squid authentication helper to obtain a username or other useful information from a switch.<BR>
This document describes how to use 'squark-auth-snmp' as a squid authentication helper to obtain a username or other useful information from a switch.<BR>
'squark-auth-snmp' queries the switch via SNMP using standard MIBs to obtain various information.<BR>
'squark-auth-snmp' queries the switch via SNMP using standard MIBs to obtain various information.<BR>
The information is then injected into the squid access logs ''(which can help auditors when analysing the logs)''.<BR>
The information is then injected into the squid access logs ''(which can help auditors when analyzing the logs)''.<BR>


Switches that confirmed to function (at least in some degree):<BR>
Switches that confirmed to function (at least in some degree):<BR>
Line 14: Line 12:
* HP Procurve 2650
* HP Procurve 2650


{{Note|The below examples will create/use a community called 'public'. You can replace each occurance of 'public' with something that suits your needs.<BR>In some examples a IP-address might be mentioned. Change those to reflect your configuration.<BR>
{{Note|The below examples will create/use a community called 'public'. You can replace each occurrence of 'public' with something that suits your needs.<BR>In some examples an IP address might be mentioned. Change those to reflect your configuration.<BR>
Values such as <ip.of.switch> and other values marked as <something> should be replaced appropriately.}}
Values such as <ip.of.switch> and other values marked as <something> should be replaced appropriately.}}


Line 21: Line 19:
=== Enable SNMP Lookups ===
=== Enable SNMP Lookups ===
We need a 'SNMP community' configured on the switch (which has at least 'read-only' or 'restricted' permissions).<BR>
We need a 'SNMP community' configured on the switch (which has at least 'read-only' or 'restricted' permissions).<BR>
If your switch does not have such 'SNMP community', you will need to create one.
If your switch does not have such an 'SNMP community', you will need to create one.
{{Tip|Procedures on how to view/modify/create SNMP communities on a switch varies on depending on brand or model of the switch.<BR>You will benefit in reading you manual to figure out how to apply the changes to your own switch.}}
{{Tip|Procedures on how to view/modify/create SNMP communities on a switch vary on depending on brand or model of the switch.<BR>You will benefit from reading your manual to figure out how to apply the changes to your own switch.}}
{{Note|The upcoming examples assumes you are using a "HP Procurve" switch.}}
{{Note|The upcoming examples assume you are using a "HP Procurve" switch.}}


Start by loggin on to your switch ''(use telnet, ssh or a serial cable. The manual that came with your switch will describe how this is done for your switch)''.
Start by logging on to your switch ''(use telnet, ssh or a serial cable. The manual that came with your switch will describe how this is done for your switch)''.


==== View your snmp-server settings ====
==== View your snmp-server settings ====
Line 31: Line 29:
{{cmd|show snmp-server}}
{{cmd|show snmp-server}}


==== Create a SNMP community ====
==== Create an SNMP community ====
In this case we will create a SNMP community called "public" and giving it "restricted" rights.<BR>
In this case we will create an SNMP community called "public" and give it "restricted" rights.<BR>
We will also configure the switch to send SNMP replies from the same IP address as the one on which the corresponding SNMP request was received.
We will also configure the switch to send SNMP replies from the same IP address as the one on which the corresponding SNMP request was received.


Line 45: Line 43:
=== Link Layer Discovery Protocol ===
=== Link Layer Discovery Protocol ===
If you have multiple switches in your environment, Link Layer Discovery Protocol (LLDP) should be enabled in order for 'squark-auth-snmp' to work properly.<BR>
If you have multiple switches in your environment, Link Layer Discovery Protocol (LLDP) should be enabled in order for 'squark-auth-snmp' to work properly.<BR>
If the IP of the switch that you have specified is a core switch ''(such as in a star topology network)'', and all the switches in your network have LLDP enabled ''(usually enabled by default)'', then your network topology should be automatically discoverable.
If the switch that you specify in the squark config below is a core switch ''(such as in a star topology network)'', and all the switches in your network have LLDP enabled ''(usually enabled by default)'', then your network topology should be automatically discoverable.


=== web-based authentication ===
=== web-based authentication ===
{{tip|It is possible to configure HP Procurve switches to do port-based web authentication.<BR>
{{tip|It is possible to configure HP Procurve switches to do port-based web authentication.<BR>
A network device initiates traffic on a port, and is assigned to a "guest" vlan with limited or no network access.<BR>
A network device initiates traffic on a port, and is assigned to a "guest" vlan with limited or no network access.<BR>
A browser needs to be opened, and the user is given a user-name and password prompt.<BR>
A browser needs to be opened, and the user is given a user-name and password prompt.
For more information on configuring web-based authentication on an HP switch, see [http://h40060.www4.hp.com/procurve/uk/en/pdfs/application-notes/AN-S1_Web-Authentication-final-080608.pdf this link].}}


== Configure squid & squark ==
== Configure squid & squark ==
Line 59: Line 56:


=== Configure squid ===
=== Configure squid ===
We assume you installed squid and done some initial configuration to get it working.<BR>
We assume you have installed squid and done some initial configuration to get it working.<BR>
The below examples should replace or append values to your working '/etc/squid/squid.conf'.
The below examples should replace or append values to your working '/etc/squid/squid.conf'.
{{Tip|Consult http://wiki.squid-cache.org/ when configuring squid}}
{{Tip|Consult https://wiki.squid-cache.org/ when configuring squid}}


==== General squid.conf modifications ====
==== General squid.conf modifications ====
Line 78: Line 75:
</pre>
</pre>
As you can see in the above example, we refer to the acl "Zone_SquarkAuth" which is not yet created.<BR>
As you can see in the above example, we refer to the acl "Zone_SquarkAuth" which is not yet created.<BR>
Below examples will describe how to create it depending on your needs.
The following examples will describe how to create it, depending on your needs.


==== Configure squark-auth-snmp to use SNMPv2c ====
==== Configure squark-auth-snmp to use SNMPv2c ====
Line 89: Line 86:
</pre>
</pre>


{{Tip|For more information on the 'squark_auth' options available, run the command 'man squark-auth-snmp' in your terminal or browse the [http://git.alpinelinux.org/cgit/squark/tree/ squark git tree].}}
{{Tip|For more information on the 'squark_auth' options available, run the command 'man squark-auth-snmp' in your terminal or browse the [https://git.alpinelinux.org/aports/tree/main/squark?h=master squark git tree].


== Configure net-snmp ==
== Configure net-snmp ==
Line 121: Line 118:
== Start using it ==
== Start using it ==
Start it all up
Start it all up
{{cmd|/etc/init.d/squid start
{{cmd|rc-service squid start
/etc/init.d/snmpd start}}
rc-service snmpd start}}


Make sure to configure you services to autostart at next reboot
Make sure to configure you services to autostart at next reboot
Line 134: Line 131:
Run the 'squark-auth-snmp' command with the options you are planning to use ''(below is just a example on how that might look)'':
Run the 'squark-auth-snmp' command with the options you are planning to use ''(below is just a example on how that might look)'':
{{cmd|/usr/bin/squark-auth-snmp -f "%N-%i-%M" -c public -r 10.82.72.221 -i eth1.96 -v 96}}
{{cmd|/usr/bin/squark-auth-snmp -f "%N-%i-%M" -c public -r 10.82.72.221 -i eth1.96 -v 96}}
{{Note|Running 'squark-auth-snmp' standalone in a termnial will not give you information on nearby switches. You would need to configure 'squark-auth-snmp' to ask a specific switch in order to query it for valid results.}}
{{Note|Running 'squark-auth-snmp' standalone in a terminal will not give you information on nearby switches. You would need to configure 'squark-auth-snmp' to ask a specific switch in order to query it for valid results.}}
You will end up in the squark-proxy-cli mode.<BR>
You will end up in the squark-proxy-cli mode.<BR>
Feed the CLI with 2 values separated with a whitespace.
Feed the CLI with 2 values separated with a whitespace.
# A index ''(this could basically be anything without a whitespace)''
# An index ''(this could basically be anything without a whitespace)''
# A IP-address of a host connected to your switch(es)
# An IP address of a host connected to your switch(es)
The command entered in the CLI could look like this:
The command entered in the CLI could look like this:
{{cmd|a 10.82.96.123}}
{{cmd|a 10.82.96.123}}
Either you get a "a ERR" or "a OK user=<switchname>_<portname>_<mac address>" result which will help you in your debugging.
Either you get "a ERR" or "a OK user=<switchname>_<portname>_<mac address>" result which will help you in your debugging.
 
[[Category:Networking]]
[[Category:Server]]
[[Category:Monitoring]]

Latest revision as of 10:40, 17 November 2023

This doc has been tested to work on alpine-2.3.2 (squark-0.4-r0, net-snmp-5.7.1-r1)

Introduction

This document describes how to use 'squark-auth-snmp' as a squid authentication helper to obtain a username or other useful information from a switch.
'squark-auth-snmp' queries the switch via SNMP using standard MIBs to obtain various information.
The information is then injected into the squid access logs (which can help auditors when analyzing the logs).

Switches that confirmed to function (at least in some degree):

  • HP Procurve 5400zl
  • HP Procurve 1810G 24GE
  • HP Procurve 2150-48
  • HP Procurve 2650
Note: The below examples will create/use a community called 'public'. You can replace each occurrence of 'public' with something that suits your needs.
In some examples an IP address might be mentioned. Change those to reflect your configuration.
Values such as <ip.of.switch> and other values marked as <something> should be replaced appropriately.

Configuring the switch

Enable SNMP Lookups

We need a 'SNMP community' configured on the switch (which has at least 'read-only' or 'restricted' permissions).
If your switch does not have such an 'SNMP community', you will need to create one.

Tip: Procedures on how to view/modify/create SNMP communities on a switch vary on depending on brand or model of the switch.
You will benefit from reading your manual to figure out how to apply the changes to your own switch.
Note: The upcoming examples assume you are using a "HP Procurve" switch.

Start by logging on to your switch (use telnet, ssh or a serial cable. The manual that came with your switch will describe how this is done for your switch).

View your snmp-server settings

Run the following command to view your current snmp-settings

show snmp-server

Create an SNMP community

In this case we will create an SNMP community called "public" and give it "restricted" rights.
We will also configure the switch to send SNMP replies from the same IP address as the one on which the corresponding SNMP request was received.

configure snmp-server community "public" restricted snmp-server response-source dst-ip-of-request exit

Run the above commands (exactly as they appear above) on all switches that the squark-auth-snmp plugin will run snmp queries against.

Warning: Your switch might need to be rebooted in order to apply the 'dst-ip-of-request' setting.


Link Layer Discovery Protocol

If you have multiple switches in your environment, Link Layer Discovery Protocol (LLDP) should be enabled in order for 'squark-auth-snmp' to work properly.
If the switch that you specify in the squark config below is a core switch (such as in a star topology network), and all the switches in your network have LLDP enabled (usually enabled by default), then your network topology should be automatically discoverable.

web-based authentication

{{tip|It is possible to configure HP Procurve switches to do port-based web authentication.
A network device initiates traffic on a port, and is assigned to a "guest" vlan with limited or no network access.
A browser needs to be opened, and the user is given a user-name and password prompt.

Configure squid & squark

Install squark

apk add squark

Configure squid

We assume you have installed squid and done some initial configuration to get it working.
The below examples should replace or append values to your working '/etc/squid/squid.conf'.

Tip: Consult https://wiki.squid-cache.org/ when configuring squid

General squid.conf modifications

Change (or edit) '/etc/squid/squid.conf' to reflect the following:

# Logging
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG
access_log /var/log/squid/access.log squark

# Permissions
cache_effective_user squid
cache_effective_group squid

# Allow hosts on <some.zone> to access internet
http_access allow <some.zone> Zone_SquarkAuth

As you can see in the above example, we refer to the acl "Zone_SquarkAuth" which is not yet created.
The following examples will describe how to create it, depending on your needs.

Configure squark-auth-snmp to use SNMPv2c

Change (or edit) '/etc/squid/squid.conf' to reflect the following:

# External ACL squid auth helper
external_acl_type squark_auth children-startup=1 children-max=1 ttl=1800 negative_ttl=60 concurrency=128 grace=10 \
  %SRC /usr/bin/squark-auth-snmp -f "%N-%i-%M" -c public -r 10.82.96.1 -i eth1.96 -R 10.82.72.226 -v 96
acl Zone_SquarkAuth external squark_auth

{{Tip|For more information on the 'squark_auth' options available, run the command 'man squark-auth-snmp' in your terminal or browse the squark git tree.

Configure net-snmp

Install net-snmp

apk add net-snmp

Configure net-snmp

Basic configuration

Modify '/etc/snmp/snmpd.conf' to reflect at least the following:

rocommunity public default
syslocation  "Location of our equipment"
sysservices  15
syscontact  "ComputerDept <computerdept@foo.bar>"

SNMPv3 Configuration (optional)

Squark will use the configuration specified in '/etc/snmp/snmp.conf' when snmpv3 is specified as the preferred version of SNMP to use. Ensure that you have at least the following in /etc/snmp/snmp.conf:

defContext none
defSecurityName <username>
defAuthPassphrase <password>
defVersion 3
defAuthType MD5
defSecurityLevel authNoPriv
Note: Adjust the above as dictated by the SNMPv3 configuration on your switch.

Start using it

Start it all up

rc-service squid start rc-service snmpd start

Make sure to configure you services to autostart at next reboot

rc-update add squid default rc-update add snmpd default

Debugging

Squark

If you are having trouble getting 'squark-auth-snmp' to give you the data you are wanting to see, you could run 'squark-auth-snmp' standalone in a terminal to debug your syntax.

Run the 'squark-auth-snmp' command with the options you are planning to use (below is just a example on how that might look):

/usr/bin/squark-auth-snmp -f "%N-%i-%M" -c public -r 10.82.72.221 -i eth1.96 -v 96

Note: Running 'squark-auth-snmp' standalone in a terminal will not give you information on nearby switches. You would need to configure 'squark-auth-snmp' to ask a specific switch in order to query it for valid results.

You will end up in the squark-proxy-cli mode.
Feed the CLI with 2 values separated with a whitespace.

  1. An index (this could basically be anything without a whitespace)
  2. An IP address of a host connected to your switch(es)

The command entered in the CLI could look like this:

a 10.82.96.123

Either you get "a ERR" or "a OK user=<switchname>_<portname>_<mac address>" result which will help you in your debugging.