Obtaining user information via SNMP

From Alpine Linux

Revision as of 22:05, 5 October 2010

This material is work-in-progress ...

Do not follow instructions here until this notice is removed.
(Last edited by Jbilyk on 5 Oct 2010.)

This page documents how to use the squark-auth squid authentication helper to obtain a user-name or other information from a switch via SNMP. The example uses an HP Procurve 5400zl switch.

It is possible to configure HP Procurve switches to do port-based web authentication. A network device initiates traffic on a port and is assigned to a "guest" VLAN with limited or no network access. The user then has to open a browser, where they are given a user-name and password prompt. For more information on configuring web-based authentication on an HP switch, see the HP application note at http://h40060.www4.hp.com/procurve/uk/en/pdfs/application-notes/AN-S1_Web-Authentication-final-080608.pdf

The squark-auth squid authentication helper queries the HP switch via SNMP, using standard MIBs, to obtain the user-name associated with a client IP address, and injects that user-name into the squid access logs, which helps web-log auditors with their analysis. For more information see the squark-auth documentation in the squark git tree at http://git.alpinelinux.org/cgit/squark/tree/

Enable SNMP Lookups on HP Procurve Device

Create an SNMP read-only community on your HP Procurve Switch, or use one that already exists (the following example uses "public" as a community name - adjust as you like):

configure
snmp-server community "public" restricted
snmp-server response-source dst-ip-of-request
exit

The second-to-last command ensures that SNMP replies are always sent from the switch's primary management interface. Run the above commands, exactly as they appear, on every switch that the squark-auth helper will query via SNMP.

Install Squark and Configure Squid

apk add squark

The squark-auth binary used by squid is copied into the /usr/local/bin directory. All further configuration is done in /etc/squid/squid.conf:

Note: The following configuration assumes that you are using SNMPv2c.
#external ACL squid auth helper
# Squark authentication external acl
external_acl_type squark_auth children=1 ttl=1800 negative_ttl=60 concurrency=128 grace=10 %SRC /usr/local/bin/squark-auth -c <communityname> -r <ip.of.switch> -i VLAN<id> -v <id>
acl Zone_D_SquarkAuth external squark_auth

Replace <communityname> with the SNMPv2c community name you have configured on your switch. Replace <ip.of.switch> with the IP address of your switch, and replace <id> with the VLAN ID number of the VLAN that the clients will be connected to.

Here is an example to illustrate how the above configuration could look:

#external ACL squid auth helper
# Squark authentication external acl
external_acl_type squark_auth children=1 ttl=1800 negative_ttl=60 concurrency=128 grace=10 %SRC /usr/local/bin/squark-auth -c public -r 192.168.0.1 -i VLAN5 -v 5
acl Zone_D_SquarkAuth external squark_auth
Note: If you have multiple switches in your environment, Link Layer Discovery Protocol (LLDP) should be enabled in order for squark-auth to work properly. If the switch whose IP you specified is a core switch (as in a star topology network) and all the switches in your network have LLDP enabled (usually the default), then your network topology should be discovered automatically.
Note: For more information on the squark_auth options available, run the command man squark-auth.
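
To show what squid expects from the helper named in the external_acl_type line above (with concurrency= set, squid sends "channel-ID %SRC" and wants "channel-ID OK user=name" or "channel-ID ERR" back), here is a constructed minimal helper in Python. It is an added illustration, not squark-auth's own code: the SNMP query to the switch is replaced by a fixed, made-up IP-to-user table.

```python
"""Minimal squid external ACL helper speaking the concurrent line protocol.
Constructed illustration: squark-auth itself resolves the user with an SNMP
query to the switch; here that lookup is replaced by a fixed table."""
import ipaddress
import sys

# Constructed stand-in for the IP -> authenticated-user mapping that
# squark-auth would fetch from the switch over SNMP (not real data).
SAMPLE_SWITCH_TABLE = {"192.168.5.10": "alice", "192.168.5.11": "bob"}


def parse_request(line):
    """Split 'channel-ID %SRC' (what squid sends when concurrency= is set).
    Returns (channel, ip), ip None if absent/invalid; None if no channel ID."""
    parts = line.strip().split()
    if not parts or not parts[0].isdigit():
        return None
    if len(parts) != 2:
        return parts[0], None
    try:
        return parts[0], str(ipaddress.ip_address(parts[1]))
    except ValueError:
        return parts[0], None


def handle_request(line, lookup):
    """Build the reply squid expects: 'channel OK user=name' or 'channel ERR'."""
    parsed = parse_request(line)
    if parsed is None:
        return "ERR"
    channel, ip = parsed
    user = lookup.get(ip) if ip is not None else None
    # Fail closed on an unknown client or a name that would break the protocol.
    if user is None or any(c.isspace() for c in user):
        return f"{channel} ERR"
    return f"{channel} OK user={user}"


def main():
    # Squid keeps the helper running and sends one request per line; each
    # reply must be flushed at once or squid stalls waiting for it.
    for line in sys.stdin:
        sys.stdout.write(handle_request(line, SAMPLE_SWITCH_TABLE) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Feeding it a line such as "0 192.168.5.10" on stdin reproduces the exchange squid has with /usr/local/bin/squark-auth; an unknown or malformed client address yields ERR and the acl does not match.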

Optional: SNMP v3 Configuration

Squark uses the settings in /etc/snmp/snmp.conf when SNMPv3 is selected as the SNMP version to use.

Ensure that you have at least the following in /etc/snmp/snmp.conf:

defContext none
defSecurityName <username>
defAuthPassphrase <password>
defVersion 3
defAuthType MD5
defSecurityLevel authNoPriv

Adjust the above to match the SNMPv3 user configured on your switch; the security name, authentication type, passphrase and security level must all agree or the lookups will fail. Note that authNoPriv authenticates the requests but does not encrypt them, so where the switch supports it, authPriv (with the matching privacy settings in snmp.conf) also protects the returned user-names in transit.