Obtaining user information via SNMP: Difference between revisions
Dubiousjim (talk | contribs) (Delete H1) |
Dubiousjim (talk | contribs) (Category:Monitoring) |
||
Line 143: | Line 143: | ||
[[Category:Networking]] | [[Category:Networking]] | ||
[[Category:Server]] | [[Category:Server]] | ||
[[Category:Monitoring]] |
Revision as of 09:47, 26 March 2012
This doc has been tested to work on alpine-2.3.2 (squark-0.4-r0, net-snmp-5.7.1-r1)
Introduction
This document describes how to use 'squark-auth-snmp' as a squid authentication helper to obtain a username or other useful information from a switch.
'squark-auth-snmp' queries the switch via SNMP using standard MIBs to obtain various information.
The information is then injected into the squid access logs (which can help auditors when analyzing the logs).
Switches that confirmed to function (at least in some degree):
- HP Procurve 5400zl
- HP Procurve 1810G 24GE
- HP Procurve 2150-48
- HP Procurve 2650
In some examples an IP address might be mentioned. Change those to reflect your configuration.
Values such as <ip.of.switch> and other values marked as <something> should be replaced appropriately.
Configuring the switch
Enable SNMP Lookups
We need a 'SNMP community' configured on the switch (which has at least 'read-only' or 'restricted' permissions).
If your switch does not have such an 'SNMP community', you will need to create one.
You will benefit from reading your manual to figure out how to apply the changes to your own switch.
Start by logging on to your switch (use telnet, ssh or a serial cable. The manual that came with your switch will describe how this is done for your switch).
View your snmp-server settings
Run the following command to view your current snmp-settings
show snmp-server
Create an SNMP community
In this case we will create an SNMP community called "public" and give it "restricted" rights.
We will also configure the switch to send SNMP replies from the same IP address as the one on which the corresponding SNMP request was received.
configure snmp-server community "public" restricted snmp-server response-source dst-ip-of-request exit
Run the above commands (exactly as they appear above) on all switches that the squark-auth-snmp plugin will run snmp queries against.
Link Layer Discovery Protocol
If you have multiple switches in your environment, Link Layer Discovery Protocol (LLDP) should be enabled in order for 'squark-auth-snmp' to work properly.
If the switch that you specify in the squark config below is a core switch (such as in a star topology network), and all the switches in your network have LLDP enabled (usually enabled by default), then your network topology should be automatically discoverable.
web-based authentication
A network device initiates traffic on a port, and is assigned to a "guest" vlan with limited or no network access.
A browser needs to be opened, and the user is given a user-name and password prompt.
Configure squid & squark
Install squark
apk add squark
Configure squid
We assume you have installed squid and done some initial configuration to get it working.
The below examples should replace or append values to your working '/etc/squid/squid.conf'.
General squid.conf modifications
Change (or edit) '/etc/squid/squid.conf' to reflect the following:
# Logging logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG access_log /var/log/squid/access.log squark # Permissions cache_effective_user squid cache_effective_group squid # Allow hosts on <some.zone> to access internet http_access allow <some.zone> Zone_SquarkAuth
As you can see in the above example, we refer to the acl "Zone_SquarkAuth" which is not yet created.
The following examples will describe how to create it, depending on your needs.
Configure squark-auth-snmp to use SNMPv2c
Change (or edit) '/etc/squid/squid.conf' to reflect the following:
# External ACL squid auth helper external_acl_type squark_auth children-startup=1 children-max=1 ttl=1800 negative_ttl=60 concurrency=128 grace=10 \ %SRC /usr/bin/squark-auth-snmp -f "%N-%i-%M" -c public -r 10.82.96.1 -i eth1.96 -R 10.82.72.226 -v 96 acl Zone_SquarkAuth external squark_auth
Configure net-snmp
Install net-snmp
apk add net-snmp
Configure net-snmp
Basic configuration
Modify '/etc/snmp/snmpd.conf' to reflect at least the following:
rocommunity public default syslocation "Location of our equipment" sysservices 15 syscontact "ComputerDept <computerdept@foo.bar>"
SNMPv3 Configuration (optional)
Squark will use the configuration specified in '/etc/snmp/snmp.conf' when snmpv3 is specified as the preferred version of SNMP to use. Ensure that you have at least the following in /etc/snmp/snmp.conf:
defContext none defSecurityName <username> defAuthPassphrase <password> defVersion 3 defAuthType MD5 defSecurityLevel authNoPriv
Start using it
Start it all up
/etc/init.d/squid start /etc/init.d/snmpd start
Make sure to configure you services to autostart at next reboot
rc-update add squid default rc-update add snmpd default
Debugging
Squark
If you are having trouble getting 'squark-auth-snmp' to give you the data you are wanting to see, you could run 'squark-auth-snmp' standalone in a terminal to debug your syntax.
Run the 'squark-auth-snmp' command with the options you are planning to use (below is just a example on how that might look):
/usr/bin/squark-auth-snmp -f "%N-%i-%M" -c public -r 10.82.72.221 -i eth1.96 -v 96
You will end up in the squark-proxy-cli mode.
Feed the CLI with 2 values separated with a whitespace.
- An index (this could basically be anything without a whitespace)
- An IP address of a host connected to your switch(es)
The command entered in the CLI could look like this:
a 10.82.96.123
Either you get "a ERR" or "a OK user=<switchname>_<portname>_<mac address>" result which will help you in your debugging.