Obtaining user information via SNMP

From Alpine Linux
Revision as of 09:47, 26 March 2012 by Dubiousjim (talk | contribs) (Category:Monitoring)

This doc has been tested to work on alpine-2.3.2 (squark-0.4-r0, net-snmp-5.7.1-r1)

Introduction

This document describes how to use 'squark-auth-snmp' as a squid authentication helper to obtain a username or other useful information from a switch.
'squark-auth-snmp' queries the switch via SNMP using standard MIBs to obtain various information.
The information is then injected into the squid access logs (which can help auditors when analyzing the logs).

Switches that confirmed to function (at least in some degree):

  • HP Procurve 5400zl
  • HP Procurve 1810G 24GE
  • HP Procurve 2150-48
  • HP Procurve 2650
Note: The below examples will create/use a community called 'public'. You can replace each occurrence of 'public' with something that suits your needs.
In some examples an IP address might be mentioned. Change those to reflect your configuration.
Values such as <ip.of.switch> and other values marked as <something> should be replaced appropriately.

Configuring the switch

Enable SNMP Lookups

We need a 'SNMP community' configured on the switch (which has at least 'read-only' or 'restricted' permissions).
If your switch does not have such an 'SNMP community', you will need to create one.

Tip: Procedures on how to view/modify/create SNMP communities on a switch vary on depending on brand or model of the switch.
You will benefit from reading your manual to figure out how to apply the changes to your own switch.
Note: The upcoming examples assume you are using a "HP Procurve" switch.

Start by logging on to your switch (use telnet, ssh or a serial cable. The manual that came with your switch will describe how this is done for your switch).

View your snmp-server settings

Run the following command to view your current snmp-settings

show snmp-server

Create an SNMP community

In this case we will create an SNMP community called "public" and give it "restricted" rights.
We will also configure the switch to send SNMP replies from the same IP address as the one on which the corresponding SNMP request was received.

configure snmp-server community "public" restricted snmp-server response-source dst-ip-of-request exit

Run the above commands (exactly as they appear above) on all switches that the squark-auth-snmp plugin will run snmp queries against.

Warning: Your switch might need to be rebooted in order to apply the 'dst-ip-of-request' setting.


Link Layer Discovery Protocol

If you have multiple switches in your environment, Link Layer Discovery Protocol (LLDP) should be enabled in order for 'squark-auth-snmp' to work properly.
If the switch that you specify in the squark config below is a core switch (such as in a star topology network), and all the switches in your network have LLDP enabled (usually enabled by default), then your network topology should be automatically discoverable.

web-based authentication

Tip: It is possible to configure HP Procurve switches to do port-based web authentication.

A network device initiates traffic on a port, and is assigned to a "guest" vlan with limited or no network access.
A browser needs to be opened, and the user is given a user-name and password prompt.

For more information on configuring web-based authentication on an HP switch, see this link.

Configure squid & squark

Install squark

apk add squark

Configure squid

We assume you have installed squid and done some initial configuration to get it working.
The below examples should replace or append values to your working '/etc/squid/squid.conf'.

Tip: Consult http://wiki.squid-cache.org/ when configuring squid

General squid.conf modifications

Change (or edit) '/etc/squid/squid.conf' to reflect the following:

# Logging
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG
access_log /var/log/squid/access.log squark

# Permissions
cache_effective_user squid
cache_effective_group squid

# Allow hosts on <some.zone> to access internet
http_access allow <some.zone> Zone_SquarkAuth

As you can see in the above example, we refer to the acl "Zone_SquarkAuth" which is not yet created.
The following examples will describe how to create it, depending on your needs.

Configure squark-auth-snmp to use SNMPv2c

Change (or edit) '/etc/squid/squid.conf' to reflect the following:

# External ACL squid auth helper
external_acl_type squark_auth children-startup=1 children-max=1 ttl=1800 negative_ttl=60 concurrency=128 grace=10 \
  %SRC /usr/bin/squark-auth-snmp -f "%N-%i-%M" -c public -r 10.82.96.1 -i eth1.96 -R 10.82.72.226 -v 96
acl Zone_SquarkAuth external squark_auth
Tip: For more information on the 'squark_auth' options available, run the command 'man squark-auth-snmp' in your terminal or browse the squark git tree.

Configure net-snmp

Install net-snmp

apk add net-snmp

Configure net-snmp

Basic configuration

Modify '/etc/snmp/snmpd.conf' to reflect at least the following:

rocommunity public default
syslocation  "Location of our equipment"
sysservices  15
syscontact  "ComputerDept <computerdept@foo.bar>"

SNMPv3 Configuration (optional)

Squark will use the configuration specified in '/etc/snmp/snmp.conf' when snmpv3 is specified as the preferred version of SNMP to use. Ensure that you have at least the following in /etc/snmp/snmp.conf:

defContext none
defSecurityName <username>
defAuthPassphrase <password>
defVersion 3
defAuthType MD5
defSecurityLevel authNoPriv
Note: Adjust the above as dictated by the SNMPv3 configuration on your switch.

Start using it

Start it all up

/etc/init.d/squid start /etc/init.d/snmpd start

Make sure to configure you services to autostart at next reboot

rc-update add squid default rc-update add snmpd default

Debugging

Squark

If you are having trouble getting 'squark-auth-snmp' to give you the data you are wanting to see, you could run 'squark-auth-snmp' standalone in a terminal to debug your syntax.

Run the 'squark-auth-snmp' command with the options you are planning to use (below is just a example on how that might look):

/usr/bin/squark-auth-snmp -f "%N-%i-%M" -c public -r 10.82.72.221 -i eth1.96 -v 96

Note: Running 'squark-auth-snmp' standalone in a terminal will not give you information on nearby switches. You would need to configure 'squark-auth-snmp' to ask a specific switch in order to query it for valid results.

You will end up in the squark-proxy-cli mode.
Feed the CLI with 2 values separated with a whitespace.

  1. An index (this could basically be anything without a whitespace)
  2. An IP address of a host connected to your switch(es)

The command entered in the CLI could look like this:

a 10.82.96.123

Either you get "a ERR" or "a OK user=<switchname>_<portname>_<mac address>" result which will help you in your debugging.