User:Mhavela/squark-auth-snmp: Difference between revisions

From Alpine Linux

Revision as of 09:23, 22 December 2011

This material is work-in-progress ...

Do not follow instructions here until this notice is removed.
(Last edited by Mhavela on 22 Dec 2011.)

Using squark-auth-snmp

Todo: Mention which versions of Alpine/squark this document applies to.


Introduction

This document describes how to use 'squark-auth-snmp' as a squid authentication helper (a squid external ACL helper) to obtain a username or other useful information from a switch.
'squark-auth-snmp' queries the switch via SNMP, using standard MIBs, to look up information about the client that made the request.
That information is then injected into the squid access logs, which helps auditors when analysing the logs.
Keep in mind what this identity is: it is derived from what the switch reports about the client's address, not from credentials the user presents. It is therefore only as reliable as the switch's tables and the client's addressing, and should be treated as an audit aid rather than as strong authentication.

Switches confirmed to work (at least to some degree):

  • HP Procurve 5400zl
  • HP Procurve 1810G 24GE
Todo: Confirm whether "HP Procurve 2150-48" works.
Todo: Confirm whether "HP Procurve 2650" works.


Note: The examples below create/use a community called 'public'. Replace every occurrence of 'public' with a name that suits your needs; 'public' is the well-known default, and the community string travels in clear text in every SNMPv1/v2c packet, so treat it like a password and, where the switch supports it, restrict which source addresses are allowed to use it.
Some examples mention an IP address; change it to reflect your configuration.
Values such as <ip.of.switch> and other values marked <something> should be replaced appropriately.

Configuring the switch

Enable SNMP Lookups

We need an SNMP community configured on the switch with at least 'read-only' or 'restricted' permissions (the helper only reads from the switch, so never give it a community with write access).
If your switch does not have such an SNMP community, you will need to create one.

Tip: How to view/modify/create SNMP communities varies with the brand and model of the switch.
Read your switch's manual to find out how to apply the changes to your own switch.
Note: The upcoming examples assume you are using an HP Procurve switch.

Start by logging in to your switch (use telnet, ssh or a serial cable; the manual that came with your switch describes how this is done for your switch). Prefer ssh or the serial console over telnet, which sends your login credentials in clear text.

View your snmp-server settings

Run the following command to view your current snmp-settings

show snmp-server

Create a SNMP community

In this case we create an SNMP community called "public" and give it "restricted" rights.
We also configure the switch to send SNMP replies from the same IP address on which the corresponding SNMP request was received; otherwise a switch with several IP addresses may answer from a different one, and a stateful firewall or the client may not match the reply to the request.

configure
snmp-server community "public" restricted
snmp-server response-source dst-ip-of-request
exit

Run the above commands (exactly as they appear above) on all switches that the squark-auth-snmp plugin will run snmp queries against.

Link Layer Discovery Protocol

If you have multiple switches in your environment, Link Layer Discovery Protocol (LLDP) should be enabled in order for 'squark-auth-snmp' to work properly.
If the IP of the switch that you have specified is a core switch (such as in a star topology network), and all the switches in your network have LLDP enabled (usually enabled by default), then your network topology should be automatically discoverable.

Todo: Document how to configure and debug lldp


Configure squid & squark

Install squark

apk add squark

Configure squid

We assume you have installed squid and done the initial configuration needed to get it working.
The examples below replace or append values in your working '/etc/squid/squid.conf'.

Tip: Consult http://wiki.squid-cache.org/ when configuring squid

General squid.conf modifications

Change (or edit) '/etc/squid/squid.conf' to reflect the following:

# Logging
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG
access_log /var/log/squid/access.log squark

# Permissions
cache_effective_user squid
cache_effective_group squid

# Allow hosts on <some.zone> to access internet
http_access allow <some.zone> Zone_SquarkAuth

The http_access line above refers to the ACL "Zone_SquarkAuth", which has not been defined yet; listing two ACLs on one http_access line means both must match, so a request is allowed only when the client is in <some.zone> and the helper answered OK for it.
The following section describes how to define that ACL depending on your needs.
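The point of the 'squark' logformat above is that the helper's answer lands in the %un field of every access.log line, where an auditor can work with it. The following is an added example (not part of squark or Squid) that parses lines in exactly that field order and pulls out the three things worth looking at first: requests per switch-derived identity, requests the helper could not attribute at all, and identities that show up from more than one client IP. The sample log lines are constructed; their user strings assume the helper was started with -f "%N-%i-%M" and that this yields a "<switch>-<port>-<mac>" layout, which is an assumption and not something this page documents.

```python
"""Parse Squid access logs written with the 'squark' logformat from this page
and pick out what an auditor would look at first.

Added example, not part of squark or Squid. Field order follows the logformat
line above:  %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG
The log lines below are constructed. Their user strings assume the helper was
run with -f "%N-%i-%M" and that this yields "<switch>-<port>-<mac>"; that
layout is an assumption, not something this page documents.
"""
from collections import Counter, defaultdict
from typing import NamedTuple


class SquarkRecord(NamedTuple):
    ts: float        # %ts.%03tu  request time, seconds since epoch
    elapsed_ms: int  # %6tr       response time in ms (left-padded by squid)
    client: str      # %>a        client IP; this is what %SRC hands the helper
    status: str      # %Ss        squid result code, e.g. TCP_MISS
    http_code: int   # %>Hs       HTTP status sent to the client
    size: int        # %<st       reply size in bytes
    method: str      # %rm
    url: str         # %ru
    user: str        # %un        identity returned by squark-auth-snmp, "-" if none
    hier: str        # %Sh        hierarchy code, e.g. DIRECT
    server: str      # %<A        server FQDN/IP, "-" for hits
    mime: str        # %mt
    extra: str       # %rG        left opaque here


def parse_line(line):
    """Split one 'squark' access.log line into a SquarkRecord (11 fields)."""
    f = line.split()
    if len(f) != 11:
        raise ValueError(f"expected 11 fields, got {len(f)}: {line!r}")
    status, http_code = f[3].split("/", 1)
    hier, server = f[8].split("/", 1)
    return SquarkRecord(float(f[0]), int(f[1]), f[2], status, int(http_code),
                        int(f[4]), f[5], f[6], f[7], hier, server, f[9], f[10])


def parse_log(text):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def unidentified(records):
    """Requests the helper could not attribute: the switch lookup failed or the
    client is not on the monitored VLAN. These deserve a second look."""
    return [r for r in records if r.user == "-"]


def requests_per_identity(records):
    return Counter(r.user for r in records if r.user != "-")


def identities_with_multiple_clients(records):
    """Same switch-derived identity seen from more than one client IP.
    Usually a DHCP re-lease or a stale helper cache entry (ttl=), but it is
    also what IP spoofing behind a known port would look like."""
    seen = defaultdict(set)
    for r in records:
        if r.user != "-":
            seen[r.user].add(r.client)
    return {u: ips for u, ips in seen.items() if len(ips) > 1}


# Constructed sample log; addresses and identities are made up.
SAMPLE_LOG = """\
1324545030.123    215 10.82.96.55 TCP_MISS/200 4512 GET http://example.com/ sw-core-B12-00:11:22:33:44:55 DIRECT/93.184.216.34 text/html -
1324545031.004     12 10.82.96.55 TCP_HIT/200 1024 GET http://example.com/logo.png sw-core-B12-00:11:22:33:44:55 NONE/- image/png -
1324545032.500    340 10.82.96.99 TCP_MISS/200 8192 GET http://example.org/ - DIRECT/93.184.216.34 text/html -
1324545033.010      0 10.82.96.77 TCP_DENIED/403 1234 CONNECT mail.example.net:443 - HIER_NONE/- text/html -
1324545040.000    100 10.82.96.56 TCP_MISS/200 100 GET http://example.com/x sw-core-B12-00:11:22:33:44:55 DIRECT/93.184.216.34 text/html -
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("requests per identity:", dict(requests_per_identity(recs)))
    print("unattributed:", [(r.client, r.url) for r in unidentified(recs)])
    print("identity seen from several clients:", identities_with_multiple_clients(recs))
```

Run it against your real access.log by feeding the file contents to parse_log. If %un is "-" for most lines, the helper is not answering for those clients (wrong VLAN, wrong community, or LLDP not reaching the edge switch), and the logs are not giving auditors what this setup promises.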

Configure squark-auth-snmp to use SNMPv2c

Change (or edit) '/etc/squid/squid.conf' to reflect the following:

# External ACL squid auth helper
external_acl_type squark_auth children-startup=1 children-max=1 ttl=5 negative_ttl=2 concurrency=128 grace=10 \
  %SRC /usr/bin/squark-auth-snmp -f "%N-%i-%M" -c public -r 10.82.96.1 -i eth1.96 -R 10.82.72.226 -v 96
acl Zone_SquarkAuth external squark_auth
Replace 'public' with the SNMPv2c community name you configured on the switch, the -r value with the IP of your switch, the -i value with the interface name (here eth1.96) and the -v value with the id of the VLAN your clients are connected to; -R and -f are described in the man page. Squid caches each helper answer for ttl= seconds (negative_ttl= for ERR answers): the low values above mean a client that moves to another port is re-resolved within seconds, at the cost of more SNMP queries, while a large ttl (for example 1800) keeps a stale identity in the logs until it expires. The helper is keyed only on %SRC, the client IP as seen by squid, so whatever the switch reports for that address is what ends up in the log; do not rely on it for clients that reach squid through NAT or another proxy.
Tip: For more information on the squark-auth-snmp options available, run the command 'man squark-auth-snmp' in your terminal or browse the squark git tree.
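Before relying on the external_acl_type line above, it pays to talk to the helper directly and see what it answers for a few client addresses. The following is an added example, not code from squark or Squid: it speaks the Squid external ACL helper protocol (with concurrency= set, squid writes "<channel-id> <%SRC value>" per line and the helper answers "<channel-id> OK [key=value ...]", "<channel-id> ERR [...]" or "<channel-id> BH [...]" for a helper failure). REAL_HELPER copies the argv from the squid.conf line above; FAKE_HELPER is a constructed stand-in whose replies and user strings are made up so the example runs without a switch. Whether the real helper answers ERR for an unknown client, and what its user string looks like, is not documented on this page and is assumed here.

```python
"""Exercise a Squid external ACL helper by hand before wiring it into squid.conf.

Added example for this page, not code from squark or Squid. It speaks the
Squid external_acl_type helper protocol: because the ACL above is declared
with concurrency=128, squid writes one request per line as
"<channel-id> <format-values>" (the format is %SRC, so the value is the
client IP) and the helper answers "<channel-id> OK [key=value ...]",
"<channel-id> ERR [...]" or "<channel-id> BH [...]" (helper failure).
REAL_HELPER copies the squid.conf line above; FAKE_HELPER is a constructed
stand-in whose replies and user strings are made up.
"""
import shlex
import subprocess
import sys

REAL_HELPER = ["/usr/bin/squark-auth-snmp", "-f", "%N-%i-%M", "-c", "public",
               "-r", "10.82.96.1", "-i", "eth1.96", "-R", "10.82.72.226", "-v", "96"]

# Constructed stand-in: knows two clients, answers ERR for anyone else.
FAKE_HELPER_SOURCE = r'''
import sys
known = {"10.82.96.55": "sw-core-B12-00:11:22:33:44:55",
         "10.82.96.56": "sw-core-B13-00:11:22:33:44:66"}
for line in sys.stdin:
    parts = line.split()
    if len(parts) != 2:
        print((parts[0] if parts else "0") + " BH message=malformed", flush=True)
        continue
    chan, ip = parts
    user = known.get(ip)
    print(f"{chan} OK user={user}" if user else f"{chan} ERR", flush=True)
'''
FAKE_HELPER = [sys.executable, "-c", FAKE_HELPER_SOURCE]


def parse_reply(line):
    """Parse '<chan> OK|ERR|BH [key=value ...]' into (chan, verdict, {key: value})."""
    fields = shlex.split(line.strip())        # squid allows quoted values: user="a b"
    if len(fields) < 2 or not fields[0].isdigit():
        raise ValueError(f"malformed helper reply: {line!r}")
    chan, verdict = int(fields[0]), fields[1]
    if verdict not in ("OK", "ERR", "BH"):
        raise ValueError(f"unknown verdict in reply: {line!r}")
    kv = {}
    for item in fields[2:]:
        key, _, value = item.partition("=")
        kv[key] = value
    return chan, verdict, kv


def query_helper(argv, client_ips):
    """Send one lookup per client IP, each on its own channel, and map the
    replies back by channel id. Returns {client_ip: (verdict, kv)}."""
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            text=True)
    requests = "".join(f"{chan} {ip}\n" for chan, ip in enumerate(client_ips))
    out, _ = proc.communicate(requests)      # closes stdin; the helper exits on EOF
    results = {}
    for line in out.splitlines():
        chan, verdict, kv = parse_reply(line)
        results[client_ips[chan]] = (verdict, kv)
    missing = [ip for ip in client_ips if ip not in results]
    if missing:
        raise RuntimeError(f"helper gave no reply for {missing}")
    return results


if __name__ == "__main__":
    # Run with --real on the proxy host to query the actual switch via the helper.
    helper = REAL_HELPER if "--real" in sys.argv else FAKE_HELPER
    for ip, (verdict, kv) in query_helper(helper, ["10.82.96.55", "10.82.96.99"]).items():
        print(f"{ip}: {verdict} user={kv.get('user', '-')}")
```

On the proxy host, run it with --real as the squid user (the cache_effective_user from squid.conf) so that file permissions and SNMP reachability are tested under the same identity squid will use. An OK with an empty or odd user= string, or BH for every address, points at the helper's own arguments (community, switch IP, VLAN) rather than at squid.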

Configure net-snmp

Note: '/etc/snmp/snmpd.conf' configures the SNMP agent (snmpd) running on the Alpine host itself, i.e. what the proxy box answers when somebody queries it. squark-auth-snmp is an SNMP client that queries the switch, so a local snmpd is not involved in that lookup; the client-side SNMPv3 settings it does read live in '/etc/snmp/snmp.conf' (see below). If you run snmpd on the proxy anyway, do not leave 'rocommunity public default' in place: 'default' accepts queries from any source address, so give the directive your management subnet as its second argument and use a community name other than 'public'.
Todo: This might only be related to SNMPv3 usage.
Describe this section in a way that lets the user understand whether it is needed or not.


Install net-snmp

apk add net-snmp

Configure net-snmp

Basic configuration

Modify '/etc/snmp/snmpd.conf' to reflect at least the following:

rocommunity public default
syslocation  "Location of our equipment"
sysservices  15
syscontact  "ComputerDept <computerdept@foo.bar>"

SNMPv3 Configuration (optional)

Squark uses the settings in '/etc/snmp/snmp.conf' when SNMPv3 is selected as the SNMP version to use. Ensure that you have at least the following in /etc/snmp/snmp.conf:

defContext none
defSecurityName <username>
defAuthPassphrase <password>
defVersion 3
defAuthType MD5
defSecurityLevel authNoPriv
Note: Adjust the above to match the SNMPv3 user configured on your switch. authNoPriv with MD5 authenticates the exchange but does not encrypt it; if the switch supports it, prefer SHA for authentication and the authPriv security level with an encryption passphrase (defPrivType and defPrivPassphrase in snmp.conf) so that the MIB data is not sent in the clear. Since this file holds the passphrase, make it readable only by the user the helper runs as (the cache_effective_user set in squid.conf).

Start using it

Start it all up

/etc/init.d/squid start
/etc/init.d/snmpd start

Make sure to configure your services to autostart at next reboot

rc-update add squid default
rc-update add snmpd default