User:Mhavela/squark-auth-snmp: Difference between revisions

From Alpine Linux
(Introduction)
 
No edit summary
Line 5: Line 5:
'squark-auth-snmp' queries the switch via SNMP using standard MIBs to obtain various information.<BR>
'squark-auth-snmp' queries the switch via SNMP using standard MIBs to obtain various information.<BR>
The information is then injected into the squid access logs ''(which can help auditors when analysing the logs)''.<BR>
The information is then injected into the squid access logs ''(which can help auditors when analysing the logs)''.<BR>
{{todo|Mention lldp above?}}


Switches that confirmed to function at least in some degree:<BR>
Switches that confirmed to function (at least in some degree):<BR>
* HP Procurve 5400zl
* HP Procurve 5400zl
* HP Procurve 1810G 24GE
* HP Procurve 1810G 24GE
Line 15: Line 14:
{{Note|For more information see the 'squark-auth-snmp' documentation [http://git.alpinelinux.org/cgit/squark/tree/ here] ''(git tree)''}}
{{Note|For more information see the 'squark-auth-snmp' documentation [http://git.alpinelinux.org/cgit/squark/tree/ here] ''(git tree)''}}


=== Enable SNMP Lookups on HP Procurve Device ===
== Configuring the switch ==
{{todo|We need to mention/document "lldp" somewhere}}


Create an SNMP read-only community on your HP Procurve Switch, or use one that already exists (the following example uses "public" as a community name - adjust as you like):
=== Enable SNMP Lookups ===
We need a 'SNMP community' configured on the switch (which has at least 'read-only' or 'restricted' permissions).<BR>
If your switch does not have such 'SNMP community', you will need to create one.
{{Note|Procedures on how to view/modify/create SNMP communities on a switch varies on depending on brand or model of the switch.<BR>You will need to read you manual to figure out how to apply the changes to your own switch.<BR>The upcoming examples assumes you are using a "HP Procurve" switch.}}
 
Start by loggin on to your switch ''(use telnet, ssh or a serial cable. The manual that came with your switch will describe how this is done for your switch)''.
 
==== View your snmp-server settings ====
Run the following command to view your current snmp-settings
{{cmd|show snmp-server}}
 
==== Create a SNMP community ====
In this case we will create a SNMP community called "public" and giving it "restricted" rights.<BR>
We will also configure the switch to send SNMP replies from the same IP address as the one on which the corresponding SNMP request was received.


{{cmd|configure
{{cmd|configure
Line 24: Line 37:
exit }}
exit }}


The 2nd last command ensures that the SNMP replies are always returned from the switch's primary management interface. Run the above commands on all switches that the squark-auth plugin will run snmp queries against. Run them exactly as they appear.
Run the above commands ''(exactly as they appear above)'' on all switches that the squark-auth-snmp plugin will run snmp queries against.


=== Install Squark and Configure Squid ===
== Configure squid & squark ==


=== Install and configure squark ===
{{cmd|apk add squark}}
{{cmd|apk add squark}}


The squark-auth binary used by squid is copied into the /usr/local/bin directory. All further configuration is done in /etc/squid/squid.conf:
=== Install and configure squid ===


{{Note| The following configuration assumes that you are using SNMPv2c}}
{{Todo|What does "The following configuration assumes that you are using SNMPv2c" mean?}}


<pre>
<pre>
Line 54: Line 68:
{{Note| If you have multiple switches in your environment, Link Layer Discovery Protocol (LLDP) should be enabled in order for squark-auth to work properly. If the IP of the switch that you have specified is a core switch (such as in a star topology network, and the all the switches in your network have LLDP enabled (usually enabled by default), then your network topology should be automatically discoverable.}}
{{Note| If you have multiple switches in your environment, Link Layer Discovery Protocol (LLDP) should be enabled in order for squark-auth to work properly. If the IP of the switch that you have specified is a core switch (such as in a star topology network, and the all the switches in your network have LLDP enabled (usually enabled by default), then your network topology should be automatically discoverable.}}


{{Note| For more information on the squark_auth options available, run the command '''man squark-auth'''.}}
{{Note| For more information on the squark_auth options available, run the command '''man squark-auth-snmp'''.}}


=== Optional: SNMP v3 Configuration ===
=== Optional: SNMP v3 Configuration ===

Revision as of 07:50, 22 December 2011

This material is work-in-progress ...

Do not follow instructions here until this notice is removed.
(Last edited by Mhavela on 22 Dec 2011.)

Using squark-auth-snmp

Introduction

This document describes how to use 'squark-auth-snmp' as squid authentication helper to obtain a username or other useful information from a switch.
'squark-auth-snmp' queries the switch via SNMP using standard MIBs to obtain various information.
The information is then injected into the squid access logs (which can help auditors when analysing the logs).

Switches that confirmed to function (at least in some degree):

  • HP Procurve 5400zl
  • HP Procurve 1810G 24GE
Todo: Confirm if "HP Procurve 2150-48" works


Todo: Confirm if "HP Procurve 2650" works


Note: For more information see the 'squark-auth-snmp' documentation here (git tree)

Configuring the switch

Todo: We need to mention/document "lldp" somewhere


Enable SNMP Lookups

We need a 'SNMP community' configured on the switch (which has at least 'read-only' or 'restricted' permissions).
If your switch does not have such 'SNMP community', you will need to create one.

Note: Procedures on how to view/modify/create SNMP communities on a switch varies on depending on brand or model of the switch.
You will need to read you manual to figure out how to apply the changes to your own switch.
The upcoming examples assumes you are using a "HP Procurve" switch.

Start by loggin on to your switch (use telnet, ssh or a serial cable. The manual that came with your switch will describe how this is done for your switch).

View your snmp-server settings

Run the following command to view your current snmp-settings

show snmp-server

Create a SNMP community

In this case we will create a SNMP community called "public" and giving it "restricted" rights.
We will also configure the switch to send SNMP replies from the same IP address as the one on which the corresponding SNMP request was received.

configure snmp-server community "public" restricted snmp-server response-source dst-ip-of-request exit

Run the above commands (exactly as they appear above) on all switches that the squark-auth-snmp plugin will run snmp queries against.

Configure squid & squark

Install and configure squark

apk add squark

Install and configure squid

Todo: What does "The following configuration assumes that you are using SNMPv2c" mean?


#external ACL squid auth helper
# Squark authentication external acl
external_acl_type squark_auth children=1 ttl=1800 negative_ttl=60 concurrency=128 grace=10 %SRC /usr/local/bin/squark-auth -c <communityname> -r <ip.of.switch> -i VLAN<id> -v <id>
acl Zone_D_SquarkAuth external squark_auth

Replace <communityname> with the SNMPv2 community name you have configured on your switch. Replace <ip.of.switch> with the IP of your switch, and replace <id> with the VLAN Id number of the VLAN that the clients will be connected to.

Here is an example to illustrate how the above configuration could look:

#external ACL squid auth helper
# Squark authentication external acl
external_acl_type squark_auth children=1 ttl=1800 negative_ttl=60 concurrency=128 grace=10 %SRC /usr/local/bin/squark-auth -c public -r 192.168.0.1 -i VLAN5 -v 5
acl Zone_D_SquarkAuth external squark_auth
Note: If you have multiple switches in your environment, Link Layer Discovery Protocol (LLDP) should be enabled in order for squark-auth to work properly. If the IP of the switch that you have specified is a core switch (such as in a star topology network, and the all the switches in your network have LLDP enabled (usually enabled by default), then your network topology should be automatically discoverable.
Note: For more information on the squark_auth options available, run the command man squark-auth-snmp.

Optional: SNMP v3 Configuration

Squark will use the configuration specified in /etc/snmp/snmp.conf when snmpv3 is specified as the preferred version of SNMP to use.

Ensure that you have at least the following in /etc/snmp/snmp.conf:

defContext none
defSecurityName <username>
defAuthPassphrase <password>
defVersion 3
defAuthType MD5
defSecurityLevel authNoPriv

Adjust the above as dictated by the SNMP v3 configuration on your switch.