Send netdisco-users mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.sourceforge.net/lists/listinfo/netdisco-users
or, via email, send a message with subject or body 'help' to
[email protected]
You can reach the person managing the list at
[email protected]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of netdisco-users digest..."
Today's Topics:
1. AD/LDAP support for Netdisco (Michael Dano)
2. Re: AD/LDAP support for Netdisco (Oliver Gorwits)
3. Re: ArpNipping Linux Net-SNMP fails (Oliver Gorwits)
4. Re: ArpNipping Linux Net-SNMP fails (David Baldwin)
5. Re: AD/LDAP support for Netdisco (Natxo Asenjo)
6. Re: Cisco 877 MacSucks and Arpnips not working (Jeroen van Ingen)
--- Begin Message ---
I have deployed Netdisco 2 successfully in our environment and I'm now
trying to integrate the authentication into our AD. I have AD
authentication working via the default IP:port site, but the issue is that
the traffic from that site is clear text. Looking in the documentation I
found that it is suggested to use Apache as an SSL reverse proxy for
securing this. I have set up Apache on the box and have the proxy working
(I think). My issue currently is that after following the documentation the
LDAP auth still seems to be clear text. So I then tried to set up the LDAP
auth to be passed through Apache2 to the Netdisco box, but that does not
seem to be working at all.
So my question is: does anybody have directions that they have followed to
link Netdisco to Active Directory via secure LDAP? I'm not really strong in
the Linux department, better with Windows and network hardware, so any help
would be great.
Mike Dano
IT Engineer
Security Services
Baker College
Information Technology
--- End Message ---
--- Begin Message ---
Hi Mike,
On 2015-03-05 16:06, Michael Dano wrote:
> So my question is does anybody have directions that they have followed
> to link Netdisco to Active Directory via Secure LDAP. I'm not really
> strong in the Linux department, better with Windows and Network
> hardware so any help would be great.
I don't have a recipe, but I see two ways of doing it:
1. As you've configured, run HTTPS reverse proxy on Apache, and have
Netdisco do LDAP auth. Netdisco's LDAP config is really the same as the
Net::LDAP config.
See the LDAPS details here:
https://metacpan.org/pod/distribution/perl-ldap/lib/Net/LDAP.pod
2. Run HTTPS reverse proxy on Apache and add to that Apache LDAP
authentication. This means Apache will prompt the user for their
credentials and use LDAPS to authenticate. In addition, pass the
username from Apache to Netdisco and tell Netdisco to trust this
username.
See the mod_authnz_ldap docs:
http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#usingssl
The Netdisco docs for passing trusted username from Apache:
https://metacpan.org/pod/distribution/App-Netdisco/lib/App/Netdisco/Manual/Configuration.pod#trust_x_remote_user
I hope this helps,
regards,
oliver.
--- End Message ---
--- Begin Message ---
Hi Peter,
On 2015-03-05 14:21, Soppe, Peter wrote:
> What do I need to change on the linux server, that netdisco thinks it
> is arpnip-able?
Erm, I _think_ you can add some config to snmp.conf but I've never done
this myself:
https://metacpan.org/pod/SNMP::Info::Layer3::NetSNMP#NOTES
You can test by asking Netdisco for the "layers" response. This is a
bitmask mapping OSI layers to bits:
~netdisco/bin/netdisco-do show -d <IP-of-device> -e layers
> and could successfully start the ssh-collector (after installing some
> dependencies)
> This works now, thanks.
That's good news, many thanks for letting us know :)
regards,
oliver.
--- End Message ---
--- Begin Message ---
On 6/03/15 4:11 AM, Oliver Gorwits wrote:
> Hi Peter,
> On 2015-03-05 14:21, Soppe, Peter wrote:
>> What do I need to change on the linux server, that netdisco thinks it
>> is arpnip-able?
I think the magic is in SNMPv2-MIB::sysServices
From man snmpd.conf:
sysServices NUMBER
sets the value of the sysServices.0 object. For a host
system, a good value is 72 (application + end-to-end layers). If this
directive is not specified, then no value will be reported for the
sysServices.0 object.
$ snmptranslate -Td SNMPv2-MIB::sysServices
SNMPv2-MIB::sysServices
sysServices OBJECT-TYPE
-- FROM SNMPv2-MIB, RFC1213-MIB
SYNTAX INTEGER (0..127)
MAX-ACCESS read-only
STATUS current
DESCRIPTION "A value which indicates the set of services that this
entity may potentially offer. The value is a sum.
This sum initially takes the value zero. Then, for
each layer, L, in the range 1 through 7, that this node
performs transactions for, 2 raised to (L - 1) is added
to the sum. For example, a node which performs only
routing functions would have a value of 4 (2^(3-1)).
In contrast, a node which is a host offering application
services would have a value of 72 (2^(4-1) + 2^(7-1)).
Note that in the context of the Internet suite of
protocols, values should be calculated accordingly:
layer functionality
1 physical (e.g., repeaters)
2 datalink/subnetwork (e.g., bridges)
3 internet (e.g., supports the IP)
4 end-to-end (e.g., supports the TCP)
7 applications (e.g., supports the SMTP)
For systems including OSI protocols, layers 5 and 6
may also be counted."
::= { iso(1) org(3) dod(6) internet(1) mgmt(2) mib-2(1) system(1) 7 }
> Erm, I _think_ you can add some config to snmp.conf but I've never done
> this myself:
> https://metacpan.org/pod/SNMP::Info::Layer3::NetSNMP#NOTES
> You can test by asking Netdisco for the "layers" response. This is a
> bitmask mapping OSI layers to bits:
> ~netdisco/bin/netdisco-do show -d <IP-of-device> -e layers
>> and could successfully start the ssh-collector (after installing some
>> dependencies)
>> This works now, thanks.
> That's good news, many thanks for letting us know :)
> regards,
> oliver.
--
David Baldwin - Senior Systems Administrator (Datacentres + Networks)
Information and Communication Technology Services
Australian Sports Commission http://ausport.gov.au
Tel 02 62147830 Fax 02 62141830 PO Box 176 Belconnen ACT 2616
[email protected] 1 Leverrier Street Bruce ACT 2617
--- End Message ---
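The sysServices arithmetic quoted in David's message, as an added example that is not code from the thread or from Netdisco: it encodes a set of layers into the sysServices integer, decodes an integer back into layers, and renders the value as the 8-character bit string that SNMP::Info's "layers" debug output shows (the Cisco 877 later in this digest logs layers:00000110). Layer names follow the MIB text; the 8-bit rendering is assumed to be the value in plain binary with layer 1 rightmost.

```python
# Added example (not from the mailing list or from Netdisco): encode and decode
# SNMPv2-MIB::sysServices exactly as the MIB text defines it, i.e. each layer L
# in 1..7 that the node performs transactions for adds 2^(L-1) to the sum.

LAYER_NAMES = {
    1: "physical",
    2: "datalink/subnetwork",
    3: "internet",
    4: "end-to-end",
    5: "session (OSI only)",
    6: "presentation (OSI only)",
    7: "applications",
}


def sys_services(layers):
    """sysServices integer for an iterable of layer numbers (1..7)."""
    value = 0
    for layer in set(layers):
        if layer not in LAYER_NAMES:
            raise ValueError("layer must be in 1..7, got %r" % (layer,))
        value += 2 ** (layer - 1)
    return value


def decode_sys_services(value):
    """Sorted list of layers encoded in a sysServices value (INTEGER 0..127)."""
    if not 0 <= value <= 127:
        raise ValueError("sysServices is INTEGER (0..127), got %r" % (value,))
    return [layer for layer in LAYER_NAMES if value & (1 << (layer - 1))]


def layers_bitstring(value):
    """The 8-character bit string SNMP::Info's 'layers' debug output shows
    (assumed here to be the value in plain binary, layer 1 rightmost)."""
    return format(value, "08b")


def describe(value):
    """Human-readable layer list, e.g. 72 -> '4=end-to-end, 7=applications'."""
    return ", ".join("%d=%s" % (l, LAYER_NAMES[l]) for l in decode_sys_services(value))


if __name__ == "__main__":
    # 72 is the snmpd.conf man page's host value; 6 is what the Cisco 877 later
    # in this digest reported (layers:00000110); 4 is the MIB's router example.
    for v in (72, 6, 4):
        print("%3d %s %s" % (v, layers_bitstring(v), describe(v)))
```

Decoding 72 shows it carries only layers 4 and 7, which is the quickest way to see what a given sysServices setting does and does not advertise.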
--- Begin Message ---
Hi,
On Thu, Mar 5, 2015 at 5:06 PM, Michael Dano <[email protected]> wrote:
>
> I have deployed Netdisco 2 successfully in our environment and I’m now
> trying to integrate the authentication into our AD. I have AD
> authentication working via the default IP:port site, but the issue is that
> the traffic from that site is clear text. Looking in the documentation I
> found that it is suggested to use Apache as a SSL Reverse Proxy for
> securing this. I have set up Apache on the box and have the proxy working
> (I think). My issue currently is after following the documentation the LDAP
> auth still seems to be clear text. So I then tried to set up the LDAP Auth
> to be passed through Apache2 to the netdisco box but that does not seem to
> be working at all.
>
>
You need to show the (sanitized) Apache LDAP config then. If you do ldap
instead of ldaps or ldap+tls, then it will still be just ldap without
encryption even though the web session between the Apache host and the
browser will be secure (so the insecure connection will be between the
Apache reverse proxy and the AD LDAP servers, which might be more
acceptable if you trust your server LAN, although I would go with secure
connections everywhere).
--
Groeten,
natxo
--- End Message ---
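Oliver's option 2 with Natxo's point applied, as an added example that is not from the thread or from the Netdisco project: an Apache 2.2 reverse-proxy fragment showing the weak setting (ldap:// to the domain controllers, which is why the LDAP leg stays clear text behind an HTTPS front) beside the corrected one (ldaps:// with the issuing CA pinned and the server certificate verified), and the authenticated name handed to Netdisco in the X-REMOTE-USER header. Hostnames, DNs, ports, file paths and the service account are assumptions.

```apache
# Added example, not from the thread or the Netdisco project. Hostnames, DNs,
# ports, paths and the service account are assumptions for illustration.

# WEAK (what "still clear text" looks like): plain ldap:// means the bind
# password and every user's password cross the server LAN unencrypted, even
# though the browser-to-Apache leg is HTTPS.
#   AuthLDAPURL "ldap://dc1.example.org:389/DC=example,DC=org?sAMAccountName?sub?(objectClass=user)"

# Corrected: LDAPS, with the AD issuing CA pinned and the server certificate
# verified (mod_ldap directives, server-wide scope).
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/example-ad-root-ca.pem
LDAPVerifyServerCert On

<VirtualHost *:443>
    ServerName netdisco.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/netdisco.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/netdisco.example.org.key

    <Location />
        AuthType Basic
        AuthName "Netdisco"
        AuthBasicProvider ldap
        AuthLDAPURL "ldaps://dc1.example.org:636/DC=example,DC=org?sAMAccountName?sub?(objectClass=user)"
        # a low-privilege, read-only directory account, never a domain admin
        AuthLDAPBindDN "CN=svc-netdisco,OU=Service Accounts,DC=example,DC=org"
        AuthLDAPBindPassword "REPLACE-ME"
        Require valid-user
    </Location>

    # Pass the name Apache authenticated on to Netdisco (Apache 2.2 idiom:
    # look ahead with LA-U so REMOTE_USER is known before the proxy phase).
    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule .* - [E=RU:%1]
    RequestHeader set X-REMOTE-USER %{RU}e

    # Netdisco's own listener, assumed to be on its default port 5000.
    ProxyPass        / http://127.0.0.1:5000/
    ProxyPassReverse / http://127.0.0.1:5000/
</VirtualHost>
```

Netdisco then needs trust_x_remote_user set to true (the manual page Oliver linked); since that makes Netdisco believe whatever the header says, its own listener must be reachable only through this proxy and not directly from the network.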
--- Begin Message ---
Hi Muris,
Looks like the arpnip is working:
> [10.16.192.118] 10.17.170.23 : b8:ca:3a:78:54:3d
> [10.16.192.118] 00:1b:90:cb:ea:e8 is a port on device 10.16.192.118 ...
> skipping
> [10.16.192.118] 10.17.170.22 : 00:23:24:2f:8f:cc
> [10.16.192.118] 10.17.170.24 : 64:51:06:3c:9c:cc
> [10.16.192.118] 10.17.170.21 : 18:03:73:c9:c0:75
> [10.16.192.118] Processed 4 ARP Cache entries.
...but the macsuck gets SNMP timeouts:
> SNMP::Info::_load_attr qb_fw_port : Q-BRIDGE-MIB::dot1qTpFdbPort :
> .1.3.6.1.2.1.17.7.1.2.2.1.2
> SNMP::Info::_load_atrr: BULKWALK Timeout at /usr/sbin/netdisco line 3170
> SNMP::Info::_load_attr orig_fw_port : BRIDGE-MIB::dot1dTpFdbPort :
> .1.3.6.1.2.1.17.4.3.1.2
> SNMP::Info::_load_atrr: BULKWALK Timeout at /usr/sbin/netdisco line 3170
and Netdisco has to know where a MAC is located before it will display
the corresponding ARP data. So once the macsuck issue is fixed you'll
probably see the connected hosts.
Could you try using snmpwalk and snmpbulkwalk from the command line to
see if the 877 returns any data?
snmpwalk -v2c -c <community> 10.16.192.118 .1.3.6.1.2.1.17.7.1.2.2.1.2
snmpbulkwalk -v2c -c <community> 10.16.192.118 .1.3.6.1.2.1.17.7.1.2.2.1.2
If snmpwalk works and snmpbulkwalk doesn't, iirc you can use
"bulkwalk_no" in netdisco.conf to force normal snmpwalks when retrieving
data from this device.
Regards,
Jeroen van Ingen
ICT Service Centre
University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands
On 03/04/2015 06:51 AM, Muris wrote:
Hello,
I am trying to run an arpnip/macsuck from Cisco 877s; however, I am unable
to do so in Netdisco 1.3.
For some reason Cisco 877s do not work with macsucks and arpnips, and
show connected hosts. Is there any reason why it should not work on
Cisco 877s? Has anyone come across this?
I had suggestions to change it from being detected as a Layer3::Cisco
device to Layer3::C3550 or Layer3::C6500, but it still doesn't pick up anything.
Here is a debug of macsuck and arpnip off an 877. Can anyone give any
clue to get the hosts working and displaying as connected devices?
Thanks in advance
netdisco -D -A 10.16.192.118
n e t d i s c o
--------------------------------------------------
Using Config File : /usr/share/netdisco/netdisco.conf
arpnip(10.16.192.118) :
get_device(10.16.192.118)
get_device(10.16.192.118) - Connecting using cached info:
10.16.192.118/e/2
create_device(10.16.192.118,e,2*,AutoSpecify,bw:default)
SNMP::Info::_global layers : SNMPv2-MIB::sysServices.0 : .1.3.6.1.2.1.1.7.0
SNMP::Info::_global description : SNMPv2-MIB::sysDescr.0 :
.1.3.6.1.2.1.1.1.0
SNMP::Info::_global id : SNMPv2-MIB::sysObjectID.0 : .1.3.6.1.2.1.1.2.0
SNMP::Info 3.11
SNMP::Info::device_type() layers:00000110 id:9 sysDescr:"Cisco IOS
Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(6)T7,
RELEASE SOFTWARE (fc5) Technical Support:
http://www.cisco.com/techsupport Copyright (c) 1986-2007 by Cisco
Systems, Inc. Compiled Thu 29-Mar-07 11:37 by khuie"
SNMP::Info::specify() - Changed Class to SNMP::Info::Layer3::C6500.
SNMP::Info::_global layers : SNMPv2-MIB::sysServices.0 : .1.3.6.1.2.1.1.7.0
SNMP::Info::_global description : SNMPv2-MIB::sysDescr.0 :
.1.3.6.1.2.1.1.1.0
[10.16.192.118] Device Type : SNMP::Info::Layer3::C6500
mac_getportmacs() ... found 97688 MACs.
SNMP::Info::_load_attr orig_at_paddr : IP-MIB::ipNetToMediaPhysAddress :
.1.3.6.1.2.1.4.22.1.2
SNMP::Info::_load_attr orig_at_netaddr : IP-MIB::ipNetToMediaNetAddress
: .1.3.6.1.2.1.4.22.1.3
[10.16.192.118] 10.17.170.23 : b8:ca:3a:78:54:3d
[10.16.192.118] 00:1b:90:cb:ea:e8 is a port on device 10.16.192.118 ...
skipping
[10.16.192.118] 10.17.170.22 : 00:23:24:2f:8f:cc
[10.16.192.118] 10.17.170.24 : 64:51:06:3c:9c:cc
[10.16.192.118] 10.17.170.21 : 18:03:73:c9:c0:75
[10.16.192.118] Processed 4 ARP Cache entries.
SNMP::Info::_load_attr ip_netmask : IP-MIB::ipAdEntNetMask :
.1.3.6.1.2.1.4.20.1.3
Found subnet 10.17.170.0/26
arpnip6(10.16.192.118) :
get_device(10.16.192.118)
get_device(10.16.192.118) - Connecting using cached info:
10.16.192.118/e/2
create_device(10.16.192.118,e,2*,AutoSpecify,bw:default)
SNMP::Info::_global layers : SNMPv2-MIB::sysServices.0 : .1.3.6.1.2.1.1.7.0
SNMP::Info::_global description : SNMPv2-MIB::sysDescr.0 :
.1.3.6.1.2.1.1.1.0
SNMP::Info::_global id : SNMPv2-MIB::sysObjectID.0 : .1.3.6.1.2.1.1.2.0
SNMP::Info 3.11
SNMP::Info::device_type() layers:00000110 id:9 sysDescr:"Cisco IOS
Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(6)T7,
RELEASE SOFTWARE (fc5) Technical Support:
http://www.cisco.com/techsupport Copyright (c) 1986-2007 by Cisco
Systems, Inc. Compiled Thu 29-Mar-07 11:37 by khuie"
SNMP::Info::specify() - Changed Class to SNMP::Info::Layer3::C6500.
SNMP::Info::_global layers : SNMPv2-MIB::sysServices.0 : .1.3.6.1.2.1.1.7.0
SNMP::Info::_global description : SNMPv2-MIB::sysDescr.0 :
.1.3.6.1.2.1.1.1.0
[10.16.192.118] Device Type : SNMP::Info::Layer3::C6500
SNMP::Info::_load_attr ip_n2p_phys_addr :
IP-MIB::ipNetToPhysicalPhysAddress : .1.3.6.1.2.1.4.35.1.4
SNMP::Info::_load_attr c_inet_phys_addr :
CISCO-IETF-IP-MIB::cInetNetToMediaPhysAddress :
.1.3.6.1.4.1.9.10.86.1.1.3.1.3
SNMP::Info::_load_attr i6_n2p_phys_addr :
IPV6-MIB::ipv6NetToMediaPhysAddress : .1.3.6.1.2.1.55.1.12.1.2
SNMP::Info::IPv6::ipv6_n2p_mac: data comes from none of the MIBs.
SNMP::Info::_load_attr ip_n2p_phys_addr :
IP-MIB::ipNetToPhysicalPhysAddress : .1.3.6.1.2.1.4.35.1.4
SNMP::Info::_load_attr c_inet_phys_addr :
CISCO-IETF-IP-MIB::cInetNetToMediaPhysAddress :
.1.3.6.1.4.1.9.10.86.1.1.3.1.3
SNMP::Info::_load_attr i6_n2p_phys_addr :
IPV6-MIB::ipv6NetToMediaPhysAddress : .1.3.6.1.2.1.55.1.12.1.2
SNMP::Info::IPv6::ipv6_n2p_addr: data comes from none of the MIBs.
[10.16.192.118] Processed 0 IPv6 Neighbor Cache entries.
netdisco -D -M 10.16.192.118
n e t d i s c o
--------------------------------------------------
Using Config File : /usr/share/netdisco/netdisco.conf
macsuck(10.16.192.118) :
load_old_devices()
mac_getportmacs() ... found 97688 MACs.
get_device(10.16.192.118)
get_device(10.16.192.118) - Connecting using cached info:
10.16.192.118/e/2
create_device(10.16.192.118,e,2*,AutoSpecify,bw:default)
SNMP::Info::_global layers : SNMPv2-MIB::sysServices.0 : .1.3.6.1.2.1.1.7.0
SNMP::Info::_global description : SNMPv2-MIB::sysDescr.0 :
.1.3.6.1.2.1.1.1.0
SNMP::Info::_global id : SNMPv2-MIB::sysObjectID.0 : .1.3.6.1.2.1.1.2.0
SNMP::Info 3.11
SNMP::Info::device_type() layers:00000110 id:9 sysDescr:"Cisco IOS
Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(6)T7,
RELEASE SOFTWARE (fc5) Technical Support:
http://www.cisco.com/techsupport Copyright (c) 1986-2007 by Cisco
Systems, Inc. Compiled Thu 29-Mar-07 11:37 by khuie"
SNMP::Info::specify() - Changed Class to SNMP::Info::Layer3::C6500.
SNMP::Info::_global layers : SNMPv2-MIB::sysServices.0 : .1.3.6.1.2.1.1.7.0
SNMP::Info::_global description : SNMPv2-MIB::sysDescr.0 :
.1.3.6.1.2.1.1.1.0
[10.16.192.118] Device Type : SNMP::Info::Layer3::C6500
SNMP::Info::_load_attr i_index : IF-MIB::ifIndex : .1.3.6.1.2.1.2.2.1.1
SNMP::Info::_load_attr i_description : IF-MIB::ifDescr :
.1.3.6.1.2.1.2.2.1.2
SNMP::Info::_load_attr qb_fw_port : Q-BRIDGE-MIB::dot1qTpFdbPort :
.1.3.6.1.2.1.17.7.1.2.2.1.2
SNMP::Info::_load_attr orig_fw_mac : BRIDGE-MIB::dot1dTpFdbAddress :
.1.3.6.1.2.1.17.4.3.1.1
SNMP::Info::_load_attr qb_fw_port : Q-BRIDGE-MIB::dot1qTpFdbPort :
.1.3.6.1.2.1.17.7.1.2.2.1.2
SNMP::Info::_load_attr orig_fw_port : BRIDGE-MIB::dot1dTpFdbPort :
.1.3.6.1.2.1.17.4.3.1.2
SNMP::Info::_load_attr bp_index : BRIDGE-MIB::dot1dBasePortIfIndex :
.1.3.6.1.2.1.17.1.4.1.2
[10.16.192.118] Device supports Cisco community string indexing.
Connecting to each VLAN:
SNMP::Info::_load_attr vtp_trunk_native :
CISCO-VTP-MIB::vlanTrunkPortNativeVlan : .1.3.6.1.4.1.9.9.46.1.6.1.1.5
SNMP::Info::_load_attr i_vlan2 : CISCO-VLAN-MEMBERSHIP-MIB::vmVlan :
.1.3.6.1.4.1.9.9.68.1.2.2.1.2
SNMP::Info::_load_attr vtp_trunk_dyn_stat :
CISCO-VTP-MIB::vlanTrunkPortDynamicStatus : .1.3.6.1.4.1.9.9.46.1.6.1.1.14
SNMP::Info::_load_attr v_cvi_if :
CISCO-VLAN-IFTABLE-RELATIONSHIP-MIB::cviRoutedVlanIfIndex :
.1.3.6.1.4.1.9.9.128.1.1.1.1.3
SNMP::Info::_load_attr v_name : CISCO-VTP-MIB::vtpVlanName :
.1.3.6.1.4.1.9.9.46.1.3.1.1.4
[10.16.192.118] VLANS : 1,1002,1003,1004,1005
create_device(10.16.192.118,e,2*,SNMP::Info::Layer3::C6500,bw:default)
SNMP::Info::_global layers : SNMPv2-MIB::sysServices.0 : .1.3.6.1.2.1.1.7.0
SNMP::Info::_global description : SNMPv2-MIB::sysDescr.0 :
.1.3.6.1.2.1.1.1.0
[10.16.192.118] Device Type : SNMP::Info::Layer3::C6500
[10.16.192.118] VLAN:default (1) :
SNMP::Info::clear_cache() - Cache Cleared.
SNMP::Info::_load_attr qb_fw_port : Q-BRIDGE-MIB::dot1qTpFdbPort :
.1.3.6.1.2.1.17.7.1.2.2.1.2
SNMP::Info::_load_atrr: BULKWALK Timeout at /usr/sbin/netdisco line 3169
SNMP::Info::_load_attr orig_fw_mac : BRIDGE-MIB::dot1dTpFdbAddress :
.1.3.6.1.2.1.17.4.3.1.1
SNMP::Info::_load_atrr: BULKWALK Timeout at /usr/sbin/netdisco line 3169
SNMP::Info::_load_attr qb_fw_port : Q-BRIDGE-MIB::dot1qTpFdbPort :
.1.3.6.1.2.1.17.7.1.2.2.1.2
SNMP::Info::_load_atrr: BULKWALK Timeout at /usr/sbin/netdisco line 3170
SNMP::Info::_load_attr orig_fw_port : BRIDGE-MIB::dot1dTpFdbPort :
.1.3.6.1.2.1.17.4.3.1.2
SNMP::Info::_load_atrr: BULKWALK Timeout at /usr/sbin/netdisco line 3170
SNMP::Info::_load_attr bp_index : BRIDGE-MIB::dot1dBasePortIfIndex :
.1.3.6.1.2.1.17.1.4.1.2
SNMP::Info::_load_atrr: BULKWALK Timeout at /usr/sbin/netdisco line 3171
[10.16.192.118] VLAN:fddi-default (1002) Skipped by configuration file.
[10.16.192.118] VLAN:token-ring-default (1003) Skipped by configuration
file.
[10.16.192.118] VLAN:fddinet-default (1004) Skipped by configuration file.
[10.16.192.118] VLAN:trnet-default (1005) Skipped by configuration file.
SNMP::Info::_validate_autoload_method(cd11_txrate) Unable to resolve method.
Saw : 0 forwarding table entries. Took 22 seconds.
--- End Message ---
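Jeroen's diagnosis of the macsuck output, as an added example that is not code from the thread or from Netdisco: it reads the "netdisco -D -M" debug output, pairs each table load with a following BULKWALK Timeout, reports the forwarding-table count, and builds the snmpwalk/snmpbulkwalk pair he suggests for each OID that timed out. The sample log is constructed in the shape of the quoted output, with each _load_attr entry kept on one line; the regexes are assumptions based on that shape.

```python
import re

# Constructed sample in the shape of the "netdisco -D -M" debug output quoted
# in this thread (not a verbatim copy; each _load_attr entry kept on one line).
SAMPLE_LOG = """\
SNMP::Info::_load_attr qb_fw_port : Q-BRIDGE-MIB::dot1qTpFdbPort : .1.3.6.1.2.1.17.7.1.2.2.1.2
SNMP::Info::_load_atrr: BULKWALK Timeout at /usr/sbin/netdisco line 3169
SNMP::Info::_load_attr orig_fw_mac : BRIDGE-MIB::dot1dTpFdbAddress : .1.3.6.1.2.1.17.4.3.1.1
SNMP::Info::_load_atrr: BULKWALK Timeout at /usr/sbin/netdisco line 3169
SNMP::Info::_load_attr qb_fw_port : Q-BRIDGE-MIB::dot1qTpFdbPort : .1.3.6.1.2.1.17.7.1.2.2.1.2
SNMP::Info::_load_atrr: BULKWALK Timeout at /usr/sbin/netdisco line 3170
SNMP::Info::_load_attr orig_fw_port : BRIDGE-MIB::dot1dTpFdbPort : .1.3.6.1.2.1.17.4.3.1.2
SNMP::Info::_load_atrr: BULKWALK Timeout at /usr/sbin/netdisco line 3170
SNMP::Info::_load_attr bp_index : BRIDGE-MIB::dot1dBasePortIfIndex : .1.3.6.1.2.1.17.1.4.1.2
Saw : 0 forwarding table entries. Took 22 seconds.
"""

LOAD_RE = re.compile(r"^SNMP::Info::_load_attr (\S+) : (\S+) : (\.[\d.]+)$")
# "_load_atrr" is how netdisco itself spells the timeout message.
TIMEOUT_RE = re.compile(r"^SNMP::Info::_load_atrr: BULKWALK Timeout")
SAW_RE = re.compile(r"^Saw : (\d+) forwarding table entries")


def find_bulkwalk_timeouts(log_text):
    """(attr, mib_object, oid) for every table load immediately followed by a
    BULKWALK Timeout line, in first-seen order, without duplicates."""
    timed_out, pending = [], None
    for line in log_text.splitlines():
        m = LOAD_RE.match(line)
        if m:
            pending = m.groups()
            continue
        if pending is not None and TIMEOUT_RE.match(line) and pending not in timed_out:
            timed_out.append(pending)
        pending = None
    return timed_out


def forwarding_entries(log_text):
    """The 'Saw : N forwarding table entries' count, or None if not logged."""
    for line in log_text.splitlines():
        m = SAW_RE.match(line)
        if m:
            return int(m.group(1))
    return None


def walk_commands(device, timeouts, community="<community>"):
    """The snmpwalk / snmpbulkwalk pair to run by hand for each timed-out OID;
    plain walk working but bulk walk failing points at bulkwalk_no in netdisco.conf."""
    cmds = []
    for _attr, _obj, oid in timeouts:
        cmds.append("snmpwalk -v2c -c %s %s %s" % (community, device, oid))
        cmds.append("snmpbulkwalk -v2c -c %s %s %s" % (community, device, oid))
    return cmds


if __name__ == "__main__":
    hits = find_bulkwalk_timeouts(SAMPLE_LOG)
    print("forwarding entries:", forwarding_entries(SAMPLE_LOG))
    print("\n".join(walk_commands("10.16.192.118", hits)))
```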
------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the
conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Netdisco mailing list - Digest Mode
[email protected]
https://lists.sourceforge.net/lists/listinfo/netdisco-users