Adding Networking Services to a VM and Integration with Junos

This post walks through a basic installation of an Ubuntu VM that provides networking services (NTP, Syslog, RADIUS, FTP and a Cacti monitoring server) for a Juniper SRX router/firewall. It's going to be a long post, so you'd better fasten your seat belt.

Prerequisites

  • vMX/vSRX
  • Any Linux based image
  • VMware/Virtual Box/ESXi

Here we'll be using a vSRX image and Ubuntu Desktop running on VMware Workstation; below you can find how to set up vSRX on VMware if you need a reference.

Installation

First we'll prepare the VM so that it can provide these services.

You'll need to add 2 NICs to the Ubuntu VM so that you get Internet access from one NIC and connect to the SRX via the other. Here adapter 1 is connected as a NAT interface, and adapter 2 is connected to the same VMNET/LAN segment as the SRX.

Notice that we have subnet 10.100.1/24 as our management subnet; the SRX will be connected to it in order to reach the server.

Once you have connectivity to the Internet, you can begin installing and configuring the services on the Ubuntu VM.

NTP Server

All we need to have NTP up and running is the daemon, which we can install with:

sudo apt-get install ntp

FTP Server

sudo apt-get install proftpd

Once you have it installed you need to edit /etc/proftpd/proftpd.conf and configure the server to listen on 10.100.1.102. You can use vi or gedit to add this; we'll use gedit for the sake of simplicity:

sudo gedit /etc/proftpd/proftpd.conf

Then add:

DefaultAddress    10.100.1.102
SocketBindTight   on

Radius Server

sudo apt-get install freeradius

Once installed, edit /etc/freeradius/radiusd.conf. You'll just need to edit the log section of the config file as follows in order to log both correct and wrong attempts:

log {
 destination = files
 file = ${logdir}/radius.log
 syslog_facility = daemon
 stripped_names = no
 auth = yes
 auth_badpass = yes
 auth_goodpass = yes
}

Edit /etc/freeradius/clients.conf, as this is the file that contains the clients of the server, i.e. your router:

client 0/0 {
    secret    = juniper
    shortname = JUNOS-devices
}

Then you'll need to create the users that we'll authenticate against the server. Add the below to /etc/freeradius/users (the reply attributes are indented under the user entry, and the last one carries no trailing comma):

ali Cleartext-Password := "root"
    Service-Type = Login-User,
    Juniper-Local-User-Name := "super-users"

The VSA (vendor-specific attribute) "Juniper-Local-User-Name" is used here. This VSA is already present in the file /usr/share/freeradius/dictionary.juniper by default and does not need to be configured.

After the configuration change restart the service:

sudo /etc/init.d/freeradius restart 
[ ok ] Restarting freeradius (via systemctl): freeradius.service.
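With auth, auth_badpass and auth_goodpass enabled as above, every attempt is written as an "Auth:" line to radius.log. The following added example (not part of the original post) parses such lines, counts OK and incorrect logins per user, and flags a source that exceeds a failure threshold. The sample lines are constructed for the example; the "cli" field (the Calling-Station-Id) is only present when the client sends it, so the parser falls back to the client name.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of FreeRADIUS "Auth:" lines as written to
# ${logdir}/radius.log with auth/auth_badpass/auth_goodpass = yes.
SAMPLE_LOG = """\
Thu Jan  4 10:01:12 2018 : Auth: Login OK: [ali/root] (from client JUNOS-devices port 0 cli 10.100.1.1)
Thu Jan  4 10:02:40 2018 : Auth: Login incorrect: [ali/r00t] (from client JUNOS-devices port 0 cli 10.100.1.1)
Thu Jan  4 10:02:45 2018 : Auth: Login incorrect: [admin/admin] (from client JUNOS-devices port 0 cli 10.100.1.1)
Thu Jan  4 10:02:49 2018 : Auth: Login incorrect: [admin/password] (from client JUNOS-devices port 0 cli 10.100.1.1)
Thu Jan  4 10:03:01 2018 : Info: Ready to process requests.
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) : Auth: "
    r"Login (?P<result>OK|incorrect)(?: \([^)]*\))?: "
    # auth_goodpass/auth_badpass put the password after '/'; it is matched but never kept
    r"\[(?P<user>[^/\]]+)(?:/[^\]]*)?\] "
    r"\(from client (?P<client>\S+) port \d+(?: cli (?P<cli>\S+))?\)"
)


def parse_auth_lines(text):
    """Yield (timestamp, result, user, client, cli) for every Auth: line; other lines are skipped."""
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            yield m.group("ts"), m.group("result"), m.group("user"), m.group("client"), m.group("cli")


def summarize(text, fail_threshold=3):
    """Count OK/incorrect logins per user and list sources with >= fail_threshold failures."""
    per_user = defaultdict(Counter)
    failures_by_source = Counter()
    for _, result, user, client, cli in parse_auth_lines(text):
        per_user[user][result] += 1
        if result == "incorrect":
            failures_by_source[cli or client] += 1   # fall back to client name when no cli
    flagged = sorted(src for src, n in failures_by_source.items() if n >= fail_threshold)
    return {u: dict(c) for u, c in per_user.items()}, flagged


if __name__ == "__main__":
    users, flagged = summarize(SAMPLE_LOG)
    for user, counts in users.items():
        print(f"{user}: {counts}")
    print("sources over failure threshold:", flagged)
```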

Syslog server

sudo apt-get install syslog-ng

Now we'll configure the server so that we have a folder for each device, with a new file every day, nested in folders for year and month.

We need to create a new configuration file called firewalls.conf in the subfolder /etc/syslog-ng/conf.d/:

sudo nano /etc/syslog-ng/conf.d/firewalls.conf

Then we'll add the below to that file:

options {
    create_dirs(yes);
    owner(root);
    group(root);
    perm(0640);
    dir_owner(root);
    dir_group(root);
    dir_perm(0750);
};

source s_udp {
    network (
        ip-protocol(6)
        transport("udp")
        port(514)
    );
    network (
        transport("udp")
        port(514)
    );
};

destination d_host-specific {
    file("/var/log/firewalls/$HOST/$HOST-$YEAR-$MONTH-$DAY.log");
};

log {
    source(s_udp);
    destination(d_host-specific);
};

Then we'll restart the service:

sudo service syslog-ng restart

Cacti SNMP server

This is going to be a little bit tough but sweet. First we need to get these packages (the cacti package itself is what prompts for the database setup described below):

sudo apt-get install apache2 snmpd snmp cacti

During the installation process you'll be asked to create a DB for Cacti and to set a username/password twice; I simply used root/root.

Here's a video tutorial for the Cacti setup in case you need it 🙂

Once you're done with the installation, you can access Cacti at 10.100.1.102/cacti. The default login is admin/admin, and you'll be asked to change it once authenticated.

Now let's configure and test these services on our SRX.

NTP

root> show configuration system ntp
boot-server 10.100.1.102;
server 10.100.1.102;
root> set date ntp
root> show ntp associations
     remote           refid      st t  when poll reach   delay   offset  jitter
==============================================================================
 10.100.1.102    91.189.89.198    3 -   408 1024  377    1.136   80.518 3043611
root>

FTP

We'll configure basic system archival and check whether we can see the files on the server.

root# show system archival
configuration {
    transfer-on-commit;
    archive-sites {
        "ftp://ali:root@10.100.1.102";
    }
}
[edit]
root#

On Ubuntu, after a commit, the archived configuration files can then be seen on the FTP server.

Radius

For RADIUS to work we need to configure the following:

  • A user name that corresponds to the Juniper-Local-User-Name configured on the server.
  • Optionally, create a login class or assign the user to one of the default classes.
  • Configure the RADIUS server and the authentication order.

root# show system login
user super-users {
    uid 2001;
    class super-user;
}
[edit]
root# show system radius-server
10.100.1.102 secret "$9$-hbYoDi.z39JG39ApREdbs"; ## SECRET-DATA
[edit]
root# show system authentication-order
authentication-order [ radius password ];
[edit]

Now let's try to SSH to the SRX and see what happens. We can then see the logs of the authentication attempts in the radius.log file we configured earlier on the RADIUS server.

Syslog

We'll just configure the SRX to log any message of any severity to our server.

root# show system syslog
host 10.100.1.102 {
    any any;
    source-address 10.100.1.1;
}

Let's check the files created in the /var/log/firewalls folder that we configured earlier on the Ubuntu machine.

Cacti

And now, finally, we'll configure our router to send SNMP traps to our server; Cacti will then use the traps to create graphs for the monitored objects.

root# show snmp
community ali {
    authorization read-only;
    clients {
        10.100.1.102/32;
    }
}
trap-group Test {
    categories {
        chassis;
        link;
        routing;
        startup;
        configuration;
        services;
    }
    targets {
        10.100.1.102;
    }
}

I got an SRX host script that I loaded into Cacti, and then I added the device details as follows.

To create a graph you'd just click on "Create Graphs for this Host" in the top right corner, then choose what you need to draw, and voilà.

I hope this was informative to you, and thanks for reading.

Posted on January 4, 2018, in Juniper.