I work as the lead developer for an ISP in Houston, TX. I am developing a transparent bridge/filter/firewall for our customers where we map each customer's IP/MAC/etc (and other information depending on the type of account and what's available to 'map' them) to their account, and using that as 'authentication' for who they are. After they are mapped to their account, we use a user/pass combo stored in an SQL database through a web interface so that customers can select what kind of filtering/etc they desire.

The customer's mapping is re-evaluated every 30 seconds or so (through a background accounting daemon), to make sure that the correct settings/firewall/etc are in place for 'their' IP(s) the account is currently using (we update periodically because we have many customers which are dynamic DSL which we map using their vp/vc pair info, and to generally ensure people are configured correctly). It is still in the final phases of development, but it all appears to be going well thus far (after a few hiccups that had to be cured here and there, of course).

By keeping track of this information we can also see if any customers are misconfigured, or connected to the network through our in-house web-based management software. Another nice benefit of this method that might be something to consider.

This works on a per-IP basis, so if you have several customers connecting behind a NAT box or something similar, you are out of luck as far as controlling each person independently.

Just thought I'd offer a perspective on what one company is doing to get around these issues.

-Jon

--
Jon Newman (jnewman@xxxxxxxxxx)
Technical Solutions Manager / Senior software Engineer
The Optimal Link (http://www.oplink.net)

>
> This solution only works when there is a one-to-one
> mapping between users and ip addresses but imagine
> circumstances where all users have same ip addresses(
> e.g. terminal server users).
>
> The definite solution to this problem is
> "cookie-based authentication" which is implemented by
> some commercial products like bluecoat ProxySG
> (http://www.bluecoat.com/downloads/support/BCS_tb_enabling_transparent_auth.pdf)
> and Novell BorderManager
> (http://support.novell.com/techcenter/articles/cfa03332.html)
>
>
> --- Henrik Nordstrom <hno@xxxxxxxxxxxxxxx> wrote:
>> On Sat, 30 Apr 2005, Varun wrote:
>>
>> > Is it possible to have any sort of
>> > authentication with squid running as
>> > transparent proxy.
>>
>> Yes, but not the HTTP authentication.
>>
>> To make authentication in a transparent proxy you
>> need to figure out some
>> way of authenticating the user based on his IP. The
>> external_acl interface
>> of Squid-2.5 or later allows you to plug this into
>> Squid.
>>
>> Regards
>> Henrik
>>
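
The IP-based lookup that the quoted reply says can be plugged into Squid through the external_acl interface, sketched as an added example that is not part of the original thread or anyone's production code. The helper name, the `ip_user`/`mapped` ACL names, the 90-second freshness window and the sample mapping table are assumptions; a real deployment would read whatever store the accounting daemon maintains.

```python
#!/usr/bin/env python3
# Squid external_acl helper: map a client IP to an account name.
# squid.conf wiring (the names ip_user/mapped and the path are assumptions):
#   external_acl_type ip_user ttl=30 %SRC /usr/local/bin/ip_user.py
#   acl mapped external ip_user
#   http_access allow mapped
import ipaddress
import sys
import time

MAX_AGE = 90  # assumption: accept a mapping for up to three missed 30 s refreshes

def sample_mappings(now):
    """Constructed data: ip -> (account, time the accounting daemon last confirmed it)."""
    return {
        "192.0.2.10": ("acct-1001", now),        # fresh
        "192.0.2.11": ("acct-1002", now - 600),  # stale: daemon stopped confirming it
    }

def lookup(line, mappings, now):
    """Return the reply for one request line; the first field is %SRC."""
    fields = line.split()
    if not fields:
        return "ERR"
    try:
        ip = str(ipaddress.ip_address(fields[0]))
    except ValueError:
        return "ERR"  # malformed input never matches
    entry = mappings.get(ip)
    if entry is None:
        return "ERR"  # unmapped address: no account, no access
    account, confirmed = entry
    if now - confirmed > MAX_AGE:
        return "ERR"  # a dynamic address may have moved to another customer
    return "OK user=" + account

def main():
    mappings = sample_mappings(time.time())  # replace with the real mapping store
    for line in sys.stdin:
        # Squid waits for exactly one reply line per request, so flush each one.
        print(lookup(line, mappings, time.time()), flush=True)

if __name__ == "__main__":
    main()
```

As the thread points out, every user behind one NAT box or terminal server reaches this lookup with the same source address and therefore resolves to the same account.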