On Tue, Jul 19, 2005 at 09:16:01AM +0200, Matus UHLAR - fantomas wrote:
> On 18.07 13:45, Lucia Di Occhi wrote:
> > Has anyone implemented a captive portal registration/authentication system
> > with squid in transparent mode?
>
> No. read the FAQ: http://www.squid-cache.org/Doc/FAQ/FAQ.html
> especially: http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.16

You are too quick to dismiss the request. I have seen such systems
implemented. He isn't talking about combining transparent proxying with
407 auth.

If I was going to make another such system I'd probably just use a
redirector. Squid already sends the client IP, and the redirector can just
look up a database to check session validity, redirecting to a local web
server otherwise. Don't hotels do this routinely? At its simplest this can
all be on the one box.

Note that such systems are susceptible to IP address spoofing. A fully
secured implementation would link DHCP-assigned IP address to switch port
somehow, with the switch/router filtering appropriately. Doing this with
802.1q VLANs would also ensure a single broadcast domain per client,
avoiding some security pitfalls of mutually distrusting systems on a
single network.

Alternatively, noting that the Cisco DHCP Relay Agent is documented to add
per-lease static routes, you might then also use Cisco's Unicast RPF
(reverse path forwarding), assuming the right hardware, network
architecture, and IOS level.

Depending on architecture and business requirements, you could just do an
802.1x deployment instead.

Joshua.

--
Joshua Goodall "as modern as tomorrow afternoon"
joshua@xxxxxxxxxxxxxx - FW109
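
The redirector approach described in the message above, as an added example that is not part of the original post and not Squid project code: a helper for Squid's line-based redirector interface that looks up the client IP in a session table and otherwise answers with a 302 to a local portal. The portal host name, the SQLite schema and the `dest` parameter are assumptions, and helper concurrency is assumed off so each input line starts with the URL.

```python
#!/usr/bin/env python3
# Added example: captive-portal redirector for Squid's classic helper protocol.
import sqlite3
import sys
import time
from urllib.parse import quote, urlsplit

PORTAL_HOST = "portal.example.internal"      # assumed name of the local web server
PORTAL_URL = "http://" + PORTAL_HOST + "/login"

def open_db(path=":memory:"):
    # Assumed schema: the portal inserts one row per client IP after login.
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS sessions (ip TEXT PRIMARY KEY, expires REAL)")
    return db

def session_valid(db, ip, now):
    row = db.execute("SELECT expires FROM sessions WHERE ip = ?", (ip,)).fetchone()
    return row is not None and row[0] > now

def decide(db, line, now=None):
    """Reply for one request line: '' leaves the URL alone, '302:<url>' redirects."""
    now = time.time() if now is None else now
    fields = line.split()
    if len(fields) < 2:
        return "302:" + PORTAL_URL           # malformed input: fail closed
    url, ip = fields[0], fields[1].split("/", 1)[0]   # second field is ip/fqdn
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return "302:" + PORTAL_URL           # unparseable URL: fail closed
    if host == PORTAL_HOST:
        return ""                            # never redirect the portal to itself
    # The session is keyed on source IP alone, so it is only as trustworthy as
    # the network's anti-spoofing controls (the caveat raised in the message).
    if session_valid(db, ip, now):
        return ""
    # The portal must validate dest before sending the user back to it.
    return "302:" + PORTAL_URL + "?dest=" + quote(url, safe="")

def main():
    db = open_db(sys.argv[1] if len(sys.argv) > 1 else ":memory:")
    for line in sys.stdin:                   # one request per line from Squid
        sys.stdout.write(decide(db, line) + "\n")
        sys.stdout.flush()                   # Squid waits for each reply

if __name__ == "__main__":
    main()
```
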