This doesn't work for me. I have a dynamic list of users in Active Directory, with dynamic access to the Internet. I must query an external database to know whether a user has access to the Internet. But thanks Chris, your help doesn't help me.

I have resolved my problem, so this is my solution for anybody who needs it.

--------------------
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp DOMAIN.LOCAL\\10.0.0.1 DOMAIN.LOCAL\\10.0.0.2 DOMAIN.LOCAL\\10.0.0.3 DOMAIN.LOCAL\\10.0.0.4
auth_param ntlm children 40
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp DOMAIN.LOCAL\\10.0.0.1 DOMAIN.LOCAL\\10.0.0.2 DOMAIN.LOCAL\\10.0.0.3 DOMAIN.LOCAL\\10.0.0.4
auth_param basic children 10
auth_param basic realm Internet authorization
auth_param basic credentialsttl 1800 seconds
acl auth_users proxy_auth REQUIRED
external_acl_type checkip children=5 ttl=1800 %LOGIN %SRC /etc/squid/squid_checkip
acl accesssource external checkip
http_access allow localnet accesssource
--------------------

I configured Squid to work with NTLM auth, and I based the authorization on a Perl script which checks the login against an Oracle database based on login and source IP. If my user accesses from a LAN IP, the normal check is done, but if my user accesses from a mobile IP he needs additional permission to navigate outside my company.

On Thu, Jan 8, 2009 at 10:26 PM, Chris Robertson <crobertson@xxxxxxx> wrote:
>
> David Rodríguez Fernández wrote:
>>
>> Hi,
>>
>> I have my own auth_param basic program script to authenticate my squid
>> users. My Perl script is working fine. I do an authentication based on
>> login/password and a query to an Oracle database.
>>
>> I have a squid server for all my organization. All the users are
>> browsing the web through this server. The users need a username and
>> password to access the Internet and a valid record in the Oracle database.
>> I have VPN users who connect to the organization's network over GPRS/3G
>> mobiles and laptops. All of these users have access to squid, but I
>> don't want all mobile users to browse the Internet over a mobile
>> connection, only the VIP ones (we pay for total bytes transferred).
>> The VPN doesn't know anything about limiting user access based on login
>> username, so I need to limit this in the squid config. All the mobile
>> connections come to squid from a separate IP network, so I can decide
>> whether a user has access to squid based on source IP/login/password.
>>
>> Is there some configuration where I can have 2 separate auth_param basic
>> program scripts based on source IP?
>>
>> Can I change the behavior of data entry?
>> from:
>> login password
>> to:
>> IP login password
>>
>> Is there another, simpler solution?
>>
>
> acl norm_auth proxy_auth REQUIRED
> acl moble_auth proxy_auth bob jane me
> acl moble src 10.10.10.5/32
> acl mynet src 10.10.10.0/24
>
> # Deny access to traffic sourced from 10.10.5 unless it's bob, jane or me
> http_access deny !moble_auth moble
> ...other http_access rules go here...
> http_access deny all
>
> Chris
>
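
The external ACL helper configured in the message above (`/etc/squid/squid_checkip`, fed `%LOGIN %SRC` on each line and answering `OK` or `ERR`), as an added example in Python; it is not the poster's Perl script. The user sets and the mobile network range are constructed, and an in-memory lookup stands in for the Oracle query.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: one '%LOGIN %SRC' line in, 'OK' or 'ERR' out."""
import ipaddress
import sys
from urllib.parse import unquote

# Constructed sample data. A real helper would query the database instead.
MOBILE_NET = ipaddress.ip_network("10.20.0.0/16")   # assumed VPN/mobile range
INTERNET_USERS = {"alice", "bob", "carol"}           # may browse at all
MOBILE_USERS = {"alice"}                             # may also browse via mobile


def normalize_login(raw):
    """URL-decode Squid's token and strip an NTLM 'DOMAIN\\' prefix."""
    login = unquote(raw)
    return login.rsplit("\\", 1)[-1].lower()


def check(line):
    """Return 'OK' or 'ERR' for one request line; unparseable input is ERR."""
    fields = line.split()
    if len(fields) != 2:
        return "ERR"
    login = normalize_login(fields[0])
    try:
        src = ipaddress.ip_address(fields[1])
    except ValueError:
        return "ERR"
    if not login or login not in INTERNET_USERS:
        return "ERR"
    # Mobile sources need the additional permission on top of the normal one.
    if src in MOBILE_NET and login not in MOBILE_USERS:
        return "ERR"
    return "OK"


def main():
    # Squid keeps the helper running and writes one line per lookup.
    for line in sys.stdin:
        try:
            verdict = check(line)
        except Exception:
            verdict = "ERR"          # fail closed on unexpected errors
        sys.stdout.write(verdict + "\n")
        sys.stdout.flush()           # Squid waits for each answer


if __name__ == "__main__":
    main()
```

With `ttl=1800` on the `external_acl_type` line, Squid caches each verdict per login and source IP for 30 minutes, so a permission removed in the database can stay effective for that long.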