Do any of the authentication methods include the computer name in the authentication tokens? I can set up any auth method if any of them supports it. I basically want to authenticate client computers by the hostname as registered in the AD.

Thanks everyone.

On Thu, Sep 23, 2010 at 1:45 PM, Manoj Rajkarnikar <manoj.rajkarnikar@xxxxxxxxx> wrote:
> Hi Matus.
>
> On Tue, Sep 21, 2010 at 5:17 PM, Matus UHLAR - fantomas
> <uhlar@xxxxxxxxxxx> wrote:
>> On 15.09.10 12:59, Manoj Rajkarnikar wrote:
>>> Thanks for the quick response Marcus.
>>>
>>> The reason I need to limit computer account and not user account is
>>> that people here move out to distant branches and the internet access
>>> policy is to allow to the position they hold, and thus the computer
>>> they will use.
>>
>> I somehow don't understand this. Maybe it's my English.
>> Do you need to control access for the user+computer combination?
>
> I need to control access based on computer account as registered in
> the AD server.
>
>>
>>> I've successfully set up the Kerberos authentication but I don't see
>>> how squid will fetch the computer information from client request and
>>> authorize it based on the group membership in AD. What I wish to
>>> accomplish is:
>>>
>>> 1. create a security group in AD
>>> 2. add computer accounts to this security group
>>> 3. squid checks if the computer trying to access internet is member of
>>> this security group.
>>> 4. if not, don't allow access to internet or request of AD user login
>>> that is allowed.
>>
>> This seems that you want to allow access from some computers to the net, no
>> matter which user is logged in. Why not use ip-based or maybe
>> hardware_address-based authentication then?
>
> That is correct.
> We have DHCP all over our network so ip-based is a bad idea.
> For hardware_address-based auth, will have to maintain a very large
> list of hardware addresses.. not a good idea but considerable (if
> computer account based auth doesn't work)..
>
> Also to be noted that computer account based authentication would be
> more secure as only a handful of admins have domain administrator
> level access, so it will be hard to spoof.
>
>>
>> --
>> Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
>> Warning: I wish NOT to receive e-mail advertising to this address.
>> Warning: I wish NOT to receive any advertising mail at this address.
>> Quantum mechanics: The dreams stuff is made of.
>>
>