On 19/10/10 01:31, ayman bs wrote:
> Hi, Suppose I have a wireless network, with different APs linked to a router-modem (same device). I decided that internet access should be granted only to clients with logins. I don't want them to exchange logins (so 1 MAC to 1 login). I thought about installing squid as an authentication proxy, and the idea of the transparent mode is really tempting me, although I found many people denying its possibility... So what about the iptables PREROUTING technique? I didn't test it, but what do you think about it? I read about HTTPS issues too; any guidance?
Yes, "transparent mode", or correctly named *NAT* interception, has many limits.
Security or interception: pick one. Sadly a lot of people seem to think it *is* a type of security.
> Anyway, so I'll need to generate logins and choose an expiry duration... So my question is: if squid accepted a client for valid logins, after how long will it re-check whether they're still valid? Is it with every HTTP request? (I need to know when expired logins will stop working.)
The browser is required to send them in every HTTP request. How often Squid re-checks with the backend for changes to the "account" depends on the authentication protocol and the auth_param settings in squid.conf. Credentials stop working at most TTL seconds after you make them invalid, except NTLM and Kerberos credentials, which are valid for the lifetime of the TCP connection they sign.
> Besides, could you suggest an implementation of this system? How will expired accounts get deleted, and how will I implement 1 MAC <=> 1 account without asking the client for his MAC address beforehand? I know you hate lazy people, so I'll give you my modest approach: I believe the auth helper could work with a MySQL database, so I'll add a mac@ field that gets populated on the first authentication, and from that step a valid account will be the correct user+password+mac@. Will the proxy receive the MAC of the client with each request? Then I'll make a thread that keeps checking for expired accounts and deletes them from the MySQL DB. I would be pleased with any of your suggestions and advice; I'm sure there's always a more efficient way to do it!
Similar to what's popular in captive portals. db_auth or squid_session helpers can help with that design. The squid-3.2 EUI stuff was added to help portals play with EUI-48 (aka MAC) addresses like that. Although slightly incomplete.
Amos
-- 
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.8
  Beta testers wanted for 3.2.0.2
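The following is an added example, not code from this thread or from the Squid project, showing the two helper-side pieces the exchange touches on: a basic auth helper that checks a login against an account table with an expiry (the re-check interval itself is then governed by `auth_param basic credentialsttl` in squid.conf, as Amos describes), plus a purge routine for expired rows, and an external ACL helper that binds an account to the first MAC it is seen from. It assumes sqlite3 as a stand-in for the poster's MySQL table, and it assumes the client MAC is handed to the second helper by an `external_acl_type` format token (written as a placeholder below, since which EUI token your Squid version provides is not confirmed by the thread).

```python
#!/usr/bin/env python3
"""Squid helpers for login expiry and first-use MAC binding (added example).

Assumed squid.conf wiring (not from the thread):
    auth_param basic program /usr/local/bin/squid_helpers.py auth /var/db/accounts.db
    auth_param basic credentialsttl 5 minutes      # upper bound on re-check delay
    acl AuthUsers proxy_auth REQUIRED
    external_acl_type macbind %LOGIN <CLIENT-MAC-TOKEN> \\
        /usr/local/bin/squid_helpers.py mac /var/db/accounts.db
    acl MacBound external macbind
    http_access allow AuthUsers MacBound
Basic auth helper protocol: read "user password" (URL-encoded) per line, write OK/ERR.
External ACL helper protocol: read the formatted tokens per line, write OK/ERR.
"""
import hashlib
import hmac
import os
import sqlite3
import sys
import time
import urllib.parse

def open_db(path=":memory:"):
    # sqlite3 stands in for the MySQL account table described in the thread.
    conn = sqlite3.connect(path)
    conn.execute("""CREATE TABLE IF NOT EXISTS accounts (
        username TEXT PRIMARY KEY, salt BLOB, pwhash BLOB,
        expires_at INTEGER, mac TEXT)""")
    return conn

def hash_password(password, salt):
    # Salted PBKDF2 so a leaked table does not reveal the generated logins.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def create_account(conn, username, password, lifetime_s, now=None):
    now = time.time() if now is None else now
    salt = os.urandom(16)
    conn.execute("INSERT OR REPLACE INTO accounts VALUES (?, ?, ?, ?, NULL)",
                 (username, salt, hash_password(password, salt), int(now + lifetime_s)))
    conn.commit()

def check_credentials(conn, username, password, now=None):
    """Basic auth helper decision: 'OK' only for a known, unexpired, matching login."""
    now = time.time() if now is None else now
    row = conn.execute("SELECT salt, pwhash, expires_at FROM accounts WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return "ERR"
    salt, pwhash, expires_at = row
    if now >= expires_at:
        return "ERR"                      # expired: Squid sees ERR on its next re-check
    if not hmac.compare_digest(pwhash, hash_password(password, salt)):
        return "ERR"
    return "OK"

def check_mac_binding(conn, username, mac):
    """External ACL decision: bind the account to the first MAC seen, reject any other."""
    mac = mac.lower()
    row = conn.execute("SELECT mac FROM accounts WHERE username = ?", (username,)).fetchone()
    if row is None:
        return "ERR"
    if row[0] is None:                    # first authenticated request: record the MAC
        conn.execute("UPDATE accounts SET mac = ? WHERE username = ?", (mac, username))
        conn.commit()
        return "OK"
    return "OK" if row[0] == mac else "ERR"

def purge_expired(conn, now=None):
    """Delete expired rows; run periodically (cron or a thread). Returns rows removed."""
    now = time.time() if now is None else now
    cur = conn.execute("DELETE FROM accounts WHERE expires_at <= ?", (int(now),))
    conn.commit()
    return cur.rowcount

def helper_loop(conn, handler, stream_in=sys.stdin, stream_out=sys.stdout):
    """Line-oriented helper loop shared by both modes; tokens arrive URL-encoded."""
    for line in stream_in:
        parts = [urllib.parse.unquote(p) for p in line.strip().split()]
        stream_out.write((handler(conn, *parts[:2]) if len(parts) >= 2 else "ERR") + "\n")
        stream_out.flush()

if __name__ == "__main__":
    mode = sys.argv[1] if len(sys.argv) > 1 else "auth"
    db = open_db(sys.argv[2] if len(sys.argv) > 2 else "accounts.db")
    helper_loop(db, check_credentials if mode == "auth" else check_mac_binding)
```

The binding is enforced in an external ACL rather than inside the auth helper because the basic auth helper only ever receives the username and password; the client's address data is only available to `external_acl_type` helpers. Note that Squid caches both the auth result (for `credentialsttl`) and the external ACL result (for its `ttl`), so an invalidated login or a changed binding takes effect after the shorter of those windows expires, not instantly.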