Re: Transparent, Authentication proxy + addons

On 19/10/10 01:31, ayman bs wrote:
Hi,

Suppose I have a wireless network, with different APs linked to a
router-modem (same device). I decided that internet access should be
granted only to clients with logins. I don't want them to exchange
logins (so 1 MAC to 1 login).

I thought about installing Squid as an authentication proxy, and the
idea of transparent mode is really tempting me, although I found
many people denying its possibility... So what about the iptables
PREROUTING technique? I didn't test it, but what do you think about it?
I read about HTTPS issues too; any guidance?

Yes, "transparent mode", or correctly named *NAT* interception, has many limits.
Security or interception: pick one.

Sadly a lot of people seem to think it *is* a type of security.


Anyway, I'll need to generate logins and choose an expiry
duration... So my question is: if Squid accepted a client for valid
logins, after how long will it recheck whether they're still
valid? Is it with every HTTP request? (I need to know when expired
logins will stop working.)

The browser is required to send them in every HTTP request. How often Squid re-checks with the backend for changes to the "account" depends on the authentication protocol and the auth_param settings in squid.conf. Credentials stop working at most TTL seconds after you make them invalid, except NTLM and Kerberos credentials, which are valid for the lifetime of the TCP connection they sign.


Besides, could you suggest an implementation of this system? How will
expired accounts get deleted, and how will I implement 1 MAC <=> 1
account without asking the client for his MAC address beforehand?

I know you hate lazy people, so I'll give you my modest approach:
I believe the auth helper could function with a MySQL database, so I'll
add a mac@ field that gets populated at the first authentication, and
from that step a valid account will be the correct user+password+mac@.
Will the proxy receive the MAC of the client with each request?

Then I'll make a thread that will keep checking for expired accounts
and delete them from the MySQL DB.

I would be pleased with any of your suggestions and advice; I'm sure
there's always a more efficient way to do it!

Similar to what's popular in captive portals. db_auth or squid_session helpers can help with that design. The squid-3.2 EUI stuff was added to help portals play with EUI-48 (aka MAC) addresses like that, although slightly incomplete.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.8
  Beta testers wanted for 3.2.0.2
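One way to build the "1 MAC <=> 1 login" binding and expiry that the thread discusses, as an added example rather than Squid's own or the poster's code: a hypothetical external ACL helper that Squid feeds %LOGIN plus the squid-3.2 %SRCEUI48 token after db_auth has already verified the password. It assumes the clients sit on the same broadcast domain as Squid (otherwise the EUI-48 is not visible and arrives as "-"), uses a constructed in-memory SQLite table in place of the MySQL one, and is wired into squid.conf with the lines in the header comment.

```python
# Hypothetical external ACL helper (added example); squid.conf wiring it assumes:
#   external_acl_type macbind ttl=60 negative_ttl=5 %LOGIN %SRCEUI48 /usr/local/bin/macbind.py
#   acl macok external macbind
#   http_access allow macok
#   http_access deny all
import sqlite3
import sys
import time

# Constructed in-memory stand-in for the MySQL table: login, bound MAC (NULL until
# first use), expiry as a Unix timestamp. Passwords are checked by db_auth, not here.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE accounts (login TEXT PRIMARY KEY, mac TEXT, expires REAL)")
DB.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
    ("alice", None, time.time() + 3600),                # fresh login, not yet bound
    ("bob", "00:11:22:33:44:55", time.time() + 3600),   # already bound to a MAC
    ("carol", "aa:bb:cc:dd:ee:ff", time.time() - 1),    # expired
])

def check(login, mac):
    """Answer one lookup: 'OK' if login is unexpired and bound to this MAC, else 'ERR'."""
    mac = mac.lower()
    if mac == "-":   # Squid could not resolve the EUI-48 (client not on our L2 segment)
        return "ERR"
    row = DB.execute("SELECT mac, expires FROM accounts WHERE login = ?", (login,)).fetchone()
    if row is None:
        return "ERR"
    bound, expires = row
    if expires <= time.time():
        DB.execute("DELETE FROM accounts WHERE login = ?", (login,))  # expired: drop it
        DB.commit()
        return "ERR"
    if bound is None:
        DB.execute("UPDATE accounts SET mac = ? WHERE login = ?", (mac, login))  # first use binds the MAC
        DB.commit()
        return "OK"
    return "OK" if bound == mac else "ERR"  # a second MAC with the same login is refused

def serve(inp=sys.stdin, out=sys.stdout):
    # Squid writes one "<login> <mac>" line per lookup and reads one reply line per lookup.
    for line in inp:
        parts = line.split()
        out.write((check(parts[0], parts[1]) if len(parts) == 2 else "ERR") + "\n")
        out.flush()

if __name__ == "__main__":
    serve()
```

Because the acl uses %LOGIN, Squid authenticates the request before calling the helper, and the external ACL result is cached for the ttl= seconds given in external_acl_type, so a revoked or expired login lingers at most that long.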

