On 16/02/2012 9:31 a.m., Mr J Potter wrote:
> Hi Alex,
>
> I've got it working fine on domain members. I should have explained
> better - I'm setting up a guest wireless network in a school, so all
> devices that attach will be personal, non domain, and as a rule I
> won't get the chance to configure them before they connect.
>
> The devices that I want to connect will be mostly student laptops,
> smartphones and visitors' devices.
>
> The plan is to set up proxy DHCP autoconfig and/or transparent port
> forwarding trick to point people towards the proxy (https is likely
> not to like this I know), but I want a way of getting people to say
> who they are and give them internet access accordingly. I'm using
> squid/squidguard to great effect for the domain machines, and I'd like
> to use the same set of rules for folks connecting their own devices.
>
> How has anyone else done this? The options I've found are basic,
> digest or NTLM all of which have major issues in terms of security,
> configuration or usability respectively.

Ah. "Transparent" interception proxy is not able to do HTTP authentication.
http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Why_can.27t_I_use_authentication_together_with_interception_proxying.3F

You can use WPAD "transparent" configuration, to make them actually
configured after which authentication can be used.

Or you can use external_acl_type helper to try and determine whether the
request is legit or not and allow/deny it.

Amos
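
A sketch of the external_acl_type approach mentioned in the reply, as an added example that is not part of the original message or of Squid itself: a helper that allows a request only when the client IP has an unexpired sign-in. The ACL names, the helper path, the session table and the sign-in page that would fill it are all assumptions, and the concurrency= option is assumed to be unset.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper: allow a guest only if their IP has a live sign-in.

Assumed squid.conf wiring (names and path are hypothetical):
  external_acl_type guest_session ttl=60 %SRC /usr/local/bin/guest_session.py
  acl signed_in external guest_session
  http_access allow signed_in
"""
import ipaddress
import sys
import time

# Constructed sample data: client IP -> (username, expiry as Unix time).
# In a deployment a sign-in page (hypothetical) would maintain this table.
SAMPLE_SESSIONS = {
    "10.20.0.15": ("jsmith", 2_000_000_000),
    "10.20.0.16": ("visitor7", 1_000_000_000),  # already expired
}


def decide(line, sessions, now):
    """Return the helper reply for one request line holding the %SRC value."""
    fields = line.split()
    if len(fields) != 1:
        return "ERR"  # malformed input fails closed
    try:
        ip = str(ipaddress.ip_address(fields[0]))
    except ValueError:
        return "ERR"
    entry = sessions.get(ip)
    if entry is None:
        return "ERR"  # no sign-in recorded for this address
    user, expires = entry
    if now >= expires:
        return "ERR"  # sign-in has lapsed
    # user= hands Squid a username for logging and for later ACLs.
    return "OK user=" + user


def main():
    for line in sys.stdin:
        # Squid waits for exactly one reply line per request, so flush each time.
        sys.stdout.write(decide(line, SAMPLE_SESSIONS, time.time()) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

A session keyed on %SRC identifies an address, not a person: a device that inherits the IP after a DHCP lease change also inherits the session, so session expiry should be no longer than the lease time.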