On 2/10/2012 4:45 p.m., Eliezer Croitoru wrote:
The current authenticators for squid using ntlm\kerb etc but based on
forward connection to the proxy.
how about using 802.1x authentication to radius? what i mean is as
transparent authenticator that dosnt require the user to configure
something in his browser but just connect the cable to the network and
the rest will be done by the dhcp+radius+some helper?
Supported. Although we do not bundle a helper for it. (Contributions
welome).
That rides the fine line between authentication and authorization - and
the other fine line whether it is validating a machine client or a user
client. HTTP authentication requires the credentials to be contained
within the HTTP message itself, otherwise one cannot guarantee that the
client sending the message is the client originating the message. For
example all requests coming out of your Squid would be from a RADIUS
authenticated machines, but what user account gets credited? two
requests on the same TCP connection relayed through another proxy before
they arrive has the same issues.
Squid external ACL is the interface for side-band authorization to
permit/deny through Squid based on some non-credentials criteria
(possibly the side-band 802.1x information). With user= password= helper
response keys it can be used to assign Squid some credentials for real
authentication with down-stream servers on the clients behalf. Even then
that still rides the fine line as to whether it is machine client,
software client or user client credentials being used.
Amos
