On 13/05/2013 5:54 p.m., Alex Domoradov wrote:
You can use acl arp, for example
acl BIG_BOSS arp 01:02:03:04:05:06
On Mon, May 13, 2013 at 8:11 AM, Daniyal Khorashadi Zadeh wrote:
Assume an executive of your corporation sits at his clerk's desk PC and
logs in with his username on the network (authenticated with Active
Directory). Of course he wants his full access to the internet, but he
can't have it because his IP address is different from what we set in
squid for his PC.

We authenticate users in Active Directory and set their gateways to the
squid server, so we have a transparent squid. We don't want our users
to be authenticated a second time in the browser...
This makes no sense at all. It is a simple matter for the browser to
send the already authenticated AD credentials to Squid for Squid to
confirm them with AD. It's called single-sign-on to most people familiar
with MS products, and works with all forms of HTTP auth.
It is also a simple matter for Squid helpers to take the IP (or EUI /
MAC address even) and verify them against AD to confirm there is a user
logged in on that machine and retrieve the details of said user back to
Squid. The external ACL helpers routinely do this for group checks.
However, if you base the Squid security all on the IP or MAC you
*always* run the risk of an attacker hijacking the machine or even just
spoofing that client's IP/MAC details to bypass your Squid security controls.
Somehow I want to set the acl to be 'username based' and then set the
delay pools and classes we define to the IP of his computer. Is there a
solution to this problem?
The only "problem" is the policy of avoiding HTTP auth, and you already
know the answer to that one. ;-)
Amos
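
The IP-to-user lookup described in the reply above, as an added example that is not part of the original thread or of Squid's own helpers: an external ACL helper that takes %SRC and answers with the user currently logged on at that address. The helper path, ACL names, TTL and the in-memory session table (a constructed stand-in for the AD query) are assumptions, and the answer is only as trustworthy as the source IP, as the reply notes.

```python
#!/usr/bin/env python3
# Added example: Squid external ACL helper mapping a client IP (%SRC) to a user.
# Hypothetical squid.conf wiring (helper path and ACL names are assumptions):
#   external_acl_type ip_user ttl=60 %SRC /usr/local/bin/ip_user_helper.py
#   acl known_user external ip_user
import sys
import time

SESSION_TTL = 8 * 3600  # assumption: a logon record older than 8 hours is stale

# Constructed sample data standing in for the AD logon lookup:
# client IP -> (username, epoch seconds of the last logon seen on that machine).
SESSIONS = {
    "192.0.2.10": ("bigboss", time.time()),
    "192.0.2.25": ("clerk1", time.time() - 10 * 3600),  # stale entry
}


def lookup(ip, now, sessions, ttl=SESSION_TTL):
    """Return the user logged on at ip, or None if unknown or stale."""
    entry = sessions.get(ip)
    if entry is None:
        return None
    user, last_seen = entry
    if now - last_seen > ttl:
        return None  # fail closed: do not reuse an old IP-to-user binding
    return user


def answer(line, now, sessions=SESSIONS):
    """Build the helper reply for one request line from Squid."""
    fields = line.split()
    if len(fields) != 1:
        return "ERR"  # malformed request
    user = lookup(fields[0], now, sessions)
    if user is None or not user.isalnum():
        return "ERR"  # no verified user, or a name unsafe to emit unquoted
    return "OK user=" + user  # Squid takes the username from user=


def main():
    for line in sys.stdin:  # one request per line, one reply per line
        sys.stdout.write(answer(line, time.time()) + "\n")
        sys.stdout.flush()  # Squid waits on each reply, so never buffer


if __name__ == "__main__":
    main()
```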