On 16/06/2016 1:50 a.m., nilesh.gavali wrote:
> Hi Team;
> I have setup as below-
> Squid Kerberos authentication with windows AD 2012r2. - works fine.
> Now need to restrict access based on AD Group membership.
>
> Below configuration done but no luck. when try to access with user who is
> not part of the group mention, still he is able to browse Internet.
>

This is because:

<snip>

Step 0) check the basic security rules that deny bad behaviour.

>
> http_access deny !ad_auth

Step 1) deny with a "require authentication" message if there are no valid credentials sent.

> http_access allow ad_auth

Step 2) allow anyone who has valid credentials to use the proxy.

... Uh, Stop.

Users either sent valid credentials [2 happened] or they did not [1 happened]. There are no other possibilities.

> http_access deny !AllowDomainAdmin
> http_access allow AllowDomainAdmin
>

As explained in the FAQ
<http://wiki.squid-cache.org/SquidFaq/SquidAcl#Access_Lists>

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
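
The first-match behaviour described in the reply above, as an added example that is not part of the original message and is not Squid code: a toy Python model of http_access evaluation run over the four quoted lines and over one reordering. The reordering, the `deny all` line and the three sample users are assumptions constructed for illustration; they are not given in the thread.

```python
# Added example: toy model of Squid's http_access evaluation, not Squid's code.
ORIGINAL = """\
http_access deny !ad_auth
http_access allow ad_auth
http_access deny !AllowDomainAdmin
http_access allow AllowDomainAdmin
"""
# Assumed reordering (not given on the list): group test before any broad allow.
REORDERED = """\
http_access deny !ad_auth
http_access allow AllowDomainAdmin
http_access deny all
"""

def parse(conf):
    """Return [(action, [acl terms])] for every http_access line."""
    rules = []
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) >= 3 and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return rules

def evaluate(conf, acls):
    """Return (action, line_no) for one request; line_no is None for the default.

    acls maps ACL name -> bool, the result that ACL gives for this request.
    """
    rules = parse(conf)
    for no, (action, terms) in enumerate(rules, 1):
        # A line matches only if every term matches; '!' negates a term.
        if all(acls[t.lstrip("!")] != t.startswith("!") for t in terms):
            return action, no  # first match wins, later lines are never read
    if not rules:
        return "deny", None  # no http_access lines at all: deny
    # Nothing matched: the default is the opposite of the last line.
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

# Constructed requests: the ACL results each kind of user would produce.
USERS = {
    "no credentials": {"ad_auth": False, "AllowDomainAdmin": False, "all": True},
    "authenticated, not in group": {"ad_auth": True, "AllowDomainAdmin": False, "all": True},
    "authenticated, in group": {"ad_auth": True, "AllowDomainAdmin": True, "all": True},
}

if __name__ == "__main__":
    for name, acls in USERS.items():
        print(f"{name:28} original={evaluate(ORIGINAL, acls)} "
              f"reordered={evaluate(REORDERED, acls)}")
```

With the original ordering every authenticated request is decided at line 2, so the two AllowDomainAdmin lines are never consulted.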