On 6/09/18 1:16 AM, Colle Christophe wrote:
> Hello,
>
> I am working on a WiFi project: People connect to the network using a
> Radius server, then use the Internet using Squid in transparent mode.
>
> I would like to improve this system by adding the identifier of the
> person logged in the Squid logs (It's easier to do research, it saves
> time!).

First lesson: there is no "person". In the HTTP world we explicitly avoid the terms "user" or "person" because a lot (most?) of traffic is from automated services and machinery around any given network. Some of it is even generated by your own Squid with no client involved at all.

>
> Is it easy or should use a specific helper authentication?
>

Second; When traffic is MITM'd the client believes it is talking to some other endpoint. It will only ever authenticate with credentials suitable for that endpoint. No sane client software will broadcast credentials without the remote endpoint explicitly requesting them. Some clients are not that sane, but they are the exception.

Third; Authentication of all types involves some secret known only to the endpoints, often generated on-demand via some other channel. The MITM proxy even holding the credentials cannot authenticate them, nor reliably use them for anything other than relaying as-is on the *same* transaction's outbound request message.

BUT ... this is where "authorization" being different from "authentication" matters a lot.

>
> Has anyone ever done that?
>

As I understand it RADIUS has ways to tie IP:port of TCP connections to a user account (if any?). It is possible to have a RADIUS helper used on external_acl_type receiving those details and providing Squid with a label to log as "username".

Or, alternatively just send the log through a daemon which uses the log lines it gets passed to append any extra details you want it to add.

But be aware these only associate the machinery by-IP to an account.
It does not imply the "person" was actually present, nor even aware of the transaction happening.

Amos
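A sketch of the external_acl_type helper approach described in the reply above, added here as an illustration and not code from the original post or from the Squid project. It assumes the helper runs without concurrency and is passed only the client address (%SRC); the helper name, the ACL name and the session table are constructed, and a real deployment would fill that table from RADIUS accounting records.

```python
#!/usr/bin/env python3
import ipaddress
import re
import sys

# Hypothetical squid.conf wiring (names are assumptions, not from the post):
#   external_acl_type ip2account ttl=60 %SRC /usr/local/bin/ip2account.py
#   acl has_account external ip2account
# The ACL must be evaluated (e.g. in http_access) for the lookup to run.

# Constructed sample: address -> (account, session_open). In practice this
# comes from RADIUS accounting (User-Name / Framed-IP-Address, Start/Stop).
SESSIONS = {
    "10.20.0.15": ("alice", True),
    "10.20.0.16": ("guest-0042", False),     # accounting Stop already seen
    "10.20.0.17": ("eve user=admin", True),  # hostile User-Name value
}

# User-Name is supplied by the client. A space or '=' in it would inject an
# extra key=value pair into the reply line, so only plain names are allowed.
SAFE_NAME = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def lookup(src, sessions=SESSIONS):
    """Return the account currently bound to address src, or None."""
    try:
        key = str(ipaddress.ip_address(src))
    except ValueError:
        return None
    name, is_open = sessions.get(key, (None, False))
    if not is_open or not SAFE_NAME.fullmatch(name):
        return None
    return name


def answer(line, sessions=SESSIONS):
    """Turn one request line from Squid (just %SRC) into a helper reply."""
    fields = line.split()
    name = lookup(fields[0], sessions) if fields else None
    # ERR = no match: Squid gets no label to log for this address.
    return f"OK user={name}" if name else "ERR"


def main():
    for line in sys.stdin:
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()  # Squid waits for each reply line


if __name__ == "__main__":
    main()
```

The label returned is the account bound to that address at lookup time, which is the by-IP association the reply warns about, not proof of who generated the request.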