Re: [squid-users] Authentication through squid in transparent mode by take MACAddress, IPAddress

From: Adam Aube <aaube@dont-contact.us>
Date: Sat, 19 Jul 2003 10:49:36 -0400

>I have squid server running in transparent mode.
>The scenario is:

>1) As the user sends any http request all the port 80 traffic will
>be redirected to squid server.

>2) The Squid Server will then throw a page (JSP or CGI) on the user's
>screen where he will enter the username and password.

>3) Now as we want to do authentication on the basis of username,
>password, IP Address and MAC Address, this CGI/Perl script will
>extract the user's machine MAC and IP Address and send it to the squid
>server along with username and password.

>4) Squid will forward these parameters to another server and wait
>for a response. If the user is authenticated he will be allowed to pass
>through to access the page he requested.

If you want to do this exactly the way you describe, then you are
in for a LOT of work. I'm not even sure if it's possible. Here's
what I would suggest:

1) Skip transparent proxying. Use a proxy.pac script (see the FAQ)
if you're worried about having to reconfigure each browser if you
change the proxy IP Address or port.

2) Use IPTables on the Squid box to match up MAC Addresses and IP
Addresses. REJECT (don't DROP) access if they don't match. Create
a text file with a list of IP Addresses and matching MAC addresses,
then write a script that reads this file and generates the IPTables
rules.

3) Use Squid's basic auth with either the LDAP or Winbind helpers
(depending on your setup). This will prompt the user for a username
and password, then pass them to another server to verify them.

4) Use the max_user_ip acl to restrict a user to a single IP address
(whatever IP address they use first), and set authenticate_ip_ttl
high to make it difficult to switch IP addresses.

5) Write a script that audits the access.log and looks for users
not coming from their assigned IP address, then bust them.

That's probably the simplest way to implement what you want. Anything
else will require a lot of programming work, and may not even be
possible.

Adam
Received on Sat Jul 19 2003 - 09:07:21 MDT
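As an added example that is not part of Adam's reply and not code from the Squid or iptables projects, here is a POSIX shell script covering steps 2 and 5 of the suggested setup: it generates the iptables MAC/IP pinning rules from a text file of assignments (known pairs pass, everything else hitting the proxy port is REJECTed rather than DROPped), and it audits a Squid access.log for authenticated users appearing from an IP other than the one assigned to them. The mapping-file format ("ip mac user" per line), the interface eth0, the proxy port 3128, the chain name MACCHECK, and the sample mapping and log lines are all constructed assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original post: implements steps 2 and 5
# of the reply above. Assumptions (hypothetical): the mapping file has
# one "ip mac user" entry per line with '#' comment lines; Squid listens
# on tcp/3128 on eth0 (no transparent redirect, as step 1 suggests); the
# access.log is in Squid's native format, where field 3 is the client
# IP and field 8 is the authenticated username ("-" if none).

# Constructed sample mapping file contents.
MAPPING_SAMPLE='# ip          mac                 user
192.0.2.10   00:11:22:33:44:55   alice
192.0.2.11   00:11:22:33:44:66   bob
'

# Constructed sample access.log: the third line shows alice coming
# from the IP assigned to bob; the fourth is an unauthenticated 407.
LOG_SAMPLE='1058626176.123     45 192.0.2.10 TCP_MISS/200 1234 GET http://example.com/ alice DIRECT/93.184.216.34 text/html
1058626180.456     50 192.0.2.11 TCP_MISS/200 2345 GET http://example.com/a bob DIRECT/93.184.216.34 text/html
1058626190.789     12 192.0.2.11 TCP_MISS/200 456 GET http://example.com/b alice DIRECT/93.184.216.34 text/html
1058626195.000     30 192.0.2.12 TCP_DENIED/407 300 GET http://example.com/c - NONE/- text/html
'

# Step 2: print iptables rules that let a known (IP, MAC) pair through
# to the proxy port and REJECT everything else, so a mismatch fails
# fast with a TCP reset instead of hanging. Rules are printed for
# review; pipe the output to sh as root to apply them. A RETURN from
# MACCHECK hands the packet back to the rest of INPUT.
gen_rules() {
    map=$1
    lan_if=${2:-eth0}
    proxy_port=${3:-3128}
    printf 'iptables -N MACCHECK 2>/dev/null || iptables -F MACCHECK\n'
    awk 'NF >= 2 && $1 !~ /^#/ {
        printf "iptables -A MACCHECK -s %s -m mac --mac-source %s -j RETURN\n", $1, $2
    }' "$map"
    printf 'iptables -A MACCHECK -j REJECT --reject-with tcp-reset\n'
    printf 'iptables -I INPUT -i %s -p tcp --dport %s -j MACCHECK\n' "$lan_if" "$proxy_port"
}

# Step 5: report every authenticated request whose client IP is not the
# one assigned to that user in the mapping file, plus users that have
# no assignment at all. Unauthenticated lines (user "-") are skipped.
audit_log() {
    map=$1
    logfile=$2
    awk 'NR == FNR {
             if (NF >= 3 && $1 !~ /^#/) assigned[$3] = $1
             next
         }
         $8 != "-" {
             if (!($8 in assigned))
                 printf "%s user=%s has no assigned IP (seen=%s)\n", $1, $8, $3
             else if ($3 != assigned[$8])
                 printf "%s user=%s expected=%s seen=%s\n", $1, $8, assigned[$8], $3
         }' "$map" "$logfile"
}

# Run both steps against the constructed samples: "sh script.sh demo".
demo() {
    map=$(mktemp)
    log=$(mktemp)
    printf '%s' "$MAPPING_SAMPLE" > "$map"
    printf '%s' "$LOG_SAMPLE" > "$log"
    echo "# generated rules:"
    gen_rules "$map" eth0 3128
    echo "# audit findings:"
    audit_log "$map" "$log"
    rm -f "$map" "$log"
}

if [ "${1:-}" = demo ]; then demo; fi
```

The proxy side of steps 3 and 4 is plain squid.conf configuration (an auth_param basic program line pointing at the LDAP or Winbind helper, a proxy_auth acl, a max_user_ip acl and authenticate_ip_ttl) and is not repeated here. Note that the iptables check only binds a MAC to an IP on the proxy's own LAN segment; clients behind a router reach the proxy with the router's MAC, so the audit script is what catches a user who borrows someone else's address from elsewhere.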
