Re: RADIUS Authorization?

From: Andrew Brennan <brennan@dont-contact.us>
Date: Thu, 19 Jun 1997 15:32:02 -0400 (EDT)

On Thu, 19 Jun 1997, Mark Lachniet wrote:

> Any developments in having a RADIUS auth module written? I am still very
> interested..
>
   While I'm also interested, I think we might have come up with a way
   to implement RADIUS-based acl-type restrictions. Hopefully, no one
   will point out glaring errors in this (but that's what this list is
   here for, yes? :^)

   I'm thinking of these entries in my squid.conf:

   acl nowtime time "/usr/local/squid/etc/nowtime"
   acl ISPprmt src "/usr/local/squid/etc/ISPprmt"
   http_access allow localhosts
   http_access allow ISPprmt nowtime
   http_access deny all

   -nowtime-
   F 09:42-10:42

   -ISPprmt-
   206.231.166.171/255.255.255.255
   etc. ...

   The file "nowtime" is updated by a HTML form (that auths against
   our RADIUS server), "ISPprmt" is also updated at the same time and
   contains the source IP address and squid is HUP'd to force a read
   of the new configuration. A cron'd job can check the modification
   date/time of "nowtime" ... if over an hour old, both "nowtime" and
   "ISPprmt" are /dev/null'd.

   The HTML form is returned when users are denied access, so that
   they can extend their access or start a new session easily.

   A potential exploit is a user who accesses and has their access
   extended by a later user (who updated nowtime and ISPprmt) as I've
   no easy way to timestamp entries in ISPprmt (I could add bogus IPs
   in the 10.x.x.x where the last three octets are a timestamp, but
   is it *really* necessary?).

   Anyone see a huge hole I've missed? Does this have possibilities
   as a jiffy hack-implementation of RADIUS/squid authentication??

   andrew. (brennan@auhs.edu)

                "Have you changed your domain name today?"
Received on Thu Jun 19 1997 - 12:42:27 MDT
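One way to close the gap Andrew points out (a later user's form submission extending an earlier user's access, because entries in ISPprmt carry no timestamp) is to keep a per-IP expiry table and regenerate ISPprmt from it on every run. This is an added example, not code from the post; it assumes the squid.conf rule is reduced to `http_access allow ISPprmt` (the nowtime ACL becomes unnecessary once expiry is enforced per address), the `sessions` file name and the pidfile path are this example's own, and the one-hour window is the one from the post.

```shell
#!/bin/sh
# Added example, not from the original post. The form's CGI calls grant_session
# after a successful RADIUS check; cron calls rebuild_acls every minute. Each IP
# carries its own expiry, so one user's session never extends another's.
SQUID_ETC="${SQUID_ETC:-/usr/local/squid/etc}"            # path from the post
SQUID_PID="${SQUID_PID:-/usr/local/squid/logs/squid.pid}" # assumed pidfile location
SESSION_SECS="${SESSION_SECS:-3600}"                      # one-hour window from the post
SESSIONS="sessions"   # sidecar file of "ip expiry-epoch" lines (this example's own name)

# grant_session IP [NOW]: add or renew the entry for one client address.
grant_session() {
    ip="$1"; now="${2:-$(date +%s)}"
    f="$SQUID_ETC/$SESSIONS"
    touch "$f"
    { awk -v ip="$ip" '$1 != ip' "$f"; echo "$ip $((now + SESSION_SECS))"; } > "$f.tmp"
    mv "$f.tmp" "$f"
}

# rebuild_acls [NOW]: drop expired entries, rewrite ISPprmt, tell squid to reread.
rebuild_acls() {
    now="${1:-$(date +%s)}"
    f="$SQUID_ETC/$SESSIONS"
    touch "$f"
    awk -v now="$now" '$2 > now' "$f" > "$f.tmp"
    mv "$f.tmp" "$f"
    # Host entries in the form the post uses: a.b.c.d/255.255.255.255
    awk '{ print $1 "/255.255.255.255" }' "$f" > "$SQUID_ETC/ISPprmt"
    if [ -r "$SQUID_PID" ]; then
        kill -HUP "$(cat "$SQUID_PID")" 2>/dev/null || true
    fi
}

# live_count: number of unexpired addresses in ISPprmt after the last rebuild.
live_count() {
    wc -l < "$SQUID_ETC/ISPprmt" | tr -d ' '
}
```

Both functions rewrite the same files, so in production the CGI and the cron job should take a lock around them; this example leaves that out.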

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:35:33 MST