Re: [SQU] Authenticate problem: from Henk-Jan Kloosterman on 2000-12-22 (squid-users)

From: Henk-Jan Kloosterman <proxy@dont-contact.us>
Date: Fri, 22 Dec 2000 16:39:59 +0100

> Henk-Jan Kloosterman wrote:
>
> > > The browser always authenticates, but Squid tries to cache this to not
> > > overload the backend database.
> >
> > Can I disable this cache? Cuase it realy "feels" that this is the
problem.
>
> Most likely not. All this cache does is to lower the amount of requests
> to the backend authentication service. If you disable the cache then
> Squid will have to validate the password on each and every request. And
> since you use securid tokens this means that the user would have to
> generate a new passphrases mostly the whole time..
>
> > > Is the radius authentication sucessful, or is it repeated failures?
> >
> > No it is not succesfull: And there is the problem! The passwords change
> > every minute (we use a "secureid" token to generaie the password)
>
> Ok. So each user whould have to reauthenticate each authenticate_ttl
> then, possibly causing trouble if it happens in the middle of a page, or
> on a page partially cached in the client browser. If the users browser
> have or tries to open multiple connections to the proxy when the old
> passphrase expires then multiple requests for a new identification will
> be sent (one for each concurrent request not carrying a valid
> identification).
>
> Hmm.. maybe there are a proxy_auth cache defiency there. In theory the
> first request carrying the new passphrase would be sent to the
> authenticator, but maybe all are until the authenticator returns. Need
> to check the code on this.
>

If you could to that please, cuase I am running out of options right now.
I checked in cachemgr.cgi: In authticator sttistics the average service time
is 1830 msec

I am not sure, but it looks like it happens if the user hasn't used the
browser for a longer period (shorter then 3600 secs) I will try to check. Do
you want more info?

> > > What is your settings of
> > >
> > > authenticate_ttl
> >
> > 3600
>
> Fine.
>
> > > authenticate_ip_ttl
> >
> > 3600
>
> This might also be one source if the same userid tried to access Squid
> from two or more different IP's.

No!!! I triple checked this: It is always from the same IP adress!

--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html

Received on Fri Dec 22 2000 - 08:48:50 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:57:05 MST