Re: [squid-users] can squid perform authentication without prompting users for usernames and passwds ?

From: Henrik Nordstrom <hno@dont-contact.us>
Date: 10 Mar 2003 14:39:01 +0100

Mon 2003-03-10 at 14:06, reymc@eurecom.fr wrote:
> hi again!
>
> here is why I think it was not only identification with border manager
>
> the way authentication was performed with border manager:
> we had a program "Novell Client Trust" that communicated with the Border
> Manager Proxy, supplying it with the logon information we had entered when
> logging into SDS2000. Then if this information corresponds to what Border
> Manager has in its text file of authorised users (which file is built by
> exporting the list of Lotus Notes authorised users), then access to the
> Internet is allowed.

Which sounds as if BorderManager authorizes the user's IP address after
receiving authentication (or maybe only identification) for that IP
address by "Novell Client Trust".

What happens at BorderManager when a user logs out?

What happens if the client station is a Windows Terminal Server or other
multi-user station?

A silly test is to have two stations configured to use the same IP
address.

  1. Connect one of the stations to the network (the other disconnected)
  2. Log in as a user not having any special privileges in the firewall
  3. Disconnect the first station and connect the other
  4. Log in as a user having special privileges in the firewall such as
being able to surf or use FTP and verify that this works.
  5. Disconnect the second station and connect the first again. Check
what privileges the supposedly unprivileged user now has. My guess is
that he will now be able to access the privileged services via the
firewall which indicates it is the IP address of the user who has been
authorized, not the user.

> Now, if I use ntlm authentication with squid2.5, will I be prompted only once
> for a username and password or will I be authenticated based on my SDS2000
> login and password, and therefore never be prompted for authentication once I
> have logged into the system?

Almost certainly no.

NTLM is a kind of HTTP authentication scheme where the browser
authenticates to the proxy on each connection to the proxy using
Microsoft NT Lan Manager authentication, as used in Microsoft NT Domain
logon.

What you describe does not sound at all like an HTTP authentication
scheme, but rather like something which runs in parallel to HTTP or other
network traffic, using special protocols for the purpose of identifying
the user or his computer to the firewall.

-- 
Henrik Nordstrom <hno@squid-cache.org>
MARA Systems AB, Sweden
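The contrast Henrik draws above, as an added toy model that is not code from the original mail, from Squid or from BorderManager: an address-authorizing firewall and a per-connection authenticating proxy are both run through his five-step test. Class names, the user names and the address are assumptions constructed for the illustration.

```python
# Added example (not from the original mail or any product): a toy model of
# the two authorization styles contrasted in the mail, run through the
# five-step test it describes. All names below are constructed.
PRIVILEGED_USERS = {"alice"}   # constructed: alice may surf/FTP, bob may not
SHARED_IP = "192.0.2.10"       # constructed, RFC 5737 documentation address


class IpAuthorizingFirewall:
    """BorderManager-style model: a client-trust agent reports who logged in
    from an address, and the firewall thereafter authorizes that *address*."""

    def __init__(self):
        self.ip_owner = {}

    def login(self, ip, user):
        self.ip_owner[ip] = user       # last login wins; nothing happens on logout

    def allow(self, ip, user_on_wire):
        # Plain HTTP carries no credentials, so the identity on the
        # connection is unknown to the firewall and is ignored here.
        return self.ip_owner.get(ip) in PRIVILEGED_USERS


class ConnectionAuthenticatingProxy:
    """NTLM-style model: the browser authenticates on each proxy connection,
    so the decision is made on the authenticated user, never on the address."""

    def login(self, ip, user):
        pass                           # no per-address state is kept at all

    def allow(self, ip, user_on_wire):
        return user_on_wire in PRIVILEGED_USERS


def five_step_test(fw):
    """Steps 1-5 from the mail with two stations sharing one IP address.
    Returns (alice allowed at step 4, bob allowed at step 5)."""
    fw.login(SHARED_IP, "bob")         # step 2: unprivileged user logs in
    fw.login(SHARED_IP, "alice")       # step 4: privileged user logs in
    alice_ok = fw.allow(SHARED_IP, "alice")
    bob_ok = fw.allow(SHARED_IP, "bob")   # step 5: bob's station is back
    return alice_ok, bob_ok


if __name__ == "__main__":
    # Address-based: bob inherits alice's privileges -> (True, True)
    print("IP-authorizing firewall:", five_step_test(IpAuthorizingFirewall()))
    # Per-connection auth: bob stays unprivileged -> (True, False)
    print("NTLM-style proxy:", five_step_test(ConnectionAuthenticatingProxy()))
```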
Received on Mon Mar 10 2003 - 06:39:09 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:13:59 MST