Re: [squid-users] transparent proxy + auth

From: Jon Newman <jnewman@dont-contact.us>
Date: Sun, 1 May 2005 12:17:12 -0500 (CDT)

I work as the lead developer for an ISP in Houston TX. I am developing a
transparent bridge/filter/firewall for our customers where we map each
customer's IP/MAC/etc (and other information depending on the type of
account and what's available to 'map' them) to their account, and using
that as 'authentication' for who they are. After they are mapped to their
account, we use a user/pass combo stored in an SQL database through a web
interface so that customers can select what kind of filtering/etc they
desire. The customer's mapping is re-evaluated every 30 seconds or so
(through a background accounting daemon), to make sure that the correct
settings/firewall/etc are in place for 'their' IP(s) the account is
currently using (we update periodically because we have many customers
which are dynamic DSL which we map using their vp/vc pair info, and to
generally ensure people are configured correctly). It is still in the
final phases of development, but it all appears to be going well thus far
(after a few hiccups that had to be cured here and there, of course). By
keeping track of this information we can also see if any customers are
misconfigured, or connected to the network through our in-house web based
management software. Another nice benefit of this method that might be
something to consider. This works on a per-IP basis, so if you have
several customers connecting behind a NAT box or something similar, you
are out of luck as far as controlling each person independently.

Just thought I'd offer a perspective on what one company is doing to get
around these issues.

-Jon

-- 
Jon Newman (jnewman@oplink.net)
Technical Solutions Manager / Senior software Engineer
The Optimal Link (http://www.oplink.net)
>
>  This solution only works when there is a one-to-one
> mapping between users and ip addresses but imagine
> circumstances where all users have the same IP addresses
> (e.g. terminal server users).
>
>  The definite solution to this problem is
> "cookie-based authentication" which is implemented by
> some commercial products like bluecoat ProxySG
> (http://www.bluecoat.com/downloads/support/BCS_tb_enabling_transparent_auth.pdf)
> and Novell BorderManager
> (http://support.novell.com/techcenter/articles/cfa03332.html)
>
>
> --- Henrik Nordstrom <hno@squid-cache.org> wrote:
>> On Sat, 30 Apr 2005, Varun wrote:
>>
>> >       Is it possible to have any sort of
>> > authentication with squid running as a
>> > transparent proxy?
>>
>> Yes, but not the HTTP authentication.
>>
>> To make authentication in a transparent proxy you
>> need to figure out some
>> way of authenticating the user based on his IP. The
>> external_acl interface
>> of Squid-2.5 or later allows you to plug this into
>> Squid.
>>
>> Regards
>> Henrik
>>
>
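To make Henrik's external_acl suggestion concrete, here is an added example helper (not code from the thread, from Squid, or from Jon's ISP) that authorizes a client purely by its source IP, the way Jon's mapping does, and re-checks the mapping on a short TTL. The squid.conf lines in the docstring, the helper path, the account table and the 30-second cache age are all assumptions made for the example; Squid's external_acl helper protocol (one request line in, one `OK`/`ERR` line out, optionally with `user=`) is real. The same limitation the thread points out applies: every user behind one NAT box or terminal server looks like one IP to this helper.

```python
#!/usr/bin/env python3
"""Squid external_acl helper that authorizes a client by source IP.

Added example, not part of the squid-users thread. Assumed squid.conf
lines (names and path are hypothetical):

    external_acl_type ipauth ttl=30 negative_ttl=5 %SRC /usr/local/bin/ipauth.py
    acl ipauth_ok external ipauth
    http_access allow ipauth_ok
    http_access deny all

Squid writes one request per line (here just the client IP, because the
format string is %SRC) and expects "OK" or "ERR" back on its own line.
"""
import sys
import time
from ipaddress import ip_address

# Constructed sample mapping. In production this would query the accounting
# database that the ISP's background daemon keeps current.
ACCOUNT_MAP = {
    "10.0.0.5": "alice",
    "10.0.0.6": "bob",
}

# Hypothetical: re-check the IP-to-account mapping at least this often,
# mirroring the ~30 s re-evaluation cycle described in the thread.
MAX_AGE = 30.0


class IpAuthorizer:
    """Maps a source IP to an account, caching lookups for MAX_AGE seconds."""

    def __init__(self, lookup, max_age=MAX_AGE, clock=time.monotonic):
        self._lookup = lookup        # callable: ip string -> account or None
        self._max_age = max_age
        self._clock = clock          # injectable for testing expiry
        self._cache = {}             # ip -> (account or None, fetched_at)

    def account_for(self, ip):
        now = self._clock()
        hit = self._cache.get(ip)
        if hit is not None and now - hit[1] < self._max_age:
            return hit[0]
        account = self._lookup(ip)   # negative results are cached too
        self._cache[ip] = (account, now)
        return account

    def decide(self, line):
        """Turn one request line from Squid into the reply line."""
        fields = line.split()
        token = fields[0] if fields else ""
        try:
            ip = str(ip_address(token))  # reject malformed input before lookup
        except ValueError:
            return "ERR"
        account = self.account_for(ip)
        if account is None:
            return "ERR"
        # "user=" lets Squid record the account name in access.log
        return f"OK user={account}"


def main():
    auth = IpAuthorizer(ACCOUNT_MAP.get)
    for line in sys.stdin:
        sys.stdout.write(auth.decide(line) + "\n")
        sys.stdout.flush()  # Squid blocks waiting for each reply; never buffer


if __name__ == "__main__":
    main()
```

The helper caches negative answers as well as positive ones, so a burst of requests from an unmapped IP does not hammer the accounting database; the short TTL is what lets a change in the mapping (a DSL customer moving to a new address) take effect within the same window Jon's daemon uses.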
Received on Sun May 01 2005 - 11:04:51 MDT
