The reason we want to use squid is because we are monitoring the traffic
with Websense and squid will send the username to the websesne server
for monitoring. It was my understanding that PIX would not do that.
We will point squid to our Active Directory LDAP servers. This is
working in a test environment.
Thanks
>>> "Kevin" <kkadow@gmail.com> 07/25/05 01:10PM >>>
On 7/25/05, Corey Tyndall <CTyndall@pcmh.com> wrote:
> I am looking at implementing squid proxy for internet authentication
> purposes. We will not be utilizing the cache just the
authentication
> piece.
If all you really need is authentication, Squid may not be the best
solution, as Squid does a lot of extra work and rewriting of requests,
necessary for caching but not really useful for just user
authentication.
Personally, I would instead consider something like the Cisco PIX or
any
other hardware or software product which can provide a "Single Sign
On"
approach to authenticating users for outbound (and/or inbound) access.
If you do want to proceed with Squid, may I inquire as to what type of
authentication will you be using?
Will the credential store be local on the box running Squid, or will
the
authentication requests be forwarded using a network protocol to a
remote
host? If so, what protocol will be used for the network
authentication?
> We will have hundreds of users authenticating at any given time.
Squid will cache the password for a successful authentication for one
hour by default:
http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.3
So for each unique user who successfully authenticates, the Squid
server
will only need to contact the "authentication helper" at most once per
hour.
Kevin Kadow
(P.S. Squid caches local authentication usernames and passwords
in memory in cleartext, so you may wish to look into encrypting swap.)
------------------------------------------------------------------------------
The contents of this e-mail (and any attachments) are confidential, may be privileged and may contain copyright material. You may only reproduce or distribute material if you are expressly authorized by us to do so. If you are not the intended recipient, any use, disclosure or copying of this email (and any attachments) is unauthorized. If you have received this e-mail in error, please notify the sender and immediately delete this e-mail and any copies of it from your system.
==============================================================================
Received on Mon Jul 25 2005 - 11:37:25 MDT
This archive was generated by hypermail pre-2.1.9 : Mon Aug 01 2005 - 12:00:03 MDT