Re: [squid-users] Question about auth radius and 802.1x authentication.

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 03 Oct 2012 23:05:59 +1300

On 2/10/2012 8:43 p.m., Eliezer Croitoru wrote:
> On 10/2/2012 8:55 AM, Amos Jeffries wrote:
>> On 2/10/2012 4:45 p.m., Eliezer Croitoru wrote:
>>> The current authenticators for squid using ntlm\kerb etc but based on
>>> forward connection to the proxy.
>>>
>>> how about using 802.1x authentication to radius? what i mean is as
>>> transparent authenticator that dosnt require the user to configure
>>> something in his browser but just connect the cable to the network and
>>> the rest will be done by the dhcp+radius+some helper?
>>
>> Supported. Although we do not bundle a helper for it. (Contributions
>> welome).
>>
> any specific language ?
> (since I wrote a nice framework in ruby that can take lots and lots of
> load)

We do not have any formal criterion. Preferrably something portable,
well known and either commonly available or easily installable to ease
the job on disributors and testers. We so far distribute C++, perl, awk,
or bash code helpers. At the very least it needs to integrate cleanly
with auto-tools so we can actually build and bundle it.

The interpreted languages like Ruby, Python, Java, PHP etc are getting
close to being options, but I'm not sure whether the redistributors OS
distro systems are all up to the task of packaging them cleanly yet.

>> That rides the fine line between authentication and authorization - and
>> the other fine line whether it is validating a machine client or a user
>> client. HTTP authentication requires the credentials to be contained
>> within the HTTP message itself, otherwise one cannot guarantee that the
>> client sending the message is the client originating the message. For
>> example all requests coming out of your Squid would be from a RADIUS
>> authenticated machines, but what user account gets credited? two
>> requests on the same TCP connection relayed through another proxy before
>> they arrive has the same issues.
>>
>> Squid external ACL is the interface for side-band authorization to
>> permit/deny through Squid based on some non-credentials criteria
>> (possibly the side-band 802.1x information). With user= password= helper
>> response keys it can be used to assign Squid some credentials for real
>> authentication with down-stream servers on the clients behalf. Even then
>> that still rides the fine line as to whether it is machine client,
>> software client or user client credentials being used.
>>
>> Amos
>>
> I do understand the difference between authentication and authorization.
> the point in my case is that we are talking about a user account
> rather the user itself like In ISP environments.
> In ISP environment the user authentication is done per
> connection\session and not per request.
> Let say the ISP has some radius server that serves
> cisco\juniper\microtik NAS for PPPOE\L2TP\PPTP\SSTP incoming
> connections to authenticate the users login.
> In this case the username is assigned IP from the pool and will only
> be removed in the case where the session\connection is terminated
> (usually after 2*10 echo interval) which makes about 1 minute max for
> the radius to get update from the NAS to remove the ip->user entry.
>
> So as for the helper it's pretty simple query of IP from a DB and
> since I already kind of wrote an external_acl\helpers framework with
> concurrency support it only matter of how to implement it which is
> nothing.
>
> since I am talking about ISP everything is per IP + MAC address
> ->username.
>
> if anyone wants to get other user credentials for now he will need to
> disconnect from the system.
>
> I am planning to put together some mechanism that will allow a user to
> identify himself to the system using some web page.
>
> By the way in ipv6 era since every internet client can get a subnet it
> can give to the IP level of things a wider band of options.
>
> so for now I have a question.
> If an external_acl returns the username to squid on the http_access
> line and has ttl=30 then squid complains about that intercept dosn't
> support authentication and will not apply any internal acls for
> identity but, is it suppose to send to ICAP service (like it logs in
> the access.log) the username?

Er, yes applying ACLs is not possible because Squid only contains ACLs
to test Proxy-Authentication: header values (proxy_auth ACL type). Which
is leveraged for WWW-Authenticate header values in reverse-proxy mode.
  The external ACL interface is not registering credentials as such to
Squid, but making them available for Squid to use to authenticate an
outbound request as it goes upstream.

>
>
> I have a more technical question about TPROXY(sockets programming) not
> related to this directly, who is the guy that did all the TPROXY stuff?
>

The Squid bits by me. The latest round of kernel bits by Krisztian
Kovacs on netfiler-devel mailing list.

Amos
Received on Wed Oct 03 2012 - 10:06:15 MDT

This archive was generated by hypermail 2.2.0 : Wed Oct 03 2012 - 12:00:03 MDT