On 13/05/2013 8:26 p.m., Alex Domoradov wrote:
> On Mon, May 13, 2013 at 11:18 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>> On 13/05/2013 5:54 p.m., Alex Domoradov wrote:
>>> You can use acl apr, for example
>>>
>>> acl BIG_BOSS arp 01:02:03:04:05:06
>>>
>>> On Mon, May 13, 2013 at 8:11 AM, Daniyal Khorashadi Zadeh wrote:
>>>> Assume your executive of corporation, sit on his clerk desk PC, and
>>>> login to his username on the network (authenticate with Active
>>>> Directory), of course he wants his full access to internet, but he
>>>> can't because his IP address is different from what we set in squid
>>>> for his PC.
>>>>
>>>> we authenticate users in Active Directory, and set their gateways to
>>>> squid server so we have a Transparent squid. we don't want our users
>>>> to be authenticate for second time in Browser...
>>
>> This makes no sense at all. It is a simple matter for the browser to send
>> the already authenticated AD credentials to Squid for Squid to conform them
>> with AD. It's called single-sign-on to most people familiar with MS
>> products, and works with all forms of HTTP auth.
> will it work with transparent mode?
Ah "transparent". single-sign-on *is* "transparent" authentication.
Except that is not at all what you mean.
The "transparent" interception you use is only getting in the way
because you are not pushing the proxy settings over, just the gateway
settings. If you push *both* over to the client then all software which
uses the proxy settings correctly will be able to do single-sign-on, for
a transparently configured and authenticated proxy. The ones which do
not will have to use interception and can be controlled with different
security settings in the proxy.
>
>> It is also a simple matter for Squid helpers to take the IP (or EUI / MAC
>> address even) and verify them against AD to confirm there is a user logged
>> in on that machine and retrieve the details of said user back to Squid. The
>> external ACL helpers routinely do this for group checks.
>>
>> However, if you base the Squid security all on the IP or MAC you *always*
>> run the risk of an attacker hijacking the machine or even just spoofing that
>> clients IP/MAC details to bypass your Squid security controls.
Amos
Received on Mon May 13 2013 - 08:43:56 MDT
This archive was generated by hypermail 2.2.0 : Mon May 13 2013 - 12:00:05 MDT