[squid-users] Squid radius Authentication

Amos Jeffries squid3 at treenet.co.nz
Fri Sep 15 15:26:54 UTC 2017

On 16/09/17 02:31, Pascal Schäfer wrote:
> Dear Amos,
> Thank you for your reply!
>>> I have a question about the authentication with a radius server.
>>> I use Squid as a reverse proxy.
>>> It is possible to use two radius server for different pages or
>>> subdomains with squid_radius_auth?
>> HTTP has no concept of "page" - so for that; no.
>> For sub-domains (OR specific URLs); maybe. Because the helper you are
>> asking about does not use the key_extras feature provided by latest
>> Squid version
> Ok. Thank you. Exist another helper who did an authentication with a
> radius server?

I am aware of some proprietary ones existing. But that is not useful for 

>> You need to write your own helper that does what you want. That could be
>> in the form of a wrapper script that starts multiple radius helper with
>> the necessary parameters, and uses key_extra parameters to decide which
>> one will handle any given auth lookup.
> Is this https://wiki.squid-cache.org/Features/AddonHelpers#Authenticator
> the right wiki, where I have to lookup?

That page describes the protocol Squid will be talking to your script 
with; and what is expected to arrive back.

> Make it sense that behind the radius server is a Windows NPS Server to
> authenticate the Users?

That does not matter unless you are writing the RADIUS parts yourself. 
In which case I cannot help, not knowing much about RADIUS protocol.

> So when I write the wrapper helper, I only need to decide which helper I
> would like to start and with which parameters, like a Bash command?

Yes. Though helpers are required to run until Squid stops them. So best 
to start the child radius helpers at the beginning then just relay query 
and response lines appropriately when they arrive.

>> Since you are calling it the long obsolete name "squid_radius_auth", you
>> probably do not have a current Squid version which supplies the
>> key_extras feature. At the very least you will have to upgrade to at
>> least Squid-3.5.
> I have a Squid-3.5, self compiled.
> I think about to upgrade there on Squid-4 or to compile it and install
> them fresh on the system. Is the name of them another in the newer versions?

Then you should be fine, except "basic_radius_auth" is the helper binary 
name since Squid-3.2.


More information about the squid-users mailing list