[squid-users] Squid radius Authentication

Pascal Schäfer p.schaefer at creapptive.de
Sat Sep 23 16:05:41 UTC 2017

Dear Amos,

I have another question to the key_extras for auth_param basic key_extras.
It is possible to give the helper more than one key_extras argument?
Maybe like this:

auth_param basic key_extras %macro
auth_param basic key_extras $macro


auth_param basic key_extras %macro %macro

And I tried some key_extras but the only usefull key_extras was %rp,
where I get /site/ from the URL: https://subdomain.domain.com/site/.
And when I try to use %rq my squid tell me an Error that he can't parse
the config file.
I wish I could get the whole URL from the squid.

Maybe do you know why that happens?
Or it isn't it the right key_extras %macro?
The most of the other %macros gives me the "-", which means that the
information is not available in this moment, where the authentication
helper get the username and password.

My squid version is squid 3.5.23-5 compiled from the sources of a debian
distribution (apt-get sources ... ).
I used these references for squid:


I hope you can help me.

with best regards,


Am 15.09.2017 um 17:26 schrieb Amos Jeffries:
> On 16/09/17 02:31, Pascal Schäfer wrote:
>> Dear Amos,
>> Thank you for your reply!
>>>> I have a question about the authentication with a radius server.
>>>> I use Squid as a reverse proxy.
>>>> It is possible to use two radius server for different pages or
>>>> subdomains with squid_radius_auth?
>>> HTTP has no concept of "page" - so for that; no.
>>> For sub-domains (OR specific URLs); maybe. Because the helper you are
>>> asking about does not use the key_extras feature provided by latest
>>> Squid version
>> Ok. Thank you. Exist another helper who did an authentication with a
>> radius server?
> I am aware of some proprietary ones existing. But that is not useful for
> you.
>>> You need to write your own helper that does what you want. That could be
>>> in the form of a wrapper script that starts multiple radius helper with
>>> the necessary parameters, and uses key_extra parameters to decide which
>>> one will handle any given auth lookup.
>> Is this https://wiki.squid-cache.org/Features/AddonHelpers#Authenticator
>> the right wiki, where I have to lookup?
> That page describes the protocol Squid will be talking to your script
> with; and what is expected to arrive back.
>> Make it sense that behind the radius server is a Windows NPS Server to
>> authenticate the Users?
> That does not matter unless you are writing the RADIUS parts yourself.
> In which case I cannot help, not knowing much about RADIUS protocol.
>> So when I write the wrapper helper, I only need to decide which helper I
>> would like to start and with which parameters, like a Bash command?
> Yes. Though helpers are required to run until Squid stops them. So best
> to start the child radius helpers at the beginning then just relay query
> and response lines appropriately when they arrive.
>>> Since you are calling it the long obsolete name "squid_radius_auth", you
>>> probably do not have a current Squid version which supplies the
>>> key_extras feature. At the very least you will have to upgrade to at
>>> least Squid-3.5.
>> I have a Squid-3.5, self compiled.
>> I think about to upgrade there on Squid-4 or to compile it and install
>> them fresh on the system. Is the name of them another in the newer
>> versions?
> Then you should be fine, except "basic_radius_auth" is the helper binary
> name since Squid-3.2.
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

More information about the squid-users mailing list