[squid-users] Radius and Squid transparent mode

Amos Jeffries squid3 at treenet.co.nz
Wed Sep 5 14:25:03 UTC 2018


On 6/09/18 1:16 AM, Colle Christophe wrote:
> Hello,
> 
> I am working on a WiFi project: People connect to the network using a
> Radius server, then use the Internet using Squid in transparent mode.
> 
> I would like to improve this system by adding the identifier of the
> person logged in the Squid logs (It's easier to do research, it saves
> time!).


First lesson: there is no "person".

In the HTTP world we explicitly avoid the terms "user" or "person"
because a lot (most?) of traffic is from automated services and
machinery around any given network. Some of it is even generated by your
own Squid with no client involved at all.


> 
> Is it easy, or should I use a specific helper authentication?
> 

Second:
 When traffic is MITM'd the client believes it is talking to some other
endpoint. It will only ever authenticate with credentials suitable for
that endpoint.
 No sane client software will broadcast credentials without the remote
endpoint explicitly requesting them. Some clients are not that sane, but
they are the exception.


Third:
 Authentication of all types involves some secret known only to the
endpoints, often generated on-demand via some other channel. The MITM
proxy, even holding the credentials, cannot authenticate them, nor
reliably use them for anything other than relaying them as-is in the
*same* transaction's outbound request message.


BUT ... this is where "authorization" being different from
"authentication" matters a lot.


> 
> Has anyone ever done that?
> 

As I understand it RADIUS has ways to tie IP:port of TCP connections to
a user account (if any?).

It is possible to have a RADIUS helper used on external_acl_type
receiving those details and providing Squid with a label to log as
"username".

Or, alternatively just send the log through a daemon which uses the log
lines it gets passed to append any extra details you want it to add.

But be aware these only associate the machinery, by IP, to an account. It
does not imply the "person" was actually present, nor even aware of the
transaction happening.


Amos
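The external_acl_type route Amos describes, as an added example that is not part of his reply nor one of Squid's shipped helpers: a small helper that receives the client IP from Squid, looks up the account bound to that IP, and hands back a `user=` label that Squid then logs via `%ue`. The ACCOUNTING table is a constructed stand-in for the RADIUS accounting view (Framed-IP-Address to User-Name); a real helper would query the accounting database or log instead. The helper path, ACL name and log format name in the squid.conf comment are assumed; the directives, format codes (`%SRC`, `%ue`) and the `OK user=` / `ERR` / `BH` reply syntax are Squid's own.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper that labels requests with the RADIUS
account bound to the client IP. Added example; not Squid project code.

Assumed squid.conf wiring (helper path, acl and logformat names are
hypothetical; the directives and format codes are real Squid syntax):

  external_acl_type radius_by_ip ttl=60 negative_ttl=10 concurrency=8 \
      children-max=4 %SRC /usr/local/bin/radius_ip_helper.py
  acl radius_known external radius_by_ip
  http_access allow radius_known
  http_access allow localnet        # unknown IPs still get through, unlabelled
  logformat with_account %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %ue %Sh/%<a %mt
  access_log /var/log/squid/access.log with_account

With concurrency= set, Squid sends one line per lookup, "<channel-id> <client-ip>",
and expects back "<channel-id> OK user=<name>" or "<channel-id> ERR".
"""
import ipaddress
import sys

# Constructed stand-in for RADIUS accounting data (Framed-IP-Address -> User-Name).
ACCOUNTING = {
    "10.20.0.17": "cchristophe",
    "10.20.0.42": "printer-lobby",
    "2001:db8:1::5": "sensor-3f",
}


def lookup_account(client_ip, table=ACCOUNTING):
    """Return the account name bound to client_ip, or None if unknown/invalid.

    Addresses are normalised so that "2001:DB8:1:0:0:0:0:5" and
    "2001:db8:1::5" hit the same entry.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return None
    return table.get(addr.compressed)


def quote_value(value):
    """Quote a key=value value for Squid's helper reply syntax when needed."""
    if not any(ch in value for ch in ' \t"\\'):
        return value
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def handle_line(line, table=ACCOUNTING):
    """Turn one request line from Squid into the reply line it expects."""
    fields = line.strip().split()
    if len(fields) < 2:
        # Malformed or empty request: BH tells Squid the helper could not
        # answer this lookup. Keep the channel id if one was sent.
        return fields[0] + " BH" if fields else "BH"
    channel, client_ip = fields[0], fields[1]
    name = lookup_account(client_ip, table)
    if name is None:
        # ERR: the ACL does not match, so evaluation falls through to the
        # next http_access line. Nothing is denied by this helper alone.
        return f"{channel} ERR"
    # user= is what Squid records in %ue (and %un) for this transaction.
    return f"{channel} OK user={quote_value(name)}"


def main():
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()  # Squid blocks on the reply; never leave it buffered


if __name__ == "__main__":
    main()
```

Two practitioner caveats: the label only says which account the IP was bound to at lookup time, which is Amos's point about authorization versus authentication, and Squid caches each result for `ttl=` (or `negative_ttl=` for ERR), so a DHCP lease that changes hands inside that window is logged under the previous account until the cache entry expires.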

