<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#464646" bgcolor="#FFFFFF">
<br>
<font face="Arial">Thank you for your answer Elizer for all these
details, but I've done some research to avoid soliciting the
community for simple questions.<br>
<br>
The objective is to not ask anything to the user and not to break
his navigation with a session request.<br>
To summarize, An SSO identification like kerberos with the
following constraints:<br>
</font>
<ol>
<li><font face="Arial"><font face="Arial">unknown </font>Mac
addresses </font></li>
<li><font face="Arial">DHCP IP with a short lease</font></li>
<li><font face="Arial">No Active Directory connection.</font></li>
</ol>
<font face="Arial"><br>
<br>
<br>
The network is in VLAN (Mac addr masked) and in DHCP with a short
lease.<br>
Even the notion of hotspot is complicated when you can't focus on
a network attribute.<br>
I try to find a way directly in the HTTP protocol. <br>
This is the reason why a fake could be a solution.<br>
<br>
But I think I'm trying to catch a chimera and we'll have to
redesign the network architecture.<br>
<br>
regards<br>
</font><br>
<div class="moz-cite-prefix">Le 12/02/2022 à 06:27, Eliezer Croitoru
a écrit :<br>
</div>
<blockquote type="cite"
cite="mid:001a01d81fd1$3b14bb70$b13e3250$@gmail.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style>@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:#464646;}a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New",serif;
color:#464646;}p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:#464646;}span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:#464646;}span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}div.WordSection1
{page:WordSection1;}ol
{margin-bottom:0in;}ul
{margin-bottom:0in;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span style="color:windowtext">Hey David,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">The general
name of this concept is SSO service.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">It can have
single or multiple backends.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">The main
question is how to implement the solution in the optimal way
possible.<br>
(taking into account money, coding complexity and other
humane parts)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">You will
need to authenticate the client against the main AUTH
service.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">There is a
definitive way or statistical way to implement this
solution.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">With AD or
Kerberos it’s possible to implement the solution in such a
way that windows will<br>
“transparently” authenticate to the proxy service.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">However you
must understand that all of this requires an infrastructure
that will provide every piece of the setup.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">If your
setup doesn’t contains RDP like servers then it’s possible
that you can authenticate a user with an IP compared<br>
to pinning every connection to a specific user.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">Also, the
“cost” of non-transparent authentication is that the user
will be required to enter (manually or automatically) <br>
the username and the password.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">An HotSpot
like setup is called “Captive Portal” and it’s a very simple
setup to implement with active directory.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">It’s also
possible to implement a transparent authentication for such
a setup based on session tokens.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">You actually
don’t need to create a “fake” helper for such a setup but
you can create one that is based on Linux.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">It’s an
“Advanced” topic but if you do ask me it’s possible that you
can take this in steps.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">The first
step would be to use a session helper that will authenticate
the user and will identify the user<br>
based on it’s IP address.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">If it’s a
wireless setup you can use a radius based authentication (
can also be implemented on a wired setup).<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">Once you
will authenticate the client transparently or in another way
you can limit the usage of the username to<br>
a specific client and with that comes a guaranteed situation
that a username will not be used from two sources.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">I don’t know
about your experience but the usage of a captive portal is
very common In such situations.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">The other
option is to create an agent in the client side that will
identify the user against the proxy/auth service<br>
and it will create a situation which an authorization will
be acquired based on some degree of authentication.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">In most SSO
environments it’s possible that per request/domain/other
there is a transparent validation.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">In all the
above scenarios which requires authentication the right way
to do it would be to use the proxy as<br>
a configured proxy compared to transparent.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">I believe
that one thing to consider is that once you authenticate
against a RADIUS service you would just<br>
minimize the user interaction.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">The main
point from what I understand is to actually minimize the
authentication steps of the client.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">My
suggestion for you is to first try and asses the complexity
of a session helper, raidus and captive portal.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">These are
steps that you will need to do in order to asses the
necessity of transparent SSO.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">Also take
your time to compare how a captive portal is configured in
the next general products:<o:p></o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph"
style="color:windowtext;margin-left:0in;mso-list:l0 level1
lfo1">Palo Alto<o:p></o:p></li>
<li class="MsoListParagraph"
style="color:windowtext;margin-left:0in;mso-list:l0 level1
lfo1">FortiGate<o:p></o:p></li>
<li class="MsoListParagraph"
style="color:windowtext;margin-left:0in;mso-list:l0 level1
lfo1">Untangle<o:p></o:p></li>
<li class="MsoListParagraph"
style="color:windowtext;margin-left:0in;mso-list:l0 level1
lfo1">Others<o:p></o:p></li>
</ul>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">From the
documentation you would see the different ways and “grades”
that they implement the solutions.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">Once you
know what the market offers and their equivalent costs you
will probably understand what<br>
you want and what you can afford to invest in the
development process of each part of setup.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">All The
Bests,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">Eliezer<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="color:windowtext">----<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">Eliezer
Croitoru<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">NgTech,
Tech Support<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">Mobile:
+972-5-28704261<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">Email: <a
href="mailto:ngtech1ltd@gmail.com"
moz-do-not-send="true" class="moz-txt-link-freetext">ngtech1ltd@gmail.com</a><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="color:windowtext">From:</span></b><span
style="color:windowtext"> squid-users
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users-bounces@lists.squid-cache.org"><squid-users-bounces@lists.squid-cache.org></a> <b>On
Behalf Of </b>David Touzeau<br>
<b>Sent:</b> Friday, February 11, 2022 17:03<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
<b>Subject:</b> Re: [squid-users] Squid plugin sponsor<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-family:"Arial",sans-serif">Hello<br>
<br>
Thank you but this is not the objective and this is the
reason for needing the "fake".<br>
Access to Kerberos or NTLM ports of the AD, is not possible.
An LDAP server would be present with accounts replication.<br>
The idea is to do a silent authentication without joining
the AD <br>
We did not need the double user/password credential, only
the user sent by the browser is required<br>
<br>
If the user has an Active Directory session then his account
is automatically sent without him having to take any action.<br>
If the user is in a workgroup then the account sent will not
be in the LDAP database and will be rejected.<br>
I don't need to argue about the security value of this
method. It saves us from setting up a gas factory to make a
kind of HotSpot</span><o:p></o:p></p>
<div>
<p class="MsoNormal">Le 11/02/2022 à 05:55, Dieter Bloms a
écrit :<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<pre>Hello David,<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>for me it looks like you want to use kerberos authentication.<o:p></o:p></pre>
<pre>With kerberos authentication the user don't have to authenticate against<o:p></o:p></pre>
<pre>the proxy. The authentication is done in the background.<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>Mayb this link will help:<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre><a href="https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos" moz-do-not-send="true" class="moz-txt-link-freetext">https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos</a><o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>On Thu, Feb 10, David Touzeau wrote:<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<pre>Hi<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>What we are looking for is to retrieve a "user" token without having to ask<o:p></o:p></pre>
<pre>anything from the user.<o:p></o:p></pre>
<pre>That's why we're looking at Active Directory credentials.<o:p></o:p></pre>
<pre>Once the user account is retrieved, a helper would be in charge of checking<o:p></o:p></pre>
<pre>if the user exists in the LDAP database.<o:p></o:p></pre>
<pre>This is to avoid any connection to an Active Directory<o:p></o:p></pre>
<pre>Maybe this is impossible<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre><o:p> </o:p></pre>
<pre>Le 10/02/2022 à 05:03, Amos Jeffries a écrit :<o:p></o:p></pre>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<pre>On 10/02/22 01:43, David Touzeau wrote:<o:p></o:p></pre>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<pre>Hi<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>I would like to sponsor the improvement of ntlm_fake_auth to support<o:p></o:p></pre>
<pre>new protocols<o:p></o:p></pre>
</blockquote>
<pre><o:p> </o:p></pre>
<pre>ntlm_* helpers are specific to NTLM authentication. All LanManager (LM)<o:p></o:p></pre>
<pre>protocols should already be supported as well as currently possible.<o:p></o:p></pre>
<pre>NTLM is formally discontinued by MS and *very* inefficient.<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>NP: NTLMv2 with encryption does not *work* because that encryption step<o:p></o:p></pre>
<pre>requires secret keys the proxy is not able to know.<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<pre>or go further produce a new negotiate_kerberos_auth_fake<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
</blockquote>
<pre><o:p> </o:p></pre>
<pre>With current Squid this helper only needs to produce an "OK" response<o:p></o:p></pre>
<pre>regardless of the input. The basic_auth_fake does that.<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>Amos<o:p></o:p></pre>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>squid-users mailing list<o:p></o:p></pre>
<pre><a href="mailto:squid-users@lists.squid-cache.org" moz-do-not-send="true" class="moz-txt-link-freetext">squid-users@lists.squid-cache.org</a><o:p></o:p></pre>
<pre><a href="http://lists.squid-cache.org/listinfo/squid-users" moz-do-not-send="true" class="moz-txt-link-freetext">http://lists.squid-cache.org/listinfo/squid-users</a><o:p></o:p></pre>
</blockquote>
</blockquote>
<pre><o:p> </o:p></pre>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<pre>_______________________________________________<o:p></o:p></pre>
<pre>squid-users mailing list<o:p></o:p></pre>
<pre><a href="mailto:squid-users@lists.squid-cache.org" moz-do-not-send="true" class="moz-txt-link-freetext">squid-users@lists.squid-cache.org</a><o:p></o:p></pre>
<pre><a href="http://lists.squid-cache.org/listinfo/squid-users" moz-do-not-send="true" class="moz-txt-link-freetext">http://lists.squid-cache.org/listinfo/squid-users</a><o:p></o:p></pre>
</blockquote>
<pre><o:p> </o:p></pre>
<pre><o:p> </o:p></pre>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
<br>
</body>
</html>