<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:#464646;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:#464646;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:#464646;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:#464646;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:946733111;
mso-list-template-ids:-120671676;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1
{mso-list-id:1010334570;
mso-list-template-ids:-1030854824;}
@list l1:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2
{mso-list-id:1905027802;
mso-list-template-ids:-762441166;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=EN-US link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span style='color:windowtext'>Hey David,<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:windowtext'>Transparent authentication using Kerberos can only be used with a directory service.<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'>There are a couple of ways to authenticate…<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'>You can use an “automatic” hotspot website that will use cookies to authenticate the client once in a very long time.<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'>If the client request is not recognized or the client is not recognized for any reason, it’s reasonable to redirect him to a captive portal.<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'>I can try to work on a demo but I need to know more details about the network structure and to verify what is possible and what is not.<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'>Every device, i.e. switch, router, AP, etc., should be mentioned to understand the scenario.<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'>While you assume it’s a chimera, I still believe it’s just a three-headed Kerberos which… was proved to exist… in the movies and in the virtual world.<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:windowtext'>Eliezer <o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'><o:p> </o:p></span></p><div><p class=MsoNormal><span style='color:windowtext'>----<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'>Eliezer Croitoru<o:p></o:p></span></p><p class=MsoNormal><span 
style='color:windowtext'>NgTech, Tech Support<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'>Mobile: +972-5-28704261<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'>Email: <a href="mailto:ngtech1ltd@gmail.com">ngtech1ltd@gmail.com</a><o:p></o:p></span></p></div><p class=MsoNormal><span style='color:windowtext'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='color:windowtext'>From:</span></b><span style='color:windowtext'> David Touzeau &lt;david@articatech.com&gt; <br><b>Sent:</b> Monday, February 14, 2022 03:21<br><b>To:</b> Eliezer Croitoru &lt;ngtech1ltd@gmail.com&gt;<br><b>Cc:</b> squid-users@lists.squid-cache.org<br><b>Subject:</b> Re: [squid-users] Squid plugin sponsor<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><br><span style='font-family:"Arial",sans-serif'>Thank you for your answer Eliezer for all these details, but I've done some research to avoid soliciting the community for simple questions.<br><br>The objective is not to ask the user for anything and not to break his navigation with a session request.<br>To summarize, an SSO identification like Kerberos with the following constraints:</span><o:p></o:p></p><ol start=1 type=1><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo1'><span style='font-family:"Arial",sans-serif'>unknown MAC addresses </span><o:p></o:p></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo1'><span style='font-family:"Arial",sans-serif'>DHCP IP with a short lease</span><o:p></o:p></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo1'><span style='font-family:"Arial",sans-serif'>No Active Directory connection.</span><o:p></o:p></li></ol><p class=MsoNormal style='margin-bottom:12.0pt'><span 
style='font-family:"Arial",sans-serif'><br><br><br>The network is in a VLAN (MAC addr masked) and on DHCP with a short lease.<br>Even the notion of hotspot is complicated when you can't focus on a network attribute.<br>I am trying to find a way directly in the HTTP protocol. <br>This is the reason why a fake could be a solution.<br><br>But I think I'm trying to catch a chimera and we'll have to redesign the network architecture.<br><br>Regards</span><o:p></o:p></p><div><p class=MsoNormal>On 12/02/2022 at 06:27, Eliezer Croitoru wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span style='color:windowtext'>Hey David,</span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'> </span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'>The general name of this concept is SSO service.</span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'>It can have a single or multiple backends.</span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'>The main question is how to implement the solution in the optimal way possible.<br>(taking into account money, coding complexity and other human parts)</span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'> </span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'>You will need to authenticate the client against the main AUTH service.</span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'>There is a definitive way or a statistical way to implement this solution.</span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'>With AD or Kerberos it’s possible to implement the solution in such a way that Windows will<br>“transparently” authenticate to the proxy service.</span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'>However, you must understand that all of this requires an infrastructure that will provide every piece of the setup.</span><o:p></o:p></p><p 
class=MsoNormal><span style='color:windowtext'>If your setup doesn’t contain RDP-like servers then it’s possible that you can authenticate a user with an IP compared<br>to pinning every connection to a specific user.</span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'>Also, the “cost” of non-transparent authentication is that the user will be required to enter (manually or automatically) <br>the username and the password.</span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'>A hotspot-like setup is called a “Captive Portal” and it’s a very simple setup to implement with Active Directory.</span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'>It’s also possible to implement a transparent authentication for such a setup based on session tokens.</span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'> </span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'>You actually don’t need to create a “fake” helper for such a setup but you can create one that is based on Linux.</span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'>It’s an “advanced” topic, but if you ask me, it’s possible that you can take this in steps.</span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'>The first step would be to use a session helper that will authenticate the user and will identify the user<br>based on its IP address.</span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'>If it’s a wireless setup you can use a RADIUS-based authentication (it can also be implemented on a wired setup).</span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'>Once you authenticate the client transparently or in another way, you can limit the usage of the username to<br>a specific client, and with that comes a guaranteed situation that a username will not be used from two sources.</span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'>I don’t know 
about your experience but the usage of a captive portal is very common in such situations.</span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'>The other option is to create an agent on the client side that will identify the user against the proxy/auth service<br>and it will create a situation in which an authorization will be acquired based on some degree of authentication.</span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'> </span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'>In most SSO environments it’s possible that per request/domain/other there is a transparent validation.</span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'> </span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'>In all the above scenarios which require authentication, the right way to do it would be to use the proxy as<br>a configured proxy compared to transparent.</span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'>I believe that one thing to consider is that once you authenticate against a RADIUS service you would just<br>minimize the user interaction.</span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'>The main point from what I understand is to actually minimize the authentication steps of the client.</span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'> </span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'>My suggestion for you is to first try and assess the complexity of a session helper, RADIUS and captive portal.</span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'>These are steps that you will need to do in order to assess the necessity of transparent SSO.</span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'> </span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'>Also take your time to compare how a captive portal is configured in the following general 
products:</span><o:p></o:p></p><ol style='margin-top:0in' start=1 type=1><li class=MsoListParagraph style='color:windowtext;margin-left:0in;mso-list:l1 level1 lfo4'>Palo Alto<o:p></o:p></li><li class=MsoListParagraph style='color:windowtext;margin-left:0in;mso-list:l1 level1 lfo4'>FortiGate<o:p></o:p></li><li class=MsoListParagraph style='color:windowtext;margin-left:0in;mso-list:l1 level1 lfo4'>Untangle<o:p></o:p></li><li class=MsoListParagraph style='color:windowtext;margin-left:0in;mso-list:l1 level1 lfo4'>Others<o:p></o:p></li></ol><p class=MsoNormal><span style='color:windowtext'> </span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'>From the documentation you would see the different ways and “grades” in which they implement the solutions.</span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'>Once you know what the market offers and their equivalent costs you will probably understand what<br>you want and what you can afford to invest in the development process of each part of the setup.</span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'> </span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'>All the best,</span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'>Eliezer</span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'> </span><o:p></o:p></p><div><p class=MsoNormal><span style='color:windowtext'>----</span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'>Eliezer Croitoru</span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'>NgTech, Tech Support</span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'>Mobile: +972-5-28704261</span><o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'>Email: <a href="mailto:ngtech1ltd@gmail.com">ngtech1ltd@gmail.com</a></span><o:p></o:p></p></div><p class=MsoNormal><span style='color:windowtext'> </span><o:p></o:p></p><div><div style='border:none;border-top:solid #E1E1E1 
1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='color:windowtext'>From:</span></b><span style='color:windowtext'> squid-users <a href="mailto:squid-users-bounces@lists.squid-cache.org">&lt;squid-users-bounces@lists.squid-cache.org&gt;</a> <b>On Behalf Of </b>David Touzeau<br><b>Sent:</b> Friday, February 11, 2022 17:03<br><b>To:</b> <a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br><b>Subject:</b> Re: [squid-users] Squid plugin sponsor</span><o:p></o:p></p></div></div><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-family:"Arial",sans-serif'>Hello<br><br>Thank you but this is not the objective and this is the reason for needing the "fake".<br>Access to Kerberos or NTLM ports of the AD is not possible. An LDAP server would be present with account replication.<br>The idea is to do a silent authentication without joining the AD.<br>We do not need the double user/password credential; only the user sent by the browser is required.<br><br>If the user has an Active Directory session then his account is automatically sent without him having to take any action.<br>If the user is in a workgroup then the account sent will not be in the LDAP database and will be rejected.<br>I don't need to argue about the security value of this method. It saves us from setting up a gas factory to make a kind of hotspot.</span><o:p></o:p></p><div><p class=MsoNormal>On 11/02/2022 at 05:55, Dieter Bloms wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><pre>Hello David,<o:p></o:p></pre><pre> <o:p></o:p></pre><pre>for me it looks like you want to use Kerberos authentication.<o:p></o:p></pre><pre>With Kerberos authentication the user doesn't have to authenticate against<o:p></o:p></pre><pre>the proxy. 
The authentication is done in the background.<o:p></o:p></pre><pre> <o:p></o:p></pre><pre>Maybe this link will help:<o:p></o:p></pre><pre> <o:p></o:p></pre><pre><a href="https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos">https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos</a><o:p></o:p></pre><pre> <o:p></o:p></pre><pre>On Thu, Feb 10, David Touzeau wrote:<o:p></o:p></pre><pre> <o:p></o:p></pre><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><pre>Hi<o:p></o:p></pre><pre> <o:p></o:p></pre><pre>What we are looking for is to retrieve a "user" token without having to ask<o:p></o:p></pre><pre>anything from the user.<o:p></o:p></pre><pre>That's why we're looking at Active Directory credentials.<o:p></o:p></pre><pre>Once the user account is retrieved, a helper would be in charge of checking<o:p></o:p></pre><pre>if the user exists in the LDAP database.<o:p></o:p></pre><pre>This is to avoid any connection to an Active Directory.<o:p></o:p></pre><pre>Maybe this is impossible.<o:p></o:p></pre><pre> <o:p></o:p></pre><pre> <o:p></o:p></pre><pre>On 10/02/2022 at 05:03, Amos Jeffries wrote:<o:p></o:p></pre><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><pre>On 10/02/22 01:43, David Touzeau wrote:<o:p></o:p></pre><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><pre>Hi<o:p></o:p></pre><pre> <o:p></o:p></pre><pre>I would like to sponsor the improvement of ntlm_fake_auth to support<o:p></o:p></pre><pre>new protocols<o:p></o:p></pre></blockquote><pre> <o:p></o:p></pre><pre>ntlm_* helpers are specific to NTLM authentication. 
All LanManager (LM)<o:p></o:p></pre><pre>protocols should already be supported as well as currently possible.<o:p></o:p></pre><pre>NTLM is formally discontinued by MS and *very* inefficient.<o:p></o:p></pre><pre> <o:p></o:p></pre><pre>NP: NTLMv2 with encryption does not *work* because that encryption step<o:p></o:p></pre><pre>requires secret keys the proxy is not able to know.<o:p></o:p></pre><pre> <o:p></o:p></pre><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><pre>or go further produce a new negotiate_kerberos_auth_fake<o:p></o:p></pre><pre> <o:p></o:p></pre></blockquote><pre> <o:p></o:p></pre><pre>With current Squid this helper only needs to produce an "OK" response<o:p></o:p></pre><pre>regardless of the input. The basic_auth_fake does that.<o:p></o:p></pre><pre> <o:p></o:p></pre><pre>Amos<o:p></o:p></pre><pre>_______________________________________________<o:p></o:p></pre><pre>squid-users mailing list<o:p></o:p></pre><pre><a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><o:p></o:p></pre><pre><a href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a><o:p></o:p></pre></blockquote></blockquote><pre> <o:p></o:p></pre><pre> <o:p></o:p></pre><pre> <o:p></o:p></pre></blockquote><p class=MsoNormal> <o:p></o:p></p></blockquote><p class=MsoNormal><o:p> </o:p></p></div></body></html>