<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#464646" bgcolor="#FFFFFF">
<font face="Arial">Eliezer, <br>
<br>
First of all, thank you for twisting your brain at our request.<br>
I know your skills and your time are very valuable.<br>
<br>
HotSpot+Cookies can be interesting but it has a constraint that
kerberos/NTLM SSO fixes: <br>
<br>
1) Redirecting connections to a HotSpot requires Squid to be able
to forward the redirection. <br>
When using SSL sites without MAN-IN-THE-MIDDLE, we fall into
structural issues.<br>
<br>
2) Even if this problem can be circumvented, it is necessary for
the user to identify himself on the Splash Screen to understand
who he is.<br>
While this user is already identified with his Windows session.<br>
<br>
<br>
Forget about NTLMv2, which does not provide the "Fake" anymore.<br>
The advantage of fake_ntlm is that when Squid performs its 407,
naturally the browser sends its windows session username whether
it is connected to an Active Directory or not.<br>
<br>
This is what we want to catch in the end.<br>
<br>
The HotSpot way is a half-solution. It circumvents the limit of
identification but adds new network constraints you mention. <br>
<br>
The dream is a plugin that forces Squid to generate a 407, asks to
browsers "Give me your user account whatever it is" and allows
access in any case to place the user=xxx switch for the next
processing.<br>
<br>
It almost looks like the "ident" method <br>
<a class="moz-txt-link-freetext" href="http://www.squid-cache.org/Misc/ident.html">http://www.squid-cache.org/Misc/ident.html</a><br>
Without having to install a piece of software and a listening port
on all the computers in the network<br>
</font><br>
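<p>As an added example, not code from this thread nor Squid's own ntlm_fake_auth, here is a minimal Python "fake" NTLM helper: it answers Squid's YR/KK helper lines, parses the Type 3 message to recover the domain and user the browser volunteered, checks that user against a local set standing in for the replicated LDAP lookup David describes, and reports whether the client sent an NTLMv1 or NTLMv2 response. The helper-protocol keywords (YR/KK in, TT/AF/NA/BH out; Squid 3.4 and later also accept OK user=... and ERR message=...), the fixed challenge and the user list are assumptions; the NT response is never verified, which is what Amos's remark about NTLMv2 means for a helper of this kind.</p>

```python
"""Added example, not Squid's ntlm_fake_auth: a "fake" NTLM helper that keeps
the user the browser volunteers and never verifies the NTLM response."""
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE, NEGOTIATE_NTLM = 0x1, 0x200
# Constructed Type 2 challenge: empty target name, fixed nonce, no real secret.
FAKE_TYPE2 = (SIGNATURE + struct.pack("<I", 2) + struct.pack("<HHI", 0, 0, 40)
              + struct.pack("<I", NEGOTIATE_UNICODE | NEGOTIATE_NTLM)
              + b"\x11" * 8 + b"\x00" * 8)
USERS = {"alice", "bob"}  # constructed stand-in for the replicated LDAP accounts

def _sec_buf(blob: bytes, off: int) -> bytes:
    """Read an NTLM security-buffer descriptor (len, maxlen, offset) at `off`."""
    length, _maxlen, start = struct.unpack_from("<HHI", blob, off)
    if start + length > len(blob):
        raise ValueError("security buffer points outside the message")
    return blob[start:start + length]

def parse_type3(blob: bytes) -> dict:
    """Extract domain, user and NTLM version from a Type 3 (AUTHENTICATE) message."""
    if len(blob) < 52 or blob[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", blob, 8)[0] != 3:
        raise ValueError("not a Type 3 (AUTHENTICATE) message")
    flags = struct.unpack_from("<I", blob, 60)[0] if len(blob) >= 64 else 0
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
    nt_len = len(_sec_buf(blob, 20))  # 24 bytes = NTLMv1, longer = NTLMv2 blob
    return {"domain": _sec_buf(blob, 28).decode(enc),
            "user": _sec_buf(blob, 36).decode(enc),
            "ntlm_version": 1 if nt_len == 24 else 2}

def build_type3(domain: str, user: str, ws: str, nt_resp: bytes) -> bytes:
    """Construct a Unicode Type 3 message (test input; a browser sends the real one)."""
    strings = [s.encode("utf-16-le") for s in (domain, user, ws)]
    fields = [b"\x00" * 24, nt_resp] + strings
    descs, payload = b"", b""
    for f in fields:  # LM response, NT response, domain, user, workstation
        descs += struct.pack("<HHI", len(f), len(f), 64 + len(payload))
        payload += f
    return (SIGNATURE + struct.pack("<I", 3) + descs
            + struct.pack("<HHI", 0, 0, 64 + len(payload))  # empty session key
            + struct.pack("<I", NEGOTIATE_UNICODE) + payload)

def kk_line(blob: bytes) -> str:
    """Wrap a Type 3 message the way Squid hands it to the helper."""
    return "KK " + base64.b64encode(blob).decode()

def fake_helper_reply(line: str, valid_users: set) -> str:
    """Answer one helper line; assumed keywords YR/KK in, TT/AF/NA/BH out."""
    cmd, _, arg = line.strip().partition(" ")
    if cmd == "YR":  # Type 1 arrived: hand back the fixed challenge
        return "TT " + base64.b64encode(FAKE_TYPE2).decode()
    if cmd != "KK":
        return "BH unknown command"
    try:
        info = parse_type3(base64.b64decode(arg))
    except (ValueError, struct.error) as exc:
        return f"NA malformed NTLM message: {exc}"
    if info["user"].lower() not in valid_users:  # the LDAP existence check
        return "NA user not in directory"
    # The NT response (v1 or v2) was never checked: only the claimed name survives.
    return f"AF {info['domain']}\\{info['user']}"
```

<p>Run it under auth_param ntlm program with a stdin loop that prints fake_helper_reply(line, USERS) for each line; every AF it returns rests only on the name the client chose to present.</p>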
<div class="moz-cite-prefix">On 14/02/2022 at 19:50, Eliezer Croitoru
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:001501d821d3$caea7a10$60bf6e30$@gmail.com">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:windowtext">Hey David,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">Transparent
authentication using Kerberos can only be used with a
directory service.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">There are a
couple of ways to authenticate…<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">You can use
an “automatic” hotspot website that will use cookies to
authenticate the client once in a very long time.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">If the
client request is not recognized or the client is not
recognized for any reason it’s reasonable to redirect him
into a captive portal.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">I can try to
work on a demo but I need to know more details about the
network structure and to verify what is possible and not.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">Every device
ie Switch and router or AP etc should be mentioned to
understand the scenario.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">While you
assume it’s a chimera, I still believe it’s just a three-headed
Kerberos which… was proved to exist… in the movies
and in the virtual world.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">Eliezer <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="color:windowtext">----<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">Eliezer
Croitoru<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">NgTech,
Tech Support<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">Mobile:
+972-5-28704261<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">Email: <a
href="mailto:ngtech1ltd@gmail.com"
moz-do-not-send="true" class="moz-txt-link-freetext">ngtech1ltd@gmail.com</a><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="color:windowtext">From:</span></b><span
style="color:windowtext"> David Touzeau
<a class="moz-txt-link-rfc2396E" href="mailto:david@articatech.com"><david@articatech.com></a> <br>
<b>Sent:</b> Monday, February 14, 2022 03:21<br>
<b>To:</b> Eliezer Croitoru <a class="moz-txt-link-rfc2396E" href="mailto:ngtech1ltd@gmail.com"><ngtech1ltd@gmail.com></a><br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
<b>Subject:</b> Re: [squid-users] Squid plugin sponsor<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><br>
<span style="font-family:"Arial",sans-serif">Thank
you for your answer Elizer for all these details, but I've
done some research to avoid soliciting the community for
simple questions.<br>
<br>
The objective is to not ask anything to the user and not to
break his navigation with a session request.<br>
To summarize, An SSO identification like kerberos with the
following constraints:</span><o:p></o:p></p>
<ol type="1" start="1">
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2
level1 lfo1"><span
style="font-family:"Arial",sans-serif">unknown
Mac addresses </span><o:p></o:p></li>
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2
level1 lfo1"><span
style="font-family:"Arial",sans-serif">DHCP IP
with a short lease</span><o:p></o:p></li>
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2
level1 lfo1"><span
style="font-family:"Arial",sans-serif">No Active
Directory connection.</span><o:p></o:p></li>
</ol>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-family:"Arial",sans-serif"><br>
<br>
<br>
The network is in VLAN (Mac addr masked) and in DHCP with a
short lease.<br>
Even the notion of hotspot is complicated when you can't
focus on a network attribute.<br>
I try to find a way directly in the HTTP protocol. <br>
This is the reason why a fake could be a solution.<br>
<br>
But I think I'm trying to catch a chimera and we'll have to
redesign the network architecture.<br>
<br>
regards</span><o:p></o:p></p>
<div>
<p class="MsoNormal">On 12/02/2022 at 06:27, Eliezer Croitoru
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="color:windowtext">Hey David,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext">The
general name of this concept is SSO service.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext">It can
have single or multiple backends.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext">The main
question is how to implement the solution in the optimal
way possible.<br>
(taking into account money, coding complexity and other
humane parts)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext">You will
need to authenticate the client against the main AUTH
service.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext">There is a
definitive way or statistical way to implement this
solution.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext">With AD or
Kerberos it’s possible to implement the solution in such a
way that windows will<br>
“transparently” authenticate to the proxy service.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext">However
you must understand that all of this requires an
infrastructure that will provide every piece of the setup.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext">If your
setup doesn’t contain RDP-like servers then it’s possible
that you can authenticate a user with an IP compared<br>
to pinning every connection to a specific user.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext">Also, the
“cost” of non-transparent authentication is that the user
will be required to enter (manually or automatically) <br>
the username and the password.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext">A HotSpot-like
setup is called “Captive Portal” and it’s a very
simple setup to implement with Active Directory.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext">It’s also
possible to implement a transparent authentication for
such a setup based on session tokens.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext">You
actually don’t need to create a “fake” helper for such a
setup but you can create one that is based on Linux.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext">It’s an
“Advanced” topic but if you do ask me it’s possible that
you can take this in steps.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext">The first
step would be to use a session helper that will
authenticate the user and will identify the user<br>
based on its IP address.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext">If it’s a
wireless setup you can use a radius based authentication (
can also be implemented on a wired setup).</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext">Once you
will authenticate the client transparently or in another
way you can limit the usage of the username to<br>
a specific client and with that comes a guaranteed
situation that a username will not be used from two
sources.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext">I don’t
know about your experience but the usage of a captive
portal is very common in such situations.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext">The other
option is to create an agent in the client side that will
identify the user against the proxy/auth service<br>
and it will create a situation which an authorization will
be acquired based on some degree of authentication.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext">In most
SSO environments it’s possible that per
request/domain/other there is a transparent validation.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext">In all the
above scenarios which require authentication, the right
way to do it would be to use the proxy as<br>
a configured proxy compared to transparent.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext">I believe
that one thing to consider is that once you authenticate
against a RADIUS service you would just<br>
minimize the user interaction.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext">The main
point from what I understand is to actually minimize the
authentication steps of the client.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext">My
suggestion for you is to first try and assess the
complexity of a session helper, radius and captive portal.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext">These are
steps that you will need to do in order to assess the
necessity of transparent SSO.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext">Also take
your time to compare how a captive portal is configured in
the next general products:</span><o:p></o:p></p>
<ol style="margin-top:0in" type="1" start="1">
<li class="MsoListParagraph"
style="color:windowtext;margin-left:0in;mso-list:l1 level1
lfo4">Palo Alto<o:p></o:p></li>
<li class="MsoListParagraph"
style="color:windowtext;margin-left:0in;mso-list:l1 level1
lfo4">FortiGate<o:p></o:p></li>
<li class="MsoListParagraph"
style="color:windowtext;margin-left:0in;mso-list:l1 level1
lfo4">Untangle<o:p></o:p></li>
<li class="MsoListParagraph"
style="color:windowtext;margin-left:0in;mso-list:l1 level1
lfo4">Others<o:p></o:p></li>
</ol>
<p class="MsoNormal"><span style="color:windowtext"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext">From the
documentation you would see the different ways and
“grades” that they implement the solutions.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext">Once you
know what the market offers and their equivalent costs you
will probably understand what<br>
you want and what you can afford to invest in the
development process of each part of setup.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext">All the
best,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext">Eliezer</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext"> </span><o:p></o:p></p>
<div>
<p class="MsoNormal"><span style="color:windowtext">----</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext">Eliezer
Croitoru</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext">NgTech,
Tech Support</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext">Mobile:
+972-5-28704261</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext">Email: <a
href="mailto:ngtech1ltd@gmail.com"
moz-do-not-send="true" class="moz-txt-link-freetext">ngtech1ltd@gmail.com</a></span><o:p></o:p></p>
</div>
<p class="MsoNormal"><span style="color:windowtext"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="color:windowtext">From:</span></b><span
style="color:windowtext"> squid-users <a
href="mailto:squid-users-bounces@lists.squid-cache.org"
moz-do-not-send="true"><squid-users-bounces@lists.squid-cache.org></a>
<b>On Behalf Of </b>David Touzeau<br>
<b>Sent:</b> Friday, February 11, 2022 17:03<br>
<b>To:</b> <a
href="mailto:squid-users@lists.squid-cache.org"
moz-do-not-send="true" class="moz-txt-link-freetext">squid-users@lists.squid-cache.org</a><br>
<b>Subject:</b> Re: [squid-users] Squid plugin sponsor</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-family:"Arial",sans-serif">Hello<br>
<br>
Thank you but this is not the objective and this is the
reason for needing the "fake".<br>
Access to Kerberos or NTLM ports of the AD is not
possible. An LDAP server would be present with accounts
replication.<br>
The idea is to do a silent authentication without joining
the AD.<br>
We did not need the double user/password credential; only
the user sent by the browser is required.<br>
<br>
If the user has an Active Directory session then his
account is automatically sent without him having to take
any action.<br>
If the user is in a workgroup then the account sent will
not be in the LDAP database and will be rejected.<br>
I don't need to argue about the security value of this
method. It saves us from setting up a gas factory to make
a kind of HotSpot</span><o:p></o:p></p>
<div>
<p class="MsoNormal">On 11/02/2022 at 05:55, Dieter Bloms
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<pre>Hello David,<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre>for me it looks like you want to use kerberos authentication.<o:p></o:p></pre>
<pre>With kerberos authentication the user doesn't have to authenticate against<o:p></o:p></pre>
<pre>the proxy. The authentication is done in the background.<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre>Maybe this link will help:<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre><a href="https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos" moz-do-not-send="true" class="moz-txt-link-freetext">https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos</a><o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre>On Thu, Feb 10, David Touzeau wrote:<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<pre>Hi<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre>What we are looking for is to retrieve a "user" token without having to ask<o:p></o:p></pre>
<pre>anything from the user.<o:p></o:p></pre>
<pre>That's why we're looking at Active Directory credentials.<o:p></o:p></pre>
<pre>Once the user account is retrieved, a helper would be in charge of checking<o:p></o:p></pre>
<pre>if the user exists in the LDAP database.<o:p></o:p></pre>
<pre>This is to avoid any connection to an Active Directory<o:p></o:p></pre>
<pre>Maybe this is impossible<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre>On 10/02/2022 at 05:03, Amos Jeffries wrote:<o:p></o:p></pre>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<pre>On 10/02/22 01:43, David Touzeau wrote:<o:p></o:p></pre>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<pre>Hi<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre>I would like to sponsor the improvement of ntlm_fake_auth to support<o:p></o:p></pre>
<pre>new protocols<o:p></o:p></pre>
</blockquote>
<pre> <o:p></o:p></pre>
<pre>ntlm_* helpers are specific to NTLM authentication. All LanManager (LM)<o:p></o:p></pre>
<pre>protocols should already be supported as well as currently possible.<o:p></o:p></pre>
<pre>NTLM is formally discontinued by MS and *very* inefficient.<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre>NP: NTLMv2 with encryption does not *work* because that encryption step<o:p></o:p></pre>
<pre>requires secret keys the proxy is not able to know.<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<pre>or go further produce a new negotiate_kerberos_auth_fake<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
</blockquote>
<pre> <o:p></o:p></pre>
<pre>With current Squid this helper only needs to produce an "OK" response<o:p></o:p></pre>
<pre>regardless of the input. The basic_auth_fake does that.<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre>Amos<o:p></o:p></pre>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>squid-users mailing list<o:p></o:p></pre>
<pre><a href="mailto:squid-users@lists.squid-cache.org" moz-do-not-send="true" class="moz-txt-link-freetext">squid-users@lists.squid-cache.org</a><o:p></o:p></pre>
<pre><a href="http://lists.squid-cache.org/listinfo/squid-users" moz-do-not-send="true" class="moz-txt-link-freetext">http://lists.squid-cache.org/listinfo/squid-users</a><o:p></o:p></pre>
</blockquote>
</blockquote>
</blockquote>
<p class="MsoNormal"> <o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
<br>
</body>
</html>