[squid-users] can squid handle indirect request from clients ?

Eliezer Croitoru eliezer at ngtech.co.il
Tue Feb 17 22:25:36 UTC 2015


Hey,

There are a couple of ways to look at authentication, and some would 
sometimes trade authorization for authentication and vice versa.

In some environments there is a mix of both terms which is required to 
build a logical service unit.
I do not have all my archives but I remember that someone asked 
about some single sign-on system which grants access using a login page 
to many in-campus systems.
It was based on a very complex system which I do not remember right now.

There are options to run some process triggered by a radius server login 
or any other system that would be considered the authorization authority 
to mark a specific IP as ALLOWED or under some group.
I know that there are many network systems which use network-level 
authorization and it is very useful.
The main difference between directly authenticating to squid vs 3rd 
party authentication is the way and level of authentication.

For example, a radius server with an enterprise level switch and/or wifi 
access point can provide an authentication encryption layer which squid 
direct authentication cannot provide, no matter what you do.
Of course, in many cases it will require absolute reliability and 
should not allow mistakes.
One rule of thumb in the radius lands network authentication security 
level is:
Every authenticated user can be only identified with one IP at a time.

So yes, squid doesn't support a direct proxy authentication level in 
intercept and tproxy modes, BUT using some external_acl helpers it's 
pretty simple to connect squid and an external authentication system. 
Here the answer turns the tables and makes it possible to authenticate 
even in intercept and tproxy mode, but not in the same way many might 
think of.

All The Bests,
Eliezer

On 18/02/2015 04:04, snakeeyes wrote:
> Thanks Eliezer, but does it support other types like radius authentication?
>
> I mean all types of authentication are forbidden in intercept mode?
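
The external_acl approach described in the reply above, as an added example that is not part of the original post and is not Squid's or the author's code: a helper that answers Squid's per-request lookup from a table of IP sessions and enforces the one-IP-per-user rule. The class and function names, the ACL name, the helper path and the idea that a RADIUS login hook calls `login()` are assumptions; the sample session is constructed.

```python
# Assumed squid.conf wiring (ACL name and helper path are hypothetical):
#   external_acl_type ip_session ttl=30 negative_ttl=5 %SRC /usr/local/bin/ip_session_helper.py
#   acl session_ok external ip_session
#   http_access allow session_ok
import sys
import time


class SessionTable:
    """IP sessions recorded by the authorization authority (e.g. a RADIUS login hook)."""

    def __init__(self):
        self.by_ip = {}    # ip -> (user, expires_at)
        self.by_user = {}  # user -> ip

    def login(self, user, ip, now, lifetime=3600):
        self.logout(user)                 # one IP per user: drop the user's old binding
        prev = self.by_ip.get(ip)
        if prev is not None:              # IP reassigned: previous owner loses it
            self.logout(prev[0])
        self.by_ip[ip] = (user, now + lifetime)
        self.by_user[user] = ip

    def logout(self, user):
        ip = self.by_user.pop(user, None)
        if ip is not None:
            self.by_ip.pop(ip, None)

    def lookup(self, ip, now):
        user, expires_at = self.by_ip.get(ip, (None, 0))
        if user is not None and now >= expires_at:
            self.logout(user)             # expired session fails closed
            user = None
        return user


def answer(line, table, now):
    """Reply for one request line; Squid sends the client IP (%SRC) per line."""
    fields = line.split()
    if len(fields) != 1:
        return "ERR"                      # malformed input is denied
    user = table.lookup(fields[0], now)   # usernames assumed to contain no whitespace
    return f"OK user={user}" if user else "ERR"


if __name__ == "__main__":
    table = SessionTable()
    table.login("alice", "192.0.2.10", time.time())  # constructed sample session
    for line in sys.stdin:
        print(answer(line, table, time.time()), flush=True)
```

In a deployment the table would live in storage shared with the login hook rather than in the helper's memory, and the `ttl` on the ACL bounds how long Squid keeps honouring a session after logout.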
