Re: [squid-users] pass-thru authentication with radius

From: Squid Support (Henrik Nordstrom) <[email protected]>
Date: Fri, 12 Apr 2002 12:35:04 +0200

> In the US they are of the principal : If it is not commercial, it cannot be
> good.
> They had squid for proxying and ran well except for their intranet.
> This intranet was built with Xpedio which requires NTLM v1.0
> authentication. Oktober/November we had NTLM auth installed. It worked a
> bit of buggy, too many popups.

Squid cannot proxy NTLMv1 authentication. It can only act as a NTLM endpoint
for the authentication. I.e. When using transparent NTLM authentication the
user has to authenticate to the proxy, not the web server.

There is some known issues with the communication between the Squid NTLM
helper NTLMSSP and NT Domain controllers. To address this a new helper is
being developed using winbind from Samba to talk to the domain controllers.
Unfortunately the needed winbind support in Samba to support Squid and other
similar applications is still being developed and not yet part of a stable
Samba release.

> It did not work for there intranet, we also tested with a script
> on a other server to point direct to the intranet in stead of
> using the proxy for that.
> But still it seemed the squid was involved, it did not work. It worked
> however without using any proxy in the browser config.

If your browser is configured not to use the proxy for the site in question
then it won't, at least not unless you are doing transparent interception of
port 80 traffic as well..

> The best we got was with smb_auth for squid to auth. However when the first
> user authenticated all other users then took this users credentials.

This certainly is not an effect of Squid. But if the web server is running
NTLM authentication then you may see all kinds of strange effects if using a
proxy..

smb_auth is a Basic HTTP authenticator to Squid. Not a NTLM authentication
helper.

> We went back and they now tested Cacheflow along with Smartfilter as a
> product to replace squid.

:-(

> They now have setup RADIUS for all Internet users. With Radius those users
> can use the same credentials (NT) they use to log on to their NT PC's.

There is RADIUS support for Squid. But this has technically nothing to do
with NTLM authentication. In theory it may be possible to run NTLM ontop of
RADIUS using MS proprietary extensions but I don't see the point of doing so.

> The Cacheflow product they have tested is completely transparent (is what
> they said). The users NT credentials are pulled automatically through the
> browser, authenticated and the user is allowed to access whatever their
> group is permitted to access.

In which case they must be using MS NTLM authentication, or have a software
installed at the client.

Standard HTTP authentication will ask the user for their credentials.

Regards
Henrik

-- 
Basic free Squid support provided thanks to MARA Systems AB
Your source of advanced reverse proxy solutions or customized
Squid solutions. http://www.marasystems.com/products/
Received on Fri Apr 12 2002 - 04:35:09 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:07:32 MST