Re: [squid-users] Re: squid client authentication against AD computer account

From: Manoj Rajkarnikar <manoj.rajkarnikar_at_gmail.com>
Date: Sun, 3 Oct 2010 12:18:21 +0545

Does any of the authentication methods include the computer name in
the authentication tokens?? I can setup any auth method if any of it
supports it. I basically want to authenticate client computers by the
hostname as registered in the AD.

Thanks everyone.

On Thu, Sep 23, 2010 at 1:45 PM, Manoj Rajkarnikar
<manoj.rajkarnikar_at_gmail.com> wrote:
> Hi Matus.
>
> On Tue, Sep 21, 2010 at 5:17 PM, Matus UHLAR - fantomas
> <uhlar_at_fantomas.sk> wrote:
>> On 15.09.10 12:59, Manoj Rajkarnikar wrote:
>>> Thanks for the quick response Marcus.
>>>
>>> The reason I need to �limit computer account and not user account is
>>> that people here move out to distant branches and the internet access
>>> policy is to allow to the position they hold, and thus the computer
>>> they will use.
>>
>> I somehow don't understand this. Maybe it's my english.
>> Do you need to control access for the user+computer combination?
>
> I need to control access based on computer account as registered in
> the AD server.
>
>>
>>> I've successfully setup the kerberos authentication but I don't see
>>> how squid will fetch the computer information from client request and
>>> authorize it based on the group membership in AD. What I wish to
>>> accomplish is:
>>>
>>> 1. create a security group in AD
>>> 2. add computer accounts to this security group
>>> 3. squid checks if the computer trying to access internet is member of
>>> this security group.
>>> 4. if not, don't allow access to internet or request of AD user login
>>> that is allowed.
>>
>> This seems that you want to allow access from some computers to the net, no
>> matter which user is logged in. Why not use ip-based or maybe
>> hardware_address-based authentication then?
>
> That is correct.
> We have dhcp all over our network so ip-based is a bad idea.
> For hardware_address-based auth, will have to maintain a very large
> list of hardware addresses.. not a good idea but considerable (if
> computer account based auth don't work)..
>
> Also to be noted that computer account based authentication would be
> more secure as only a handful of admins have domain administrator
> level access, so it will be hard to spoof.
>
>>
>> --
>> Matus UHLAR - fantomas, [email protected] ; http://www.fantomas.sk/
>> Warning: I wish NOT to receive e-mail advertising to this address.
>> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
>> Quantum mechanics: The dreams stuff is made of.
>>
>
Received on Sun Oct 03 2010 - 06:33:22 MDT

This archive was generated by hypermail 2.2.0 : Sun Oct 03 2010 - 12:00:01 MDT