Re: [squid-users] Re: Re: squid client authentication against AD computer account

From: Manoj Rajkarnikar <manoj.rajkarnikar_at_gmail.com>
Date: Mon, 18 Oct 2010 21:56:18 +0545

Thanks Markus..

That sounds like a very useful tool for me.. I will get back to you
once I've tested it.. Thanks alot ..

Manoj

On Thu, Oct 7, 2010 at 1:23 AM, Nyamul Hassan <mnhassan_at_usa.net> wrote:
> On Sun, Oct 3, 2010 at 19:46, Markus Moeller <huaraz_at_moeller.plus.com> wrote:
>> Hi Manoj,
>>
>>
>> The only way I see this can work �is to use my experimental local proxy to
>> support application which don't support Negotiate authentication. You can
>> find it here
>> http://squidkerbauth.cvs.sourceforge.net/viewvc/squidkerbauth/squid_kerberizer/
>>
>> c:\> client_kerb_auth_sspi.exe -S -s <proxy-fqdn> -d -l evtlog � (It will
>> run the client as a Servuce under the machine account.)
>>
>> It will start a local proxy listening on port 8080 and when connecting to
>> the proxy (on port 3128) it will add Negotiate with the machine ID.
>>
>> A squid log entry woul look like:
>>
>> 2010/10/03 14:35:45| squid_kerb_auth: Decode
>> 'YIIEqgYJKoZIhvcSAQICAQBuggSZMIIElaADAgEFoQMCAQ6iBwMFAAAAAACjggO/YYI......CY481Crtw+7+9ClxAeVjhI919w=='
>> (decoded length: 1198).
>> 2010/10/03 14:35:45| squid_kerb_auth: AF AA== WINXP$@WIN2003R2.HOME
>>
>> The id WINXP$@WIN2003R2.HOME can be fed into squid_kerb_ldap like it is a
>> user. ( WINXP$ is the samaccountname of the machine in AD)
>>
>> Regards
>> Markus
>>
>> "Manoj Rajkarnikar" <manoj.rajkarnikar_at_gmail.com> wrote in message
>> news:AANLkTi=1JZ9PahW3PpD9L_KkccmxGwy8SQywy5J4eBCK_at_mail.gmail.com...
>> Does any of the authentication methods include the computer name in
>> the authentication tokens?? I can setup any auth method if any of it
>> supports it. I basically want to authenticate client computers by the
>> hostname as registered in the AD.
>>
>> Thanks everyone.
>>
>> On Thu, Sep 23, 2010 at 1:45 PM, Manoj Rajkarnikar
>> <manoj.rajkarnikar_at_gmail.com> wrote:
>>>
>>> Hi Matus.
>>>
>>> On Tue, Sep 21, 2010 at 5:17 PM, Matus UHLAR - fantomas
>>> <uhlar_at_fantomas.sk> wrote:
>>>>
>>>> On 15.09.10 12:59, Manoj Rajkarnikar wrote:
>>>>>
>>>>> Thanks for the quick response Marcus.
>>>>>
>>>>> The reason I need to limit computer account and not user account is
>>>>> that people here move out to distant branches and the internet access
>>>>> policy is to allow to the position they hold, and thus the computer
>>>>> they will use.
>>>>
>>>> I somehow don't understand this. Maybe it's my english.
>>>> Do you need to control access for the user+computer combination?
>>>
>>> I need to control access based on computer account as registered in
>>> the AD server.
>>>
>>>>
>>>>> I've successfully setup the kerberos authentication but I don't see
>>>>> how squid will fetch the computer information from client request and
>>>>> authorize it based on the group membership in AD. What I wish to
>>>>> accomplish is:
>>>>>
>>>>> 1. create a security group in AD
>>>>> 2. add computer accounts to this security group
>>>>> 3. squid checks if the computer trying to access internet is member of
>>>>> this security group.
>>>>> 4. if not, don't allow access to internet or request of AD user login
>>>>> that is allowed.
>>>>
>>>> This seems that you want to allow access from some computers to the net,
>>>> no
>>>> matter which user is logged in. Why not use ip-based or maybe
>>>> hardware_address-based authentication then?
>>>
>>> That is correct.
>>> We have dhcp all over our network so ip-based is a bad idea.
>>> For hardware_address-based auth, will have to maintain a very large
>>> list of hardware addresses.. not a good idea but considerable (if
>>> computer account based auth don't work)..
>>>
>>> Also to be noted that computer account based authentication would be
>>> more secure as only a handful of admins have domain administrator
>>> level access, so it will be hard to spoof.
>>>
>
> I still think Matus's idea of using IP based is the best and simplest
> approach. �Even if you have DHCP enabled, you can always force a
> certain computer to a certain IP.
>
> Regards
> HASSAN
>
Received on Mon Oct 18 2010 - 16:11:25 MDT

This archive was generated by hypermail 2.2.0 : Tue Oct 19 2010 - 12:00:02 MDT