Re: [squid-users] Re: Re: squid client authentication against AD computer account

From: Manoj Rajkarnikar <manoj.rajkarnikar_at_gmail.com>
Date: Thu, 16 Sep 2010 09:59:58 +0545

On Thu, Sep 16, 2010 at 3:28 AM, Markus Moeller <huaraz_at_moeller.plus.com> wrote:
>
>> "Manoj Rajkarnikar" <manoj.rajkarnikar_at_gmail.com> wrote in message
>> news:AANLkTimRPZFwid0ehc0cBFchnDc7nV=-jStXTngMmXZp_at_mail.gmail.com...
>> Thanks for the quick response Markus.
>>
>> The reason I need to limit computer account and not user account is
>> that people here move out to distant branches and the internet access
>> policy is to allow to the position they hold, and thus the computer
>> they will use.
>>
>> I've successfully set up the Kerberos authentication but I don't see
>> how squid will fetch the computer information from the client request and
>> authorize it based on the group membership in AD. What I wish to
>> accomplish is:
>>
>> 1. create a security group in AD
>> 2. add computer accounts to this security group
>> 3. squid checks if the computer trying to access the internet is a member of
>> this security group.
>> 4. if not, don't allow access to the internet, or request an AD user login
>> that is allowed.
>>
>> I'm not sure if this is achievable.
>>
>
> I don't think this is possible with Kerberos as the ticket does not have
> (usable) information about the client computer.
>
Is there any other way that I can achieve this, Kerberos or no
Kerberos? I will have multiple layers of auth ACLs and the major
portion will be handled by this auth (if possible; if not, I will
have to use user-based auth).

This is how I plan to do it.
1. sites allowed to all (internal sites + some update sites).
2. privileged users: all sites allowed (computer account if
possible, or IP based or user based).
3. semi-privileged users: some sites like facebook/hotmail/gmail
etc. allowed to computer accounts or user accounts.
4. whitelist allowed to all.
5. blacklist denied to all (porn/video sites and many others that are blocked).
6. other authenticated users allowed to the rest of the sites (this is
the main ACL where I want it to be computer account based if possible).

Thanks
Manoj
Received on Thu Sep 16 2010 - 04:14:59 MDT
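One way to lay out the six-layer plan from the message above in squid.conf, as an added example that is not part of the original thread and not the Squid project's own documentation. It follows Markus's point that the Kerberos ticket carries no usable machine identity: the "computer account" layers are approximated by client address lists, and the remaining layers use Negotiate/Kerberos user authentication plus AD security-group lookups through an external ACL helper. The proxy hostname, realm, helper paths and options, group names, list files and network range are all assumptions to be replaced with local values.

```conf
# Added example, not from the original thread. Every name below (proxy
# hostname, realm, helper paths, group names, list files, networks) is an
# assumption for illustration and must be adapted to the local setup.

# --- Authentication: Negotiate/Kerberos for AD users ---------------------
# squid_kerb_auth is the Negotiate helper shipped with Squid 3.x (renamed
# negotiate_kerberos_auth in later releases). The SPN must match the keytab
# the proxy holds; without that, every client gets a 407 loop.
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 20
auth_param negotiate keep_alive on

# --- Group membership: AD security groups checked per user ----------------
# squid_kerb_ldap (later ext_kerberos_ldap_group_acl) receives the Kerberos
# login (%LOGIN, i.e. user@REALM) and checks membership of the group given
# with -g. One helper instance per group keeps the ACLs readable; the
# group names and the group@domain syntax are assumptions.
external_acl_type ad_priv ttl=3600 negative_ttl=60 %LOGIN /usr/lib/squid/squid_kerb_ldap -g Internet-Privileged@EXAMPLE.COM
external_acl_type ad_semi ttl=3600 negative_ttl=60 %LOGIN /usr/lib/squid/squid_kerb_ldap -g Internet-Semi@EXAMPLE.COM

# --- ACL definitions ------------------------------------------------------
acl localnet  src 10.0.0.0/8            # assumed client network
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT   method CONNECT

acl auth_user  proxy_auth REQUIRED      # triggers the Negotiate challenge
acl priv_group external ad_priv
acl semi_group external ad_semi

# Destination lists: one entry per line, e.g. ".intranet.example.com"
acl internal_sites dstdomain "/etc/squid/internal_sites.txt"
acl update_sites   dstdomain "/etc/squid/update_sites.txt"
acl social_sites   dstdomain "/etc/squid/social_sites.txt"
acl whitelist      dstdomain "/etc/squid/whitelist.txt"
acl blacklist      dstdomain "/etc/squid/blacklist.txt"

# The Kerberos ticket does not identify the client machine, so "computer
# account" is approximated by source address. This only holds if the
# privileged machines have fixed addresses or DHCP reservations.
acl priv_hosts src "/etc/squid/priv_hosts.txt"

# --- Access rules: first match wins, so order encodes the policy ---------
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# 1. internal + update sites: open to the whole local network, no login
http_access allow localnet internal_sites
http_access allow localnet update_sites

# 2. privileged: everything, either by machine address or by AD group.
#    The first line never challenges for credentials; the second does.
http_access allow localnet priv_hosts
http_access allow auth_user priv_group

# 3. semi-privileged: only the social/webmail list
http_access allow auth_user semi_group social_sites

# 4./5. whitelist is evaluated before blacklist, so it overrides it;
#       swap the two lines if the blacklist should win
http_access allow localnet whitelist
http_access deny  blacklist

# 6. everyone else who authenticates gets the remaining sites
http_access allow auth_user

# Ending with "deny all" (not an auth ACL) means hosts outside localnet
# are refused without ever being offered a Negotiate challenge.
http_access deny all
```

Because Squid issues the 407 challenge at the first http_access line whose proxy_auth ACL it has to evaluate, an unauthenticated browser is only prompted once it reaches layer 2; requests that already matched layer 1 (internal and update sites) never trigger a login, which is usually what is wanted for update servers and machines without a logged-in user. Note also that with the address-based approximation, anyone who can plug into a privileged host's address inherits its access, so those lists should stay short and the switch ports or reservations behind them should be controlled.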

This archive was generated by hypermail 2.2.0 : Thu Sep 16 2010 - 12:00:03 MDT