Re: [squid-users] Re: squid client authentication against AD computer account

From: Manoj Rajkarnikar <manoj.rajkarnikar_at_gmail.com>
Date: Thu, 23 Sep 2010 13:45:07 +0545

Hi Matus.

On Tue, Sep 21, 2010 at 5:17 PM, Matus UHLAR - fantomas
<uhlar_at_fantomas.sk> wrote:
> On 15.09.10 12:59, Manoj Rajkarnikar wrote:
>> Thanks for the quick response Marcus.
>>
>> The reason I need to limit by computer account and not user account is
>> that people here move out to distant branches, and the internet access
>> policy is to allow access according to the position they hold, and thus
>> the computer they will use.
>
> I somehow don't understand this. Maybe it's my english.
> Do you need to control access for the user+computer combination?

I need to control access based on computer account as registered in
the AD server.

>
>> I've successfully setup the kerberos authentication but I don't see
>> how squid will fetch the computer information from client request and
>> authorize it based on the group membership in AD. What I wish to
>> accomplish is:
>>
>> 1. create a security group in AD
>> 2. add computer accounts to this security group
>> 3. squid checks if the computer trying to access internet is member of
>> this security group.
>> 4. if not, don't allow access to internet or request of AD user login
>> that is allowed.
>
> This seems that you want to allow access from some computers to the net, no
> matter which user is logged in. Why not use ip-based or maybe
> hardware_address-based authentication then?

That is correct.
We have DHCP all over our network, so IP-based is a bad idea.
For hardware-address-based auth, we will have to maintain a very large
list of hardware addresses... not a good idea, but considerable (if
computer-account-based auth doesn't work).

Also to be noted: computer-account-based authentication would be
more secure, as only a handful of admins have domain-administrator-level
access, so it will be hard to spoof.

>
> --
> Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> Quantum mechanics: The dreams stuff is made of.
>
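The plan above (steps 1-4) has squid decide on AD group membership of whoever authenticated. The following is an added example, not code from the thread or from the squid project: a minimal squid external_acl_type helper in Python that receives the Kerberos principal squid passes as %LOGIN and answers OK or ERR. The squid.conf fragment in the docstring, the helper path, the realm EXAMPLE.LOCAL and the group contents are all assumptions; in a real deployment the two sets would be replaced by an LDAP lookup against AD. It also shows the check that matters for this thread: a browser authenticates as the logged-in user, so the principal squid sees is user@REALM, and a user principal can never match a group that contains only computer accounts (HOST$). Only a process that authenticates as the machine itself (SYSTEM / Network Service) presents the HOST$ principal.

```python
#!/usr/bin/env python3
"""Squid external ACL helper deciding on the Kerberos principal in %LOGIN.

Added example (not the squid project's own helper). Assumed squid.conf:

  auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth
  auth_param negotiate children 10
  acl kerb_auth proxy_auth REQUIRED
  external_acl_type ad_group ttl=300 children=5 concurrency=10 %LOGIN /usr/local/bin/computer_group_acl.py
  acl allowed_principals external ad_group
  http_access deny !kerb_auth
  http_access allow allowed_principals
  http_access deny all
"""
import sys
import urllib.parse

# Constructed sample data standing in for an LDAP lookup: an AD security
# group of computer accounts (sAMAccountName of a computer ends in '$') and
# a group of users who may use the proxy from any machine.
ALLOWED_COMPUTERS = {"WS-BRANCH01$", "WS-BRANCH02$"}
ALLOWED_USERS = {"jdoe"}


def principal_to_sam(principal: str) -> str:
    """Map 'name@REALM', as negotiate_kerberos_auth reports it, to the
    sAMAccountName form used in AD: drop the realm, upper-case computer
    names (AD stores them that way), lower-case user names for a
    case-insensitive comparison."""
    name = principal.split("@", 1)[0]
    if name.endswith("$"):
        return name.upper()
    return name.lower()


def is_computer_account(sam: str) -> bool:
    """AD computer accounts are distinguished by the trailing '$'."""
    return sam.endswith("$")


def decide(principal: str) -> bool:
    """True if the principal is an allowed computer account or an allowed
    user. A user principal is never looked up in the computer group, which
    is exactly why a browser session (user ticket) cannot be authorised by
    computer-account membership."""
    sam = principal_to_sam(principal)
    if is_computer_account(sam):
        return sam in ALLOWED_COMPUTERS
    return sam in ALLOWED_USERS


def handle_line(line: str) -> str:
    """Parse one request line from squid and return the reply line.
    With concurrency=N squid prefixes each line with a channel id that
    must be echoed back; %LOGIN is URL-escaped by squid, so decode it."""
    parts = line.strip().split(" ", 1)
    channel = None
    if len(parts) == 2 and parts[0].isdigit():
        channel, login = parts
    else:
        login = parts[0]
    login = urllib.parse.unquote(login)
    verdict = "OK" if login and decide(login) else "ERR"
    return f"{channel} {verdict}" if channel is not None else verdict


def main() -> None:
    # Line-oriented dialogue with squid: one request per line, reply
    # flushed immediately so squid is never left waiting on a buffer.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Run it by hand with `echo '0 jdoe@EXAMPLE.LOCAL' | ./computer_group_acl.py` to see `0 OK`, and with a computer principal such as `0 WS-BRANCH01$@EXAMPLE.LOCAL`. The important observation for the thread is that squid can only feed this helper whatever principal the client's Kerberos ticket carries; a user sitting at WS-BRANCH01 still arrives as jdoe@EXAMPLE.LOCAL, not as WS-BRANCH01$.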
Received on Thu Sep 23 2010 - 08:00:09 MDT

This archive was generated by hypermail 2.2.0 : Thu Sep 23 2010 - 12:00:04 MDT