Port or switch level authorization

Port or switch level authorization

Eliezer Croitoru-3
I have a Mikrotik PPPOE server and I would like to register the logged in
user on PPPOE Tunnel creation.
In the Mikrotik device I have a code which can run a curl/fetch request with
the login details, i.e. IP and username, towards any server.
I was thinking about creating a PHP API that will be allowed access only
from the Mikrotik devices.
On every login the user+IP pairs will be written to a small DB.
Squid in its turn will use an external helper to run queries against the DB
per request with small cache of 3-10 seconds.

What's the best way to pass a username so with the IP it will be logged?

Thanks,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]
Zoom: Coming soon



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Port or switch level authorization

Amos Jeffries
Administrator
On 8/02/21 10:48 pm, Eliezer Croitoru wrote:
> I have a Mikrotik PPPOE server and I would like to register the logged in
> user on PPPOE Tunnel creation.
> In the Mikrotik device I have a code which can run a curl/fetch request with
> the login details, i.e. IP and username, towards any server.
> I was thinking about creating a PHP API that will be allowed access only
> from the Mikrotik devices.
> On every login the user+IP pairs will be written to a small DB.
> Squid in its turn will use an external helper to run queries against the DB
> per request with small cache of 3-10 seconds.

Do you mean the ext_session_sql_acl helper?

>
> What's the best way to pass a username so with the IP it will be logged?
>

The helper needs to return a user= kv-pair to Squid for this to be an
"authentication" rather than just authorization. That username will be
logged without anything special having to be done.

Amos

Re: Port or switch level authorization

Eliezer Croitoru-3
Thanks Amos,

OK this seems to answer my question.
A session helper with ttl=3 should be enough if it will return the username associated by the helper.

The next thing is to block traffic if there is no username.

Eliezer

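
The lookup discussed in this thread, as an added example that is not part of the original posts and is not Squid's own helper code: an external ACL helper that maps the client address (%SRC) to a username stored in a local SQLite table and returns it as user=, answering ERR when no login is recorded. The table layout, helper path, ACL names and the username allow-list are assumptions of this example.

```python
#!/usr/bin/env python3
# Added example. Assumed squid.conf wiring (helper path and ACL names are hypothetical):
#   external_acl_type pppoe_user ttl=3 negative_ttl=3 %SRC /usr/local/bin/pppoe_user_helper.py
#   acl known_user external pppoe_user
#   http_access deny !known_user
import ipaddress
import re
import sqlite3
import sys

# Conservative allow-list so a stored name can never inject extra kv-pairs into a reply.
USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")

def open_db(path):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS sessions (ip TEXT PRIMARY KEY, username TEXT NOT NULL)")
    return db

def register_login(db, ip, username):
    """Stand-in for the login API: store one user+IP pair (hypothetical schema)."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("unsafe username")
    db.execute("INSERT OR REPLACE INTO sessions VALUES (?, ?)",
               (str(ipaddress.ip_address(ip)), username))
    db.commit()

def answer(db, line):
    """Build the helper reply for one request line carrying %SRC."""
    fields = line.split()
    if len(fields) != 1:
        return "BH message=malformed-request"
    try:
        ip = str(ipaddress.ip_address(fields[0]))
    except ValueError:
        return "BH message=bad-address"
    row = db.execute("SELECT username FROM sessions WHERE ip = ?", (ip,)).fetchone()
    if row is None or not USERNAME_RE.fullmatch(row[0]):
        return "ERR"  # no usable session for this address: the ACL does not match
    return "OK user=" + row[0]  # user= is what Squid records as the request's username

def main(db_path):
    db = open_db(db_path)
    for line in sys.stdin:
        sys.stdout.write(answer(db, line) + "\n")
        sys.stdout.flush()  # Squid waits for each reply, so never buffer

if __name__ == "__main__":
    # With no path given, an empty in-memory DB is used and every lookup is ERR.
    main(sys.argv[1] if len(sys.argv) > 1 else ":memory:")
```

With the deny rule in the header comment, requests from addresses that have no recorded login are refused, and the 3-second ttl bounds how long Squid reuses a cached answer.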