Radius and Squid transparent mode

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Radius and Squid transparent mode

Colle Christophe
Hello,

I am working on a WiFi project: People connect to the network using a Radius server, then use the Internet using Squid in transparent mode.

I would like to improve this system by adding the identifier of the person logged in the Squid logs (It's easier to do research, it saves time!).

Is it easy or should use a specific helper authentication?


thank you.

Has anyone ever done that?




Regards,
Chris.

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Radius and Squid transparent mode

Amos Jeffries
Administrator
On 6/09/18 1:16 AM, Colle Christophe wrote:
> Hello,
>
> I am working on a WiFi project: People connect to the network using a
> Radius server, then use the Internet using Squid in transparent mode.
>
> I would like to improve this system by adding the identifier of the
> person logged in the Squid logs (It's easier to do research, it saves
> time!).


First lesson: there is no "person".

In the HTTP world we explicitly avoid the terms "user" or "person"
because a lot (most?) of traffic is from automated services and
machinery around any given network. Some of it is even generated by your
own Squid with no client involved at all.


>
> Is it easy or should use a specific helper authentication?
>

Second;
 When traffic is MITM'd the client believes it is talking to some other
endpoint. It will only ever authenticate with credentials suitable for
that endpoint.
 No sane client software will broadcast credentials without the remote
endpoint explicitly requesting them. Some clients are not that sane, but
they are the exception.


Third;
 Authentication of all types involves some secret known only to the
endpoints, often generated on-demand via some other channel. The MITM
proxy even holding the credentials cannot authenticate them, nor
reliably use them for anything other than relaying as-is on the *same*
transactions outbound request message.


BUT ... this is where "authorization" being different from
"authentication" matters a lot.


>
> Has anyone ever done that?
>

As I understand it RADIUS has ways to tie IP:port of TCP connections to
a user account (if any?).

It is possible to have a RADIUS helper used on external_acl_type
receiving those details and providing Squid with a label to log as
"username".

Or, alternatively just send the log through a daemon which uses the log
lines it gets passed to append any extra details you want it to add.

But be aware these only associate the machinery by-IP to an account. It
does not imply the "person" was actually present, nor even aware of the
transaction happening.


Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users