Squid radius Authentication


Squid radius Authentication

Pascal Schäfer
Dear Ladies and Gentlemen,

I have a question about authentication with a radius server.
I use Squid as a reverse proxy.
Is it possible to use two radius servers for different pages or
subdomains with squid_radius_auth?
I am thinking about a maybe special configuration.
I am trying to use radius server A for website A and radius
server B for website B. Maybe it is good to know that website A
is on web server A and website B is on web server B.
I would like to use one Squid server instead of two Squid servers (and
two port forwardings).

An example of my configuration:

https://A.domain.com/... -> authentication over Radius Server A
https://B.domain.com/... -> authentication over Radius Server B

When I searched on Google I didn't find an acceptable answer to my question.
Should I program such a function on my own, or does someone know a configuration
that works for my project?

With best regards
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Squid radius Authentication

Amos Jeffries
Administrator
On 15/09/17 12:53, Pascal Schäfer wrote:
> Dear Ladies and Gentlemen,
>
> I have a question about the authentication with a radius server.
> I use Squid as a reverse proxy.
> It is possible to use two radius server for different pages or
> subdomains with squid_radius_auth?

HTTP has no concept of "page" - so for that; no.

For sub-domains (OR specific URLs); maybe. Because the helper you are
asking about does not use the key_extras feature provided by latest
Squid versions.

You need to write your own helper that does what you want. That could be
in the form of a wrapper script that starts multiple radius helpers with
the necessary parameters, and uses key_extra parameters to decide which
one will handle any given auth lookup.

Since you are calling it the long obsolete name "squid_radius_auth", you
probably do not have a current Squid version which supplies the
key_extras feature. At the very least you will have to upgrade to at
least Squid-3.5.

Amos

Re: Squid radius Authentication

Pascal Schäfer
Dear Amos,

Thank you for your reply!

>>
>> I have a question about the authentication with a radius server.
>> I use Squid as a reverse proxy.
>> It is possible to use two radius server for different pages or
>> subdomains with squid_radius_auth?
>
> HTTP has no concept of "page" - so for that; no.
>
> For sub-domains (OR specific URLs); maybe. Because the helper you are
> asking about does not use the key_extras feature provided by latest
> Squid version

Ok. Thank you. Does another helper exist that does authentication with a
radius server?

>
> You need to write your own helper that does what you want. That could be
> in the form of a wrapper script that starts multiple radius helper with
> the necessary parameters, and uses key_extra parameters to decide which
> one will handle any given auth lookup.

Is this https://wiki.squid-cache.org/Features/AddonHelpers#Authenticator
the right wiki, where I have to look things up?
Does it make sense that behind the radius server is a Windows NPS Server to
authenticate the users?
So when I write the wrapper helper, I only need to decide which helper I
would like to start and with which parameters, like a Bash command?

>
> Since you are calling it the long obsolete name "squid_radius_auth", you
> probably do not have a current Squid version which supplies the
> key_extras feature. At the very least you will have to upgrade to at
> least Squid-3.5.

I have a Squid-3.5, self-compiled.
I am thinking about upgrading it to Squid-4, or compiling it and installing
it fresh on the system. Is their name different in the newer versions?

best regards,

Pascal

>
> Amos

Re: Squid radius Authentication

Amos Jeffries
Administrator
On 16/09/17 02:31, Pascal Schäfer wrote:

> Dear Amos,
>
> Thank you for your reply!
>
>>>
>>> I have a question about the authentication with a radius server.
>>> I use Squid as a reverse proxy.
>>> It is possible to use two radius server for different pages or
>>> subdomains with squid_radius_auth?
>>
>> HTTP has no concept of "page" - so for that; no.
>>
>> For sub-domains (OR specific URLs); maybe. Because the helper you are
>> asking about does not use the key_extras feature provided by latest
>> Squid version
>
> Ok. Thank you. Exist another helper who did an authentication with a
> radius server?
>

I am aware of some proprietary ones existing. But that is not useful for
you.

>>
>> You need to write your own helper that does what you want. That could be
>> in the form of a wrapper script that starts multiple radius helper with
>> the necessary parameters, and uses key_extra parameters to decide which
>> one will handle any given auth lookup.
>
> Is this https://wiki.squid-cache.org/Features/AddonHelpers#Authenticator
> the right wiki, where I have to lookup?

That page describes the protocol Squid will be talking to your script
with; and what is expected to arrive back.

> Make it sense that behind the radius server is a Windows NPS Server to
> authenticate the Users?

That does not matter unless you are writing the RADIUS parts yourself.
In which case I cannot help, not knowing much about RADIUS protocol.


> So when I write the wrapper helper, I only need to decide which helper I
> would like to start and with which parameters, like a Bash command?
>

Yes. Though helpers are required to run until Squid stops them. So best
to start the child radius helpers at the beginning then just relay query
and response lines appropriately when they arrive.


>>
>> Since you are calling it the long obsolete name "squid_radius_auth", you
>> probably do not have a current Squid version which supplies the
>> key_extras feature. At the very least you will have to upgrade to at
>> least Squid-3.5.
>
> I have a Squid-3.5, self compiled.
> I think about to upgrade there on Squid-4 or to compile it and install
> them fresh on the system. Is the name of them another in the newer versions?

Then you should be fine, except "basic_radius_auth" is the helper binary
name since Squid-3.2.


Amos
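
The wrapper helper Amos describes above, as an added example that is not code from this thread or from the Squid project: it starts one child helper per site up front and relays each Basic lookup to the child selected by the key_extras token. Assumptions: helper concurrency is off (no channel-ID prefix on request lines), key_extras expands to the request Host, and the binary path, config file names and host map are hypothetical.

```python
import subprocess
import sys
from urllib.parse import unquote

# Assumed squid.conf side (hypothetical script path; check on your Squid
# version that the macro does not expand to "-"):
#   auth_param basic program /usr/local/bin/radius_router.py
#   auth_param basic key_extras "%{Host}>h"
# Hypothetical helper path and per-site RADIUS config files.
HELPER = "/usr/lib/squid/basic_radius_auth"
BACKENDS = {
    "a.domain.com": [HELPER, "-f", "/etc/squid/radius_a.conf"],
    "b.domain.com": [HELPER, "-f", "/etc/squid/radius_b.conf"],
}

class Router:
    """Starts one long-running child helper per host and relays lookups."""

    def __init__(self, backends):
        # argv lists are exec'd directly; no shell ever sees request data.
        self.children = {
            host: subprocess.Popen(argv, stdin=subprocess.PIPE,
                                   stdout=subprocess.PIPE, text=True)
            for host, argv in backends.items()
        }

    def lookup(self, line):
        """Answer one 'user password host' request line from Squid."""
        parts = line.split()
        if len(parts) != 3:
            return 'BH message="malformed request"'
        user, password, extra = parts
        host = unquote(extra).lower().partition(":")[0].rstrip(".")
        child = self.children.get(host)
        if child is None:
            return "ERR"  # unknown host or "-": fail closed, never guess
        try:
            # Tokens stay URL-encoded exactly as Squid sent them.
            child.stdin.write(f"{user} {password}\n")
            child.stdin.flush()
            reply = child.stdout.readline().strip()
        except OSError:
            reply = ""
        return reply or 'BH message="backend helper unavailable"'

    def close(self):
        for child in self.children.values():
            child.stdin.close()
            child.stdout.close()
            child.wait(timeout=5)

def main():
    router = Router(BACKENDS)
    for line in sys.stdin:
        print(router.lookup(line), flush=True)
    router.close()

if __name__ == "__main__":
    main()
```

The wrapper never logs or decodes the password, and a host that is not in the map is rejected rather than sent to a default backend.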

Re: Squid radius Authentication

Eliezer Croitoru
In reply to this post by Pascal Schäfer
Hey,

What kind of authentication do you want\need? Basic?
Depending on your needs there might be a helper that you can use.
If you have only two domains\subdomains it's one thing, but if you have more than these then the program would be different.

If I have more details I might be able to answer your question, and I maybe even have a radius authentication helper written somewhere which I can pull.

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]




Re: Squid radius Authentication

Pascal Schäfer
Hey,

thank you for your reply.
Yes, it would be Basic.
I think I will write my own helper as a generic solution, not only for 2
domains/subdomains. Did you have the same problem in the past?

The answer mails from Amos helped me a lot to know how I can program the
wrapper helper.

Pascal

On 17.09.2017 at 05:57, Eliezer Croitoru wrote:

> Hey,
>
> What kind of authentication do you want\need? Basic?
> Depends on your needs there might be a helper that you can use.
> If you have only two domains\subdomains it's one thing but if you have more then these then the program would be different.
>
> If I will have more details I might be able to answer your question and I maybe even have a radius authentication helper written somewhere which I can pull.
>
> Eliezer

Re: Squid radius Authentication

Eliezer Croitoru
Hey Pascal,

I have some experience with wrapper scripts, but I must admit that it has a couple of things which led me to not use it.
One of the issues was excessive CPU usage, since I was using a bash script as a wrapper.
I remember that long ago a sysadmin used something other than basic auth.
They had a WIFI system on the premises and every user could log in to the WIFI network using their username and password.
Then they periodically pulled the user => IP mapping from the radius DB and applied ACLs based on the client IP, which is unique per username.

If I were to write a helper I would probably use GoLang or Ruby.
I was thinking about some way to make a helper generic enough, but if you have an idea\sketch I might take it and actually write the helper.
I have seen but have not used the following library:
https://github.com/layeh/radius

Which might be very helpful.

Eliezer
----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]



-----Original Message-----
From: Pascal Schäfer [mailto:[hidden email]]
Sent: Tuesday, September 19, 2017 15:20
To: Eliezer Croitoru <[hidden email]>; [hidden email]
Subject: Re: [squid-users] Squid radius Authentication

Hey,

thank you for your reply.
Yes it would be Basic.
I think I will write my own helper as a generic solution, not only for 2
domains/subdomains. Do you had the same problem in the past?

The answer mails from Amos helped me a lot to know how I can program the
wrapper helper.

Pascal


Re: Squid radius Authentication

Pascal Schäfer
In reply to this post by Amos Jeffries
Dear Amos,

I have another question about key_extras for auth_param basic key_extras.
Is it possible to give the helper more than one key_extras argument?
Maybe like this:

auth_param basic key_extras %macro
auth_param basic key_extras $macro

or

auth_param basic key_extras %macro %macro


And I tried some key_extras, but the only useful key_extras was %rp,
where I get /site/ from the URL: https://subdomain.domain.com/site/.
And when I try to use %rq, my Squid gives me an error that it can't parse
the config file.
I wish I could get the whole URL from Squid.

Do you maybe know why that happens?
Or isn't it the right key_extras %macro?
Most of the other %macros give me "-", which means that the
information is not available at the moment when the authentication
helper gets the username and password.

My squid version is squid 3.5.23-5 compiled from the sources of a debian
distribution (apt-get sources ... ).
I used these references for squid:

http://www.squid-cache.org/Doc/config/auth_param/
http://devel.squid-cache.org/customlog/logformat.html

I hope you can help me.

with best regards,

Pascal

On 15.09.2017 at 17:26, Amos Jeffries wrote:

> On 16/09/17 02:31, Pascal Schäfer wrote:
>> Dear Amos,
>>
>> Thank you for your reply!
>>
>>>>
>>>> I have a question about the authentication with a radius server.
>>>> I use Squid as a reverse proxy.
>>>> It is possible to use two radius server for different pages or
>>>> subdomains with squid_radius_auth?
>>>
>>> HTTP has no concept of "page" - so for that; no.
>>>
>>> For sub-domains (OR specific URLs); maybe. Because the helper you are
>>> asking about does not use the key_extras feature provided by latest
>>> Squid version
>>
>> Ok. Thank you. Exist another helper who did an authentication with a
>> radius server?
>>
>
> I am aware of some proprietary ones existing. But that is not useful for
> you.
>
>>>
>>> You need to write your own helper that does what you want. That could be
>>> in the form of a wrapper script that starts multiple radius helper with
>>> the necessary parameters, and uses key_extra parameters to decide which
>>> one will handle any given auth lookup.
>>
>> Is this https://wiki.squid-cache.org/Features/AddonHelpers#Authenticator
>> the right wiki, where I have to lookup?
>
> That page describes the protocol Squid will be talking to your script
> with; and what is expected to arrive back.
>
>> Make it sense that behind the radius server is a Windows NPS Server to
>> authenticate the Users?
>
> That does not matter unless you are writing the RADIUS parts yourself.
> In which case I cannot help, not knowing much about RADIUS protocol.
>
>
>> So when I write the wrapper helper, I only need to decide which helper I
>> would like to start and with which parameters, like a Bash command?
>>
>
> Yes. Though helpers are required to run until Squid stops them. So best
> to start the child radius helpers at the beginning then just relay query
> and response lines appropriately when they arrive.
>
>
>>>
>>> Since you are calling it the long obsolete name "squid_radius_auth", you
>>> probably do not have a current Squid version which supplies the
>>> key_extras feature. At the very least you will have to upgrade to at
>>> least Squid-3.5.
>>
>> I have a Squid-3.5, self compiled.
>> I think about to upgrade there on Squid-4 or to compile it and install
>> them fresh on the system. Is the name of them another in the newer
>> versions?
>
> Then you should be fine, except "basic_radius_auth" is the helper binary
> name since Squid-3.2.
>
>
> Amos