Squid RADIUS authentication

If you use a RADIUS server for other authentication needs in your organisation, why not use it for proxy access? One possible scenario is giving access to web services only to users in specific Active Directory groups.

As a RADIUS server you can use freeRADIUS or Microsoft's IAS server. If you're using the latter you can find info and basic configuration for the IAS server in the first part of this article. Basically you have to declare the client and set up a remote access policy (set Service-Type = Login) and a connection request policy. You also need a security group that will be allowed to validate the remote access policy (you can't specify single users).

I won't describe the installation of Squid; it's not this article's topic.

The authenticating module I used is squid_radius_auth. You can find it here. Download it, unpack it and compile it. You will get a squid_radius_auth executable that you can move to a safe place. It needs a config file, squid_radius_auth, that should contain the name of the RADIUS server and the secret:

server radius_server
secret secret_phrase

You need to point Squid to the authenticator so place something like this in squid.conf:

auth_param basic program /path_to_auth/squid_radius_auth
auth_param basic children 5
auth_param basic realm Please enter your domain credentials
auth_param basic credentialsttl 8 hours
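
Squid talks to a basic authentication helper over standard input and output: one "username password" line per request (both fields URL-escaped, separated by a single space), answered with OK or ERR. The script below is an added example, not part of the original article or of squid_radius_auth, that drives a helper this way before it is wired into squid.conf; the stub helper and its account are constructed so it runs without a RADIUS server.

```python
import subprocess
import sys
from urllib.parse import quote

# Constructed stand-in for squid_radius_auth so this runs without a RADIUS
# server: it checks one made-up account instead of sending an Access-Request.
STUB_HELPER = r'''
import sys
from urllib.parse import unquote
USERS = {"alice": "s3cret pass"}  # constructed sample account
for line in sys.stdin:
    fields = line.rstrip("\n").split(" ")
    ok = len(fields) == 2 and USERS.get(unquote(fields[0])) == unquote(fields[1])
    print("OK" if ok else "ERR", flush=True)
'''
STUB_CMD = [sys.executable, "-c", STUB_HELPER]


def helper_line(user, password):
    """Build one request line: URL-escaped fields, a single space, a newline."""
    return f"{quote(user, safe='')} {quote(password, safe='')}\n"


def ask_helper(cmd, lines):
    """Send raw request lines to a helper; return the first word of each reply."""
    proc = subprocess.run(cmd, input="".join(lines), capture_output=True,
                          text=True, timeout=10)
    return [reply.split()[0] for reply in proc.stdout.splitlines() if reply.strip()]


if __name__ == "__main__":
    # Correct form: login and password on the same line.
    print(ask_helper(STUB_CMD, [helper_line("alice", "s3cret pass")]))
    # Wrong password.
    print(ask_helper(STUB_CMD, [helper_line("alice", "guess")]))
    # Login and password on separate lines: each line is its own request.
    print(ask_helper(STUB_CMD, ["alice\n", "s3cret pass\n"]))
```

To test the real helper, pass its command line to ask_helper instead of STUB_CMD; an ERR reply to a correctly formatted line then points at the RADIUS side (server name, secret or policy) rather than at Squid.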

Next, configure Squid to allow only authenticated users. In the following example, users on the local LAN are allowed without logging in, but users that don't show up in the local users file (localusers) are asked to log in:

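# proxy_auth needs an argument; REQUIRED matches any user the helper accepts
acl passwd proxy_auth REQUIRED
acl localusers src "/etc/squid/localusers"

http_access allow localusers
http_access allow all passwd
# Deny whatever the rules above did not allow
http_access deny all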

The RADIUS server's logs will also record who logged on to use the web services, and when.
   

Comments

3 Responses to "Squid RADIUS authentication"

Anonymous said... February 16, 2009 at 1:19 PM

I installed squid-rad-auth and tried to authenticate first with freeradius. My freeradius is working well when using radtest, but I got "ERR" instead of "OK" while performing a test with squid-rad-auth. May I know the problem, please? See the following display message:

./squid_rad_auth
test
ERR
test123
ERR

Any idea would be appreciated.

cerber said... March 16, 2009 at 9:00 PM

When you want to test RADIUS, you need to enter _login_ _password_ with only one space between them, not an Enter.

dave said... May 5, 2009 at 5:42 AM

I have Squid running on several ports. Is there a way to specify a certain port for authentication while the others do not need to be authenticated?
