Re: [squid-users] Radius Accounting!

2012-11-13 Thread Amos Jeffries

On 14.11.2012 04:00, Azfar Hashmi wrote:

> Hi Eliezer,
>
> My clients simply login via browser, squid just asks them for http auth.
>
> You are right, squid is not a NAS, hence it does not respect radius
> protocols other than simple authentication requests. Btw I can achieve
> the multi-user login check without external_acl by using "max_user_ip
> -s 1" but this is also not working for me because I have Stunnel in
> between, so all requests are finally forwarded to squid via stunnel (instead
> of the client's original ip) and squid feels all users are coming from a single
> ip (stunnel ip),


Aha! Now you describe what the REAL problem is.

Squid is not "feeling" the users come from the one IP address. They
*are* coming from the one IP address when they arrive at Squid for
authentication. Your description of "not working" is everybody else's
description of "working correctly".




> also ultimately I will have multiple squid servers, so this trick even
> without stunnel is not going to work for me accurately, as a user will
> still be able to login from the same username on different servers.



So you have multiple users all being tunneled through some upstream TCP
proxy point (erasing the IP address information) to multiple Squid
servers which do not check each other's user login state (HTTP is
stateless).

And you want to use user-IP address locking. You blame Squid for
obeying TCP and HTTP protocols?

You were nearly correct earlier when you jumped ahead (without telling
us these extra details) and said it was "impossible".



There *is* still a way around the problem. But you are going to have to
do some major network restructuring in order to achieve it.

1) remove stunnel, or, at minimum ensure each user-IP source has its
own stunnel-IP sending address (stunnel from the user machine is best
for this).


* If you need SSH encryption over a specific network path (i.e. Internet
between two POPs) consider using a Squid at each end of where the
stunnel is now with SSL settings on the cache_peer linkage between them,
and the X-Forwarded-For feature to pass the IP addresses via HTTP header.

Either way the *shared* stunnel MUST NOT be used directly by the
clients. It is the stunnel sharing which is causing the user-IP problem.



2) prevent users logging into multiple Squid servers.

* consider a CARP style proxy hierarchy, where all client traffic goes
through one parent proxy which does as few actions as possible,
authentication and user-IP max limitation being among those minimums for
your case. If the traffic gets past that minimum check, it is passed to one
of multiple backend peers for the slower network or cache fetching.

* consider use of PAC files at the user end to enforce each user only
being given one proxy to make all their access through.
  PAC files can be generated per-user by some server script as requested
by the users.



The question is, are you willing to do that just to require each user
to only have one proxy be useful?

IMHO it is not worth the effort and you most likely have some other
reason for even considering user-IP locking which you again have not
told us about anyway. Chances are VERY high that other reason will have
a solution different to user-IP locking which can be implemented in
Squid. I will take a guess in the dark here and say "bandwidth
accounting?"


Amos


Re: [squid-users] Radius Accounting!

2012-11-13 Thread Azfar Hashmi
Hi Eliezer,

My clients simply login via browser, squid just asks them for http auth.
You are right, squid is not a NAS, hence it does not respect radius
protocols other than simple authentication requests. Btw I can achieve
the multi-user login check without external_acl by using "max_user_ip
-s 1" but this is also not working for me because I have Stunnel in
between, so all requests are finally forwarded to squid via stunnel (instead
of the client's original ip) and squid feels all users are coming from a single
ip (stunnel ip), also ultimately I will have multiple squid servers, so
this trick even without stunnel is not going to work for me accurately, as a
user will still be able to login from the same username on different servers.

On 11/13/2012 7:45 PM, Eliezer Croitoru wrote:
> On 11/13/2012 3:47 PM, Azfar Hashmi wrote:
>> Do you have any example? My problem is that I can't play with squid conf
>> whenever a new user is created in radius. Addition/expiration of users
>> should be transparent from squid.
> you don't need to change squid conf more than to use some external_acl
> helper (you will need to write) that does anything related to users by
> usage of IP or any other way.
>
> How do your clients log on?
> Radius most of the time is being used with some NAS device that
> respects radius policies so in a case you don't have this kind of device
> you should do some thinking and planning of implementing such a feature.
>
> If you will have more info on how things work in your environment I
> can take a peek at it and think with you on a sensible solution.
>
> Regards,
> Eliezer
>


-- 

Azfar Hashmi

Cloudways

Your Managed Cloud

e: azfar.has...@cloudways.com

w: www.cloudways.com

PGP keyid: 0xF42034B0F915D729

http://keyserver.pgp.com



Re: [squid-users] Radius Accounting!

2012-11-13 Thread Eliezer Croitoru

On 11/13/2012 3:47 PM, Azfar Hashmi wrote:

> Do you have any example? My problem is that I can't play with squid conf
> whenever a new user is created in radius. Addition/expiration of users
> should be transparent from squid.

you don't need to change squid conf more than to use some external_acl
helper (you will need to write) that does anything related to users by
usage of IP or any other way.

How do your clients log on?
Radius most of the time is being used with some NAS device that respects
radius policies so in a case you don't have this kind of device you should
do some thinking and planning of implementing such a feature.

If you will have more info on how things work in your environment I can
take a peek at it and think with you on a sensible solution.


Regards,
Eliezer

--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer  ngtech.co.il


Re: [squid-users] Radius Accounting!

2012-11-13 Thread Azfar Hashmi
Do you have any example? My problem is that I can't play with squid conf
whenever a new user is created in radius. Addition/expiration of users
should be transparent from squid.

On 11/13/2012 6:40 PM, Eliezer Croitoru wrote:
> On 11/13/2012 3:31 PM, Azfar Hashmi wrote:
>> My scenario is simple: different customers should not be able to
>> login simultaneously from the same username.
>>
>> Or
>>
>> If username "A" is being used by x.x.x.x IP address then user "A" should
>> not be able to login from y.y.y.y IP address at the same time.
> Well it's a basic feature of radius.
> It's not a feature inside squid but you are able to allow or deny
> access using external_acl.
> What you can do in squid is to write an external_acl that will deny
> access\login using a specific user while it's being logged in using
> another IP.
>
> Regards,
> Eliezer
>



Re: [squid-users] Radius Accounting!

2012-11-13 Thread Eliezer Croitoru

On 11/13/2012 3:31 PM, Azfar Hashmi wrote:

> My scenario is simple: different customers should not be able to
> login simultaneously from the same username.
>
> Or
>
> If username "A" is being used by x.x.x.x IP address then user "A" should
> not be able to login from y.y.y.y IP address at the same time.

Well it's a basic feature of radius.
It's not a feature inside squid but you are able to allow or deny access
using external_acl.
What you can do in squid is to write an external_acl that will deny
access\login using a specific user while it's being logged in using
another IP.


Regards,
Eliezer

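An external_acl helper of the kind Eliezer describes, written here as an added example (not code from the thread or from the Squid project): it keeps a username-to-IP table and answers ERR when a username arrives from a second address while the first binding is still fresh. The squid.conf glue in the comment, the helper path and LOCK_TTL are assumptions; as Amos points out at the top of the page, this only holds when Squid sees each client's real source address and a single helper process (on a single Squid) owns the table.

```python
#!/usr/bin/env python3
# Squid external_acl helper: allow a username from only one client IP at a time.
# Assumed squid.conf glue (not from the thread):
#   external_acl_type iplock children=1 ttl=60 negative_ttl=5 %LOGIN %SRC /usr/local/bin/iplock.py
#   acl one_ip external iplock
#   http_access deny !one_ip
# children=1 matters: the lock table lives in this process, so several helper
# children (or several Squid servers) would each hold their own, unshared table.
import sys
import time

# Seconds of inactivity after which a user's IP binding lapses (assumed value).
# Keep it above Squid's ttl=, since cached OK results never reach this helper
# and therefore cannot refresh last_seen.
LOCK_TTL = 300


def decide(bindings, user, ip, now, ttl=LOCK_TTL):
    """Return 'OK' if user may be served from ip, 'ERR' if another IP holds the lock.

    bindings maps user -> (ip, last_seen_epoch) and is updated in place.
    """
    bound = bindings.get(user)
    if bound is not None and now - bound[1] > ttl:
        bound = None  # stale binding: treat the earlier session as ended
    if bound is None or bound[0] == ip:
        bindings[user] = (ip, now)  # (re)bind and refresh last_seen
        return "OK"
    return "ERR"  # username already active from a different address


def handle_line(bindings, line, now=None):
    """Parse one '<user> <ip>' request line from Squid and return the reply."""
    parts = line.split()
    if len(parts) != 2:
        return "ERR"  # malformed request: fail closed
    user, ip = parts
    return decide(bindings, user, ip, time.time() if now is None else now)


def main():
    bindings = {}
    for line in sys.stdin:  # one request per line, one reply per line
        sys.stdout.write(handle_line(bindings, line) + "\n")
        sys.stdout.flush()  # Squid blocks until the reply arrives


if __name__ == "__main__":
    main()
```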


Re: [squid-users] Radius Accounting!

2012-11-13 Thread Azfar Hashmi
My scenario is simple: different customers should not be able to
login simultaneously from the same username.

Or

If username "A" is being used by x.x.x.x IP address then user "A" should
not be able to login from y.y.y.y IP address at the same time.

On 11/13/2012 5:57 PM, Eliezer Croitoru wrote:
> On 11/13/2012 2:40 PM, Azfar Hashmi wrote:
>> Thanks for the information.
>>
>> It also seems impossible to me to control the radius level simultaneous-use
>> check, can anyone confirm it?
> And what do you mean by that?
> To control what exactly?
> Radius is most likely used with a per IP to user level.
>
> Eliezer



Re: [squid-users] Radius Accounting!

2012-11-13 Thread Eliezer Croitoru

On 11/13/2012 2:40 PM, Azfar Hashmi wrote:

> Thanks for the information.
>
> It also seems impossible to me to control the radius level simultaneous-use
> check, can anyone confirm it?

And what do you mean by that?
To control what exactly?
Radius is most likely used with a per IP to user level.

Eliezer


Re: [squid-users] Radius Accounting!

2012-11-13 Thread Azfar Hashmi
Thanks for the information.

It also seems impossible to me to control the radius level simultaneous-use
check, can anyone confirm it?

On 11/8/2012 5:42 PM, Eliezer Croitoru wrote:
> On 11/8/2012 2:14 PM, Azfar Hashmi wrote:
>> So there is no workaround except manually parsing squid logs and feeding
>> the radius database?
> Not that I know of.
> I think that most of the needed code for the option is there and also
> can be fetched by SNMP.
> Take a look at: http://wiki.squid-cache.org/Features/Snmp#Squid_OIDs
> at the part of "Client Table".
>
> Regards,
> Eliezer
>



Re: [squid-users] Radius Accounting!

2012-11-08 Thread Eliezer Croitoru

On 11/8/2012 2:14 PM, Azfar Hashmi wrote:

> So there is no workaround except manually parsing squid logs and feeding
> the radius database?

Not that I know of.
I think that most of the needed code for the option is there and also
can be fetched by SNMP.
Take a look at: http://wiki.squid-cache.org/Features/Snmp#Squid_OIDs at
the part of "Client Table".


Regards,
Eliezer

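The workaround Azfar asks about in this exchange, parsing Squid's logs to feed RADIUS accounting, as an added example (not code from the thread or from Squid): it reads Squid 2.7's native access.log format, sums the bytes sent to each authenticated user and takes the span between that user's first and last request as session time, yielding the values a RADIUS Stop record would carry. The sample log lines are constructed, and the session-time approximation and session-id scheme are this example's own assumptions.

```python
# Field order: time elapsed client code/status bytes method url user hierarchy/peer type
# Constructed sample lines in Squid's native access.log format, not taken from the thread:
SAMPLE_LOG = """\
1352812800.123    245 10.0.0.5 TCP_MISS/200 5123 GET http://example.com/ alice DIRECT/93.184.216.34 text/html
1352812860.500     80 10.0.0.5 TCP_HIT/200 2048 GET http://example.com/a.css alice NONE/- text/css
1352812900.000    300 10.0.0.7 TCP_MISS/200 10240 GET http://example.org/ bob DIRECT/93.184.216.34 text/html
1352812930.250     10 10.0.0.9 TCP_DENIED/407 1600 GET http://example.net/ - NONE/- text/html
"""

def parse_line(line):
    """Return (timestamp, user, bytes) or None for unauthenticated or malformed lines."""
    f = line.split()
    if len(f) < 10 or f[7] == "-":
        return None  # no authenticated user (e.g. a 407 challenge): nothing to account
    try:
        return float(f[0]), f[7], int(f[4])
    except ValueError:
        return None

def summarize(log_text):
    """Aggregate bytes sent to each user and the span of their activity."""
    users = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, user, nbytes = rec
        u = users.setdefault(user, {"first": ts, "last": ts, "octets": 0})
        u["first"] = min(u["first"], ts)
        u["last"] = max(u["last"], ts)
        u["octets"] += nbytes
    return users

def accounting_records(users):
    """Map each user's summary onto RADIUS accounting attributes for a Stop record."""
    return {
        user: {
            "User-Name": user,
            "Acct-Session-Id": "%s-%d" % (user, u["first"]),  # constructed id scheme
            "Acct-Session-Time": int(u["last"] - u["first"]),  # first-to-last request span
            "Acct-Output-Octets": u["octets"],  # bytes Squid delivered to the client
            "Acct-Status-Type": "Stop",
        }
        for user, u in users.items()
    }

if __name__ == "__main__":  # print each record in the attribute = value style radclient reads
    for attrs in accounting_records(summarize(SAMPLE_LOG)).values():
        print("\n".join("%s = %s" % kv for kv in attrs.items()) + "\n")
```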


Re: [squid-users] Radius Accounting!

2012-11-08 Thread Azfar Hashmi
On 11/7/2012 4:55 PM, Eliezer Croitoru wrote:
> On 11/7/2012 1:37 PM, Azfar Hashmi wrote:
>> Hi all,
>>
>> I am using Squid 2.7 Stable9 (Debian Squeeze package) and I am using the
>> squid_radius_auth helper to perform authentication from radius
>> (Freeradius 2.x) and this is working fine. Now the problem is that I
>> want to do accounting in radius and for it I need squid to send
>> accounting start / stop, interim updates etc to radius but it is not
>> sending anything to radius except authentication requests. I want to
>> confirm whether it is even possible to do it with squid (log session time,
>> bandwidth etc in radius)? Is there any other radius plugin which can do
>> it? Or does squid simply not support these things? I can also try to
>> hack the squid_radius_auth helper code to add this functionality but first I
>> need to confirm whether it will be worth it or squid simply does not support
>> such things.
>>
>> I have also tried the pam_auth helper with radius but it made no difference
>> as well.
>>
>> Thanks in advance.
>
> Hey Azfar,
>
> As you may have noticed this is an auth helper and not related in any way to
> accounting.
>
> Squid doesn't have any accounting mechanism other than in delay pools as
> far as I can remember.
>
> This can be a nice feature.
>
> Radius accounting usually works on a routing basis since it's based on
> IP level.
> I have been using a bit freebsd with MPD that can work with radius and
> accounting.
>
> If you are using some sort of LNS you should do it there and not in the
> squid machine.
>
> Regards,
> Eliezer
>
So there is no workaround except manually parsing squid logs and feeding
the radius database?


Re: [squid-users] Radius Accounting!

2012-11-07 Thread Eliezer Croitoru

On 11/7/2012 1:37 PM, Azfar Hashmi wrote:

> Hi all,
>
> I am using Squid 2.7 Stable9 (Debian Squeeze package) and I am using the
> squid_radius_auth helper to perform authentication from radius
> (Freeradius 2.x) and this is working fine. Now the problem is that I
> want to do accounting in radius and for it I need squid to send
> accounting start / stop, interim updates etc to radius but it is not
> sending anything to radius except authentication requests. I want to
> confirm whether it is even possible to do it with squid (log session time,
> bandwidth etc in radius)? Is there any other radius plugin which can do
> it? Or does squid simply not support these things? I can also try to
> hack the squid_radius_auth helper code to add this functionality but first I
> need to confirm whether it will be worth it or squid simply does not support
> such things.
>
> I have also tried the pam_auth helper with radius but it made no difference
> as well.
>
> Thanks in advance.

Hey Azfar,

As you may have noticed this is an auth helper and not related in any way to
accounting.

Squid doesn't have any accounting mechanism other than in delay pools as
far as I can remember.

This can be a nice feature.

Radius accounting usually works on a routing basis since it's based on IP
level.
I have been using a bit freebsd with MPD that can work with radius and
accounting.

If you are using some sort of LNS you should do it there and not in the squid
machine.


Regards,
Eliezer



[squid-users] Radius Accounting!

2012-11-07 Thread Azfar Hashmi
Hi all,

I am using Squid 2.7 Stable9 (Debian Squeeze package) and I am using the
squid_radius_auth helper to perform authentication from radius
(Freeradius 2.x) and this is working fine. Now the problem is that I
want to do accounting in radius and for it I need squid to send
accounting start / stop, interim updates etc to radius but it is not
sending anything to radius except authentication requests. I want to
confirm whether it is even possible to do it with squid (log session time,
bandwidth etc in radius)? Is there any other radius plugin which can do
it? Or does squid simply not support these things? I can also try to
hack the squid_radius_auth helper code to add this functionality but first I
need to confirm whether it will be worth it or squid simply does not support
such things.

I have also tried the pam_auth helper with radius but it made no difference
as well.

Thanks in advance.
