Re: [squid-users] Re: squid client authentication against AD computer account
Do any of the authentication methods include the computer name in the authentication tokens? I can set up any auth method if any of them supports it. I basically want to authenticate client computers by the hostname as registered in the AD. Thanks everyone.

On Thu, Sep 23, 2010 at 1:45 PM, Manoj Rajkarnikar manoj.rajkarni...@gmail.com wrote:
> Hi Matus.
>
> On Tue, Sep 21, 2010 at 5:17 PM, Matus UHLAR - fantomas uh...@fantomas.sk wrote:
>> On 15.09.10 12:59, Manoj Rajkarnikar wrote:
>>> Thanks for the quick response Markus. The reason I need to limit the computer account and not the user account is that people here move out to distant branches and the internet access policy is to allow access based on the position they hold, and thus the computer they will use.
>>
>> I somehow don't understand this. Maybe it's my English. Do you need to control access for the user+computer combination?
>
> I need to control access based on the computer account as registered in the AD server.
>
>>> I've successfully set up the Kerberos authentication but I don't see how squid will fetch the computer information from the client request and authorize it based on the group membership in AD. What I wish to accomplish is:
>>> 1. create a security group in AD
>>> 2. add computer accounts to this security group
>>> 3. squid checks if the computer trying to access the internet is a member of this security group.
>>> 4. if not, don't allow access to the internet, or request the login of an AD user that is allowed.
>>
>> It seems that you want to allow access from some computers to the net, no matter which user is logged in. Why not use ip-based or maybe hardware_address-based authentication then?
>
> That is correct. We have DHCP all over our network so ip-based is a bad idea. For hardware_address-based auth, we will have to maintain a very large list of hardware addresses.. not a good idea but considerable (if computer account based auth doesn't work)..
> Also to be noted that computer account based authentication would be more secure, as only a handful of admins have domain administrator level access, so it will be hard to spoof.
>
>> --
>> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
>> Warning: I wish NOT to receive e-mail advertising to this address.
>> Warning: I do NOT want to receive any advertising mail at this address.
>> Quantum mechanics: The dreams stuff is made of.
Re: [squid-users] Re: squid client authentication against AD computer account
Hi Matus.

On Tue, Sep 21, 2010 at 5:17 PM, Matus UHLAR - fantomas uh...@fantomas.sk wrote:
> On 15.09.10 12:59, Manoj Rajkarnikar wrote:
>> Thanks for the quick response Markus. The reason I need to limit the computer account and not the user account is that people here move out to distant branches and the internet access policy is to allow access based on the position they hold, and thus the computer they will use.
>
> I somehow don't understand this. Maybe it's my English. Do you need to control access for the user+computer combination?

I need to control access based on the computer account as registered in the AD server.

>> I've successfully set up the Kerberos authentication but I don't see how squid will fetch the computer information from the client request and authorize it based on the group membership in AD. What I wish to accomplish is:
>> 1. create a security group in AD
>> 2. add computer accounts to this security group
>> 3. squid checks if the computer trying to access the internet is a member of this security group.
>> 4. if not, don't allow access to the internet, or request the login of an AD user that is allowed.
>
> It seems that you want to allow access from some computers to the net, no matter which user is logged in. Why not use ip-based or maybe hardware_address-based authentication then?

That is correct. We have DHCP all over our network so ip-based is a bad idea. For hardware_address-based auth, we will have to maintain a very large list of hardware addresses.. not a good idea but considerable (if computer account based auth doesn't work)..
Also to be noted that computer account based authentication would be more secure, as only a handful of admins have domain administrator level access, so it will be hard to spoof.
Re: [squid-users] Re: squid client authentication against AD computer account
On 15.09.10 12:59, Manoj Rajkarnikar wrote:
> Thanks for the quick response Markus. The reason I need to limit the computer account and not the user account is that people here move out to distant branches and the internet access policy is to allow access based on the position they hold, and thus the computer they will use.

I somehow don't understand this. Maybe it's my English. Do you need to control access for the user+computer combination?

> I've successfully set up the Kerberos authentication but I don't see how squid will fetch the computer information from the client request and authorize it based on the group membership in AD. What I wish to accomplish is:
> 1. create a security group in AD
> 2. add computer accounts to this security group
> 3. squid checks if the computer trying to access the internet is a member of this security group.
> 4. if not, don't allow access to the internet, or request the login of an AD user that is allowed.

It seems that you want to allow access from some computers to the net, no matter which user is logged in. Why not use ip-based or maybe hardware_address-based authentication then?
Re: [squid-users] Re: squid client authentication against AD computer account
Thanks for the quick response Markus. The reason I need to limit the computer account and not the user account is that people here move out to distant branches and the internet access policy is to allow access based on the position they hold, and thus the computer they will use.

I've successfully set up the Kerberos authentication but I don't see how squid will fetch the computer information from the client request and authorize it based on the group membership in AD. What I wish to accomplish is:
1. create a security group in AD
2. add computer accounts to this security group
3. squid checks if the computer trying to access the internet is a member of this security group.
4. if not, don't allow access to the internet, or request the login of an AD user that is allowed.

I'm not sure if this is achievable. Thanks for the help.

Manoj

On Wed, Sep 15, 2010 at 12:28 AM, Markus Moeller hua...@moeller.plus.com wrote:
> Manoj Rajkarnikar manoj.rajkarni...@gmail.com wrote in message news:aanlktingxtowx+aysrvgoaseiqrs1qrmx2vym8t5i...@mail.gmail.com...
>> Hi all. I've been trying to set up this squid box with authentication to an AD 2003 server. The need in our situation is to allow the workstation access to the internet and not the user, since the users are always moving from station to station. I've already set up Kerberos authentication successfully. I've searched through the list for anything related to authorizing computer accounts but found none..
>
> Why do you want to limit the computer and not the user? I assume the users log in to the stations with their credentials, so moving stations should not be an issue, or?
>
>> I'm not very familiar with ldap queries. Any help would be greatly appreciated.. I'm trying to use squid_kerb_ldap for ldap authorization...
>
> squid_kerb_ldap will connect to AD and determine if a user is a member of an AD group. The connection to AD is authenticated using the Kerberos key from the squid keytab file, and the AD server is found by using SRV DNS records, which are usually defined in a Windows environment with AD.
>
>> Thank you very much for your help. Regards Manoj
[squid-users] Re: squid client authentication against AD computer account
Manoj Rajkarnikar manoj.rajkarni...@gmail.com wrote in message news:aanlktingxtowx+aysrvgoaseiqrs1qrmx2vym8t5i...@mail.gmail.com...
> Hi all. I've been trying to set up this squid box with authentication to an AD 2003 server. The need in our situation is to allow the workstation access to the internet and not the user, since the users are always moving from station to station. I've already set up Kerberos authentication successfully. I've searched through the list for anything related to authorizing computer accounts but found none..

Why do you want to limit the computer and not the user? I assume the users log in to the stations with their credentials, so moving stations should not be an issue, or?

> I'm not very familiar with ldap queries. Any help would be greatly appreciated.. I'm trying to use squid_kerb_ldap for ldap authorization...

squid_kerb_ldap will connect to AD and determine if a user is a member of an AD group. The connection to AD is authenticated using the Kerberos key from the squid keytab file, and the AD server is found by using SRV DNS records, which are usually defined in a Windows environment with AD.

> Thank you very much for your help. Regards Manoj
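Added example (not from any of the posts in this thread): the squid.conf wiring that Markus's description implies, with squid_kerb_auth handling Negotiate/Kerberos and squid_kerb_ldap checking AD group membership of the principal that authenticated. The helper paths, the keytab path, proxy.example.com, the EXAMPLE.COM realm and the Internet-Allowed group are assumed placeholders.

```conf
# Kerberos (Negotiate) authentication via squid_kerb_auth.
# -s names the proxy's own service principal, which must be present in the
# keytab; KRB5_KTNAME points the helper at that keytab (MIT Kerberos). It can
# equally be exported in squid's startup environment instead of via env.
# Paths, hostname and realm are assumed placeholders.
auth_param negotiate program /usr/bin/env KRB5_KTNAME=/etc/squid/proxy.keytab /usr/lib/squid/squid_kerb_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on

# Group authorization via squid_kerb_ldap. %LOGIN hands the helper the
# authenticated principal (user@EXAMPLE.COM); -g names the AD group to test.
# The helper binds to AD with the same keytab and finds domain controllers
# through the domain's SRV records, as Markus describes. Group name is an
# assumed placeholder; add -d to the helper for debug output in cache.log.
external_acl_type ad_group ttl=3600 negative_ttl=300 children=5 %LOGIN /usr/bin/env KRB5_KTNAME=/etc/squid/proxy.keytab /usr/lib/squid/squid_kerb_ldap -g Internet-Allowed@EXAMPLE.COM

acl authenticated proxy_auth REQUIRED
acl internet_allowed external ad_group

# Challenge first (407), then allow only group members; deny everything else.
http_access deny !authenticated
http_access allow internet_allowed
http_access deny all
```

Note that %LOGIN is whatever principal actually authenticated, and a browser obtains its Negotiate ticket with the logged-in user's credentials rather than the machine account's, so a group populated with computer accounts would not match in this setup.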