On Fri, 10 Jan 2003 00:17, d.sergent@dcs.fr wrote:
> This is the situation ...
>
> Users connect through the firewall, the firewall connects to radius to
> validate the authentication, and to websense to create a new entry in the log.
>
> The proxy is a plus, configured in some web browsers. So the user connects to
> the proxy, the proxy to the firewall, the firewall to radius, and to
> websense ...
> The only authentication in all of this is on the radius server. I don't
> want to add another authentication... but the problem is that the first
> person needs to be logged in, but the others use the first login and in
> websense all the logs say that there is only one person who is surfing, as
> if squid was creating a connection with the first information (the IP I
> think) and doesn't upgrade it when a new user connects.
>
> Sergent David
>
I don't know how your firewall actually performs the radius authentication,
but I suspect it ends up mapping a username to an IP address. Since the
firewall sees the request coming from the proxy server's IP, all subsequent
requests through the proxy will be associated with the user who first
triggered the user-IP mapping. This is obviously undesirable so it might be
worth looking at using another form of authentication on the firewall. Or
alternatively, ensure that client workstations are connected directly to the
firewall. Another option may be to use a transparent proxy, but I'm afraid I
can't give directions on how to set it up.
Gerard
Received on Thu Jan 09 2003 - 07:43:29 MST
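
The behaviour suspected in the reply above, modelled as an added example that is not part of the original thread: a hypothetical firewall that caches one username per source IP, with clients browsing either directly or through a proxy. The `Firewall` class, function names, addresses and usernames are all constructed for illustration; the RADIUS check is not implemented.

```python
from dataclasses import dataclass, field

PROXY_IP = "192.0.2.10"  # constructed proxy address
CLIENTS = [("10.0.0.11", "alice"), ("10.0.0.12", "bob"), ("10.0.0.13", "carol")]  # constructed


@dataclass
class Firewall:
    """Hypothetical firewall: one username cached per source IP after login."""
    sessions: dict = field(default_factory=dict)  # source IP -> username
    log: list = field(default_factory=list)       # (source IP, user, URL) sent to the logger

    def handle(self, src_ip, url, login=None):
        if src_ip not in self.sessions:
            if login is None:
                return "auth-required"
            # A real firewall would validate the login against RADIUS here.
            self.sessions[src_ip] = login
        # Attribution uses the cached mapping, not the person behind the request.
        self.log.append((src_ip, self.sessions[src_ip], url))
        return "ok"


def browse(fw, client_ip, user, url, through_proxy):
    # The proxy opens its own connection, so the firewall only ever sees PROXY_IP.
    src = PROXY_IP if through_proxy else client_ip
    if fw.handle(src, url) == "auth-required":
        fw.handle(src, url, login=user)


def logged_users(through_proxy):
    """Return the distinct usernames that end up in the firewall log."""
    fw = Firewall()
    for ip, user in CLIENTS:
        browse(fw, ip, user, "http://example.com/", through_proxy)
    return sorted({user for _, user, _ in fw.log})


if __name__ == "__main__":
    print("direct to firewall:", logged_users(through_proxy=False))
    print("through the proxy: ", logged_users(through_proxy=True))
```
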
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:12:36 MST