Hi,
I'm having a problem with a Squid 2.5.stable3 installation using
squid_radius_auth and a Websense redirector on Red Hat ES r3. At
times you get out even with invalid username and/or password. When
makes this more fun is that it's intermittent, so I don't think it's a
basic acl problem.
Squid is not my strong point, so I'd appreciate any advice on how to
troubleshoot this. (Of course, I've inherited the Squid box as part
of my new job, and this issue has just raised its ugly head. Here
I've left it alone for a few weeks thinking "Oh, it's Squid, it's
working, I'll investigate it later," and now everyone's screaming.)
If you enter a valid username and a password you get Internet access,
as you would expect.
If you enter an invalid username and an invalid password, you might
get Internet access. It appears that the longer Squid is running, the
greater chance you have of getting that access.
If you enter a valid username and an invalid password, you get asked
for a correct password. Three tries later, it kicks you out. Then
hit "refresh," enter your invalid password, and you *might* get out.
Maybe not.
It seems that if you refresh often enough and have a bit of patience,
eventually you'll get out.
I've checked the radius server with "squid_rad_auth -f
squid_rad_auth.conf" and gotten the proper ERR and OK messages no
matter what combination of username/password I try.
We have 30 children for squid_rad_auth, but increasing it to 60 didn't
help.
Running with debug_options ALL,9 generates a lot of cache info
messages, but grepping for my bogus username gives me stuff like:
2006/04/07 14:10:30| helperSubmit: blahuser_t euhtansoeuhtnsaoeu
2006/04/07 14:10:30| authenticateBasicDecodeAuth: cleartext = 'blahuser_t:euhtansoeuhtnsaoeu'
2006/04/07 14:10:30| authBasicAuthUserFindUsername: Looking for user 'blahuser_t'
2006/04/07 14:10:30| authBasicDecodeAuth: Found user 'blahuser_t' in the user cache as '0xa4f29e8'
2006/04/07 14:10:30| authenticateStart: 'blahuser_t:euhtansoeuhtnsaoeu'
2006/04/07 14:10:30| helperSubmit: blahuser_t euhtansoeuhtnsaoeu
For the above two I get prompted again, but asking again got me in with:
2006/04/07 14:10:34| authenticateBasicDecodeAuth: cleartext = 'blahuser_t:888888'
2006/04/07 14:10:34| authBasicAuthUserFindUsername: Looking for user 'blahuser_t'
2006/04/07 14:10:34| authBasicDecodeAuth: Found user 'blahuser_t' in the user cache as '0xa4f29e8'
2006/04/07 14:10:34| authenticateStart: 'blahuser_t:888888'
2006/04/07 14:10:34| helperSubmit: blahuser_t 888888
2006/04/07 14:10:34| aclMatchUser: user is blahuser_t, case_insensitive is 0
2006/04/07 14:10:34| helperSubmit: http://slashdot.org/ 10.184.184.193/- blahuser_t GET
Any suggestions would be most appreciated.
Thanks,
==ml
-- Michael W. Lucas mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org http://www.BlackHelicopters.org/~mwlucas/ "The cloak of anonymity protects me from the nuisance of caring." -Non SequiturReceived on Fri Apr 07 2006 - 12:49:10 MDT
This archive was generated by hypermail pre-2.1.9 : Mon May 01 2006 - 12:00:02 MDT