Re: [squid-users] HTTP 407 responses

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 17 Feb 2012 10:49:35 +1300

On 16/02/2012 9:31 a.m., Mr J Potter wrote:
> Hi Alex,
>
> I've got it working fine on domain members. I should have explained
> better - I'm setting up a guest wireless network in a school, so all
> devices that attach will be personal, non domain, and as a rule I
> won't get the chance to configure them before they connect.
>
> The devices that I want to connect will be mostly student laptops,
> smartphones and visitors' devices.
>
> The plan is to set up proxy DHCP autoconfig and/or transparent port
> forwarding trick to point people towards the proxy (https is likely
> not to like this I know), but I want a way of getting people to say
> who they are and give them internet access accordingly. I;m using
> squid/squidguard to great effect for the domain machines, and I'd like
> to use the same set of rules for folks connecting their own devices.
>
> How has anyone else done this? the options I've found are basic,
> digest or NTLM all of which have major issues in terms of security,
> configuration or usability respectively.

Ah. "Transparent" interception proxy is not able to do HTTP authentication.

http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Why_can.27t_I_use_authentication_together_with_interception_proxying.3F

You can use WPAD "transparent" configuration, to make them actually
configured after which authenticatino can be used.

Or you can use external_acl_type helper to try and determine whether the
request is legit or not and allow/deny it.

Amos
Received on Thu Feb 16 2012 - 21:49:43 MST

This archive was generated by hypermail 2.2.0 : Fri Feb 17 2012 - 12:00:03 MST