> I have squid server running in transparent mode.
> The scenario is:
> 1) As the user sends any http request all the port 80 traffic will
> be redirected to squid server.
> 2) The Squid Server will then throw a page (jsp or cgi) on the user's
> screen where he will enter the username and password.
> 3) Now as we want to do authentication on the basis of username,
> password, IP address and MAC address, this CGI/Perl script will
> extract the user's machine MAC and IP address and send it to the squid
> server along with username and password.
> 4) Squid will forward these parameters to another server and wait
> for a response. If the user is authenticated he will be allowed to pass
> through to access the page he requested.

If you want to do this exactly the way you describe, then you are in
for a LOT of work. I'm not even sure if it's possible. Here's what I
would suggest:

1) Skip transparent proxying. Use a proxy.pac script (see the FAQ) if
you're worried about having to reconfigure each browser if you change
the proxy IP address or port.

2) Use IPTables on the Squid box to match up MAC addresses and IP
addresses. REJECT (don't DROP) access if they don't match. Create a
text file with a list of IP addresses and matching MAC addresses, then
write a script that reads this file and generates the IPTables rules.

3) Use Squid's basic auth with either the LDAP or Winbind helpers
(depending on your setup). This will prompt the user for a username
and password, then pass them to another server to verify them.

4) Use the max_user_ip acl to restrict a user to a single IP address
(whatever IP address they use first), and set authenticate_ip_ttl high
to make it difficult to switch IP addresses.

5) Write a script that audits the access.log and looks for users not
coming from their assigned IP address, then bust them.

That's probably the simplest way to implement what you want. Anything
else will require a lot of programming work, and may not even be
possible.

Adam
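The two scripts Adam leaves as an exercise (step 2, generating the IPTables rules from an IP/MAC list, and step 5, auditing access.log for users showing up from the wrong IP) are sketched below as one added example. It is not code from the thread or from the Squid project. The assignment-file layout ("ip mac user", one per line), the chain name SQUID_MAC, the interface eth0, the port 3128 and the sample log lines are all assumptions constructed for the example; the log lines follow Squid's native access.log format, in which the eighth field is the authenticated username.

```python
"""
Added example (not from the original squid-users thread): generate the
IP/MAC pinning rules of step 2 and audit access.log as in step 5.
File layout, chain name, interface and port are assumptions.
"""
import ipaddress
import re
import shlex

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

# Constructed sample of the assignment file: "ip mac user", one per line.
ASSIGNMENTS_TXT = """\
# ip            mac                 user
192.168.1.10    00:11:22:33:44:55   alice
192.168.1.11    00:11:22:33:44:66   bob
"""

# Constructed access.log lines in Squid's native format:
# time elapsed client code/status bytes method URL user hierarchy/peer type
ACCESS_LOG = """\
1080000000.123    120 192.168.1.10 TCP_MISS/200 1234 GET http://example.com/ alice DIRECT/93.184.216.34 text/html
1080000001.456     80 192.168.1.99 TCP_MISS/200 567 GET http://example.org/ bob DIRECT/93.184.216.34 text/html
1080000002.789     40 192.168.1.11 TCP_HIT/200 89 GET http://example.net/ bob NONE/- text/html
1080000003.000     10 192.168.1.12 TCP_DENIED/407 0 GET http://example.com/ - NONE/- text/html
"""


def parse_assignments(text):
    """Return {ip: (mac, user)}; malformed lines raise instead of being skipped."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'ip mac user', got {raw!r}")
        ip, mac, user = parts
        ipaddress.ip_address(ip)          # raises on a malformed address
        mac = mac.lower()
        if not MAC_RE.match(mac):
            raise ValueError(f"line {lineno}: bad MAC {mac!r}")
        if ip in table:
            raise ValueError(f"line {lineno}: duplicate IP {ip}")
        table[ip] = (mac, user)
    return table


def iptables_rules(table, iface="eth0", squid_port=3128, chain="SQUID_MAC"):
    """Return the iptables commands (as strings) that pin each IP to its MAC.

    Connections to the proxy port are diverted into a dedicated chain. A
    packet whose source IP and source MAC match a listed pair RETURNs to
    INPUT; anything else is REJECTed with a TCP RST so the client fails
    fast (Adam's "REJECT, don't DROP"). The -N fails harmlessly if the
    chain already exists; the -F then makes the script safe to re-run.
    """
    rules = [f"iptables -N {chain}", f"iptables -F {chain}"]
    for ip, (mac, user) in sorted(table.items()):
        rules.append(
            f"iptables -A {chain} -s {ip} -m mac --mac-source {mac} "
            f"-m comment --comment {shlex.quote(user)} -j RETURN"
        )
    rules.append(f"iptables -A {chain} -p tcp -j REJECT --reject-with tcp-reset")
    rules.append(f"iptables -I INPUT -i {iface} -p tcp --dport {squid_port} -j {chain}")
    return rules


def audit_access_log(log_text, table):
    """Return (user, client_ip, assigned_ip) for every request violating step 5.

    assigned_ip is None when the user is not in the assignment file at all.
    Unauthenticated requests (user field "-") are ignored; the iptables
    check and Squid's own auth already deal with those.
    """
    assigned = {user: ip for ip, (_, user) in table.items()}
    findings = []
    for raw in log_text.splitlines():
        fields = raw.split()
        if len(fields) < 10:
            continue                      # not a native-format line
        client_ip, user = fields[2], fields[7]
        if user == "-":
            continue
        expected = assigned.get(user)
        if expected != client_ip:
            findings.append((user, client_ip, expected))
    return findings


if __name__ == "__main__":
    table = parse_assignments(ASSIGNMENTS_TXT)
    print("\n".join(iptables_rules(table)))
    for user, seen, expected in audit_access_log(ACCESS_LOG, table):
        print(f"ALERT {user} seen from {seen}, assigned {expected}")
```

One caveat worth keeping in mind with step 2: the MAC that `-m mac --mac-source` sees is the last hop's MAC, so the pinning only means anything for clients on the same Ethernet segment as the Squid box; a client behind a router shows up with the router's MAC. The squid.conf side of Adam's plan (the max_user_ip acl and authenticate_ip_ttl in step 4) is not generated by this script.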
