Rick, please respond to the mailing list, not just to me.
Read up on the ACLs. If the destination is signup.com then you can REQUIRE authentication, or not... !REQUIRED

    acl newbies dst signup.com
    acl authenticated proxy_auth REQUIRED
    # ACLs on one http_access line are ANDed, so each gets its own line
    http_access allow newbies
    http_access allow authenticated

(I think this would work...and if it doesn't that's another reason to post to the list so others can correct my error and we all learn)

All traffic for their browser is directed (or ends up at) the proxy server. How will squid know to direct them to this activate account webpage? What makes a user who has an account vs one who does not different and how will squid know it? Squid will not know until they either pass/fail an authentication run. It sounds like you want all failed authentication to end up on the sign up page. The first-time user would be presented with a logon box, not know what to do with it, but if failed out three times would end up on this page. If they didn't try and fail they'd call the helpdesk (you!:))

Better to just send new users to this page in the first place. Once signed up, as part of this process, they can then end up at the disclaimer page, and then start browsing the internet.

You want to show the disclaimer page every time they go out to the internet? Then all traffic from Squid has to end up at this disclaimer page. Now what does the user do? If they try to go to the internet again they end up at the disclaimer page again....and again.

Sounds like you want a !REQUIRED....for the single sign up site. This means if they are told to go to signup.com it won't authenticate them and they can then sign up. If signup.com is inside the gateway (that you said the proxy is defined as) then you don't need to worry about the ACL and they will just go to it on your back end network. In both cases they need to be told go to signup.com to sign up.

Better yet, when they turn in their physicals, payment for class, etc...have them sign an internet use policy form and keep that in their file and grant internet access at the same time as their email account and other accesses are created.

Chris Perreault

-----Original Message-----
From: Rick Whitley [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 13, 2004 8:52 PM
To: Chris Perreault
Subject: RE: [squid-users] ldap authentication...

Hi Chris

Sorry to keep bothering you. Do you have an example of how to pass non-authenticated traffic through to one site and authenticated through to another? When the user gets on the network for the first time they will be non-authenticated and be passed to a site where they can activate their account. After that the user will be authenticated and needs to be passed to a site which displays a disclaimer prior to them getting on the internet. Does this sound feasible?

Thanks again for your help.

rick...
Rom.5:8

>>> Chris Perreault <[EMAIL PROTECTED]> 7/12/2004 2:10:19 PM >>>
No need to apologize. Often I see someone post something like "I need this" and then 4-5 posts later someone else finally asks why, and then you see "ahhh, you just need to do this instead" :)

If all traffic going through the proxy needs to be authenticated, and you use basic auth, then the users will be presented with a basic auth pop up box asking for their username and password. You can have an ACL rule that allows non-authenticated traffic through, to one site, that web page you mentioned. Alternatively, that website can be inside your network. In that case the students will access that local webserver for their account setup, and then head out through the proxy to the internet.

Traffic going through the proxy can be set up so it needs to be authenticated, doing so on another server first I have not heard of.

Giving the new students notification like: "welcome to school, to access the internet you need to set up your account here: www.internal.webserver.com/student/signup.htm" And then have all proxy traffic that is not authenticated properly be redirected to this site or some other page that explains why they couldn't get access to the internet.

If the users are already logged into some kind of network, then there are other methods of authenticating too.

Spend some time learning about the ACL options and read through some of the online documentation. I picked up the O'Reilly book, "Squid the Definitive Guide" and it helped me a lot..as did scouring the net for information about squid and what we were trying to do.

Chris Perreault

-----Original Message-----
From: Rick Whitley [mailto:[EMAIL PROTECTED]
Sent: Monday, July 12, 2004 2:36 PM
To: Chris Perreault
Subject: RE: [squid-users] ldap authentication...

Hi Chris,

Thanks for the reply and I apologize for the generic posting. We are a university and are setting up a proxy server for the student/dorm internet access. The goal is to have a student (wired or wireless) hit the network, and be displayed a web page that will give them the option to activate their account or if they already have, login and access the internet. We have dhcp with the gateway pointing to the proxy server. The proxy will redirect to a web server to display the page. Once they login the proxy will authenticate them and either reject access or allow access. Do I have the process right or am I way out in left field?

thanks for taking time to respond to this.

rick...
Rom.5:8

>>> Chris Perreault <[EMAIL PROTECTED]> 7/12/2004 1:09:46 PM >>>
The FAQ at the www.squid-cache.org site is one place to research this. When you compile squid you need to have the ldap helper included too.

    ./configure -h will display all the options
    ./configure --enable-basic-auth-helpers=LDAP

From the source code will help.
Within the helpers directory you can drill down into the LDAP directory and read the help files included there too. Using your favorite search engine on SQUID LDAP will give you plenty to read too.

You may also find that stating what you'd like to do, to this list, will result in responses less generic and more geared towards a solution that suits your particular needs.

Chris Perreault

-----Original Message-----
From: Rick Whitley [mailto:[EMAIL PROTECTED]
Sent: Monday, July 12, 2004 1:23 PM
To: [EMAIL PROTECTED]
Subject: [squid-users] ldap authentication...

Hello,

I am new to Squid and would like to know where to find information on setting up squid to use ldap for authentication. I have read that it is part of the basic ncsa_auth module but the only examples I see use ncsa_auth with a passwd file. I'm not asking for anyone to do my job, just tell me where to find some documentation and examples.

thanks

rick...
Rom.5:8
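
Added example, not part of the original thread and not Squid's own code: a simplified Python model of how Squid evaluates http_access lines (top to bottom, first matching line decides, ACLs on one line are ANDed). It shows how an ACL for the sign-up site and a proxy_auth ACL behave on one line versus on separate lines. The function names, sample hosts and user name are assumptions, and any request carrying a user is treated as having valid credentials.

```python
# Simplified model of Squid http_access evaluation (added example, not Squid code).
# Lines are checked top to bottom; ACLs on one line are ANDed left to right
# with short-circuit; the first line whose ACLs all match decides.
# A proxy_auth ACL reached without credentials yields a 407 challenge.

SIGNUP_HOST = "signup.com"  # hostname used in the thread

def acl_newbies(req):
    """Destination ACL: the request is for the sign-up site."""
    return req["host"] == SIGNUP_HOST

def acl_authenticated(req):
    """proxy_auth REQUIRED: True with credentials, 'challenge' without."""
    return True if req.get("user") else "challenge"

def acl_all(req):
    return True

def evaluate(rules, req):
    """Return 'allow', 'deny' or 'challenge' (HTTP 407) for one request."""
    for action, acls in rules:
        matched = True
        for acl in acls:
            result = acl(req)
            if result == "challenge":
                return "challenge"  # the browser is asked for credentials
            if not result:
                matched = False
                break               # AND short-circuits; try the next line
        if matched:
            return action
    return "deny"

# Both ACLs on one line: sign-up site AND authenticated.
COMBINED = [("allow", [acl_newbies, acl_authenticated]),
            ("deny", [acl_all])]

# One ACL per line: sign-up site OR authenticated.
SEPARATE = [("allow", [acl_newbies]),
            ("allow", [acl_authenticated]),
            ("deny", [acl_all])]

# Constructed sample requests: new user to sign-up site, new user to the
# web, known user to the web.
SAMPLES = [{"host": "signup.com"},
           {"host": "example.org"},
           {"host": "example.org", "user": "student1"}]

def outcomes(rules):
    """Decision for each constructed sample request, in order."""
    return [evaluate(rules, r) for r in SAMPLES]
```

With the combined line, a new user is challenged for credentials even on the sign-up site; with separate lines, the sign-up site is reachable without credentials and everything else requires login.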
