RAS Infosystems. Powered by Blogger.

Tuesday, 23 August 2016

Squid Configuration With Radius Authentication



In this article we discuss about how to configure squid proxy server with Radius authentication. After configure squid using below steps all proxy clients requires Radius username and password for internet access.

For Squid server installation steps click on How to install squid proxy server

Note – All commands are tested on CentOS 7

Squid Configuration with Radius Authentication

1.     Log in to your CentOS server with root permission and edit “squid.conf” file using vi editor command below,
vi /etc/squid/squid.conf


2.     Enter below line at the beginning of the configuration file
auth_param basic program  /usr/lib64/squid/basic_radius_auth -f /etc/squid/radius.conf

            
  Note: Enter syntax in single line

            In first part of the syntax we define authentication param and call plugin to support authentication where “/usr/lib64/squid/basic_radius_auth” is default plugin path for 64bit servers if its 32bit path should be “/usr/lib/squid/basic_radius_auth” like this.

            Next you have to enter radius config file path.

            Create “radius.conf”file inside “/etc/squid” Open file using  
           
vi /etc/squid/radius.conf

            
           Enter below lines
server 192.168.1.1
secret radiuspassword  


“server” – Enter your radius server IP address
“secret” – Enter your radius server password to validate credentials.
Save and exit (:wq) radius.conf file and open squid conf file in vi editor again,

3.     Enter the below line after step 2
auth_param basic children 5
auth_param basic realm proxyserver
auth_param basic credentialsttl 1 hour


            

“auth_param basic children” is the number of basic authentication helper processes squid uses.
            “auth_param basic realm” here you can enter which every string(name) you want to display in authentication box. Here we use proxyserver so authentication box showing the name proxyserver.
            “auth_param basic credentialsttl 1 hour” is used to reduce authentication process load, by using credentialsttl squid cache successful authentication for 1 hour (as per our example).  If any changes happen in authentication server squid may not notice the change until ttl expiries.

4.     Now move to line below “# Example rule allowing access from your local networks.” in squid config

By default there are number possible networks in squid config like
#acl localnet src 10.0.0.0/8   
#acl localnet src 172.16.0.0/12
#acl localnet src 192.168.0.0/16 
      
Enable network which you want to give internet access through proxy by removing “#” with authentication parameters. In this example we use 192.168.0.0/16

Below syntax enable authentication for possible networks. In this example we use radius authentication so whenever a request from 192.168.0.0/16 series proxy will ask for radius username/password.
acl localnet proxy_auth REQUIRED src 192.168.0.0/16


“acl” – Access control List
“localnet” – name of acl which we allow/denied access in next step.
“proxy_auth REQUIRED” – Using this syntax a request coming from 192.168.0.0/16 network proxy always ask for authentication.
“src” – network source list

5.     Now move to line below “# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS”

Here we will decide whether we have to allow or deny access to acl’s which we enter in step 4. Syntax below,
http_access allow localnet


Above syntax will allow access to localnet (acl name entered in step4). If syntax is like below
http_access deny localnet
  
then it will deny request from localnet.

6.     Squid uses default port 3128 you can change that to any port as you wish. For changing go to line below “# Squid normally listens to port 3128” Syntax below,
http_port 8080


Now squid listen to port 8080 as per above syntax.

7.     Default log file path “/var/log/squid/access.log” you can customize log file path and log name as well, syntax below
access_log /var/log/squid/squidaccess.log



Squid log name change to “squidaccess.log” as per above syntax.

After making above changes in squid.conf save file and exit vi editor using “:wq”.  Now you test the proxy server is working or not, open your browser(chrome) go to settings -> show advance setting->network->change proxy settings->lansettings->enter your proxy server IP address and port number under Proxy Server and click Ok refresh your browser it will ask for proxy authentication. Screenshot below,



Your proxy server is ready with Radius authentication.

Any doubts and query feel free to post it on comment section.



SHARE!!!!! COMMENT!!!!! SUBSCRIBE!!!!!!

2 comments:

  1. This comment has been removed by the author.

    ReplyDelete
  2. This comment has been removed by the author.

    ReplyDelete

Sponsers