Request: Step-by-Step Guide for Enforcing Kerberos Authentication in NS7 Squid Proxy

I am setting up Kerberos authentication with Squid Proxy on NethServer 7.9.2009 (Community Edition), but I am facing issues where non-domain computers can still access the internet without authentication. I have configured Squid with Kerberos authentication, but it seems something is missing.

Current Configuration:
NethServer Version: 7.9.2009 (Community Edition)
Active Directory Integration: Enabled
DNS Resolving Correctly
Kerberos Tickets Are Obtainable from NethServer
Squid Configuration Includes Authentication Directives

Issues Faced:
Domain-joined users authenticate successfully, but non-domain users still access the internet.
The Squid logs (/var/log/squid/access.log) do not show authentication failures.
Kerberos authentication tests (kinit, klist) succeed, but Squid does not enforce authentication properly.
Non-domain computers are not prompted for authentication and bypass the proxy rules.

Request for Assistance:
I am looking for a detailed step-by-step guide on properly enforcing Kerberos authentication in Squid Proxy on NethServer, ensuring that only authenticated domain users can access the internet.

Specifically, I need guidance on:

The correct Squid ACL and authentication directives to enforce domain authentication.
Ensuring Kerberos tickets are correctly obtained from the Active Directory KDC.
Blocking non-domain computers from bypassing authentication.
Any additional logs or troubleshooting steps to verify the setup.
Has anyone successfully implemented this scenario on NethServer? Any official documentation or community guides would be greatly appreciated!

Thanks in advance!
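Squid evaluates http_access rules top-down and stops at the first match, so a network-based "allow" placed above the rule that references the proxy_auth ACL lets every host in that network through without a 407 challenge, which produces exactly the symptom described in the post (no authentication failures in access.log, non-domain machines never prompted). The script below is an added example, not code from the original thread or from NethServer; the two squid.conf fragments are constructed samples (the service principal, network range and ACL names are assumptions), and the audit function only checks rule ordering, not whether the keytab or KDC are reachable.

```sh
#!/bin/sh
# Added example: audit the http_access ordering of a squid.conf.
# Squid applies http_access rules first-match. If an "http_access allow <net>"
# is reached before any rule that references the proxy_auth ACL, clients in
# that network are never challenged and bypass Kerberos authentication.

# Weak configuration (constructed sample): "allow localnet" precedes the
# authentication requirement, so every LAN host is admitted unauthenticated.
WEAK_CONF='
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -s HTTP/proxy.example.local@EXAMPLE.LOCAL
auth_param negotiate children 20
auth_param negotiate keep_alive on
acl localnet src 192.168.1.0/24
acl auth_users proxy_auth REQUIRED
http_access allow localhost
http_access allow localnet
http_access deny !auth_users
http_access allow auth_users
http_access deny all
'

# Corrected ordering (constructed sample): unauthenticated clients are
# denied (and challenged) before any network-based allow is evaluated, and
# the network allow additionally requires the authenticated ACL.
FIXED_CONF='
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -s HTTP/proxy.example.local@EXAMPLE.LOCAL
auth_param negotiate children 20
auth_param negotiate keep_alive on
acl localnet src 192.168.1.0/24
acl auth_users proxy_auth REQUIRED
http_access allow localhost
http_access deny !auth_users
http_access allow localnet auth_users
http_access deny all
'

# audit_http_access  (reads squid.conf text on stdin)
# Prints every "http_access allow" that is reached before the first rule
# referencing a proxy_auth ACL and returns 1 in that case; returns 0 when
# authentication is enforced before any network allow. "localhost" and
# "manager" allows are ignored because they do not admit LAN clients.
audit_http_access() {
    awk '
    { sub(/#.*/, ""); if ($0 ~ /^[[:space:]]*$/) next }   # drop comments/blank lines
    $1 == "acl" && $3 == "proxy_auth" { auth[$2] = 1 }     # remember proxy_auth ACL names
    $1 == "http_access" {
        refs_auth = 0
        for (i = 3; i <= NF; i++) {                          # does the rule use an auth ACL?
            name = $i; sub(/^!/, "", name)
            if (name in auth) refs_auth = 1
        }
        if (refs_auth) {
            enforced = 1                                     # challenge happens from here on
        } else if ($2 == "allow" && !enforced && $3 != "localhost" && $3 != "manager") {
            print "LEAK: \"" $0 "\" is reached before the proxy_auth ACL is checked"
            leak = 1
        }
    }
    END { exit leak ? 1 : 0 }
    '
}

# Usage: run against the live file with  audit_http_access < /etc/squid/squid.conf
if printf '%s\n' "$WEAK_CONF" | audit_http_access; then
    echo "weak sample: authentication enforced (unexpected)"
else
    echo "weak sample: authentication can be bypassed"
fi
if printf '%s\n' "$FIXED_CONF" | audit_http_access; then
    echo "fixed sample: authentication enforced"
fi
```

On a NethServer 7 installation the generated squid.conf should be inspected the same way: locate the rule that references the proxy_auth ACL and confirm no broader "http_access allow" line sits above it. Passing this check still leaves hosts that do not use the proxy at all; those must be stopped with a firewall rule on ports 80 and 443, as discussed later in the thread.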

Hi @malsaadoon

No matter how you set up your Squid Proxy, one of the most important things is creating a whitelist for all “servers” (including NS8!), then having a rule on your firewall blocking all non-whitelisted hosts from using ports 80 and 443. This is so that your servers can get updates at any time, without any issues with AD, even if AD is “down” for maintenance.

I did implement something similar a few years back (for several clients), but that was still using SME-Server or NethServer 7, and both are very different animals from the present NS8.
Squid is still Squid, so that makes things simpler.

I did not use AD integration, as BYOD (Bring your own device) was allowed, and private Computers / Notebooks / Tablets and Smartphones were not members of the AD.

I used manual mode, allocating the Proxy with WPAD to the clients. Windows until Win10 still respected WPAD, if available (I’m not sure about Win11.). Linux, BSD, Macs, Androids and iOS needed a manual change to either accept WPAD or the Proxy itself.
At the time I was using Webalizer, optimized for Squid Proxy, as statistics.

On top of all this, I created special “warning” pages, e.g. for Facebook, Insta, WhatsApp, displaying a warning that such sites were not allowed during working hours, and that HR can see access attempts. For some clients I even implemented a cron job allowing after-hours access to those sites (outside of office hours).

The WPAD proxy.pac file was highly customized.

I hope the pointers / tips above help, but if required I can provide a bit more…

I still have most of my own docs for this, but not everything. In 2018 there were 2 major outages in the Swiss town I was living in then, and both had the same cause, and were 2 days apart. Disks were still rebuilding the RAID on my storage when the second one hit. Both outages lasted 8+ hours, a very long time for an outage in Switzerland!

My 2 cents
Andy

Hi Andy,

Thanks for sharing your experience! Your approach using WPAD and manual proxy allocation makes sense in environments where BYOD is allowed, and authentication enforcement is not a strict requirement. However, in my case, I must enforce Kerberos authentication, ensuring that only domain-joined devices can access the internet via Squid.

I have already configured Active Directory integration and verified that Kerberos authentication is working at the system level (e.g., kinit and klist are functioning correctly). However, Squid still allows non-domain computers to connect, which suggests that something is missing in my configuration.

I am particularly interested in how you structured your access controls in Squid. Since Squid is still Squid, do you recall if you implemented any additional ACLs or authentication checks to restrict access to only authenticated domain users?

Also, I appreciate your insight on custom warning pages—this could be a useful addition later on! If you still have any relevant documentation on enforcing authentication-based access controls in Squid, I’d love to check it out.

I will check my archives this weekend to see if I can find some useful stuff.
I do recall doing a lot of ACLs and stuff.
And also firewall rules to stop any bypass or “leakage” (unauthorised hosts accessing the Internet!).
But it was quite a while ago, and I do have some docs about this.

I will come back to you in a couple of days, maybe even earlier…

My 2 cents
Andy

Dear Gents, any suggestions?