Author Topic: HTTP Proxy LDAP Authentication problem  (Read 37312 times)
entourage

« on: Tuesday 09 June 2009, 01:26:19 am »

I have ver. 2.2 installed and working...mostly.

I've set up LDAP Authentication and it appears to be working because I can select and enable my 'Internet Users' AD group. If I set the Green interface to Transparent, it filters as it should. It blocks pages, restricts browsers and scans sites...HOWEVER it doesn't care what group I'm in. I don't need to be authenticated to the domain at all to get Internet access.

So I set the Green interface to Authentication Required and now any site I try to browse to I'm prompted for a username and password. It doesn't matter how I put in the username/password, I am never able to get to the site and finally, the message comes up saying "Sorry, you are not currently allowed to request: (website) from this cache until you have authenticated yourself."

BTW, I have a single NIC setup as this acts as ONLY a web filtering/caching proxy.

Any ideas or suggestions?
npeterson

« Reply #1 on: Tuesday 09 June 2009, 11:07:43 pm »

If this is going to be a standalone proxy / filter, I wouldn't set this up as transparent. Set up the clients to go directly to the proxy, or use a WPAD. It may be part of your problem as well.
entourage

« Reply #2 on: Tuesday 09 June 2009, 11:44:46 pm »

Yeah, I didn't think I wanted it transparent since Authentication Required was an option, but it wasn't working with the authentication.  I just wanted to verify that filtering was working.

All of my clients are currently directed through an ISA server, so their proxy access is set up and working without a problem. It's just that if I point their proxy to the EFW, it won't authenticate them and gives them the message in my previous post. Should it even prompt them at all?

npeterson

« Reply #3 on: Wednesday 10 June 2009, 01:06:02 am »

Yeah, if you're wanting to track where people go or set up special group access.

If you are using authentication to an Active Directory domain, you should set the authentication type to Windows, not LDAP. I had some problems trying to do LDAP too, and switched over to the Windows (Active Directory) authentication.

You will need to enter a username with the ability to add computers to the domain. After it creates an AD account, I don't believe it uses the account anymore.

Also enter the IP addresses for the PDC and BDC, or if you use their hostnames, you may need to add a host entry on the Network->edit hosts page. Hit Join domain. You can verify that it's connected by going to group policies and selecting add group; your AD groups should be listed there.

Back on the authentication page, set the Authentication realm prompt to your Active Directory domain name (ex company.com). Otherwise your users will need to use company.com\user for their username.
entourage

« Reply #4 on: Wednesday 10 June 2009, 01:37:52 am »

Ok, closer.  I changed it to Windows Authentication and put in my Domain, PDC Hostname, BDC Hostname, username and password.  (My PDC and BDC are the same)  I added the host entry so I could type in my hostname.  Now when I click 'Join Domain' I get this message:

Error while connecting to PDC. Is the PDC listed in the custom nameserver list?

I then added my Server to the Custom nameserver under DNS.  Rebooted, and I still get this message.
I also notice that up at the top is a message saying

dnsmasq is stopped Starting dnsmasq: [FAILED]

Any ideas?

entourage

« Reply #5 on: Wednesday 10 June 2009, 07:02:01 am »

-Update-

After reading a bit and knowing what little of Linux I actually do know, I decided to make sure my hostnames were all CAPS.  Once I matched the case I was able to join the EFW to the Domain!  (Crazy case sensitive OS)
I set it to Authentication Required and had 'User-based access restrictions' checked.  I put my username in and I can now browse successfully through the proxy.

I was also then able to add my 'SBS Internet Users' group!

Thanks for the help!!
davvidde

« Reply #6 on: Saturday 13 June 2009, 02:55:27 am »

If you change back to LDAP authentication and try to set the groups listed in "group policy" to "unrestricted" instead of "default policy", does the authentication work? (and of course the content filter is BYPASSED?)
I have a similar problem and the LDAP authentication works for me only in this mode but I cannot filter HTTP traffic.
davvidde

« Reply #7 on: Wednesday 24 June 2009, 06:27:15 am »

Nobody has resolved this problem?
entourage

« Reply #8 on: Wednesday 24 June 2009, 06:50:54 am »

I basically gave up on LDAP.  I've read that by design, it constantly requires the use of username/password even though you are already authenticated. 
davvidde

« Reply #9 on: Thursday 25 June 2009, 06:57:51 pm »

That sounds strange to me: with 2.2rc3 I need to authenticate only the first time when I open the browser (Firefox 3 or IE 6), and those credentials are in place until the end of the session.
What log file do I need to set up and look at to debug the problem with the 2.2 final?