[squid-users] Strange authentication problem using squid_radius_auth

From: Michael Schwartzkopff <misch@dont-contact.us>
Date: Thu, 28 Jun 2007 12:12:48 +0200

Hi,

We have been using squid_radius_auth for some time without any problems. Now
we moved to a new platform (OpenSuSE 10.2) and experience a strange behaviour
from squid / squid_radius_auth.

Sometimes (random in time, about once per day) some users tell us that they
cannot use the proxy any more. Squid writes into the logfile:

1183022732.285 30183 172.18.7.13 TCP_DENIED/407 1718 GET http://www.heise.de/ misch NONE/- text/html

Testing squid_radius_auth manually gives no problem, but when I do a tcpdump
on port 1812 I see a lot of

proxy -> radius Access-Request
radius -> proxy Access-Accept

packets on the wire. Since the RADIUS server answers with Access-Accept it
cannot be a problem in authentication. These packets are sent about every
second(!), but it seems that squid somehow does not get the authentication
correct.

After a while squid writes the 407 to the logfile and the user gets a new
authentication window.

Other users still can surf and sometimes squid accepts the authentication
after several tries and the user can use the proxy.

Any idea what might be wrong? Any hint welcome. Thanks.

Config:
squid.conf:
auth_param basic program /usr/local/squid/libexec/squid_radius_auth -f /usr/local/squid/etc/squid_radius_auth.conf
auth_param basic children 5
auth_param basic realm myCompany
auth_param basic credentialsttl 20 minutes
auth_param basic casesensitive off
acl AuthorizedUsers proxy_auth REQUIRED

squid_radius_auth.conf:
server 172.19.1.3
secret testing123

RADIUS Server:
M$ IAS

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75
mail: misch@multinet.de
web: www.multinet.de
Registered office: 85630 Grasbrunn
Register court: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens
---
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42
Received on Thu Jun 28 2007 - 04:13:07 MDT
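
An added example, not part of the original post: a small Python triage script for the symptom described above, which reads Squid native-format access.log lines and separates the normal anonymous 407 challenge from 407s logged with a user name, flagging those slower than an assumed threshold (`SLOW_MS`). The first sample line is the one quoted in the message; the other lines, the threshold and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Squid native access.log fields:
# time elapsed_ms client code/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<mime>\S+)\s*$"
)
SLOW_MS = 5000  # assumed threshold for "the denial took unusually long"

def parse_line(line):
    """Return a dict for one access.log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["elapsed"], rec["status"] = int(rec["elapsed"]), int(rec["status"])
    return rec

def classify(rec):
    """challenge: 407 without a user name (normal first round trip);
    rejected / rejected_slow: 407 although a user name was logged;
    passed: any other status with a user name; anonymous: the rest."""
    if rec["status"] == 407:
        if rec["user"] == "-":
            return "challenge"
        return "rejected_slow" if rec["elapsed"] >= SLOW_MS else "rejected"
    return "passed" if rec["user"] != "-" else "anonymous"

def summarize(lines):
    """Per-user counts of passed/rejected requests and the slowest denial."""
    stats = defaultdict(lambda: {"passed": 0, "rejected": 0, "rejected_slow": 0, "max_denied_ms": 0})
    for rec in filter(None, map(parse_line, lines)):
        kind = classify(rec)
        if kind in ("challenge", "anonymous"):
            continue
        user = rec["user"].lower()  # the posted config sets casesensitive off
        stats[user][kind] += 1
        if kind != "passed":
            stats[user]["max_denied_ms"] = max(stats[user]["max_denied_ms"], rec["elapsed"])
    return dict(stats)

# First line is the one quoted in the message; the rest are constructed samples.
SAMPLE = [
    "1183022732.285 30183 172.18.7.13 TCP_DENIED/407 1718 GET http://www.heise.de/ misch NONE/- text/html",
    "1183022735.101 2 172.18.7.13 TCP_DENIED/407 1700 GET http://www.heise.de/ - NONE/- text/html",
    "1183022790.440 212 172.18.7.13 TCP_MISS/200 5120 GET http://www.heise.de/ misch DIRECT/192.0.2.20 text/html",
    "1183022791.002 180 172.18.7.20 TCP_MISS/200 900 GET http://example.org/ Alice DIRECT/192.0.2.10 text/html",
]
```

A user who shows both `passed` and `rejected_slow` counts in the same window matches the intermittent pattern reported here and is worth correlating with the RADIUS capture by timestamp.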