freddykr
Level 7

Checking for user attributes without authentication


In front of our web gateway (v7.2.0.1) we have a squid proxy with digest authentication.

The squid sends the authentication data to the web gateway also ("Proxy-Authorization: Digest username="user1" ,realm="realm1", nonce="xxxxxx"......").

The next step should be that the web gateway checks the LDAP directory for specific attributes to operate with different policies for different user groups.

Because the web gateway is not able to do digest auth to the LDAP itself, it should get the user attributes using only the username transmitted from squid (no authentication, just getting the attributes and working with them).

How can I implement such a policy without authentication (the user should not get a second popup from the web gateway)?

With Basic-Auth at the squid it works with authentication at the web gateway. But, I have to use Digest-Auth at the proxy.


Accepted Solutions
McAfee Employee

Re: Checking for user attributes without authentication


Done...

Give this a shot, please test it under a couple of different scenarios. Try HTTP, HTTPS (with SSL scanner on and off).

[Attached screenshots: 1proxyauth.png, 2proxyauth.png, 3proxyauth.png]

Let me know if it works!

~Jon

3 Replies
McAfee Employee

Re: Checking for user attributes without authentication


Hi Freddy,

How exactly does the squid server send the proxy authorization header?

Is it literally:

Proxy-Authorization: Digest username="user1" ,realm="realm1", nonce="xxxxxx"......

Where "username" is the first value, followed by realm?

There is a ruleset in the library called "Lookup Username From "Proxy-Authorization: Basic" Header" which is similar to what you most likely want.

~jon

freddykr
Level 7

Re: Checking for user attributes without authentication


Thank you.

After I found the small error (the mistake was in my first mail too; there is no space between " and ,realm) it works perfectly.

I cannot test with SSL-Scanner, because we didn't use this option.

But with the normal policies for blocking and coaching it works fine.

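The rule set in this thread survives only as screenshot names, so the following is an added example, not code from the thread or from the product: a Python sketch of the header handling discussed above, tolerant of whitespace around the commas (the `"user1" ,realm` versus `"user1",realm` difference mentioned in the last reply). It accepts the header only from the upstream proxy and escapes the username before it goes into an LDAP filter. The upstream address, the `uid` attribute and all function names are assumptions.

```python
import re

# Assumption: only the upstream squid proxy may supply the header.
TRUSTED_UPSTREAMS = {"192.0.2.10"}  # constructed address (TEST-NET-1)

# One auth-param: name = "quoted string" or name = token (RFC 7235 grammar).
_PARAM = re.compile(r'([A-Za-z][\w-]*)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')


def parse_digest(header_value):
    """Return the Digest parameters as a dict, or None for any other scheme."""
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    params = {}
    for name, quoted, token in _PARAM.findall(rest):
        value = re.sub(r"\\(.)", r"\1", quoted) if quoted else token
        params.setdefault(name.lower(), value)  # first occurrence wins
    return params


def username_from_proxy(client_ip, header_value):
    """Username asserted by the upstream proxy, or None if it must not be trusted."""
    if client_ip not in TRUSTED_UPSTREAMS:
        return None  # a direct client could put any name in this header
    params = parse_digest(header_value or "")
    if not params or not params.get("username"):
        return None
    return params["username"]


def ldap_filter(username, attribute="uid"):
    """Build a search filter with RFC 4515 escaping of the untrusted value."""
    escaped = "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in username)
    return "(%s=%s)" % (attribute, escaped)


if __name__ == "__main__":
    # Constructed sample headers: with and without the space before ",realm".
    for sample in ('Digest username="user1" ,realm="realm1", nonce="abc"',
                   'Digest username="user1",realm="realm1", nonce="abc"'):
        print(ldap_filter(username_from_proxy("192.0.2.10", sample)))
```

Because the gateway never verifies the digest response itself, the username is only as trustworthy as the path it arrived on, which is why the sketch drops the header for any client other than the upstream proxy.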