Setup Squid and FreeRADIUS on CentOS 5 and CentOS 6

This tutorial assumes you have already set up FreeRADIUS; if you have not, set it up first.

In this article we will set up the popular Squid proxy software to authenticate against FreeRADIUS. We will also supply standard configs to get you going.

Please note: we used Squid version 2.6.STABLE21 in this article, but it still applies to version 3; just make sure you note the differences between the two versions.

OK, nice and easy, let's install Squid:

yum install squid -y

Now open up /etc/squid/squid.conf and add the config below to the top of this file for Squid 2.6:

#  TAG: auth_param
#Authentication Radius:
auth_param basic program /usr/local/squid/libexec/squid_radius_auth -f /etc/squid/squid_rad_auth.conf
auth_param basic children 5
auth_param basic realm YOURSITENAME
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl radius-auth proxy_auth REQUIRED

#  TAG: http_access
# Allow authorized users:
http_access allow radius-auth

Open up /etc/squid/squid.conf and add the config below to the top of this file for Squid 3:

#  TAG: auth_param
#Authentication Radius:
auth_param basic program /usr/lib64/squid/squid_radius_auth -f /etc/squid/squid_rad_auth.conf
auth_param basic children 5
auth_param basic realm YOURSITENAME
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl radius-auth proxy_auth REQUIRED

#  TAG: http_access
# Allow authorized users:
http_access allow radius-auth

Only do the steps below if you are using Squid 2.6; if you are on v3, skip ahead to creating the squid_rad_auth.conf file.

Now let's grab the RADIUS plugin:

wget http://www.squid-cache.org/contrib/squid_radius_auth/squid_radius_auth-1.10.tar.gz

Extract the files:

tar xvzf squid_radius_auth-1.10.tar.gz

Move to its directory:

cd squid_radius_auth-1.10

Now let's install the plugin:

cp Makefile.default Makefile
make clean
make install

Copy the radius auth binary to its location:

cp squid_radius_auth /usr/local/squid/libexec/squid_radius_auth

Create the radius plugin config file:

touch /etc/squid/squid_rad_auth.conf

And enter the following:

server 123.123.123.123 # Radius Server IP or Hostname
secret your_secret_here

After you save that – start squid and make sure all is ok:

service squid restart

Now set up your Squid proxy in your favourite browser on port 3128; when you start to browse or open your browser, it should show you a prompt to log in.

You should now be good to go.

Have Fun
SafeSrv.net
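
Before pointing a browser at the proxy, the helper named in the auth_param basic program line can be run by hand: Squid's basic-auth helpers read one "username password" line per request on stdin and answer OK or ERR. The Python below is an added example, not part of the original article; it uses the Squid 3 helper path from the config above, and the credentials are placeholders.

```python
import subprocess
from urllib.parse import quote

# Helper command from the Squid 3 auth_param line in this article.
HELPER = ["/usr/lib64/squid/squid_radius_auth",
          "-f", "/etc/squid/squid_rad_auth.conf"]


def ask_helper(helper_cmd, username, password, timeout=60):
    """Send one credential line to a basic-auth helper, as Squid would.

    Returns (verdict, detail) where verdict is OK, ERR, MISSING, TIMEOUT
    or NO-VERDICT.
    """
    # Squid writes "user password\n" with special characters percent-escaped,
    # so a space in a password is not mistaken for the separator.
    # urllib's quote() approximates that escaping here.
    line = "{} {}\n".format(quote(username, safe=""), quote(password, safe=""))
    try:
        proc = subprocess.run(helper_cmd, input=line, capture_output=True,
                              text=True, timeout=timeout)
    except (FileNotFoundError, PermissionError) as exc:
        return "MISSING", "cannot execute helper: {}".format(exc)
    except subprocess.TimeoutExpired:
        return "TIMEOUT", "no answer within {}s".format(timeout)
    words = proc.stdout.split()
    if words and words[0] in ("OK", "ERR"):
        return words[0], proc.stderr.strip()
    # The helper exited without answering; its stderr usually says why.
    return "NO-VERDICT", "exit code {}: {}".format(proc.returncode,
                                                   proc.stderr.strip())


if __name__ == "__main__":
    # Placeholder credentials: use an account that exists in FreeRADIUS.
    verdict, detail = ask_helper(HELPER, "alice", "password")
    print(verdict, detail)
```

Run it as the user Squid runs as, so that read permissions on squid_rad_auth.conf are tested too.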

31 replies
  1. flash says:

    Hey, nice tutorial.
    By the way, what is the Squid Version used in the article??

    Reply
  2. feby says:

    Thanks, nice tutorial.

    I have one question: how do we set the username and password once we finish the setup and get the auth prompt as in your article above? Any database, maybe?

    Reply
    • Admin says:

      Hi there – you can create users locally in the FreeRADIUS configs (http://freeradius.org/radiusd/man/users.html) or find a system that creates them in MySQL for you; our module does this with WHMCS along with supporting a lot of other features, or you could give http://www.daloradius.com a whirl.

      Reply
      • feby says:

        Thanks, any config in the file radiusd.conf?

        Reply
        • Admin says:

          Hi feby – what are you looking for in radiusd.conf?

          Reply
          • feby says:

            OK, so I have installed squid3, FreeRADIUS and squid_radius_auth. I followed this article and it was a success: when I open the browser, the authentication pop-up comes up. OK, good so far.

            But when I want to create a username and password, I get a problem. I don't understand how to create the user and password, and then you gave me the tutorial at http://freeradius.org/radiusd/man/users.html .

            I have created a user in FreeRADIUS users:

            bob Cleartext-Password := "hello"

            but there is still an error.

            Log from FreeRADIUS:

            Ignoring request to authentication address * port 1812 from unknown client 192.168.20.105 port 53147

            and log from Squid:

            squid_rad_auth : No response from RADIUS server

            Can you help me? Is there any configuration I am missing?

  3. Admin says:

    Hi feby – this just means you need to add “192.168.20.105” to clients.conf in the FreeRADIUS directory and restart the service.

    Reply
  4. Mainak says:

    I have one question. Can we make this Squid authentication free so that I can use it as a proxy in my VPN? Then how?

    Reply
    • Admin says:

      Hello – sorry, what do you mean by “Free”?

      Reply
      • Mainak says:

        Sorry, I meant to say that no authentication will be required. I figured it out :P I did not apply any ACL rule and then added one rule

        http allow all

        then it works as a Squid proxy without any authentication.

        One question though: I have seen many proxies in hidemyass/xroxy which have port 80/8080 and they don't show as a Squid proxy, i.e. they are transparent proxies. How can I make such a proxy?

        Reply
  5. imran says:

    How do I authenticate RADIUS users through Squid in order to use Squid? Please comment. I am getting the username and password prompt, but my RADIUS client username and password are not authenticated and it prompts me again for the username and password.

    I will be waiting for your response,

    thanks

    Reply
    • Admin says:

      Hello – have you tried running RADIUS in debug mode and then trying to connect, to see if your Squid is reaching FreeRADIUS?

      Reply
  6. thedarke says:

    I’ve been toying with SSHA authentication via FreeRADIUS + MySQL without OpenLDAP (which works fine).

    I take it to get SSHA working with Squid I’ll need to re-write the authenticate function to use SHA-1 and pick the salt from wherever I’m storing it so the two can cross-authenticate?

    Reply
  7. ibef says:

    How do I set this up as a transparent proxy? I have information that squid rad cannot support a transparent proxy. Is that sure?

    Reply
  8. zhou says:

    I start Squid but it returns “The basicauthenticator helpers are crashing too rapidly, need help!” I don’t set the RADIUS server. Is it a must to set the RADIUS server?

    Reply
  9. Anwar says:

    Hi, I just followed your instructions to configure Squid auth with FreeRADIUS.

    Actually my FreeRADIUS uses a MySQL database. I can test it using radtest, successfully, with a username and password from MySQL (table radcheck).

    But when I try in the browser I get an error like below:

    Sending duplicate reply to client localprivate port 42003 – ID: 2
    Sending Access-Reject of id 2 to 192.168.2.3 port 42003
    Waking up in 2.9 seconds.
    rad_recv: Access-Request packet from host 192.168.2.3 port 42003, id=2, length=63

    Sending duplicate reply to client localprivate port 42003 – ID: 2
    Sending Access-Reject of id 2 to 192.168.2.3 port 42003
    Waking up in 0.9 seconds.

    Found Auth-Type = PAP
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group PAP {…}
    [pap] login attempt with password “b9?I? +�(�Ч�Y�?”
    [pap] Using clear text password “password”
    [pap] Passwords don’t match
    ++[pap] returns reject
    Failed to authenticate the user.
    WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
    Using Post-Auth-Type REJECT

    Help me, please

    Thanks

    Reply
  10. Anwar says:

    Hi Admin,

    This is the output when I try squid3 -V

    Squid Cache: Version 3.1.19

    Reply
  11. anwar says:

    Actually in my radcheck table I have this data.

    username | attribute | op | value
    -------------------------------------------------
    alice | Cleartext-Password | := | password

    Am I right to log in with this username and password at the Squid username and password prompt?

    Reply
  12. anwar says:

    Yes, I am.

    This is the file

    squid_rad_auth.conf
    —————————–
    server 192.168.2.3
    secret testing123

    and my squid.conf configuration is like in your blog post. Is anything wrong?
    I am suspicious of this in the log:

    [pap] login attempt with password “b9?I? +�(�Ч�Y�?”
    [pap] Using clear text password “password”
    [pap] Passwords don’t match

    Is it because of a different authentication method between Squid and RADIUS?

    Reply
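
The unreadable password in the FreeRADIUS debug output quoted above is what that log's warning about the shared secret refers to: the client hides the User-Password by XORing it with MD5(secret + Request Authenticator) (RFC 2865, section 5.2), and the server reverses this with its own copy of the secret. The Python below is an added example, not part of the original post or its comments, that reproduces the effect offline; the authenticator bytes and the mismatching secret "testing124" are constructed.

```python
import hashlib


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """Client side (here the Squid helper): RFC 2865 section 5.2 hiding."""
    if not 1 <= len(password) <= 128 or len(authenticator) != 16:
        raise ValueError("need a 1..128 byte password and 16 byte authenticator")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        # Each 16-byte block is XORed with MD5(secret + previous block).
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += prev
    return hidden


def recover_password(hidden, secret, authenticator):
    """Server side: reverse the hiding with the secret held for this client."""
    if not hidden or len(hidden) % 16 or len(authenticator) != 16:
        raise ValueError("hidden password must be a multiple of 16 bytes")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")


def server_view(password, helper_secret, server_secret, authenticator):
    """What the server's PAP module compares against the stored password."""
    hidden = hide_password(password, helper_secret, authenticator)
    return recover_password(hidden, server_secret, authenticator)


if __name__ == "__main__":
    ra = bytes(range(16))  # constructed Request Authenticator (random in practice)
    # Secret from the squid_rad_auth.conf quoted in the comments; the
    # mismatching server-side value "testing124" is constructed.
    print(server_view(b"password", b"testing123", b"testing123", ra))
    print(server_view(b"password", b"testing123", b"testing124", ra))
```

The secret in squid_rad_auth.conf has to be identical to the secret of the clients.conf entry that matches the Squid host's address.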
  13. shiladitya says:

    Can Squid and the RADIUS server work on the same server? Then what is the squid_rad_auth.conf configuration?
    We have tried with the localhost IP; is there a way out?

    Reply
    • Admin says:

      Hello – you would simply enter 127.0.0.1 and make sure there is a client in the radius config file clients.conf with 127.0.0.1 as the client IP.

      Reply
  14. raco says:

    Hello, I have Ubuntu 12.4 with Squid 3.x. I tested your config and also put server IP 127.0.0.1 with the secret in squid_rad_auth.conf.

    Now when I want to start the proxy in the browser I need a username and password. Which user and pass should I put?
    Thanks

    Reply
  15. mani says:

    Hi, I tested any config on the internet but it does not work.
    I have error 407.
    Squid config:
    http://textuploader.com/?p=6&id=Cdbsy
    This is the error:
    http://textuploader.com/?p=6&id=FEdvX
    Please show me how I can fix this,
    or if this is not enough, please give me your mail and I will send the user and pass.
    Best regards

    Reply

Trackbacks & Pingbacks

  1. […] i try squid using radius authentication. i followed step by step from : http://safesrv.net/setup-squid-and-f…/#comment-1043 But i got error message log on cache.log […]

  2. […] This tutorial assumes you have already setup Squid – to setup Squid to authenticate using FreeRADIUS follow this guide here. […]


Copyright 2013 SafeSrv.net | All Rights Reserved