Proxy Authentication

Explicit Proxy Authentication

If explicit proxy authentication is enabled, only authenticated users can access the Internet through the proxy. Squid requests user credentials from the browser (using single-sign-on schemes such as Kerberos or NTLM, or by asking the user to type a valid login and password into a popup box), as described in the Squid Wiki at https://wiki.squid-cache.org/Features/Authentication. This type of authentication can be used only in explicit proxy deployments, where the browser is configured to use the proxy.
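The credential request described above is an HTTP 407 challenge that the browser answers with a Proxy-Authorization header. The following Python sketch is an added example, not part of the product or of Squid: it lists the schemes a proxy offers and shows that a Basic answer is only base64-encoded, so it can be read by anyone who sees the traffic. The sample response, user name and password are constructed for illustration.

```python
import base64

# Constructed sample of a 407 challenge offering three schemes
# (written for this example, not captured from a real proxy).
SAMPLE_407 = (
    b"HTTP/1.1 407 Proxy Authentication Required\r\n"
    b"Proxy-Authenticate: Negotiate\r\n"
    b"Proxy-Authenticate: NTLM\r\n"
    b'Proxy-Authenticate: Basic realm="Example proxy"\r\n'
    b"Content-Length: 0\r\n"
    b"\r\n"
)

def offered_schemes(raw_response):
    """Return the schemes named in Proxy-Authenticate headers, in order."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or status[1] != "407":
        return []  # not a proxy authentication challenge
    schemes = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "proxy-authenticate" and value.strip():
            schemes.append(value.strip().split(None, 1)[0])
    return schemes

def basic_proxy_authorization(user, password):
    """Build the header a browser sends when it answers a Basic challenge."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Proxy-Authorization: Basic {token}"

def recover_basic_credentials(header):
    """Decode a Basic header back to (user, password): encoding, not encryption."""
    scheme, token = header.split(":", 1)[1].split()
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password

if __name__ == "__main__":
    print(offered_schemes(SAMPLE_407))
    hdr = basic_proxy_authorization("alice", "s3cret")
    print(hdr, "->", recover_basic_credentials(hdr))
```

When Basic appears in the offered list, the link between browser and proxy needs its own protection, because the header alone does not hide the password.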

The following three types of explicit authentication are available in Admin UI.

Active Directory Authentication

Active Directory authentication allows Squid to limit access to the proxy based on user names and security groups stored in Microsoft AD. It is possible to authenticate to AD using the Kerberos, NTLM and/or Basic LDAP authentication schemes. Active Directory authentication is described in the article Integration with Microsoft Active Directory.

Local User Authentication

Local user authentication allows the administrator to create a predefined list of users and passwords for this proxy. When a user tries to connect, a popup asks for the user's credentials. Squid verifies the provided credentials and allows or denies web access. This method of authentication is common in small networks with a limited number of users.

Radius Authentication

Radius authentication allows the administrator to authenticate proxy users with the help of an external Radius server. When a user tries to connect, a popup requires the user to enter credentials. Squid sends the provided credentials to the configured Radius server and allows or denies web access based on the Radius response.

Pseudo Proxy Authentication

Pseudo proxy authentication allows the administrator to transparently map a given IP address to a user name or MAC address without requiring the browser to log in. This type of pseudo authentication is typically used in transparent deployments or in small networks where the administrator manages IP or MAC addresses manually.

The following two types of pseudo proxy authentication are available in Admin UI.

User Labelling

It is also possible to manually assign user names to the IP addresses or MAC addresses of the devices connecting to the proxy. This scenario is only usable in small (home) networks where IP and MAC addresses are known to the administrator and proxy users do not roam among devices.

Active Directory Inspector

EXPERIMENTAL: The Active Directory Inspector authenticator allows the administrator to automatically map the IP addresses of browsers connecting through the proxy to user names. If enabled, the UI periodically connects to any Active Directory Inspector server that the administrator installs on a domain controller within the network and maps the IP address provided by Squid to a user name. This type of pseudo authentication requires running a separate AD inspection server, as indicated at https://github.com/diladele/active-directory-inspector.