Netgate Discussion Forum

    Captive Portal + Squid + Sarg

    • jodel

      I have Captive Portal, Squid and Sarg running. Squid is on port 3128 using local authentication. This works fine if the client PCs are set up to use the proxy. However, if they are not, they can access the Internet freely and bypass Squid and Sarg monitoring reports. How can I redirect all clients through the proxy?

      Alternatively, if I set up the proxy in transparent mode, Sarg only has IP numbers, not user IDs. As I am using DHCP for clients, the IP could be any user, hence the monitoring of Squid logs is of no use, as the ID of the user is not known.

      Ideally I am trying to achieve a Captive portal with monitoring of Internet usage by Client login ID.
      Is that possible with pfSense?     
      Jodel

      • heper

        You could attempt to use WPAD (search the forum for 'wpad').

        It's not a foolproof method, but I don't know of any, except locking proxy settings with Group Policy settings in AD.

        • jodel

          Thanks for the suggestion; however, as clients could be using various devices (phones, etc.), I am not sure how well it would work.
          I have tried putting squid listening on port 80 but normal web traffic goes through anyway unless the proxy in the browser is set to 80.

          What setting could I use to direct all lan traffic to squid on 3128 and then users would have to log into the proxy?
          I know they would be logging in twice, once to the captive portal and once to the proxy but at least I would now have user names in the squid logs.

          Some of the settings I tried in NAT rules to try and do that left the system unusable (with no rules at all visible in the firewall or NAT) and I had to start again.
          The replies and help are much appreciated,
          Jodel

          • lsense

            As far as I know you can't use a transparent proxy and proxy auth at the same time.
            User auth involves the user browser and it can't work if the proxy is not explicitly set.

            • jodel

              I understand that the proxy can't be both transparent and requiring authorization at the same time. 
              Am I correct in assuming that the captive portal is compatible with having the proxy in either configuration?
              If so, a user after authorizing on the portal could, I presume, also be asked to input his name and password again for the proxy? 
              Jodel

              • Nachtfalke

                @jodel:

                I understand that the proxy can't be both transparent and requiring authorization at the same time. 
                Am I correct in assuming that the captive portal is compatible with having the proxy in either configuration?
                If so, a user after authorizing on the portal could, I presume, also be asked to input his name and password again for the proxy? 
                Jodel

                I think this should work but perhaps only with squid3 as proxy. User marcelloc added some code to make it work with non-transparent squid and CP. Further there is a thread somewhere here in the forum from somewhere in 2012 which talks about a possibility to get the usernames on CP in squid logs. I do not find the thread right now but I am pretty sure there is one.

                • jodel

                  I will install Squid 3 and see if that helps. I have been searching the forum for the last hour looking for the thread you mentioned but have not found it yet.
                  The perfect solution for me would be for the Squid logs to have the user name as used in the captive portal, and Sarg giving reports of sites visited by user rather than by IP.
                  Thanks for the help.  If I find the answer I will post it here.

                  • Nachtfalke

                    As far as I know, marcelloc did some coding on this.
                    Here is a post in his native language:
                    http://forum.pfsense.org/index.php/topic,58300.0.html

                    The problem is that the links within this thread - which seem to be the correct ones - cannot be found on the forum.
                    Perhaps you can contact him or ask in this thread if he knows where to find the tutorial.

                    • jodel

                      Thanks for the help.  If anyone knows where to find the tutorial I would appreciate it.
                      Also would setting up a Radius server help or is that just storing the user names and passwords in a different fashion?
                      Jodel

                      • Nachtfalke

                        @jodel:

                        Thanks for the help.  If anyone knows where to find the tutorial I would appreciate it.
                        Also would setting up a Radius server help or is that just storing the user names and passwords in a different fashion?
                        Jodel

                        freeradius2 just stores the credentials in a different way. What the tutorial did (simplified) is to use "squid auth helper" to communicate with CP.

                        1 Reply Last reply Reply Quote 0
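The helper approach mentioned in the reply above, sketched as an added example (not marcelloc's tutorial code and not part of the original posts): a Squid external ACL helper that receives the client IP (`%SRC`) and answers with the captive-portal username, so the name reaches the Squid log that Sarg reads without browser proxy authentication. The session table, helper path and ACL names are assumptions; the thread does not say where the portal keeps its sessions.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: map a client IP to a captive-portal username.

Assumed squid.conf wiring (helper path and ACL names are hypothetical):
    external_acl_type cp_user ttl=60 negative_ttl=10 %SRC /usr/local/bin/cp_user_helper.py
    acl cp_logged_in external cp_user
    http_access allow cp_logged_in
    http_access deny all
"""
import ipaddress
import sys
import urllib.parse

# Constructed sample data. A real helper would query the portal's live
# session store here; its location and schema are not given in the thread.
SAMPLE_SESSIONS = {"192.168.1.50": "alice", "192.168.1.51": "bob smith"}


def lookup_user(ip, sessions):
    """Return the portal username for ip, or None if there is no session."""
    return sessions.get(ip)


def handle_line(line, sessions):
    """Answer one helper request. Squid sends the %SRC value on each line."""
    fields = line.split()
    if not fields:
        return "ERR"
    try:
        ip = str(ipaddress.ip_address(fields[0]))  # reject malformed input
    except ValueError:
        return "ERR"
    user = lookup_user(ip, sessions)
    if user is None:
        return "ERR"  # no portal session: the ACL does not match
    # Squid records user= as the request's username, which is the field
    # Sarg groups by. URL-escape the value so spaces cannot split the reply.
    return "OK user=" + urllib.parse.quote(user, safe="")


def main():
    for line in sys.stdin:
        sys.stdout.write(handle_line(line, SAMPLE_SESSIONS) + "\n")
        sys.stdout.flush()  # Squid waits for each reply; never buffer


if __name__ == "__main__":
    main()
```

Because clients get addresses by DHCP, keep the `ttl` short: Squid caches each answer for that long, and a cached IP-to-user mapping outliving the portal session would attribute traffic to the wrong user.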
                          • jodel

                          Thanks for pointing me in the right direction. However, my knowledge of this area is not sufficient to be able to work out how to do it. The reason the links mentioned earlier do not work is, apparently, that the post was taken down by the user.

                          If anyone has a saved copy of the Tutorial I would appreciate it if they reposted it.
                          Also where does the CP store user credentials?
                          Jodel
