Squid and Windows 7/8 browser authentication (negotiate)



  • Does anyone know how to configure Squid in pfSense to work properly with recent versions of Windows?  At present, I'm testing Squid and SquidGuard but my Windows browsers aren't prompting for credentials and seem to be connecting to the proxy as anonymous.

    From what I can gather after a few too many hours on google, is that Windows 7 doesn't like basic authentication much and would much prefer negotiate or something better.  I found one registry tweak that claimed to make Windows happier with the lesser auth standards, but that doesn't seem to work.

    Try as I might, I've not found any clear guide on how to set up Squid on pfSense to work with higher authentication standards than "basic".  I'd be happy to run it using either the local or the freeRADIUS authentication back-end, but I'd rather avoid making changes to the packaged pfSense system as I don't fancy the risk of an update wiping them out later.

    Any help very much appreciated!

    Thanks,

    Jeff



  • I didn't try this environment but I think your problem is squid + Windows related.

    Google squid win7 win8 user authentication

    Please post your squid version package if you need more help.

    Another thread about Win7 clients, https://forum.pfsense.org/index.php?topic=75003.0



  • Thanks… when I said "after a few too many hours on google", that was one of the many search terms I spent hours trying!  Sadly, I didn't find anything useful - almost all the posts are about either trying to prevent auth popups (I'd be happy to see one!) or authenticating against a Windows domain (I don't run one).

    pfSense 2.1.2-release; Squid Cache: Version 2.7.STABLE9

    I think the two ways out of this are probably (1) teach Windows to live with basic auth and to show the popup for credentials so that the user can enter and then save them; or (2) teach Squid to use one of the higher authentication standards against the local or RADIUS user databases.
    The latter is neater from the client side, but has the problem that it's likely to need custom modules/helpers installed and I'd rather not have a non-standard pfSense setup as that will probably break during an update at some point.



  • Try squid3-dev(read forum tutorials to fetch missing libs) and captive portal authentication integration.

    It's fast and works really nice.



  • Thanks Marcello, I'll have a look at that. :)