Local user auth via Captive portal + Transparent Proxy username in Squid Log

[rackg]

Hi All,
I am testing Opnsene 19.2 have enabled Captive Portal and Transparent proxy for HTTP/HTTPS. My problem is that when i check the Squid Log i could only see the client logged IP address and mac but not the username. Is that as per design ? Do we have a way to get it working by tweaking configuration/patch ? Or What should be the best approach?  if I have to write a script to append authenticated username via Captive Portal  in Squid access log along with IP address, mac and username suggest me where to start with.

Thanks

[franco]

19.7 switches to pure PAM auth, maybe the logging is better there, but I don't know. Right now in 19.1 it's using a custom script so that might be the reason.


Cheers,
Franco

[rackg]

Thanks Franco. But I would like to stay with 19.2 since 19.7 is beta. Can you point me to the script location used for the extended loging in squid+captive portal.

Sent from my Redmi 6 Pro using Tapatalk

[franco]

I'm not saying you should use 19.7 -- I simply want to lay out the facts.

Here's the script it's currently using:

https://github.com/opnsense/core/blob/stable/19.1/src/etc/inc/plugins.inc.d/squid/auth-user.php


Cheers,
Franco

[rackg]

Thanks for the heads up but I would definitely try 19.7a however getting username fixed is going to be first priority now. I am sure I can test 19.7 sometime and share some feedback on this regard.

Sent from my Redmi 6 Pro using Tapatalk

[rackg]

Dear Franco,
I think the particular authentication syslog never get logged into the system.log or squid log I could only see in portal log for the username auth. So I think the issue exist some whereelse. Do you think trying with active directory make sense ? Or issue with local authentication.

[bartjsmit]

I haven't used Squid for a while, but aren't user authentication and transparent mode mutually exclusive?

If the browser is unaware of the proxy, how/why should it offer credentials without knowing the proxy's address?

Bart...

[rackg]

Authentication work fine, the issue is on logging the username. I see couple of posts regarding logging issue with Squid and Captive portal. Squid only logs mac and ip address and not the username. Captive portal logs the AUTH session details. The issue is mainly how Captive portal parse the userid so that squid.conf can understand and could push the username in extended-log/syslog. I doubt this is more do to with Captive portal or local authentication. Please correct me if i am wrong.

[bartjsmit]

That's cool, thanks for the clarification. I thought that Squid was doing the authentication.

Bart...

[rackg]

Dear Franco/Opnsense Team,

Issue remains same with Active Directory authentication also. So its very clear that Captive Portal Authentication does use only IP address for authentication to Squid and not username.

No one else has this issue ? I saw in pfsense has the same issue some one reported the it here.
https://forum.netgate.com/topic/110107/no-usernames-in-squid-logs-when-using-captive-portal/5 . They have asked to fix it in https://github.com/pfsense/FreeBSD-ports/blob/devel/www/pfSense-pkg-squid/files/usr/local/bin/check_ip.php#L52

I dont see the same code check_ip.php in Opnsense code path.  So suggest me the script i need to look for to fix this .

[rackg]

Guys any one who can help me to work around this issue.

[franco]

It's best to raise a ticket here to discuss technical matters such as this.

https://github.com/opnsense/core/issues/new/choose

I was under the impression the code pointer requested would have been of help to you but it seems not?

It is also unclear if the development version works in this regard already or if it was not tried...


Cheers,
Franco

[rackg]

I dont know if that make any difference since i am only the person in the forum asked for this feature or having issue otherwise. Wondering how every users of this product using this access log features on the need of dynamic ip address to user systems with Firewall running with Captive portal Authentication + squid Transparent mode. So i would stop here until i hear from some one else how they are using this features for access log verification. Thanks Franco you are awesome.