Author Archives: manu

Squid transparent AD authentication

This article describes how to make transparent squid authentication against active directory.
Prerequisite: your linux box has joined the domaine, see article: Debian active directory authentication

Just remember to check your DNS config in resolv.conf:

domain unknown.local
search unknown.local

Make a reverse check with

# dig -x <nameserver ip>

Ensute time is correct

# ntpdate <windows DC>

Generate keytab file:

# kinint administrateur
# msktutil -c -b "CN=COMPUTERS" -s HTTP/serverproxy.unknown.local -k /etc/the.keytab --computer-name serverproxy --upn HTTP/serverproxy.unknown.local --server dc.unknown.local --enctypes 28

keytab file must be readable from processes that will use it, for example squid.
In case of errors you can check if you got a ticket after kinit:

# klist

You can also check if the keytab was successfully generated with servers

# klist -k /etc/the.keytab

Ensure keytab is renewed, put in cron:

00 4  *   *   *     msktutil --auto-update --verbose --computer-name serverproxy | logger -t msktutil

Squid configuration:

### Authentification automatique via Kerberos
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -d -s HTTP/serverproxy.unknown.local@UNKNOWN.LOCAL
auth_param negotiate children 20 startup=30
auth_param negotiate keep_alive off

Include variables before starting squid, you can put it in /etc/profile

export KRB5_KTNAME

In the browser you must configure the proxy with it’s FQDN:


iproute2 multiple gateway

Workstation has ip and gateway

Linux router has 4 nics with the following IP: eth1 eth2 eth3 eth0
The default gw to reach internet is
Internet can also be reache through

All the traffic coming to the linux router uses the default gw eth0 to reach internet.

Now we want to make an exception for workstation
Instead of using eth0 to go on internet we want to use now eth3.

Add routing table 4G with priority 200:

echo 200 4G >> /etc/iproute2/rt_tables

Specify routes in this table, next hop of interface wich is

ip route add dev eth1 table 4G
ip route add dev eth2 table 4G
ip route add default via table 4G

Now specify the client (here that will use these settings:

ip rule add from table 4G

Cisco debian freeradius authentication with local fallback

This article describes the configuration of a radius server to Log on a cisco device

  • Freeradius server setup on debian
  • Radius server configuration for one cisco device and one user
  • Cisco device configuration to user the freeradius login
  • Cisco device configuration to fall back on local authentication when the radius server is unreachable

On your debian box:

apt-get install freeradius

Add at the end of file /etc/freeradius/3.0/clients.conf. In this file we define clients allowed to authenticate agains the radius server.

client {
secret = PASSTEST
nastype = cisco
shortname = Switch_test

We define a user « jdoe » witch password « theroot » and level 15 privilege on the Cisco device:
At the end of file /etc/freeradius/3.0/users:

jdoe Cleartext-Password := "theroot"
Service-Type = NAS-Prompt-User,
Cisco-AVPair = "shell:priv-lvl=15"

On your cisco device create an entry for your radius server.
Server name will be LNXSRV with the IP
The shared key is PASSTEST

radius server LNXSRV
address ipv4 auth-port 1812 acct-port 1813

Define a group server that will contain your radius server.
We define the group: GRPSRV
The radius server is LNXSRV

aaa group server radius GRPSRV
server name LNXSRV

To get access to your cisco device locally you are supposed to have something like:

aaa authentication login default local
aaa authentication login SSH local

To get radius authentication then it falls back to local change the two lines:

aaa authentication login default group GRPSRV local
aaa authentication login SSH group GRPSRV local

Warning: local authentication will occur only when the radius server is unreachable. To make some tests can stop radius services.