Linux Authentication in BorderManager
Novell Cool Solutions: Tip
By Craig Johnson
Posted: 28 Sep 2005
A reader explained the following scenario:
"We are testing the new SUSE Linux Enterprise Server 9 (SLES) at our company. We already have a Novell Client for Linux running. Now we want to set up a TrendMicro Viruswall on that computer for test purposes, but neither the Viruswall nor Konqueror is able to connect to the Internet. When I try to connect to www.yahoo.com, Konqueror displays a Login Page from BorderManager. But even if I enter the needed data and try to log in, nothing happens.
Is there perhaps a CLNTRUST for Linux or another way to authenticate to BorderManager? We don't want to disable the need for authentication to the BorderManager. We want a CLNTRUST.EXE-like authentication, depending on the rights a corresponding user has. Anyone know a solution and can explain what to do?"
And here's the response from BorderManager expert Craig Johnson ...
There may be multiple solutions to your problem. Some of them are documented in my BorderManager 3.x book (see www.craigjconsulting.com).
1. Novell has put out a CLNTRUST for Linux. The files are included in the latest support pack for BorderManager - BM38SP4.exe (CLNTRUST.TAR). There is also another one available that was not created by Novell, and it can be found on the Cool Solutions site at http://www.novell.com/coolsolutions/tools/14774.html.
2. Almost all browsers (at least all that I have looked at) except IE have TLS support enabled by default. Disabling that is needed to make browsers work with SSL Proxy Authentication on BorderManager. I do not know right now if Konqueror works or not (it did not use to, and I haven't tested recently), but if you want it to, you probably need to have the latest patches on BorderManager (see tip #1 at the consulting URL above), and very possibly some custom entries in proxy.cfg (see tip #63). It appears you've tried disabling TLS, but may not have made all the changes you can on the BorderManager side.
3. You can selectively proxy authenticate by making use of the 'Authenticate only when ....' option in the Authentication Context menu in BorderManager Setup in NWADMN32. You must be careful to structure your access rules correctly, allowing desired (non-authenticated) traffic using source=any or IP address. I have examples of this in my BorderManager 3.x book.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com