We have a large network in our university with about 10000 users. We have an AD and want to use a Squid server for caching and NTLM authentication. We have a 40 Mbit/s Internet connection too, which we are going to share.
In AD we have students, teachers, ... OUs, and every group should have its appropriate Internet speed. I know we should use a traffic shaper to share the Internet in the best way.
First question is: which traffic shaper is suitable for use (in Linux)? Can we use a MikroTik?
The second is: can we use Squid authentication to identify users and their OU from AD, then give them their Internet speed from the traffic shaper (and if so, how)?
The third is: is there any other solution to solve this problem? (Problem: using AD in the best way for sharing the Internet connection.)
-
The easy answer is to use something like 802.1x.
If you've got a totally blank slate, you then go buy Enterasys switches which can apply policies to users based on 802.1x RADIUS responses. Faculty would get unlimited bandwidth, students would get 50k/sec to the internet but unlimited to the local network, etc.
If you've got an existing network (and you're not using Enterasys switches) you then would put different classes of users into different subnets, and then apply your traffic shaping at the border using FreeBSD and PF or Linux's traffic shaping, based on those subnets. Any given existing subnet would be split into 2-4 subnets each with a different policy. It'd be a hassle to deploy, but not absurdly hard.
In another life, I set up a firewall for our campus wireless network that set up a captive portal and authenticated users against an LDAP database. It would have been pretty easy to apply different traffic shaping policies based on user attributes. Setting this up was far from trivial, though, and I wouldn't suggest it as a solution these days.
I'm sure other people have other ways of solving this problem, and mine may well be more complex and not as reliable as those other ways.
From chris -
Squid supports NTLM authentication.
For bandwidth management you might want to investigate a feature of Squid known as delay pools.
Ansari: Yes, I know what delay pools are. Can delay pools be used as a traffic shaper for a network of about 8000 users with 1600 active nodes and 40 Mb Internet?
Anonymous: Absolutely. I believe that such a big amount of users is spread over a big infrastructure. I mean you likely don't have 8000 user accounts and 10 computers connected to the Internet :-) So you'll have a whole hierarchy of squid proxies.
scraft3613: Just wanted to add that at my place of employment we DO use squid w/delay pools for 8000+ users (12k) with a number of actual squid deployments.
From Anonymous -
There are purchasable software solutions that can address your needs easily, Blue Coat comes to mind, with their PacketShaper and Proxy solutions, but obviously this costs money. Surely an 8000 user university could afford such a thing, but if not, you have a few options.
First, if you want to use squid to transparently intercept traffic, authentication cannot be done. So make sure that you are able to have proxy settings assigned within the browser for every machine on the network.
The solution Chris suggested would likely work, but it would indeed be a bit complex to implement and support.
Delay pools would be usable as a bandwidth limiter, but as a traffic shaper, I do not believe squid is capable of doing that. You would need another software solution for that and I'm not sure you will find many quality traffic shapers or easy to use/configure traffic shapers for free.
Ansari: We are going to use 3 servers: 1 -> main Squid cache server, 2 -> main authentication server with NTLM in Squid, 3 -> main traffic shaper. What do you think of this? Can this solve our problem?
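To make concrete what Chris's and Anonymous's replies describe, here is an added squid.conf excerpt (not from any poster in this thread) that authenticates with NTLM and then picks a delay pool by AD group membership. It assumes Squid 3.2 or later with the ext_ldap_group_acl helper, Samba's ntlm_auth, a domain controller at dc.example.edu, a bind account and the group names Faculty and Students; all of those are placeholders to adjust.

```conf
# Added illustration, not the thread's own config. Placeholder names throughout.

# NTLM authentication through Samba winbind, as the question proposes
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
acl authed proxy_auth REQUIRED

# Ask AD which group the authenticated user belongs to.
# %LOGIN passes the user name; %v / %a are the user and group in the filter.
# -S strips the DOMAIN\ prefix NTLM puts on the name (assumed helper flag).
external_acl_type adgroup ttl=300 %LOGIN /usr/lib/squid/ext_ldap_group_acl \
    -S -D "cn=squidbind,ou=service,dc=example,dc=edu" -w "CHANGE-ME" \
    -b "dc=example,dc=edu" \
    -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=groups,dc=example,dc=edu))" \
    dc.example.edu
acl faculty  external adgroup Faculty
acl students external adgroup Students

# Class 2 pools: first pair is the aggregate bucket for the whole group,
# second pair is the per-user bucket; values are restore/max in bytes.
delay_pools 2
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_class 2 2
delay_parameters 2 2500000/2500000 50000/100000
delay_access 1 allow faculty
delay_access 1 deny all
delay_access 2 allow students
delay_access 2 deny all

http_access allow authed
http_access deny all
```

Pool 1 leaves faculty unlimited; pool 2 caps all students together at about 20 Mbit/s with roughly 50 kB/s per user. As Anonymous notes, this only limits HTTP that passes through the proxy, so anything bypassing it still needs shaping at the border (tc or PF on subnets, as the first answer describes).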