Considerations for 802.1x Port Based and Wi-Fi Certificate Authentication

Similar Messages

• IEEE 802.1x port-based authetication

  I want to configure IEEE 802.1x port-based authentication on cisco switches, preferable 2960 series. Which models support this feature?. I have try with some older switches but it doesn't works properly on everyone.
  I have upgraded them whitout better results, there is namely an issue with TLS handshaking on some switches which produces authentication to fail.

  Hi Claudia,
  do you mean that the EAP-TLS authentication fails only on some 2960 switches and it works on other 2960s?
  What is the IOS version you're using there?
  What is the RADIUS server in use?
  What is the exact error message you see on the RADIUS side?
  Usually, the reason for the EAP-TLS handshake failure is to be troubleshoot on the supplicant and AAA server, however, there may be something on the switch depending on the certificate size and MTU settings on the switch(es).
  What is the server cert size and the MTU configured on the switches?
  With the info you provided it's difficult to say what's the reason of this failure.
  I would suggest to start looking into the above mentioned topics, else you would need to proceed with deeper debugging and sniffer traces, which may be better/easier to handle through a TAC case.
  I hope this helps.
  Regards,
  Federico
  If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

• Radius server for 802.1x port authentication

  Does anybody know if CiscoSecure for Unix version 2.3.6.2 can be used as a Radius server for 802.1x port authentication? I know the Windows version will do this and can be configured to assign a user to a specific VLAN, but can the UNIX software do the same?
  Thanks

  Check connectivity between the PIX and the server.
  If the server is outside the PIX, verify that it is specified in the (if_name) parameter of the aaa-server command. In the example below, the (if_name) parameter represents outside.
  aaa-server group_tag (if_name) host server_ip key timeout 5
  If you are using TACACS+, verify that the PIX and server are communicating on the same port (Transmission Control Protocol (TCP)/49).
  If you are using RADIUS, verify that the PIX and server are communicating on User Datagram Protocol (UDP) port 1645. Or, if the RADIUS server is using port 1812, verify that the PIX is using software version 6.0 or later, and then issue the aaa-server radius-authport 1812 command to specify port 1812.
  Ensure that the secret key is correct.
  Check the server logs for failed attempts. All servers have some kind of logging function.

• HT3964 I did the SMC reset for my iMac intel-based and now it won't turn on. What can I do to fix this?

  I did the SMC reset for my iMac intel-based and now it won't turn on. What can I do to fix this?

  Well, first things first... is the power cord fully plugged into the back of the iMac (and the wall, for that matter)?
  Make sure the wall outlet has power, too... I've scratched my head over stupid issues where I forgot to flip a wall switch.
  If the outlet does have power, then try doing a pram zap. Command + option + P + R (hold those at startup).
  If the machine is receiving power, you should be able to see some LEDs if you look through the bottom grate of the machine to the left of the RAM door.

• 802.1X Port Based Authentication - IP Phone- MDA - Port Security Violation

  I have configured 802.1X authentication on selected ports of a Cisco Catalyst 2960S with Micorsoft NPS Radius authentication on a test LAN. I have tested the authentication with a windows XP laptop, a windows 7 laptop with 802.1X, eap-tls authentication and a Mitel 5330 IP Phone using EAP-MD5 aithentication. All the above devices work with with the MS NPS server. However in MDA mode when the  802.1x compliant  windows 7 laptop is connected to the already authenticated Mitel IP Phone, the port experiences a security violation and the goes into error sdisable mode.
  Feb  4 19:16:16.571: %AUTHMGR-5-START: Starting 'dot1x' for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
  Feb  4 19:16:16.645: %DOT1X-5-SUCCESS: Authentication successful for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
  Feb  4 19:16:16.645: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state
  Feb  4 19:16:17.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
  Feb  4 19:16:18.658: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
  If the port config  is changed to "authentication host-mode multi-auth", and the laptop is connected to the phone the port does not experience the security violation but the 802.1x authentication for the laptop fails.
  The ports GI1/0./1 & Gi1/02 are configured thus:
  interface GigabitEthernet1/0/1
  switchport mode access
  switchport voice vlan 20
  authentication event fail action authorize vlan 4
  authentication event no-response action authorize vlan 4
  authentication event server alive action reinitialize
  authentication host-mode multi-domain
  authentication order dot1x mab
  authentication priority dot1x mab
  authentication port-control auto
  mab
  mls qos trust cos
  dot1x pae authenticator
  spanning-tree portfast
  sh ver
  Switch Ports Model              SW Version            SW Image
  *    1 52    WS-C2960S-48FPS-L  15.2(1)E1             C2960S-UNIVERSALK9-M
  Full config attached. Assistance will be grately appreciated.
  Donfrico

  I am currently trying to get 802.1x port authentication working on a Cat3550 against Win2003 IAS but the IAS log shows a invalid message-authenticator error. The 3550 just shows failed. When I authenticate against Cisco ACS (by simply changing the radius-server) it works perfectly.
  However, I am successfully using IAS to authenticate WPA users on AP1210s so RADIUS appears to be OK working OK.
  Are there special attributes that need to be configured on the switch or IAS?

• Help with 4506 802.1x Port Based Authentication (Wired)

  Hi all,
  I'm trying to configure wired 802.1x security on a Catalyst 4506 IOS 12.1.19(EW), using Microsoft IAS (Microsoft's RADIUS), and Windows 2000 SP4 clients.
  I've followed the procedures in the 4506 Software configuration guide and they seem to be straight forward.
  I then turn 802.1x Debugging on the switch to monitor the 802.1x traffic, but there is none. If I bring the configured interface down and then back up, I do get some status change, but it seems like the switch is not sending or receiving EAPOL frames.
  I then execute the dot1x "initialize" and also tried the "re-authenticate" commands, but I get an error saying that FastEthernet 2/2 is not a valid dot1x interface. The line card model number is WS-X4148-RJ21. Is the card not 802.1x compatible?
  The switch does not throw any errors when I configure FastEthernet 2/2 as a 802.1x port by executing
  dot1x port-control auto
  i've also configured the interface to be a plain L2 access port by executing
  switchport mode access
  any help will be appreciated!

  I am currently trying to get 802.1x port authentication working on a Cat3550 against Win2003 IAS but the IAS log shows a invalid message-authenticator error. The 3550 just shows failed. When I authenticate against Cisco ACS (by simply changing the radius-server) it works perfectly.
  However, I am successfully using IAS to authenticate WPA users on AP1210s so RADIUS appears to be OK working OK.
  Are there special attributes that need to be configured on the switch or IAS?

• OS/X unresponsive - waiting for response on ports 2222 and 137 ?

  About once a month it seems I have to power cycle the iMac as it becomes completely unresponsive on the console.
  I can ping it from other computers, but if I try to SSH into it to see what's wrong, all I see is it sending UDP packets to port 2222 and occasionally 137 (NETBIOS-NS).
  Naturally this always happens when my kids have a homework assignment due.
  Is there some knob to stop it caring about these things which simply don't exist?

  About once a month it seems I have to power cycle the iMac as it becomes completely unresponsive on the console.
  I can ping it from other computers, but if I try to SSH into it to see what's wrong, all I see is it sending UDP packets to port 2222 and occasionally 137 (NETBIOS-NS).
  Naturally this always happens when my kids have a homework assignment due.
  Is there some knob to stop it caring about these things which simply don't exist?

• 802.1X Port Based Authentication Security Violation

  I have configured 802.1X authentication on selected ports of a Cisco Catalyst 2960S with Micorsoft NPS Radius authentication on a test LAN. I have tested the authentication with a windows XP laptop, a windows 7 laptop with 802.1X, eap-tls authentication and a Mitel 5330 IP Phone using EAP-MD5 aithentication. All the above devices work with with the MS NPS server. However in MDA mode when the  802.1x compliant  windows 7 laptop is connected to the already authenticated Mitel IP Phone, the port experiences a security violation and the goes into error sdisable mode.
  Feb  4 19:16:16.571: %AUTHMGR-5-START: Starting 'dot1x' for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
  Feb  4 19:16:16.645: %DOT1X-5-SUCCESS: Authentication successful for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
  Feb  4 19:16:16.645: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state
  Feb  4 19:16:17.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
  Feb  4 19:16:18.658: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
  If the port config  is changed to "authentication host-mode multi-auth", and the laptop is connected to the phone the port does not experience the security violation but the 802.1x authentication for the laptop fails.
  The ports GI1/0./1 & Gi1/02 are configured thus:
  interface GigabitEthernet1/0/1
  switchport mode access
  switchport voice vlan 20
  authentication event fail action authorize vlan 4
  authentication event no-response action authorize vlan 4
  authentication event server alive action reinitialize
  authentication host-mode multi-domain
  authentication order dot1x mab
  authentication priority dot1x mab
  authentication port-control auto
  mab
  mls qos trust cos
  dot1x pae authenticator
  spanning-tree portfast
  sh ver
  Switch Ports Model              SW Version            SW Image
  *    1 52    WS-C2960S-48FPS-L  15.2(1)E1             C2960S-UNIVERSALK9-M
  Full config attached. Assistance will be grately appreciated.
  Donfrico

  I believe , you need to configure re-authentication on this switch port:
  ! Enable re-authentication
  authentication periodic
  ! Enable re-authentication via RADIUS Session-Timeout
  authentication timer reauthenticate server

• IEEE 802.1x Port based Authentication with Restricted VLAN

  Hi all,
  I have the following configuration:
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authorization exec default local
  dot1x system-auth-control
  radius-server host 10.10.10.10 key cisco
  interface FastEthernet0/1
  switchport mode access
  authentication event fail retry 1 action authorize vlan 2
  authentication port-control auto
  dot1x pae authenticator
  spanning-tree portfast
  But it takes quite a while for the user who is not authorized to be switch to vlan 2.
  I would like to know what is best practice when using this kind of configuration  and if it is possible to optimize on how long it takes to switch the unauthorized user to the restricted VLAN?
  Regards,
  Laurent

  Laurent,
  Based on your configuration it looks as if it will take one retry attempt before the client is placed in vlan2. Try to remove the 'retry 1' from command and see if that speeds up the time. Also take the output of the 'show authentication sessions interface '. Please post the output of the 'debug radius authentication' as that will help to see how long it is taking the radius server to respond.
  thanks,
  Tarik Admani

• Radius for 802.1x; Remote Access and Wireless authentication

  Looking to use a single Radius platform for authenticating Remote, wired and wireless users and machines. Anyone with some experience with that use to share some lessons learns...

  Hello Richard,
  there is a previous post from a user who wants to add authentication to his Cisco ACS Radius server for wireless clients, it might be worth contacting that user to see how he resolved this...here is the link to the thread:
  http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=Getting%20Started%20with%20LANs&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd9504e
  Also, have a look at the document below, which talks about the issue:
  Selecting an EAP Method: the RADIUS Authentication Server Component
  http://www.interlinknetworks.com/news/newsletters/20031104/tech.htm
  HTH,
  GP

• 802.1x mac based authentication

  We have Cisco ACS 3.3 is there a way to do authentication based on mac address, instead of username and password? We are looking to stop things such as user purchased access points and what not. Any info would be great.

  Yes you are right, I misunderstood you. I was under the impression that you were talking about doing MAC based authentication on your AP's, not the switches. That is why I made mention to port security.
  The 2 options would be standard port security or 802.1x port security if you switches support this.
  In order to use the 802.1X port security, your switch would need to support it and the clients connecting to the switch would require a supplicant (EAP-TLS, EAP-TTLS, etc) in order for them to work, not by MAC address alone.
  You can configure standard port security on the switch which will accomplish your intentions and not even need to use the ACS server.
  standard port base security by MAC:
  http://www.cisco.com/en/US/products/hw/switches/ps663/products_configuration_guide_chapter09186a008007d3ce.html
  802.1x port based security:
  http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00801a6c72.html

• 802.1x port authentication not working

  I am having some troubles figuring out what is going on here. I am trying to setup 802.1x port based authentication to assign clients to VLANs. I inherited this mess and its been a long time since I have used this. I ran a wireshark on my Radius server and I see no packets even coming from my switch IP address when I plug into a port (I verified communication because pings come up in my trace)
  Switch info:
  sw-ConfB>sho ver
  Cisco IOS Software, C2960C Software (C2960c405-UNIVERSALK9-M), Version 12.2(55)EX3, RELEASE SOFTWARE (fc2)
  Port config:
  interface FastEthernet0/11
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  Radius Server Info:
  radius-server host 10.0.1.52 auth-port 1645 acct-port 1646 key 802.1x!
  Kinda lost why not Radius packet even comes from the switch. Any tips?

  sw-ConfB#sho ru
  Building configuration...
  Current configuration : 6301 bytes
  version 12.2
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname sw-ConfB
  boot-start-marker
  boot-end-marker
  enable secret 5 $1$3QAC$puzutRpCI5zR3Xv55xBVH0
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa session-id common
  system mtu routing 1500
  crypto pki trustpoint TP-self-signed-706182400
   enrollment selfsigned
   subject-name cn=IOS-Self-Signed-Certificate-706182400
   revocation-check none
   rsakeypair TP-self-signed-706182400
  crypto pki certificate chain TP-self-signed-706182400
   certificate self-signed 01
    3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 37303631 38323430 30301E17 0D393330 33303130 30303430
    365A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
    532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3730 36313832
    34303030 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
    C72AE421 F5BF8C62 7C9E14C1 E73686FB 67DD760A 0C6C790D 935143A0 8DD96CC8
    D14A11C1 D16F9583 AE3B591E 68581049 1C837110 1B1C0398 BDE81C86 3F80CD45
    E55EBE76 73B9F7AB 5F14CBD5 2BD38330 E1B4FA92 32490A66 CE0BE135 9B695D97
    BF7C04FB 2999CF98 2336E82C 559A89C1 7F4E2948 1D73EBD4 236E4DD9 4D8675AB
    02030100 01A36930 67300F06 03551D13 0101FF04 05300301 01FF3014 0603551D
    11040D30 0B820973 772D436F 6E66422E 301F0603 551D2304 18301680 14C35330
    A1D32EA5 C2A07CC9 B1B3CCDB EB93CAA7 02301D06 03551D0E 04160414 C35330A1
    D32EA5C2 A07CC9B1 B3CCDBEB 93CAA702 300D0609 2A864886 F70D0101 04050003
    8181002E FC217BF1 F9E6FBE1 B07270A6 79A57AA5 691A949D C61C00C2 09C1C3CA
    CA14EE07 60BA058E CFDCD8E7 19D83B68 5F06B92C 8612B396 B18BA823 C0E83021
    2EFD391E 06113246 5609E287 7883422A 0513AF6D 5BF03CDE 92786B1D 3E01284C
    1EE23296 12999C71 BE8A5BEA 4B768F7E 6EB63E05 B71AF375 7FB72B98 7665BF45 D14622
    quit
  dot1x system-auth-control
  spanning-tree mode pvst
  spanning-tree extend system-id
  vlan internal allocation policy ascending
  interface FastEthernet0/1
   switchport access vlan 900
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  interface FastEthernet0/2
   switchport access vlan 900
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  interface FastEthernet0/3
   switchport access vlan 900
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  interface FastEthernet0/4
   switchport access vlan 900
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  interface FastEthernet0/5
   switchport access vlan 900
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  interface FastEthernet0/6
   switchport access vlan 900
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  interface FastEthernet0/7
   switchport access vlan 900
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  interface FastEthernet0/8
   switchport access vlan 900
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  interface FastEthernet0/9
   switchport access vlan 900
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  interface FastEthernet0/10
   switchport access vlan 900
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  interface FastEthernet0/11
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  interface FastEthernet0/12
   switchport access vlan 900
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  interface GigabitEthernet0/1
   switchport trunk native vlan 200
   switchport trunk allowed vlan 100,200,900
   switchport mode trunk
  interface GigabitEthernet0/2
   switchport access vlan 100
   switchport mode access
  interface Vlan1
   no ip address
  interface Vlan100
   ip address 10.0.1.3 255.255.255.0
  interface Vlan200
   ip address 10.0.2.4 255.255.255.0
  interface Vlan900
   ip address 10.0.9.4 255.255.255.0
  ip default-gateway 10.0.1.1
  ip http server
  ip http secure-server
  ip sla enable reaction-alerts
  radius-server host 10.0.1.52 auth-port 1645 acct-port 1646 key 802.1x!
  radius-server retransmit 5
  radius-server key secret
  radius-server vsa send authentication

• How to open ports 2078 and 2077

  I can't seem to figure out how to do this.
  I need it for a webdisk for my site but can't get these 2 porst to open so it can connect.
  any help on how/where I go to do this?

  I'm not entirely sure if you're using the Mac OS X Server or the Mac OS X client software version here, so the following covers both. Use of System Preferences implies client, though this is a server forum.
  With Mac OS X Server 10.6, use the Server Admin tool to open up the ports you need. Launch Server Admin > select the target server > select Firewall > select Settings > select Services, open the ports, Save, etc.
  With Mac OS X client 10.5.1 and later and with 10.6 and later, the firewall mechanisms and settings are application-based and not port-based, and you select the application to allow, and it can then use whatever ports it needs. System Preferences > Sharing > Advanced... and then the + to add the application. (Details: [ht1810|http://support.apple.com/kb/ht1810])
  If you're running this box as a network gateway, then things can get a little more complex; I'd tend to use an external firewall if that's an option.
  If you're running this as the client for the disk services (as I might guess) and if you're accessing a remote web disk on a remote system via ports 2077 (SSL) and 2078, then I wouldn't usually expect to need to open these ports on the client; it's usually the remote server system and not the client that needs to open ports. (Are you getting any diagnostic messages here? Are you looking to serve disks out to other hosts via this protocol? If so, and if you're on Mac OS X Client here, then try adding the application that serves the disks to the list of applications known to the firewall.)
  As an alternative, Apple servers and servers from other providers can run WebDAV disk services via port 80, which means that most any server that allows http web connections can also allow WebDAV connections. (WebDAV is a built-in feature of this Apache web server, so most any Apple Mac OS X box can serve disk space using http port 80 and WebDAV.)
  The lower level approach to opening the ports is the ipfw tool, and the command line.

• Is there any difference in the prompts of UCCX 7 (Windows based) and UCCX 9 (Linux based) ?

  Are the prompts for UCCX 7 (windows based) and UCCX 9 (Linux Based) are different ?
  There are no default prompts available in the script editor folder of UCCX 9.
  I have downloaded some prompts from the internet with .wav format, but those prompts are not working.
  Can someone tell me if the prompts are different and if they are really different, where to get those prompts then ?
  I have also attached the prompts i have downloaded from the internet.

  Nope, there's no difference.  UCCX uses either G711 or G729 encoded files.  You have to encode them first before you upload them.  UCCX will not encode them like CUCM does for MOH files.  In fact, you can use CUCM's MOH file encoding to encode your files for use within UCCX.
  Also, you will not see the system prompts on your workstation where you installed the script editor.
  What is it that you are trying to do?
  Anthony Holloway
  Please use the star ratings to help drive great content to the top of searches.

• RV220W - Wrong NAS Port-Type using RADIUS for 802.11

  Hi everyone
  I am attempting to configure the RV220W (Firmware 1.0.6.6) for dot1x authentication over a Windows 2008 based RADIUS Server (using Remote Access Services).
  The RADIUS settings on the RV220W are pointing towards that W2008 Server. The SSID has been set up for "WPA2 Enterprise" Security.
  All the authentication attempts arrive at the server, but they fail to get authenticated because the Cisco RV220W is not transmitting a "NAS Port-Type" and therefore, the RADIUS Server will reject the requests.
  This is what the request from the RV220W looks like on the server:
  And this is a request from a similar Zyxel Router:
  How can I enable the Cisco RV220W to send a NAS Port-Type (19, Wireless 802.11)?
  Thank you for your support!

  The RADIUS server in OS X Server is a standard FreeRADIUS implementation with Apple's own custom GUI frontend for configuring it and which only allows adding AirPort base-stations. In Mountain Lion Server it is even limited to a specific configuration for the AirPort base-station.
  However if you follow the normal command-line instructions and steps for configuring FreeRADIUS then it will be possible to add any type of RADIUS client.
  While as far as I can see by manually configuring the FreeRADIUS server in OS X Server should enable you to do what you want, most people chose to configure Squid to use either a PAM or the LDAP modules for Squid to in this case authenticate directly to Open Directory (which is of course based on LDAP).
  I myself have used a PAM in the past with Squid to successfully configure Squid to authenticate users via Open Directory. I was even able to specific an Open Directory group and only allow members of that group access via the Squid Proxy Server. I then went a bit OTT and set up another open-source tool (which was discontinued and I had to fix to get working) to process the Squid logs and store them in MySQL, and then setup FileMaker Pro to connect to the MySQL database via ODBC to allow producing reports.
  Unfortunately the AFP458 website had a major redesign a while ago and many previous technical articles on it are now hard to find. I had used two articles on that site to guide me through setting up Squid and the PAM on a Mac server. I believe the two articles I used are the ones listed below.
  http://afp548.com/2004/09/08/using-os-x-open-directory-to-authenticate-squid-pro xy-server/
  http://afp548.com/2004/12/13/squid-server-using-ldap-authentication/