Moving to 2FA (two-factor authentication for ASA SSL VPN)

The need to provide remote access to the corporate environment comes up constantly, whether it is your own employees or partners who need access to a specific server in your organization.

For these purposes, most companies use VPN technology, which has proven itself as a reliable way of providing access to an organization's internal resources.

My company is no exception, and we, like many others, use this technology. And, like many others, we use a Cisco ASA 55xx as the remote-access gateway.

As the number of remote users grows, there is a need to simplify the way credentials are issued. But at the same time, this has to be done without weakening security.

For ourselves, we found the solution in two-factor authentication for connections over Cisco SSL VPN, using one-time passwords. This article will show you how to set up such a solution with minimal time spent and zero cost for the required software (provided you already have a Cisco ASA in your infrastructure).

The market is full of boxed solutions for generating one-time passwords, with many options for delivering them: sending the password by SMS, or using tokens, both hardware and software (for example, on a mobile phone). But the desire to save money, and to save money for my employer, in the midst of the current crisis, forced me to find a free way to implement a service for generating one-time passwords. One that, while free, is hardly inferior to commercial solutions (here we should make a reservation and note that this product also has a commercial version, but we agreed that our cost, in money, would be zero).

So, we will need:

- A Linux image with the tools already built in: multiOTP, FreeRADIUS and nginx, for accessing the server over the web (http://download.multiotp.net/ - I used the ready-made image for VMware)
- An Active Directory server
- The Cisco ASA itself (for convenience, I use ASDM)
- Any software token that supports the TOTP standard (I, for example, use Google Authenticator, but FreeOTP will do just as well)

I will not go into the details of how the image is deployed. As a result, you get a Debian Linux with multiOTP and FreeRADIUS preinstalled, configured to work together, and a web interface for OTP administration.

Step 1. Start the system and configure it for your network
By default the system ships with the default root credentials. I think everyone has guessed that it is good practice to change the root password after the first login. You also need to change the network settings (by default it is '192.168.1.44' with gateway '192.168.1.1'). After that you can reboot the system.

Let's create a user otp in Active Directory, with the password MySuperPassword.

Step 2. Configure the connection and import users from Active Directory
To do this, we need console access to the server, and specifically to the multiotp.php script, which we will use to configure the connection settings to Active Directory.

Go to the directory /usr/local/bin/multiotp/ and run the following commands one after another:

./multiotp.php -config default-request-prefix-pin=0

Specifies whether an additional (permanent) PIN is required when entering the one-time PIN (0 or 1)

./multiotp.php -config default-request-ldap-pwd=0

Specifies whether the domain password is required when entering the one-time PIN (0 or 1)

./multiotp.php -config ldap-server-type=1

Sets the LDAP server type (0 = regular LDAP server; in our case 1 = Active Directory)

./multiotp.php -config ldap-cn-identifier="sAMAccountName"

Specifies the attribute from which the user name is taken (with this value it will be just the name, without the domain)

./multiotp.php -config ldap-group-cn-identifier="sAMAccountName"

The same thing, only for groups

./multiotp.php -config ldap-group-attribute="memberOf"

Specifies the attribute used to determine whether a user belongs to a group

./multiotp.php -config ldap-ssl=1

Whether to use a secure (SSL) connection to the LDAP server (of course, yes!)

./multiotp.php -config ldap-port=636

Port for connecting to the LDAP server

./multiotp.php -config ldap-domain-controllers=adSRV.domain.local

Address of the Active Directory server

./multiotp.php -config ldap-base-dn="CN=Users,DC=domain,DC=local"

Specifies where in the domain to start searching for users

./multiotp.php -config ldap-bind-dn="[email protected]"

Specifies the user that has search rights in Active Directory

./multiotp.php -config ldap-server-password="MySuperPassword"

Specifies the password of that user for connecting to Active Directory

./multiotp.php -config ldap-network-timeout=10

Sets the connection timeout to Active Directory

./multiotp.php -config ldap-time-limit=30

Sets the time limit for the user import operation

./multiotp.php -config ldap-activated=1

Enables the Active Directory integration

./multiotp.php -debug -display-log -ldap-users-sync

Imports the users from Active Directory

Step 3. Generate the QR code for the token
Everything here is very simple. Open the OTP server's web interface in a browser, log in (don't forget to change the default admin password!), and click the "Print" button:

The result is a page containing two QR codes. We ignore the first of them (despite the attractive caption "Google Authenticator / Authenticator / 2 Steps Authenticator") and boldly scan the second code into the software token on the phone:

(yes, I deliberately spoiled the QR code to make it unreadable).

After completing these steps, the application will start generating a six-digit password every thirty seconds.

To be sure, you can check it in the same interface:

by entering the user name and the one-time password from the application on your phone. Got a positive response? Then let's move on.

Step 4. Additional configuration and testing of FreeRADIUS
As I mentioned above, multiOTP is already configured to work with FreeRADIUS; all that remains is to run some tests and add information about our VPN gateway to the FreeRADIUS configuration.

We return to the server console, to the directory /usr/local/bin/multiotp/, and enter:

./multiotp.php -config debug=1
./multiotp.php -config display-log=1

This enables more detailed logging.

In the FreeRADIUS clients configuration file (/etc/freeradius/clients.conf), comment out all lines relating to localhost and add two entries:

client localhost {
        ipaddr = 127.0.0.1
        secret          = testing321
        require_message_authenticator = no
}

- for testing

client 192.168.1.254/32 {
        shortname =     CiscoASA
        secret =        ConnectToRADIUSSecret
}

- for our VPN gateway.

Restart FreeRADIUS and test logging in:

radtest username 100110 localhost 1812 testing321

where username = the user name, 100110 = the password issued by the application on the phone, localhost = the RADIUS server address, 1812 = the RADIUS server port, and testing321 = the RADIUS client secret (which we defined in the configuration).

The output of this command will look like this:

Sending Access-Request of id 44 to 127.0.0.1 port 1812
        User-Name = "username"
        User-Password = "100110"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 1812
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=44, length=20

Now we need to make sure the user was really authenticated successfully. To do this, let's look at multiotp's own log:

tail /var/log/multiotp/multiotp.log

And if the last entries there are:

2016-09-01 08:58:17     notice  username  User    OK: User username successfully logged in from 127.0.0.1
2016-09-01 08:58:17     debug           Debug   Debug: 0 OK: Token accepted from 127.0.0.1

then everything went right and we can continue.
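To see what the radtest command above actually puts on the wire, and what the Message-Authenticator attribute (shown zeroed in the trace) protects, here is an added example that is not from the article, FreeRADIUS or multiOTP: it builds the Access-Request by hand per RFC 2865/2869 with the page's shared secret, and includes the server-side checks (PAP password recovery and HMAC verification) that `require_message_authenticator` governs. The request authenticator and other values are constructed for the demo.

```python
# Added example (not from the article or the FreeRADIUS/multiOTP projects):
# the RADIUS Access-Request that `radtest username 100110 localhost 1812
# testing321` sends, built per RFC 2865/2869, plus the server-side checks.
# All values below are constructed for the demo.
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, MSG_AUTH = 1, 2, 4, 5, 80


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_reveal(blob: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The server's inverse of pap_hide; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], key))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("BB", atype, len(value) + 2) + value


def build_access_request(user: str, otp: str, secret: bytes, nas_ip: str,
                         ident: int, authenticator: bytes) -> bytes:
    """Access-Request with User-Name, PAP User-Password, NAS-IP-Address, NAS-Port
    and a Message-Authenticator (HMAC-MD5 over the packet, keyed with the secret)."""
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, pap_hide(otp.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT, struct.pack(">I", 1812))
             + attr(MSG_AUTH, b"\x00" * 16))  # zero placeholder, as in the radtest trace
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def message_authenticator_ok(pkt: bytes, secret: bytes) -> bool:
    """The check that `require_message_authenticator = yes` makes mandatory:
    recompute the HMAC with the attribute zeroed (assumes it is the last attribute)."""
    expected = hmac.new(secret, pkt[:-16] + b"\x00" * 16, hashlib.md5).digest()
    return hmac.compare_digest(expected, pkt[-16:])
```

With `require_message_authenticator = no`, as in the test client entry above, the server accepts requests that omit this attribute entirely, so only the shared secret inside the password hiding ties the request to the client.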

Step 5: Configure the Cisco ASA
Let's assume we already have a configured group and policy for access via SSL VPN, tied to Active Directory, and we need to add two-factor authentication to this profile.

1. Add a new AAA server group:

2. Add the multiOTP server to the group:

3. Edit the connection profile, setting the Active Directory server group as the primary authentication server:

4. In the Advanced -> Authentication tab we also select the Active Directory server group:

5. In the Advanced -> Secondary Authentication tab, select the newly created server group in which the multiOTP server is registered. Note that the session username is inherited from the primary AAA server group:

Apply the settings, and

Step 6, aka the last one
Let's check whether two-factor authentication works for SSL VPN:

Voila! When connecting via the Cisco AnyConnect VPN Client, a second password, the one-time password, is now requested as well.

I hope this article helps someone and gives someone food for thought on how to use this free OTP server for other tasks. Share in the comments if you wish.

source: www.habr.com
