FreeRADIUS + Google Authenticator + LDAP + Fortigate

What do you do when you really want two-factor authentication, there is no money for hardware tokens, and all you are offered is to hang in there and keep your spirits up?

This solution is not particularly original; it is a combination of different solutions found on the Internet.

So, the givens:

An Active Directory domain.

Domain users working over VPN, as many do these days.

A Fortigate acts as the VPN gateway.

Saving the password in the VPN client is forbidden by the security policy.

Fortinet's policy on its own tokens can only be called stingy: there are 10 free tokens, and the rest come at a distinctly non-kosher price. I did not consider RSA SecurID, Duo and the like, because I want open source.

Prerequisites: a *nix host with freeradius installed and sssd joined to the domain, so that domain users can authenticate to it without problems.

Additional packages: shellinabox, figlet, freeradius-ldap, and the rebel.tlf font from the repository https://github.com/xero/figlet-fonts.

In my example, CentOS 7.8.

The logic is as follows: when connecting to the VPN, the user enters their domain login and an OTP in place of the password.

Configuring the services

In /etc/raddb/radiusd.conf only the user and group that freeradius runs as change, because the radiusd service must be able to read the files in every subdirectory of /home/ (the per-user .google_authenticator secrets live there).

user = root
group = root

Running a network-facing daemon as root is a broad privilege grant made solely so that one PAM module can read secret files in home directories. pam_google_authenticator can avoid it with its secret= and user= options, which keep the secrets under a directory owned by a dedicated account and have the module switch to that account for the read; the rest of this article, however, assumes the per-home layout.

To be able to use groups in the Fortigate configuration, a Vendor Specific Attribute has to be passed back; Fortinet-Group-Name comes from the Fortinet dictionary that ships with freeradius. To do this, in the raddb/policy.d directory I create a file with the following content (Reply-Message belongs in the reply list; an attribute set in the control list is never sent to the NAS):

group_authorization {
    if (&LDAP-Group[*] == "CN=vpn_admins,OU=vpn-groups,DC=domain,DC=local") {
        update reply {
            &Fortinet-Group-Name = "vpn_admins"
            &Reply-Message := "Welcome Admin"
        }
        update control {
            &Auth-Type := PAM
        }
    }
    else {
        update reply {
            &Reply-Message := "Not authorized for vpn"
        }
        reject
    }
}

After installing freeradius-ldap, the ldap file appears in the raddb/mods-available directory.

You need to create a symbolic link to it in the raddb/mods-enabled directory.

ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap

I bring its contents to this form:

ldap {
    server = 'domain.local'
    identity = 'CN=freerad_user,OU=users,DC=domain,DC=local'
    password = "SupeSecretP@ssword"
    base_dn = 'dc=domain,dc=local'
    sasl {
    }
    user {
        base_dn = "${..base_dn}"
        filter = "(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
        sasl {
        }
        scope = 'sub'
    }
    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=Group)'
        scope = 'sub'
        name_attribute = cn
        membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
        membership_attribute = 'memberOf'
    }
}

Two things to check here. The service account in identity only needs to read user objects and their memberOf attribute, so grant it no more than that. And as written the module speaks plain LDAP on port 389: the service-account password, and in the challenge-response variant at the end of this article every user's domain password as well, cross the network unencrypted. Point server at an ldaps:// URL, or set start_tls = yes in the module's tls subsection, before this goes anywhere near production.

In the files raddb/sites-enabled/default and raddb/sites-enabled/inner-tunnel, in the authorize section, I add the name of the policy to use: group_authorization. An important point: the policy name is not taken from the file name in policy.d but from the identifier inside the file, right before the curly brace.
In the authenticate section of the same files you need to uncomment the pam line.

In the clients.conf file, specify the parameters for connecting the Fortigate:

client fortigate {
    ipaddr = 192.168.1.200
    secret = testing123
    require_message_authenticator = no
    nas_type = other
}

testing123 is the well-known placeholder secret from the stock clients.conf. Replace it with a long random value and set the same value on the Fortigate: apart from the source-address check, the shared secret is the only thing that authenticates a packet as coming from the NAS.

Configure the pam.d/radiusd module:

#%PAM-1.0
auth       required     pam_google_authenticator.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    include      password-auth

The default options of the freeradius + google-authenticator bundle require the user to enter credentials in the form: username / password+OTP.

Having pictured how many curses would rain down on my head if I used the default freeradius + Google Authenticator bundle, I decided to configure the PAM module so that only the Google Authenticator token is checked.

Be careful with the auth stack here. If pam_google_authenticator.so is marked sufficient and followed by an auth include of password-auth, the OTP is not the only thing checked: on a wrong code, sufficient simply moves on to the next module, password-auth on an sssd-joined host contains pam_sss.so, and rlm_pam hands the same User-Password to every module in the stack, so the plain domain password would be accepted in place of the OTP. A single required entry, with no other auth modules, is what actually enforces OTP-only.

When a user connects, the following happens:

  • Freeradius checks whether the user exists in the domain and is in the specified group and, if so, checks the OTP token.

Everything went well until I thought: "How am I going to enrol OTP for 300+ users?"

The user has to log in to the server running freeradius under their own domain account and run the google-authenticator program, which prints a QR code for the app. This is where shellinabox combined with .bash_profile comes to the rescue.

[root@freeradius ~]# yum install -y shellinabox

The daemon's configuration file is /etc/sysconfig/shellinabox.
There I set port 443, and you can point it at your own certificate.

[root@freeradius ~]# systemctl enable --now shellinaboxd

The user follows the link, enters their domain credentials and receives a QR code for the app.

The algorithm is as follows:

  • The user connects to the machine through a web browser.
  • It is checked whether the user is a domain user. If not, nothing happens.
  • If the user is a domain user, membership in the admins group is checked.
  • If not an admin, it is checked whether Google Authenticator is already set up. If not, a QR code is generated and the user is logged out.
  • If not an admin and Google Authenticator is already set up, the user is simply logged out.
  • If an admin, Google Authenticator is checked again. If it is not set up, a QR code is generated.

All the logic lives in /etc/skel/.bash_profile. Two things to keep in mind: skel is only copied when a home directory is first created, so users whose home already exists on this host will not get the file; and a PATH restriction in a login script is a convenience, not a security boundary, since a user who interrupts the script or types an absolute path still has a shell on the RADIUS server.

cat /etc/skel/.bash_profile

# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi

# User specific environment and startup programs
# Make several commands available from user shell

# Everyone except a local admin account gets a private bin directory, holding
# only the tools this script needs, as their entire PATH.
if [[ -z $(id "$USER" | grep "admins") || -z $(grep "$USER" /etc/passwd) ]]
  then
    [[ ! -d $HOME/bin ]] && mkdir "$HOME/bin"
    [[ ! -f $HOME/bin/id ]] && ln -s /usr/bin/id "$HOME/bin/id"
    [[ ! -f $HOME/bin/google-auth ]] && ln -s /usr/bin/google-authenticator "$HOME/bin/google-auth"
    [[ ! -f $HOME/bin/grep ]] && ln -s /usr/bin/grep "$HOME/bin/grep"
    [[ ! -f $HOME/bin/figlet ]] && ln -s /usr/bin/figlet "$HOME/bin/figlet"
    [[ ! -f $HOME/bin/rebel.tlf ]] && ln -s /usr/share/figlet/rebel.tlf "$HOME/bin/rebel.tlf"
    [[ ! -f $HOME/bin/sleep ]] && ln -s /usr/bin/sleep "$HOME/bin/sleep"
  # Set PATH env to <home user directory>/bin
    PATH=$HOME/bin
    export PATH
  else
    PATH=$PATH:$HOME/.local/bin:$HOME/bin
    export PATH
fi

# Show the instructions and run the enrolment (shared by the admin and non-admin branches).
gauth_setup() {
    figlet -t -f "$HOME/bin/rebel.tlf" "Welcome to Company GAuth setup portal"
    sleep 1.5
    echo "Please, run any of these software on your device, where you would like to setup OTP:
Google Authenticator:
AppStore - https://apps.apple.com/us/app/google-authenticator/id388497605
Play Market - https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
FreeOTP:
AppStore - https://apps.apple.com/us/app/freeotp-authenticator/id872559395
Play Market - https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=en

And prepare to scan QR code.

"
    sleep 5
    # -f overwrite, -t time-based, -w 3 accept three adjacent codes, -r 3 -R 30 at most
    # three attempts per 30 s, -d reject a reused code, -e 1 one emergency scratch code
    google-auth -f -t -w 3 -r 3 -R 30 -d -e 1
    echo "Congratulations, now you can use an OTP token from application as a password connecting to VPN."
}

if [[ -n $(id "$USER" | grep "domain users") ]]
  then
    if [[ ! -e $HOME/.google_authenticator ]]
      then
        gauth_setup
        # Non-admins have nothing else to do here: end the session.
        if [[ -z $(id "$USER" | grep "admins") ]]
          then
            logout
        fi
      else
        echo "You have already setup a Google Authenticator"
        if [[ -z $(id "$USER" | grep "admins") ]]
          then
            logout
        fi
    fi
  else
    echo "You don't need to set up a Google Authenticator"
fi
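The .bash_profile above is a convenience wrapper rather than a boundary: Ctrl-C during one of the sleeps, or an absolute path such as /bin/bash, leaves the user in an ordinary shell on the RADIUS server. The script below is an added example, not code from the article. It is meant to be installed as the login shell of domain users (for instance through the override_shell option in sssd.conf) so that a session can do nothing except the enrolment and then end. It assumes the group names "domain users" and "vpn_admins" as printed by id, the google-authenticator binary at /usr/bin/google-authenticator, and the path /usr/local/bin/gauth-enroll for itself; all three are assumptions.

```shell
#!/bin/bash
# gauth-enroll: replacement login shell that can only enrol an OTP secret.
# Added example, not part of the article. Assumptions: sssd-joined host, the
# binary /usr/bin/google-authenticator, group names as printed by `id`
# ("domain users", "vpn_admins"), and sssd.conf pointing domain users at this
# script, e.g. override_shell = /usr/local/bin/gauth-enroll.

# The user must not be able to break out: ignore interrupt, quit and suspend,
# fail on unset variables, and use a fixed PATH instead of one under $HOME.
trap '' INT QUIT TSTP
set -u
PATH=/usr/bin:/bin
export PATH

# has_group ID_OUTPUT NAME: exact match on the group names in the "groups=..."
# part of `id` output, so "admins" does not match "vpn_admins", names with
# spaces ("domain users") work, and a trailing SELinux "context=" is ignored.
has_group() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | sed 's/ context=.*//' \
        | tr ',' '\n' | sed 's/^[0-9]*(\(.*\))$/\1/' | grep -Fxq -- "$2"
}

# enrol_state ID_OUTPUT HOME: prints skip (not a domain user),
# done (secret already present) or enroll (secret missing).
enrol_state() {
    local id_output=$1 home=$2
    if ! has_group "$id_output" "domain users"; then
        echo skip
    elif [ -e "$home/.google_authenticator" ]; then
        echo done
    else
        echo enroll
    fi
}

main() {
    local state
    state=$(enrol_state "$(id)" "$HOME")
    case $state in
        skip)
            echo "You don't need to set up Google Authenticator." ;;
        done)
            # Never re-run enrolment here: someone holding only the domain
            # password could otherwise re-seed the secret onto their own phone.
            echo "Google Authenticator is already set up for $(id -un)." ;;
        enroll)
            echo "Install Google Authenticator or FreeOTP on your phone and get ready to scan a QR code."
            # -f overwrite, -t TOTP, -w 3 three adjacent codes, -r 3 -R 30 three
            # attempts per 30 s, -d reject reused codes, -e 1 one emergency code.
            /usr/bin/google-authenticator -f -t -w 3 -r 3 -R 30 -d -e 1
            echo "Done. Use the 6-digit code from the app as your VPN password." ;;
    esac
    exit 0
}

# Run only when invoked as the login shell ("-gauth-enroll") or by name;
# sourcing the file for tests just defines the functions.
case ${0##*/} in
    gauth-enroll|-gauth-enroll) main ;;
esac
```

Because the script exits on every path and never hands control to an interactive shell, the only thing a stolen domain password buys an attacker on this host is the ability to enrol a not-yet-enrolled user, which is exactly why enrolment is refused once the secret exists and re-enrolment is left to the helpdesk.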

Fortigate setup:

  • Create a RADIUS server.

    (screenshot)

  • Create the required groups, if access needs to be separated by group. The group name on the Fortigate must match the group passed in the Vendor Specific Attribute Fortinet-Group-Name.

    (screenshot)

  • Configure the SSL portal as required.

    (screenshot)

  • Add the groups to the policies.

    (screenshot)

Advantages of this solution:

  • OTP authentication on a Fortigate with an open-source solution.
  • The user does not have to enter a password when connecting over VPN, which simplifies the connection. A 6-digit code is easier to type than the password the security policy demands. As a result, the number of tickets with the subject "I can't connect to the VPN" goes down.

Note that in this form the OTP replaces the password rather than supplementing it, so the connection rests on a single factor (possession of the phone); the challenge-response update below is what makes it two-factor.

PS: There are plans to improve this solution into full two-factor authentication with challenge-response.

Update:

As promised, I extended it to the challenge-response variant.
So:
In the file /etc/raddb/sites-enabled/default the authorize section now looks like this:

authorize {
    filter_username
    preprocess
    auth_log
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    files
    -sql
    #-ldap
    expiration
    logintime
    if (!State) {
        if (&User-Password) {
            # No State and a User-Password (PAP): first round, force an LDAP bind
            # with the user's own credentials
            update control {
                Ldap-UserDN := "%{User-Name}"
                Auth-Type := LDAP
            }
        }
        else {
            reject
        }
    }
    else {
        # State present: the password was already checked in a previous round,
        # so resolve the group and hand the OTP to PAM
        group_authorization
    }
    pap
}

The authenticate section now looks like this:

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    mschap
    digest
    # Attempt authentication with a direct LDAP bind:
    Auth-Type LDAP {
        ldap
        if (ok) {
            update reply {
                # Create a random State attribute:
                State := "%{randstr:aaaaaaaaaaaaaaaa}"
                Reply-Message := "Please enter OTP"
            }
            # Return Access-Challenge:
            challenge
        }
    }
    pam
    eap
}

One caveat before relying on this: the server does not remember the State it issued. The authorize section only tests whether a State attribute is present, so any Access-Request that carries one, whatever its value, skips the LDAP bind and goes straight to the OTP check. That is acceptable only because such requests can come from nowhere but the NAS listed in clients.conf with the correct shared secret, and a VPN client has no way to inject RADIUS attributes through the Fortigate; it is one more reason to keep the clients list tight and the secret strong.

The user is now authenticated according to this algorithm:

  • The user enters their domain credentials in the VPN client.
  • Freeradius checks the login and password against LDAP.
  • If the password is correct, an Access-Challenge asks for the token.
  • The token is checked through PAM.
  • Profit :)
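To exercise both rounds without a Fortigate in the loop, the script below drives radclient (from freeradius-utils) through the same exchange the VPN client triggers: a first request carrying the domain password, an Access-Challenge carrying State and the "Please enter OTP" message, then a second request carrying the OTP with the State copied back. It is an added example, not code from the article; it assumes radclient is installed, that the address you point it at is allowed in clients.conf with the secret you pass on the command line, and the login, password and code in the usage line are placeholders.

```shell
#!/bin/bash
# vpn-2fa-probe: replay the challenge-response exchange with radclient.
# Added example, not from the article. Assumes radclient (freeradius-utils),
# a clients.conf entry for the address you point it at, and the shared secret
# passed as an argument. Nothing here runs until all five arguments are given.

# extract_state RADCLIENT_OUTPUT: print the State attribute (radclient shows
# octets as 0x<hex>) from an Access-Challenge; fail on any other reply type.
extract_state() {
    printf '%s\n' "$1" | grep -q '^Received Access-Challenge' || return 1
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*State = \(0x[0-9A-Fa-f]*\).*/\1/p' | head -n 1
}

# second_request USER OTP STATE: attribute list for round two. State must be
# echoed back unchanged; its presence is what tells the authorize section
# that the password round already happened.
second_request() {
    printf 'User-Name = "%s"\nUser-Password = "%s"\nState = %s\n' "$1" "$2" "$3"
}

# vpn_2fa_probe HOST SECRET USER PASSWORD OTP
# Exit status is radclient's for round two: 0 on Access-Accept, non-zero otherwise.
vpn_2fa_probe() {
    local host=$1 secret=$2 user=$3 password=$4 otp=$5 reply state
    # Round one: domain password. Expect Access-Challenge, not Access-Accept.
    reply=$(printf 'User-Name = "%s"\nUser-Password = "%s"\n' "$user" "$password" \
        | radclient -x "$host" auth "$secret" 2>&1)
    if ! state=$(extract_state "$reply"); then
        echo "round 1: no Access-Challenge (bad password, or the authorize section is not in effect)" >&2
        printf '%s\n' "$reply" >&2
        return 1
    fi
    # Round two: the OTP as User-Password plus the State from round one.
    second_request "$user" "$otp" "$state" | radclient -x "$host" auth "$secret"
}

# Usage: ./vpn-2fa-probe 127.0.0.1 testing123 alice 'P@ssw0rd' 123456
if [ $# -eq 5 ]; then
    vpn_2fa_probe "$@"
fi
```

Run it once with a wrong password to confirm round one ends in Access-Reject rather than a challenge, once with the right password and a stale code to confirm round two is rejected, and once with a fresh code to see Access-Accept together with the Fortinet-Group-Name attribute the policy adds.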

Source: www.habr.com
