Switching to 2FA (two-factor authentication for ASA SSL VPN)

The need to provide remote access to the corporate environment comes up more and more often, whether it is your own users or partners who need to reach a particular server in your organization.

For this, most companies use VPN technology, which has proven itself as a reliable, protected way of giving access to an organization's internal resources.

My company is no exception, and we, like many others, use this technology. And, like many others, we use a Cisco ASA 55xx as the remote-access gateway.

As the number of remote users grows, the process of issuing credentials has to be simplified. But at the same time, this must be done without weakening security.

For ourselves, we found the answer in two-factor authentication for connections over Cisco SSL VPN, using one-time passwords. This post describes how to set up such a solution with minimal time and zero cost for the required software (provided you already have a Cisco ASA in your infrastructure).

The market is full of boxed solutions for generating one-time passwords, with many delivery options: the password sent by SMS, or hardware and software tokens (for example, on a mobile phone). But the wish to save money, mine and my employer's, in the current crisis forced me to look for a free way to run a one-time password service. One which, although free, is not much inferior to commercial solutions (with the caveat that this product also has a commercial version, but we agreed that our cost, in money, would be zero).

So, we need:

- A Linux image with a pre-configured set of tools: multiOTP, FreeRADIUS and nginx, for accessing the server via the web (http://download.multiotp.net/ - I used the ready-made image for VMware)
- An Active Directory server
- The Cisco ASA itself (for convenience, I use ASDM)
- Any software token supporting the TOTP mechanism (I, for example, use Google Authenticator, but FreeOTP works just as well)

I will not go into how the image is deployed. The result is a Debian Linux with multiOTP and FreeRADIUS already installed, configured to work together, plus a web server for managing OTP.

Step 1. Start the system and configure it for your network
By default the system ships with root/root credentials. I think everyone will agree that changing the root password after the first login is a good idea. You also need to change the network settings (by default 192.168.1.44 with gateway 192.168.1.1). Then reboot the system.

Let's create a user called otp in Active Directory, with the password MySuperPassword.

Step 2. Configure the connection and import Active Directory users
To do this we go to the console and work directly with the multiotp.php file, which is used to set the Active Directory connection parameters.

Go to the directory /usr/local/bin/multiotp/ and run the following commands one after another:

./multiotp.php -config default-request-prefix-pin=0

Specifies whether an additional (permanent) PIN must be entered together with the one-time password (0 or 1).

./multiotp.php -config default-request-ldap-pwd=0

Specifies whether the LDAP password must be entered together with the one-time password (0 or 1). The ASA checks the AD password as the primary factor, so it is off here.

./multiotp.php -config ldap-server-type=1

LDAP server type (0 = generic LDAP server, 1 = Active Directory, our case).

./multiotp.php -config ldap-cn-identifier="sAMAccountName"

The attribute that holds the user name (this value is shown as the bare user name, without the domain).

./multiotp.php -config ldap-group-cn-identifier="sAMAccountName"

The same, only for groups.

./multiotp.php -config ldap-group-attribute="memberOf"

The attribute used to decide whether a user belongs to a group.

./multiotp.php -config ldap-ssl=1

Use a secure (TLS) connection to the LDAP server (of course, yes!).

./multiotp.php -config ldap-port=636

Port for the LDAP connection (636 = LDAPS).

./multiotp.php -config ldap-domain-controllers=adSRV.domain.local

Address of your Active Directory server.

./multiotp.php -config ldap-base-dn="CN=Users,DC=domain,DC=local"

Where in the directory to start searching for users.

./multiotp.php -config ldap-bind-dn="[email protected]"

The user with search rights in Active Directory, given as a UPN (the address in the command above is obfuscated in the source; use the otp account created in Step 1).

./multiotp.php -config ldap-server-password="MySuperPassword"

The password of that user, for binding to Active Directory. Note that a password passed on the command line ends up in the shell history; clear it afterwards.

./multiotp.php -config ldap-network-timeout=10

Timeout for connecting to Active Directory.

./multiotp.php -config ldap-time-limit=30

Time limit for the user import operation.

./multiotp.php -config ldap-activated=1

Activate the Active Directory integration.

./multiotp.php -debug -display-log -ldap-users-sync

Import the users from Active Directory (with debug output and the log shown on screen).

Step 3. Generate a QR code for the token
Everything here is very simple. Open the OTP server's web interface in a browser, log in (don't forget to change the admin password!), and click the "Print" button.

The result is a page with two QR codes. We boldly ignore the first one (despite its tempting caption Google Authenticator / Authenticator / 2 Steps Authenticator), and just as boldly scan the second one into the software token on the phone.

(Yes, I deliberately corrupted the QR code so that it cannot be read.)

After these steps, your app will generate a six-digit password every thirty seconds.

To be sure, you can check it in the same interface, by entering your user name and the one-time password from the app on your phone. Got a positive answer? Then let's move on.

Step 4. Additional configuration and testing of FreeRADIUS
As I said above, multiOTP is already configured to work with FreeRADIUS; all that remains is to run the tests and add our VPN gateway to the FreeRADIUS configuration file.

Back in the server console, in the directory /usr/local/bin/multiotp/, enter:

./multiotp.php -config debug=1
./multiotp.php -config display-log=1

to enable more detailed logging.

In the FreeRADIUS clients file (/etc/freeradius/clients.conf) comment out all the lines about localhost and add two entries:

client localhost {
        ipaddr = 127.0.0.1
        secret          = testing321
        require_message_authenticator = no
}

- for testing, and

client 192.168.1.254/32 {
        shortname =     CiscoASA
        secret =        ConnectToRADIUSSecret
}

- for our VPN gateway.

Restart FreeRADIUS and try to authenticate:

radtest username 100110 localhost 1812 testing321

where username = the user name, 100110 = the password shown by the app on the phone, localhost = the RADIUS server address, 1812 = the RADIUS server port, testing321 = the RADIUS client secret (which we set in the config).

The output of this command should look like this:

Sending Access-Request of id 44 to 127.0.0.1 port 1812
        User-Name = "username"
        User-Password = "100110"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 1812
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=44, length=20

Now we make sure the user was actually authenticated. For that, look at multiotp's own log:

tail /var/log/multiotp/multiotp.log

and if the last lines are:

2016-09-01 08:58:17     notice  username  User    OK: User username successfully logged in from 127.0.0.1
2016-09-01 08:58:17     debug           Debug   Debug: 0 OK: Token accepted from 127.0.0.1

then everything went well and we can finish.
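What radtest actually puts on the wire, and what the shared secret does for it. This is an added example, not code from the article, FreeRADIUS or multiOTP. It builds the Access-Request from the run above (User-Name username, User-Password 100110, NAS-IP-Address 127.0.1.1, NAS-Port 1812, secret testing321) following RFC 2865, hides the one-time password with the secret-keyed MD5 stream, and fills in the Message-Authenticator (RFC 2869), which radtest prints as zeros in its dump because the value is computed when the packet is encoded. The Request Authenticator is fixed in the demo only so that the output is reproducible; a real client must draw it from os.urandom. The point for the VPN gateway entry in clients.conf: anyone holding ConnectToRADIUSSecret can run reveal_password on captured traffic and recover every OTP sent to the server, so the secret must be strong and the client entry must stay restricted to the ASA's address (/32).

```python
"""RFC 2865 Access-Request with PAP password hiding and Message-Authenticator.

Added example, not from the article, FreeRADIUS or multiOTP. Attribute values
mirror the radtest run in the article; the Request Authenticator is fixed only
so the demo is reproducible (a real client uses os.urandom(16)).
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code(1) id(1) length(2) authenticator(16)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: the shared secret is all it takes to read the OTP."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(code: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; the length byte counts its own 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", code, 2 + len(value)) + value


def build_access_request(identifier: int, username: str, password: str, secret: bytes,
                         nas_ip: str, nas_port: int, authenticator: bytes = None) -> bytes:
    authenticator = authenticator if authenticator is not None else os.urandom(16)
    body = (
        attr(ATTR_USER_NAME, username.encode())
        + attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
        + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
        + attr(ATTR_NAS_PORT, struct.pack("!I", nas_port))
        + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # placeholder, replaced below
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body)) + authenticator
    # RFC 2869 s5.14: HMAC-MD5 keyed with the shared secret over the whole packet
    # with the Message-Authenticator value zeroed; then substitute the real value.
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac


def parse_attributes(packet: bytes):
    """Return [(code, value), ...]; reject a length field or TLV that overruns the packet."""
    declared = struct.unpack("!H", packet[2:4])[0]
    if declared != len(packet) or declared < HEADER_LEN:
        raise ValueError("length field does not match packet")
    attrs, pos = [], HEADER_LEN
    while pos < declared:
        if pos + 2 > declared:
            raise ValueError("truncated attribute header")
        code, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > declared:
            raise ValueError("malformed attribute length")
        attrs.append((code, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the HMAC-MD5 with the attribute value zeroed; False if absent, malformed or wrong."""
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        code, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return False
        if code == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += length
    return False


if __name__ == "__main__":
    secret = b"testing321"
    pkt = build_access_request(44, "username", "100110", secret, "127.0.1.1", 1812,
                               authenticator=bytes(range(16)))  # fixed for the demo only
    print(pkt.hex())
    print("Message-Authenticator valid:", verify_message_authenticator(pkt, secret))
```

With require_message_authenticator = no, as in the localhost test entry, FreeRADIUS accepts requests that omit the attribute; keep that relaxation for the test client only, and leave the gateway entry without it.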

Step 5. Configure Cisco ASA
Let's assume we already have a connection profile and policies configured for SSL VPN access, integrated with Active Directory, and we need to add two-factor authentication to that profile.

1. Add a new AAA server group.

2. Add our multiOTP server to that group.

3. Edit the connection profile, setting the Active Directory server group as the primary authentication server.

4. On the Advanced -> Authentication tab, also select the Active Directory server group.

5. On the Advanced -> Secondary Authentication tab, select the server group we created, in which the multiOTP server is registered. Note that the Session Username is inherited from the primary AAA server group.

Apply the settings and

Step 6, the last one
Check whether two-factor authentication for SSL VPN works.

Voila! When connecting with the Cisco AnyConnect VPN Client, you are asked for a second, one-time password.

I hope this article is useful to someone and gives food for thought on how else this free OTP server can be used for other tasks. Share your thoughts if you like.

Source: www.habr.com
