Freeradius + Google Authenticator + LDAP + Fortigate

What do you do when two-factor authentication is both wanted and painful, there is no money for hardware tokens, and in general you are told to hang in there and keep your spirits up?

This solution is nothing super original; it is a mix of different solutions found on the Internet.

So, given:

An Active Directory domain.

Domain users working through VPN, as many do these days.

Fortigate acts as the VPN gateway.

Saving the password in the VPN client is prohibited by the security policy.

Fortinet's policy regarding its own tokens cannot be called anything but stingy: there are as many as 10 free tokens, the rest come at a very non-kosher price. I did not consider RSA SecurID, Duo and the like, because I want open source.

Prerequisites: a *nix host with freeradius installed, sssd joined to the domain, and domain users able to authenticate to it without problems.

Additional packages: shellinabox, figlet, freeradius-ldap, the rebel.tlf font from the repository https://github.com/xero/figlet-fonts.

In my example, CentOS 7.8.

The working logic should be as follows: when connecting to the VPN, the user enters the domain login and an OTP instead of the password.

Service setup

In /etc/raddb/radiusd.conf only the user and group on whose behalf freeradius starts are changed, since the radiusd service must be able to read files in all subdirectories of /home/.

user = root
group = root

To be able to use groups in the Fortigate settings, a Vendor Specific Attribute has to be passed. To do this, in the raddb/policy.d directory I created a file with the following content:

group_authorization {
    if (&LDAP-Group[*] == "CN=vpn_admins,OU=vpn-groups,DC=domain,DC=local") {
        update reply {
            &Fortinet-Group-Name = "vpn_admins"
        }
        update control {
            &Auth-Type := PAM
            &Reply-Message := "Welcome Admin"
        }
    }
    else {
        update reply {
            &Reply-Message := "Not authorized for vpn"
        }
        reject
    }
}

After installing freeradius-ldap, a file named ldap is created in the raddb/mods-available directory.

A symbolic link to it has to be created in the raddb/mods-enabled directory.

ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap

I bring its contents to this form:

ldap {
        server = 'domain.local'
        identity = 'CN=freerad_user,OU=users,DC=domain,DC=local'
        password = "SupeSecretP@ssword"
        base_dn = 'dc=domain,dc=local'
        sasl {
        }
        user {
                base_dn = "${..base_dn}"
                filter = "(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
                sasl {
                }
                scope = 'sub'
        }
        group {
                base_dn = "${..base_dn}"
                filter = '(objectClass=Group)'
                scope = 'sub'
                name_attribute = cn
                membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
                membership_attribute = 'memberOf'
        }
}

In the files raddb/sites-enabled/default and raddb/sites-enabled/inner-tunnel, in the authorize section, I add the name of the policy to use, group_authorization. An important point: the policy name is determined not by the file name in the policy.d directory, but by the name given inside the file before the curly braces.
In the authenticate section of the same files you need to uncomment the pam line.

In the clients.conf file we specify the parameters with which Fortigate will connect:

client fortigate {
    ipaddr = 192.168.1.200
    secret = testing123
    require_message_authenticator = no
    nas_type = other
}

PAM module configuration, pam.d/radiusd:

#%PAM-1.0
auth       sufficient   pam_google_authenticator.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    include      password-auth

The default freeradius + google authenticator bundle requires the user to enter credentials in the form username/password+OTP.

Imagining the number of curses that would land on my head if the default freeradius + Google Authenticator bundle were used, I decided to configure the pam module so that only the Google Authenticator token is checked.

When a user connects, the following happens:

  • Freeradius checks whether the user is in the domain and in a specific group and, if so, checks the OTP token.

Everything was fine until I thought: "How do I enroll 300+ users in OTP?"

The user has to log in to the freeradius server and, under their own account, run the google-authenticator program, which generates a QR code for the mobile application. This is where shellinabox comes to the rescue, in combination with .bash_profile.
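
What pam_google_authenticator actually checks when the token is set up with `-t -w 3 -r 3 -R 30 -d` (time-based codes, a window of 3 steps, 3 attempts per 30 seconds, no reuse of a code) is worth seeing in code. The following Python is an added example and not part of the original article or of the pam module: an RFC 6238 TOTP verifier with the same window, replay and rate-limit semantics. The class name `OtpVerifier`, the timestamps and the secret (the RFC 6238 test-vector secret, not a real user's) are constructed for the example; the real module keeps this state in ~/.google_authenticator, which is why radiusd has to read /home.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import List, Optional, Set

# Secret from the RFC 6238 test vectors (constructed input for the example,
# not a real user's secret). google-authenticator shows secrets as base32.
SAMPLE_SECRET = b"12345678901234567890"
SAMPLE_SECRET_B32 = base64.b32encode(SAMPLE_SECRET).decode()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class OtpVerifier:
    """Server-side TOTP check mirroring the google-authenticator flags used in
    the article: -t (time based), -w 3 (window), -d (disallow reuse),
    -r 3 -R 30 (rate limit). Names and defaults are the example's own."""

    def __init__(self, secret: bytes, window: int = 3, step: int = 30,
                 rate_limit: int = 3, rate_interval: int = 30):
        self.secret = secret
        self.step = step
        self.skew = window // 2            # -w 3: current step, one before, one after
        self.rate_limit = rate_limit       # -r 3 attempts ...
        self.rate_interval = rate_interval  # ... per -R 30 seconds
        self.used_steps: Set[int] = set()  # -d: steps whose code was already accepted
        self.attempts: List[float] = []    # timestamps of recent login attempts

    @classmethod
    def from_base32(cls, secret_b32: str, **kwargs) -> "OtpVerifier":
        """Build a verifier from the base32 secret google-authenticator prints."""
        return cls(base64.b32decode(secret_b32), **kwargs)

    def verify(self, code: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        # Rate limit: every attempt counts, and more than rate_limit attempts
        # within rate_interval seconds fail regardless of the code.
        self.attempts = [t for t in self.attempts if t > now - self.rate_interval]
        self.attempts.append(now)
        if len(self.attempts) > self.rate_limit:
            return False
        current = int(now) // self.step
        for step_no in range(current - self.skew, current + self.skew + 1):
            if step_no in self.used_steps:
                continue  # the code for this step was already consumed (-d)
            if hmac.compare_digest(hotp(self.secret, step_no), code):
                self.used_steps.add(step_no)
                return True
        return False


if __name__ == "__main__":
    v = OtpVerifier(SAMPLE_SECRET)
    print("first use of code for t=59:", v.verify("287082", 59))    # True
    print("same code replayed:", v.verify("287082", 59))            # False (-d)
```

Note that a replayed code is refused even though it is still inside the time window, and that a burst of wrong guesses locks out a correct code until the 30-second interval has passed; both are the behaviours a defender is buying with `-d` and `-r 3 -R 30`.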

[root@freeradius ~]# yum install -y shellinabox

The daemon configuration file is located at /etc/sysconfig/shellinabox.
There I set port 443, and you can also specify your own certificate.

[root@freeradius ~]# systemctl enable --now shellinaboxd

The user only needs to follow the link, enter their domain credentials and get a QR code for the application.

The algorithm is as follows:

  • The user logs in to the machine through the browser.
  • Whether the user is a domain user is checked. If not, nothing is done.
  • If the user is a domain user, membership in the Administrators group is checked.
  • If not an administrator, it checks whether Google Authenticator is already set up. If not, a QR code is generated and the user is logged out.
  • If not an administrator and Google Authenticator is already set up, the user is simply logged out.
  • If an administrator, Google Authenticator is checked again. If it is not set up, a QR code is generated.

All of the logic is implemented in /etc/skel/.bash_profile.

cat /etc/skel/.bash_profile

# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi

# User specific environment and startup programs
# Make only a handful of commands available from the user shell:
# anyone outside the "admins" group, or not present in /etc/passwd
# (i.e. a domain user), gets a PATH that holds nothing but symlinks in ~/bin.

if ! id "$USER" | grep -q "admins" || ! grep -q "^${USER}:" /etc/passwd
  then
    [[ ! -d $HOME/bin ]] && mkdir "$HOME/bin"
    [[ ! -f $HOME/bin/id ]] && ln -s /usr/bin/id "$HOME/bin/id"
    [[ ! -f $HOME/bin/google-auth ]] && ln -s /usr/bin/google-authenticator "$HOME/bin/google-auth"
    [[ ! -f $HOME/bin/grep ]] && ln -s /usr/bin/grep "$HOME/bin/grep"
    [[ ! -f $HOME/bin/figlet ]] && ln -s /usr/bin/figlet "$HOME/bin/figlet"
    [[ ! -f $HOME/bin/rebel.tlf ]] && ln -s /usr/share/figlet/rebel.tlf "$HOME/bin/rebel.tlf"
    [[ ! -f $HOME/bin/sleep ]] && ln -s /usr/bin/sleep "$HOME/bin/sleep"
    # Set PATH env to <home user directory>/bin only
    PATH=$HOME/bin
    export PATH
  else
    # (the original line read "PATH=PATH=$PATH:...", which prepended the
    # literal string "PATH=" to the search path)
    PATH=$PATH:$HOME/.local/bin:$HOME/bin
    export PATH
fi

# Show the instructions and run the enrolment; used for admins and non-admins alike.
gauth_setup() {
    figlet -t -f "$HOME/bin/rebel.tlf" "Welcome to Company GAuth setup portal"
    sleep 1.5
    echo "Please, run any of these software on your device, where you would like to setup OTP:
Google Authenticator:
AppStore - https://apps.apple.com/us/app/google-authenticator/id388497605
Play Market - https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
FreeOTP:
AppStore - https://apps.apple.com/us/app/freeotp-authenticator/id872559395
Play Market - https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=en

And prepare to scan QR code.

"
    sleep 5
    # -f overwrite without asking, -t time-based, -w 3 window of 3 codes,
    # -r 3 -R 30 at most 3 attempts per 30 s, -d disallow code reuse, -e 1 one emergency code
    google-auth -f -t -w 3 -r 3 -R 30 -d -e 1
    echo "Congratulations, now you can use an OTP token from application as a password connecting to VPN."
}

if id "$USER" | grep -q "domain users"
  then
    if [[ ! -e $HOME/.google_authenticator ]]
      then
        gauth_setup
        # Non-admins are logged out as soon as the QR code has been shown
        id "$USER" | grep -q "admins" || logout
      else
        echo "You have already setup a Google Authenticator"
        id "$USER" | grep -q "admins" || logout
    fi
  else
    echo "You don't need to set up a Google Authenticator"
fi

Fortigate setup:

  • Create the Radius server.

  • Create the necessary groups, if access control by groups is needed. The group name on Fortigate must match the group passed in the Vendor Specific Attribute Fortinet-Group-Name.

  • Edit the necessary SSL portals.

  • Add the groups to the policies.

Advantages of this solution:

  • It is possible to authenticate by OTP on Fortigate with an open-source solution.
  • The user does not enter the domain password when connecting to the VPN, which somewhat simplifies the connection process. A 6-digit code is easier to type than the one required by the security policy. As a result, the number of tickets with the subject "I can't connect to the VPN" goes down.

PS We plan to upgrade this solution to full two-factor authentication with challenge-response.

Update:

As promised, I tweaked it to the challenge-response variant.
So,
in the file /etc/raddb/sites-enabled/default the authorize section now looks like this:

authorize {
    filter_username
    preprocess
    auth_log
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    files
    -sql
    #-ldap
    expiration
    logintime
    if (!State) {
        if (&User-Password) {
            # If !State and User-Password (PAP), then force LDAP:
            update control {
                Ldap-UserDN := "%{User-Name}"
                Auth-Type := LDAP
            }
        }
        else {
            reject
        }
    }
    else {
        # If State, then proxy request:
        group_authorization
    }
    pap
}

The authenticate section now looks like this:

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    mschap
    digest
    # Attempt authentication with a direct LDAP bind:
    Auth-Type LDAP {
        ldap
        if (ok) {
            update reply {
                # Create a random State attribute:
                State := "%{randstr:aaaaaaaaaaaaaaaa}"
                Reply-Message := "Please enter OTP"
            }
            # Return Access-Challenge:
            challenge
        }
    }
    pam
    eap
}

Now user authentication proceeds according to the following algorithm:

  • The user enters the domain credentials in the VPN client.
  • Freeradius checks the validity of the account and password.
  • If the password is correct, a request for the token is sent.
  • The token is checked.
  • Profit.
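
The two-round exchange behind the authorize and authenticate sections above, together with the group_authorization policy, as an added Python example that is not part of the original article and not FreeRADIUS code: round one checks User-Password as the domain password and answers with Access-Challenge plus a random State and "Please enter OTP"; round two carries the OTP in User-Password and is accepted only if the group policy passes and the token verifies. The config shown above only tests whether a State attribute is present; the extra checks here (State is known to the server, single-use, bound to the same User-Name, and expires after 60 seconds) are the example's own assumptions about how a hardened version of that flow would behave. The class names, the user directory, passwords, OTP values and group memberships are all constructed stand-ins for the LDAP bind and for pam + pam_google_authenticator.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Packet:
    """Minimal stand-in for a RADIUS packet: a code plus a flat attribute dict."""
    code: str                                   # Access-Request / -Challenge / -Accept / -Reject
    attrs: Dict[str, str] = field(default_factory=dict)


class ChallengeResponseServer:
    """Round 1 (no State): password check, then Access-Challenge with State.
    Round 2 (State present): State must be known, unexpired, single-use and
    bound to the same user; group policy; then the OTP check."""

    def __init__(self, password_check: Callable[[str, str], bool],
                 otp_check: Callable[[str, str], bool],
                 groups: Dict[str, Set[str]], state_ttl: float = 60.0):
        self.password_check = password_check  # stand-in for the LDAP bind
        self.otp_check = otp_check            # stand-in for pam_google_authenticator
        self.groups = groups                  # user -> LDAP group CNs (constructed)
        self.state_ttl = state_ttl            # assumption: a State is valid for 60 s
        self.pending: Dict[str, Tuple[str, float]] = {}  # State -> (user, issued_at)

    def handle(self, req: Packet, now: Optional[float] = None) -> Packet:
        now = time.time() if now is None else now
        user = req.attrs.get("User-Name")
        password = req.attrs.get("User-Password")
        state = req.attrs.get("State")

        if state is None:
            # authorize: if (!State) { if (&User-Password) { Auth-Type := LDAP } else { reject } }
            if user is None or password is None or not self.password_check(user, password):
                return Packet("Access-Reject")
            token = secrets.token_hex(8)      # plays the role of %{randstr:aaaaaaaaaaaaaaaa}
            self.pending[token] = (user, now)
            return Packet("Access-Challenge",
                          {"State": token, "Reply-Message": "Please enter OTP"})

        # Round 2: pop() makes every State answerable exactly once.
        entry = self.pending.pop(state, None)
        if entry is None:
            return Packet("Access-Reject", {"Reply-Message": "Unknown or reused State"})
        bound_user, issued_at = entry
        if bound_user != user or now - issued_at > self.state_ttl:
            return Packet("Access-Reject", {"Reply-Message": "State expired or user mismatch"})
        # group_authorization policy from the article
        if "vpn_admins" not in self.groups.get(user, set()):
            return Packet("Access-Reject", {"Reply-Message": "Not authorized for vpn"})
        # Auth-Type PAM: the OTP travels in User-Password in this round
        if password is None or not self.otp_check(user, password):
            return Packet("Access-Reject")
        return Packet("Access-Accept",
                      {"Fortinet-Group-Name": "vpn_admins", "Reply-Message": "Welcome Admin"})


# Constructed directory for a runnable demo (not real credentials or groups).
USERS = {"alice": "Pa55word!", "bob": "Hunter2!"}
OTPS = {"alice": "123456", "bob": "654321"}    # what the token check accepts "right now"
GROUPS = {"alice": {"vpn_admins", "domain users"}, "bob": {"domain users"}}


def make_server() -> ChallengeResponseServer:
    return ChallengeResponseServer(
        password_check=lambda u, p: USERS.get(u) == p,
        otp_check=lambda u, c: OTPS.get(u) == c,
        groups=GROUPS,
    )


def run_exchange(server: ChallengeResponseServer, user: str, password: str,
                 otp: str, now: float = 0.0) -> List[str]:
    """Drive both rounds for one VPN client; returns the sequence of reply codes."""
    r1 = server.handle(Packet("Access-Request",
                              {"User-Name": user, "User-Password": password}), now)
    if r1.code != "Access-Challenge":
        return [r1.code]
    r2 = server.handle(Packet("Access-Request",
                              {"User-Name": user, "User-Password": otp,
                               "State": r1.attrs["State"]}), now + 5)
    return [r1.code, r2.code]


if __name__ == "__main__":
    srv = make_server()
    print(run_exchange(srv, "alice", "Pa55word!", "123456"))  # Challenge, then Accept
    print(run_exchange(srv, "bob", "Hunter2!", "654321"))     # Challenge, then Reject (group)
```

The cases worth watching are the ones the article's config does not cover on its own: an OTP sent without a prior password round is refused at round one, a State that has already been answered is refused, and a State issued for bob cannot be used by alice.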

Source: www.hab.com
