On the Way to 2FA (Two-Factor Authentication for ASA SSL VPN)

The need to provide remote access to a corporate environment comes up more and more often, whether it is your own users or partners who need access to a particular server in your organization.

For this purpose most companies use VPN technology, which has proven itself as a reliably protected way of granting access to an organization's internal resources.

My company is no exception, and we, like many others, use this technology. And, like many others, we use a Cisco ASA 55xx as the remote access gateway.

As the number of remote users grows, the procedure for issuing credentials needs to be simplified. But at the same time, this has to be done without compromising security.

For ourselves, we found a solution in two-factor authentication for Cisco SSL VPN connections using one-time passwords. This write-up shows how to build such a solution with minimal time and zero cost for the required software (provided you already have a Cisco ASA in your infrastructure).

The market offers plenty of boxed products for generating one-time passwords, with many ways of delivering them: sending the password by SMS, or hardware and software tokens (for example, on a mobile phone). But the wish to save money, my own and my employer's, in the current crisis forced me to look for a free way to run a one-time password service. One which, while free, is not much inferior to the commercial solutions (a caveat is due here: this product also has a commercial edition, but we agreed that our cost, in money, would be zero).

So, we will need:

- A Linux image with the tools built in: multiOTP, FreeRADIUS and nginx for web access to the server (http://download.multiotp.net/ - I used the image prepared for VMware)
- An Active Directory server
- The Cisco ASA itself (for convenience, I use ASDM)
- A software token that supports the TOTP mechanism (I, for example, use Google Authenticator, but FreeOTP will do just as well)

I will not go into the details of deploying the image. The result is a Debian Linux with multiOTP and FreeRADIUS already installed and configured to work together, plus a web interface for administering OTP.

Step 1. Start the system and configure it for your network
By default the system ships with root credentials. I think everyone has guessed that it is a good idea to change the root user's password right after the first login. You also need to change the network settings (by default it is '192.168.1.44' with gateway '192.168.1.1'). After that you can reboot the system.

Let's create a user otp in Active Directory with the password MySuperPassword.

Step 2. Set up the connection and import Active Directory users
To do this we need console access, and specifically the multiotp.php file, with which we will configure the connection to Active Directory.

Go to the /usr/local/bin/multiotp/ directory and enter the following commands one after another:

./multiotp.php -config default-request-prefix-pin=0

Determines whether an additional (permanent) PIN is required in front of the one-time code (0 or 1)

./multiotp.php -config default-request-ldap-pwd=0

Determines whether the LDAP password must be entered together with the one-time code (0 or 1)

./multiotp.php -config ldap-server-type=1

The LDAP server type (0 = regular LDAP server, in our case 1 = Active Directory)

./multiotp.php -config ldap-cn-identifier="sAMAccountName"

Specifies the attribute that represents the user name (this value yields only the account name, without the domain)

./multiotp.php -config ldap-group-cn-identifier="sAMAccountName"

The same, but for a group

./multiotp.php -config ldap-group-attribute="memberOf"

Specifies the attribute used to determine whether a user belongs to a group

./multiotp.php -config ldap-ssl=1

Whether to use an encrypted connection to the LDAP server (of course, yes!)

./multiotp.php -config ldap-port=636

Port for connecting to the LDAP server

./multiotp.php -config ldap-domain-controllers=adSRV.domain.local

The address of your Active Directory server

./multiotp.php -config ldap-base-dn="CN=Users,DC=domain,DC=local"

Specify where in the domain to start searching for users

./multiotp.php -config ldap-bind-dn="[email protected]"

Specify the account that has rights to search Active Directory

./multiotp.php -config ldap-server-password="MySuperPassword"

Specify that account's password for connecting to Active Directory

./multiotp.php -config ldap-network-timeout=10

Set the timeout for connecting to Active Directory

./multiotp.php -config ldap-time-limit=30

Set the time limit for LDAP query operations

./multiotp.php -config ldap-activated=1

Enable the Active Directory connection configuration

./multiotp.php -debug -display-log -ldap-users-sync

Import the users from Active Directory

Step 3. Generate a QR code for the token
Everything here is extremely simple. Open the OTP server's web interface in a browser, log in (don't forget to change the administrator's password!), and click the "Print" button:

The result is a page with two QR codes. We boldly ignore the first of them (despite the nice caption Google Authenticator / Authenticator / 2 Steps Authenticator), and just as boldly scan the second one into the software token on the phone:

(yes, I deliberately spoiled the QR code so that it cannot be read).

Once this is done, a six-digit password will start being generated in your application every thirty seconds.

To be sure, you can check it in the same interface:

by entering your user name and the one-time password from the application on your phone. Got a positive response? Then let's move on.
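What the phone app and the OTP server are doing behind that six-digit, thirty-second code is RFC 6238 TOTP: HMAC-SHA1 over a time counter, truncated to six digits. The following is an added example, not code from the article or from multiOTP; it uses the RFC 6238 reference secret as a constructed value (DEMO_SECRET_B32), and the issuer/account names in the otpauth:// URI are placeholders. It shows both sides of step 3: the URI that a QR code of this kind carries, the code the app computes, and the server-side check with a small clock-skew window.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

# Constructed example secret: the RFC 6238 reference key "12345678901234567890", base32-encoded.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Base32-decode a shared secret as carried in an otpauth:// URI (missing padding tolerated)."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation, modulo 10^digits."""
    digest = hmac.new(decode_secret(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). This is what the phone app computes."""
    if at is None:
        at = int(time.time())
    return hotp(secret_b32, at // step, digits)


def verify_totp(secret_b32: str, code: str, at: Optional[int] = None, step: int = 30,
                window: int = 1, digits: int = 6) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbouring steps to absorb
    clock skew. Comparison is constant-time. A production server must additionally remember the
    last accepted step so the same code cannot be replayed within its validity period."""
    if at is None:
        at = int(time.time())
    if len(code) != digits or not code.isdigit():
        return False
    current = at // step
    return any(hmac.compare_digest(hotp(secret_b32, current + k, digits), code)
               for k in range(-window, window + 1))


def provisioning_uri(secret_b32: str, account: str, issuer: str, digits: int = 6, step: int = 30) -> str:
    """The otpauth:// URI that a TOTP QR code encodes (Google Authenticator key URI format)."""
    label = quote(f"{issuer}:{account}", safe="")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer, safe='')}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    # Placeholder issuer/account names; a real deployment would use its own.
    print("URI for the QR code:", provisioning_uri(DEMO_SECRET_B32, "otp", "VPN-EXAMPLE"))
    print("Current code:", totp(DEMO_SECRET_B32))
```

The window of one step on each side is why a code scanned from the phone still works for up to thirty seconds after it changes; the multiOTP check in the web interface and the later RADIUS check both rely on the server's clock being in sync with the phone's.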

Step 4. Additional configuration and testing of FreeRADIUS
As I mentioned above, multiOTP is already configured to work with FreeRADIUS; all that remains is to run a test and add information about our VPN gateway to the FreeRADIUS configuration file.

We return to the server console, go to the /usr/local/bin/multiotp/ directory, and enter:

./multiotp.php -config debug=1
./multiotp.php -config display-log=1

thereby enabling more detailed logging.

In the FreeRADIUS clients configuration file (/etc/freeradius/clients.conf) comment out all lines related to localhost and add two entries:

client localhost {
        ipaddr = 127.0.0.1
        secret          = testing321
        require_message_authenticator = no
}

- for testing

client 192.168.1.254/32 {
        shortname =     CiscoASA
        secret =        ConnectToRADIUSSecret
}

- for our VPN gateway.

Restart FreeRADIUS and try to log in:

radtest username 100110 localhost 1812 testing321

where username = the user name, 100110 = the password shown by the application on the phone, localhost = the RADIUS server address, 1812 = the RADIUS server port, testing321 = the RADIUS client secret (the one we specified in the configuration).

The output of this command will look roughly as follows:

Sending Access-Request of id 44 to 127.0.0.1 port 1812
        User-Name = "username"
        User-Password = "100110"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 1812
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=44, length=20

Now we need to make sure the user was actually authenticated. To do this, look at the log of multiotp itself:

tail /var/log/multiotp/multiotp.log

And if the last entries contain:

2016-09-01 08:58:17     notice  username  User    OK: User username successfully logged in from 127.0.0.1
2016-09-01 08:58:17     debug           Debug   Debug: 0 OK: Token accepted from 127.0.0.1

then everything went fine and we can move on.
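The radtest exchange above (an Access-Request with User-Name, User-Password, NAS-IP-Address, NAS-Port and Message-Authenticator, answered by a 20-byte Access-Accept) is plain RFC 2865/2869 RADIUS, and the same exchange is what the ASA will later send to the multiOTP box. The following is an added example, not code from the article, FreeRADIUS or multiOTP: it builds and signs such a request, and a minimal server routine recovers the one-time code from the User-Password attribute and answers Accept or Reject. The secret testing321 is the one from clients.conf above; the username and code are the constructed values from the radtest run; check_credentials is a stand-in for the multiOTP lookup.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used below (RFC 2865 / RFC 2869).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, MESSAGE_AUTHENTICATOR = 1, 2, 4, 5, 80

# The localhost client secret from clients.conf above.
DEMO_SECRET = b"testing321"


def encrypt_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block),
    chaining from the Request Authenticator. This hides the OTP only as well as the shared secret."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out


def decrypt_user_password(enc: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of the above; the server chains on the received ciphertext blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(enc), 16):
        out += bytes(a ^ b for a, b in zip(enc[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = enc[i:i + 16]
    return out.rstrip(b"\x00")


def attr(kind: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; the length octet covers itself and the type."""
    return struct.pack("!BB", kind, 2 + len(value)) + value


def parse_attributes(data: bytes) -> list:
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_access_request(ident, secret, username, password, nas_ip="127.0.1.1", nas_port=1812,
                         authenticator=None):
    """Client (radtest / the ASA) side: the same five attributes radtest prints."""
    ra = authenticator or os.urandom(16)            # Request Authenticator: 16 fresh random octets
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, encrypt_user_password(password.encode(), secret, ra))
             + attr(NAS_IP_ADDRESS, bytes(int(x) for x in nas_ip.split(".")))
             + attr(NAS_PORT, struct.pack("!I", nas_port))
             + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))   # zero placeholder, signed below
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs
    # RFC 2869 5.14: HMAC-MD5 over the whole packet with the attribute zeroed, then filled in.
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server side: rebuild the packet with Message-Authenticator zeroed and recompute the HMAC."""
    attrs = parse_attributes(packet[20:])
    received = next((v for k, v in attrs if k == MESSAGE_AUTHENTICATOR), None)
    if received is None or len(received) != 16:
        return False
    zeroed = packet[:20] + b"".join(
        attr(k, b"\x00" * 16 if k == MESSAGE_AUTHENTICATOR else v) for k, v in attrs)
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), received)


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: the id must match our request and the Response Authenticator must recompute."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def handle_access_request(packet: bytes, secret: bytes, check_credentials) -> bytes:
    """Minimal server: verify the HMAC, recover the OTP from User-Password, ask the OTP backend."""
    if len(packet) < 20 or packet[0] != ACCESS_REQUEST or not verify_message_authenticator(packet, secret):
        return build_response(ACCESS_REJECT, packet, secret)
    attrs = dict(parse_attributes(packet[20:]))
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    otp = decrypt_user_password(attrs.get(USER_PASSWORD, b""), secret, packet[4:20]).decode(errors="replace")
    code = ACCESS_ACCEPT if check_credentials(user, otp) else ACCESS_REJECT
    return build_response(code, packet, secret)


if __name__ == "__main__":
    req = build_access_request(44, DEMO_SECRET, "username", "100110")
    # check_credentials stands in for multiOTP; here it accepts the one constructed code.
    resp = handle_access_request(req, DEMO_SECRET, lambda u, c: u == "username" and c == "100110")
    print("Access-Accept" if resp[0] == ACCESS_ACCEPT else "Access-Reject", "id", resp[1], "length", len(resp))
```

Two points worth noting from the code: the all-zero Message-Authenticator that radtest prints is the placeholder over which the HMAC is computed just before sending, and the only thing protecting the one-time code in transit between the ASA and the multiOTP server is the MD5-based User-Password hiding keyed by the shared secret. That is why the secret in clients.conf should be long and random, and why the RADIUS leg should stay on a trusted management network.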

Step 5: Configure the Cisco ASA
Let's assume that we already have a group and policies configured for SSL VPN access, integrated with Active Directory, and that we need to add two-factor authentication to this profile.

1. Add a new AAA server group:

2. Add our multiOTP server to the group:

3. Edit the connection profile, setting the Active Directory server group as the primary authentication server:

4. In the Advanced -> Authentication tab we also select the Active Directory server group:

5. In the Advanced -> Secondary authentication tab, select the newly created server group in which the multiOTP server is registered. Note that the session username is inherited from the primary AAA server group:

Apply the settings and

Step 6, aka the final one
Let's check whether two-factor authentication works for the SSL VPN:

Voila! When connecting with the Cisco AnyConnect VPN Client, you will additionally be asked for a second, one-time password.

I hope this article is useful to someone, and that it gives someone food for thought about using this free OTP server for other tasks. Share in the comments if you like.

Source: www.hab.com
