Moving to 2FA (two-factor authentication for ASA SSL VPN)

The need to provide remote access in a corporate environment comes up more and more often, whether it is your own employees or your partners who need access to a particular server in your organization.

For these purposes most companies use VPN technology, which has proven itself as a reliably protected way of giving access to an organization's local resources.

My company is no exception; we, like many others, use this technology. And, like many others, we use a Cisco ASA 55xx as the remote access gateway.

As the number of remote users grows, it becomes necessary to simplify the process of issuing credentials. But at the same time this has to be done without compromising security.

For ourselves, we found a solution in two-factor authentication for connections via Cisco SSL VPN, using one-time passwords. This article will tell you how to set up such a solution with minimal time and zero cost for the necessary software (provided you already have a Cisco ASA in your infrastructure).

The market is full of boxed solutions for generating one-time passwords, offering many ways to obtain them: sending the password by SMS, or using tokens, both hardware and software (for example, on a mobile phone). But the desire to save money, and the desire to save money for my employer, in the current crisis, forced me to find a free way to implement a service for generating one-time passwords. One which, although free, is not much inferior to commercial solutions (a reservation should be made here, noting that this product also has a commercial version, but we agreed that our costs, in money, would be zero).

So, we will need:

- A Linux image with the tools already built in - multiOTP, FreeRADIUS and nginx, for accessing the server via the web (http://download.multiotp.net/ - I used the ready-made image for VMware)
- An Active Directory server
- The Cisco ASA itself (for convenience, I use ASDM)
- Any software token that supports the TOTP mechanism (I, for example, use Google Authenticator, but FreeOTP will do just as well)

I will not go into the details of how the image is deployed. As a result, you get Debian Linux with multiOTP and FreeRADIUS already installed and configured to work together, plus a web interface for OTP administration.

Step 1. Start the system and configure it for your network
By default the system comes with root / root credentials. I think everyone realises that it is a good idea to change the root user's password after the first login. You also need to change the network settings (by default it is '192.168.1.44' with gateway '192.168.1.1'). After that you can reboot the system.

Let's create a user otp in Active Directory, with the password MySuperPassword.

Step 2. Set up the connection and import Active Directory users
To do this we need access to the console, and directly to the multiotp.php file, with which we will configure the connection parameters for Active Directory.

Go to the /usr/local/bin/multiotp/ directory and run the following commands one after another:

./multiotp.php -config default-request-prefix-pin=0

Determines whether an additional (permanent) PIN is required when entering the one-time PIN (0 or 1)

./multiotp.php -config default-request-ldap-pwd=0

Determines whether the domain password is required when entering the one-time PIN (0 or 1)

./multiotp.php -config ldap-server-type=1

Specifies the type of LDAP server (0 = regular LDAP server, in our case 1 = Active Directory)

./multiotp.php -config ldap-cn-identifier="sAMAccountName"

Specifies the attribute from which the user name is taken (this value shows only the name, without the domain)

./multiotp.php -config ldap-group-cn-identifier="sAMAccountName"

The same, only for the group

./multiotp.php -config ldap-group-attribute="memberOf"

Specifies the attribute used to determine whether a user belongs to a group

./multiotp.php -config ldap-ssl=1

Whether to use a secure connection to the LDAP server (of course, yes!)

./multiotp.php -config ldap-port=636

Port for connecting to the LDAP server

./multiotp.php -config ldap-domain-controllers=adSRV.domain.local

The address of your directory server

./multiotp.php -config ldap-base-dn="CN=Users,DC=domain,DC=local"

Specify where to start searching for users in the domain

./multiotp.php -config ldap-bind-dn="[email protected]"

Specify a user with search rights in the directory

./multiotp.php -config ldap-server-password="MySuperPassword"

Specify that user's password for connecting to the directory

./multiotp.php -config ldap-network-timeout=10

Set the timeout for connecting to the directory server

./multiotp.php -config ldap-time-limit=30

Set the time limit for the user import operation

./multiotp.php -config ldap-activated=1

Activate the Active Directory connection configuration

./multiotp.php -debug -display-log -ldap-users-sync

Import the users from the directory

Step 3. Create a QR code for the token
Everything here is extremely simple. Open the OTP server's web interface in a browser, log in (don't forget to change the default administrator password!) and click the "Print" button:

The result of this action is a page with two QR codes. We boldly ignore the first of them (despite the attractive Google Authenticator / Authenticator / 2 Steps Authenticator caption) and just as boldly scan the second code into the software token on the phone:

(yes, I deliberately spoiled the QR code so that it cannot be read).

After completing these actions, your application will start generating a six-digit password every thirty seconds.

To be sure, you can check it in the same interface by entering your user name and the one-time password from the application on your phone. Did you get a positive response? Then we move on.

Step 4. Additional configuration and testing of the FreeRADIUS service
As I mentioned above, multiOTP is already configured to work with FreeRADIUS; all that remains is to run tests and add information about our VPN gateway to the FreeRADIUS configuration file.

We return to the server console, to the /usr/local/bin/multiotp/ directory, and enter:

./multiotp.php -config debug=1
./multiotp.php -config display-log=1

This enables more detailed logging.

In the FreeRADIUS clients configuration file (/etc/freeradius/clients.conf) comment out all lines relating to localhost and add two entries:

client localhost {
        ipaddr = 127.0.0.1
        secret          = testing321
        require_message_authenticator = no
}

- for testing

client 192.168.1.254/32 {
        shortname =     CiscoASA
        secret =        ConnectToRADIUSSecret
}

- for our VPN gateway.

Restart FreeRADIUS and try to log in:

radtest username 100110 localhost 1812 testing321

where username = the user name, 100110 = the password given to us by the application on the phone, localhost = the RADIUS server address, 1812 = the RADIUS port, testing321 = the RADIUS client secret (which we specified in the configuration).

The result of this command should look like this:

Sending Access-Request of id 44 to 127.0.0.1 port 1812
        User-Name = "username"
        User-Password = "100110"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 1812
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=44, length=20

Now we need to make sure that the user really was authenticated. To do this we look at the log of multiotp itself:

tail /var/log/multiotp/multiotp.log

And if the last entries there are:

2016-09-01 08:58:17     notice  username  User    OK: User username successfully logged in from 127.0.0.1
2016-09-01 08:58:17     debug           Debug   Debug: 0 OK: Token accepted from 127.0.0.1

Then everything went well and we can finish up.
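Looking at multiotp.log with tail is fine for one test login, but once the gateway is in production the same log is the place to notice a run of rejected one-time passwords against a single account. The following Python is an added example, not code from the article or from multiOTP: a small parser for lines in the layout of the two entries shown above, with a count of failures per (user, source address). The ERROR lines in the constructed sample are an assumption about multiOTP's failure wording, so the parser keys only on the "OK:" / "ERROR:" marker and the trailing "from <ip>", not on the exact sentence; the alert threshold and the function names are also assumptions.

```python
import re
from collections import Counter

# Constructed sample in the layout of the two multiotp.log lines on the page.
# The ERROR lines are assumed wording, not copied from a real multiOTP log.
SAMPLE_LOG = """\
2016-09-01 08:58:17\tnotice\tusername\tUser\tOK: User username successfully logged in from 127.0.0.1
2016-09-01 08:58:17\tdebug\t\tDebug\tDebug: 0 OK: Token accepted from 127.0.0.1
2016-09-01 09:02:41\tnotice\tusername\tUser\tERROR: User username failed to log in from 192.168.1.254
2016-09-01 09:02:55\tnotice\tusername\tUser\tERROR: User username failed to log in from 192.168.1.254
2016-09-01 09:03:10\tnotice\tusername\tUser\tERROR: User username failed to log in from 192.168.1.254
2016-09-01 09:05:00\tnotice\tjdoe\tUser\tOK: User jdoe successfully logged in from 192.168.1.254
2016-09-01 09:07:12\tnotice\tbob\tUser\tERROR: User bob failed to log in from 10.0.0.5
"""

# timestamp, level, then the rest of the line; columns may be tab- or space-separated
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<level>\w+)\s+(?P<rest>.*)$")
USER_RE = re.compile(r"\bUser (?P<user>\S+)")          # "User <name>" inside the message text
IP_RE = re.compile(r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_line(line):
    """Return a dict for an OK/ERROR entry, or None for anything else (blank, unparsable)."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rest = m.group("rest")
    if "OK:" in rest:
        outcome = "ok"
    elif "ERROR:" in rest:
        outcome = "error"
    else:
        return None
    user = USER_RE.search(rest)
    ip = IP_RE.search(rest)
    return {
        "ts": m.group("ts"),
        "level": m.group("level"),
        "outcome": outcome,
        "user": user.group("user") if user else None,
        "ip": ip.group("ip") if ip else None,
    }


def parse_log(text):
    """Keep only per-user events; the debug echo of a success carries no user and is dropped."""
    events = (parse_line(line) for line in text.splitlines())
    return [e for e in events if e and e["user"]]


def failures_by_user_and_source(events):
    """How many one-time passwords were rejected for each (user, source address) pair."""
    return Counter((e["user"], e["ip"]) for e in events if e["outcome"] == "error")


def flag_repeated_failures(events, threshold=3):
    """(user, source) pairs with at least `threshold` rejections: a burst of wrong codes
    from one source against one account is the signal worth alerting on."""
    return {pair for pair, n in failures_by_user_and_source(events).items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (user, ip), n in failures_by_user_and_source(evs).items():
        print(f"{user:<10} {ip:<16} {n} failed")
    print("flagged:", flag_repeated_failures(evs))
```

Run it over the real file with `parse_log(open("/var/log/multiotp/multiotp.log").read())`; the source address in these lines is the RADIUS client, so with the setup above it is the ASA's address for every VPN login, and the per-user count is the more useful of the two keys.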

Step 5: Configure the Cisco ASA
Let's agree that we already have a configured group and policy for access via SSL VPN, set up together with Active Directory; we need to add two-factor authentication to this profile.

1. Add a new AAA server group:

2. Add our multiOTP server to the group:

3. Edit the connection profile, setting the Active Directory server group as the primary authentication server:

4. On the Advanced -> Authentication tab we also select the directory server group:

5. On the Advanced -> Secondary Authentication tab, select the newly created server group in which the multiOTP server is registered. Note that the user name is inherited from the primary AAA server group:

Apply the settings and

Step 6, the final one
Let's check whether two-factor authentication works for the SSL VPN:

Voila! When connecting via the Cisco AnyConnect VPN Client, you will also be asked for a second, one-time password.

I hope this article helps someone, and also gives someone food for thought on how to use this free OTP server for other tasks. Share in the comments if you wish.

source: www.habr.com
