ืื ืื ืืืืืช ืื-ืืืจืื ืืื ืื ืจืฆืื ืืื ืขืืงืฆื ื, ืืื ืืื ืืกืฃ ืืืกืืืื ื ืืืืจื ืืืืืคื ืืืื ืื ืืฆืืขืื ืืืืฉืืจ ืืืฆื ืจืื ืืื.
ืืคืชืจืื ืืื ืืื ืื ืืฉืื ืกืืคืจ ืืงืืจื, ืืื ืฉืืืื ืฉื ืคืชืจืื ืืช ืฉืื ืื ืฉื ืืฆืืื ืืืื ืืจื ื.
ืื ืื ื ืชืื
ะะพะผะตะฝ ืฉื Active Directory.
ืืฉืชืืฉื ืืืืืื ืฉืขืืืืื ืืืืฆืขืืช VPN, ืืื ืจืืื ืืืื.
ืคืืขื ืืฉืขืจ VPN ืืืืื.
ืฉืืืจืช ืืกืืกืื ืขืืืจ ืืงืื ื-VPN ืืกืืจื ืขื ืคื ืืืื ืืืช ืืืืืื.
ืคึผืึนืึดืืึดืืงึธื ืคืืจืืื ื ืืืืก ืืืกืืืื ืื ืฉืื, ืืชื ืื ืืืื ืืงืจืื ืืื ืคืืืช ื-zhlob - ืืฉ ืขื 10 ืืกืืืื ืื ืืืื ื, ืืฉืืจ - ืืืืืจ ืืืื ืื ืืฉืจ. ืื ืฉืงืืชื RSASecureID, Duo ืืืืืื, ืื ืื ื ืจืืฆื ืงืื ืคืชืื.
ืืจืืฉืืช ืงืื: ืืืจื * nix ืขื ืืืืกืก freeradius, ssd - ื ืื ืก ืืืืืืื, ืืฉืชืืฉื ืืืืืืื ืืืืืื ืืืฆืข ืืืืืช ืื ืืงืืืช.
ืืืืืืช ื ืืกืคืืช: ืชืืืช ืฉืืื ื, ืคืืืื, freeradius-ldap, ืืืคื rebel.tlf ืืืืืืจ
ืืืืืื ืฉืื - CentOS 7.8.
ืืืืืืื ืืขืืืื ืืืืจ ืืืืืช ืืืืงืื: ืืขืช ืืืืืจ ื-VPN, ืืืฉืชืืฉ ืืืื ืืืืื ืื ืืกื ืืืืืืื ื-OTP ืืืงืื ืกืืกืื.
ืืืืจืช ืฉืืจืืชืื
ะ /etc/raddb/radiusd.conf ืจืง ืืืฉืชืืฉ ืืืงืืืฆื ืืืขืื ืืชืืืืื freeradius, ืืื ืืฉืืจืืช ืจืืืืก ืืืืจ ืืืืืช ืืกืืื ืืงืจืื ืงืืฆืื ืืื ืกืคืจืืืช ืืืฉื ื /ืืืช/.
user = root
group = root
ืืื ืืืืืช ืืกืืื ืืืฉืชืืฉ ืืงืืืฆืืช ืืืืืจืืช ืืืืื, ืืฉ ืืืขืืืจ ืชืืื ื ืกืคืฆืืคืืช ืืกืคืง. ืืื ืืขืฉืืช ืืืช, ืืืืจืื raddb/policy.d ืื ื ืืืฆืจ ืงืืืฅ ืขื ืืชืืื ืืื:
group_authorization {
    if (&LDAP-Group[*] == "CN=vpn_admins,OU=vpn-groups,DC=domain,DC=local") {
        update reply {
            &Fortinet-Group-Name = "vpn_admins"
        }
        update control {
            &Auth-Type := PAM
            &Reply-Message := "Welcome Admin"
        }
    }
    else {
        update reply {
            &Reply-Message := "Not authorized for vpn"
        }
        reject
    }
}
ืืืืจ ืืืชืงื ื freeradius-ldap ืืกืคืจืืื raddb/mods-available ืืงืืืฅ ื ืืฆืจ ldap.
ืขืืื ืืืฆืืจ ืงืืฉืืจ ืกืืื ืืกืคืจืืื ืืืคืขืืช raddb/mods.
ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap
ืื ื ืืฆืื ืืช ืชืืื ื ืืืืงืื:
ldap {
    # Plain ldap:// on port 389 by default: the bind password (and, in the
    # challenge-response variant, every user's domain password) crosses the
    # network in the clear unless you use ldaps:// or enable start_tls in a tls {} block.
    server = 'domain.local'
    # Service account used for searches; an ordinary domain user with read rights is enough
    identity = 'CN=freerad_user,OU=users,DC=domain,DC=local'
    password = "SupeSecretP@ssword"
    base_dn = 'dc=domain,dc=local'
    sasl {
    }
    user {
        base_dn = "${..base_dn}"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
        sasl {
        }
        scope = 'sub'
    }
    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=Group)'
        scope = 'sub'
        name_attribute = cn
        membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
        membership_attribute = 'memberOf'
    }
}
ืืงืืฆืื raddb/sites-enabled/default ะธ raddb/sites-enabled/inner-tunnel ืืกืขืืฃ ืืืฉืจ ืื ื ืืืกืืฃ ืืช ืฉื ืืืืื ืืืช ืฉืื ืืฉ ืืืฉืชืืฉ - group_authorization. ื ืงืืื ืืฉืืื - ืฉื ืืคืืืืกื ืื ื ืงืืข ืืคื ืฉื ืืงืืืฅ ืืกืคืจืื ืืืื ืืืช.ื, ืืื ืืคื ืื ืืื ืืชืื ืืงืืืฅ ืืคื ื ืืคืืื ืืืชืืืชืืช.
ืืงืืข ืืืืช ืืืืชื ืงืืฆืื ืืชื ืฆืจืื ืืืื ืืช ืืืขืจื ืืฉืืจื ืคืื.
ืืงืืืฅ clients.conf ืืจืฉืื ืืช ืืคืจืืืจืื ืฉืืืชื ืืื ืืชืืืจ ืืืืื:
client fortigate {
    ipaddr = 192.168.1.200
    # Shared secret. testing123 is the well-known default from the sample config;
    # use a long random value in production and set the same one on the FortiGate.
    secret = testing123
    # "no" accepts Access-Requests that carry no Message-Authenticator attribute;
    # switch to "yes" once you have confirmed the FortiGate always sends one.
    require_message_authenticator = no
    nas_type = other
}
ืชืฆืืจืช ืืืืื pam.d/radiusd:
#%PAM-1.0
auth sufficient pam_google_authenticator.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
session include password-auth
ืืคืฉืจืืืืช ืืืฉืื ืืืืืืช ืืจืืจืช ืืืื freeradius ั ืืืืช ืฉื ืืืจืืฉ ืืืืฉืชืืฉ ืืืืื ืืืฉืืจืื ืืคืืจืื: ืฉื ืืฉืชืืฉ ืกืืกืื+OTP.
ืขื ืืื ืืืืืื ืืกืคืจ ืืงืืืืช ืฉืืืคืื ืขื ืืจืืฉ, ืืืงืจื ืฉื ืฉืืืืฉ ืืืืืืช ืืจืืจืช ืืืืื freeradius ั ืืืืช Google, ืืืืื ืืืฉืชืืฉ ืืชืฆืืจืช ืืืืืื ืคืื ืื ืฉืจืง ืืืกืืืื ืืกืืื ืืืืช Google.
ืืืฉืจ ืืฉืชืืฉ ืืชืืืจ, ืืชืจืืฉืื ืืืืจืื ืืืืื:
- Freeradius ืืืืง ืื ืืืฉืชืืฉ ื ืืฆื ืืืืืืื ืืืงืืืฆื ืืกืืืืช, ืืื ืืฆืืื, ืืืืง ืืช ืืกืืืื ื-OTP.
ืืื ื ืจืื ืืื ืืกืคืืง ืขื ืืจืืข ืฉืื ืืฉืืชื "ืืื ืื ื ืืืื ืืจืฉืื OTP ืขืืืจ 300+ ืืฉืชืืฉืื?"
ืืืฉืชืืฉ ืืืื ืืืชืืืจ ืืฉืจืช ืขื freeradius ืืืืืฉืืื ืฉืื ืืืคืขื ืืช ืืืคืืืงืฆืื ืืืืช ืืืื, ืืฉืจ ืืคืืง ืงืื QR ืขืืืจ ืืืคืืืงืฆืื ืขืืืจ ืืืฉืชืืฉ. ืืื ื ืื ืกืช ืขืืจื. ืชืืืช ืฉืืื ื ืืงืืืืื ืฆืื ืขื .bash_profile.
[root@freeradius ~]# yum install -y shellinabox
ืงืืืฅ ืืชืฆืืจื ืฉื ืืืืื ื ืืฆื ื /etc/sysconfig/shellinabox.
ืื ื ืืฆืืื ืฉื ืืฆืืื 443 ืืืชื ืืืื ืืฆืืื ืืช ืืืืฉืืจ ืฉืื.
[root@freeradius ~]#systemctl enable --now shellinaboxd
ืืืฉืชืืฉ ืฆืจืื ืจืง ืืขืงืื ืืืจ ืืงืืฉืืจ, ืืืืื ืงืจืืืืื ืืืืืืื ืืืงืื ืงืื QR ืขืืืจ ืืืคืืืงืฆืื.
ืืืืืืจืืชื ืืื ืืืืงืื:
- ืืืฉืชืืฉ ืืชืืืจ ืืืืื ื ืืืืฆืขืืช ืืคืืคื.
- ืืกืืื ืื ืืืฉืชืืฉ ืืื ืืฉืชืืฉ ืืืืืื. ืื ืื, ืื ืื ื ืขืฉื ืื ืคืขืืื.
- ืื ืืืฉืชืืฉ ืืื ืืฉืชืืฉ ืืืืืืื, ืืืืจืืช ืืงืืืฆืช Administrators ืืกืืื ืช.
- ืื ืืื ื ืื ืื, ืืื ืืืืง ืื Google Authenticator ืืืืืจ. ืื ืื, ืื ื ืืฆืจ ืงืื QR ืืืชื ืชืง ืืฉืชืืฉ.
- ืื ืื ืืืืืจ ืื ืื ืืขืจืืช ื-Google Authenticator, ืคืฉืื ืืชื ืชืง.
- ืื ืื ืื ืืขืจืืช, ืืืืง ืฉืื ืืช Google Authenticator. ืื ืื ืืืืืจ, ื ืืฆืจ ืงืื QR.
ืื ืืืืืืื ื ืขืฉื ืืืืฆืขืืช /etc/skel/.bash_profile.
cat /etc/skel/.bash_profile
# .bash_profile
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
    . ~/.bashrc
fi
# User specific environment and startup programs
# Non-admin users and domain (non-local) users get a PATH that holds only the
# few commands the enrolment needs. Absolute paths still work, so this is not
# a security boundary.
if [[ -z $(id "$USER" | grep "admins") || -z $(grep "^$USER:" /etc/passwd) ]]
then
    [[ ! -d "$HOME/bin" ]] && mkdir "$HOME/bin"
    [[ ! -f "$HOME/bin/id" ]] && ln -s /usr/bin/id "$HOME/bin/id"
    [[ ! -f "$HOME/bin/google-auth" ]] && ln -s /usr/bin/google-authenticator "$HOME/bin/google-auth"
    [[ ! -f "$HOME/bin/grep" ]] && ln -s /usr/bin/grep "$HOME/bin/grep"
    [[ ! -f "$HOME/bin/figlet" ]] && ln -s /usr/bin/figlet "$HOME/bin/figlet"
    [[ ! -f "$HOME/bin/rebel.tlf" ]] && ln -s /usr/share/figlet/rebel.tlf "$HOME/bin/rebel.tlf"
    [[ ! -f "$HOME/bin/sleep" ]] && ln -s /usr/bin/sleep "$HOME/bin/sleep"
    # Set PATH env to <home user directory>/bin
    PATH=$HOME/bin
    export PATH
else
    PATH=$PATH:$HOME/.local/bin:$HOME/bin
    export PATH
fi
# Enrolment: print the instructions, then let google-authenticator create the
# secret and display the QR code.  Options: -f overwrite an existing file,
# -t time-based codes, -w 3 window of three codes, -r 3 -R 30 at most three
# logins per 30 seconds, -d disallow reuse of a code, -e 1 one emergency scratch code.
enroll_otp() {
    figlet -t -f "$HOME/bin/rebel.tlf" "Welcome to Company GAuth setup portal"
    sleep 1.5
    echo "Please, run any of these software on your device, where you would like to setup OTP:
Google Authenticator:
AppStore - https://apps.apple.com/us/app/google-authenticator/id388497605
Play Market - https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
FreeOTP:
AppStore - https://apps.apple.com/us/app/freeotp-authenticator/id872559395
Play Market - https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=en
And prepare to scan QR code.
"
    sleep 5
    google-auth -f -t -w 3 -r 3 -R 30 -d -e 1
    echo "Congratulations, now you can use an OTP token from application as a password connecting to VPN."
}
if [[ -n $(id "$USER" | grep "domain users") ]]
then
    if [[ ! -e "$HOME/.google_authenticator" ]]
    then
        enroll_otp
        # Non-admins are logged out once the QR code has been shown; admins keep their shell.
        if [[ -z $(id "$USER" | grep "admins") ]]
        then
            logout
        fi
    else
        echo "You have already setup a Google Authenticator"
        if [[ -z $(id "$USER" | grep "admins") ]]
        then
            logout
        fi
    fi
else
    echo "You don't need to set up a Google Authenticator"
fi
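What pam_google_authenticator actually checks at the OTP step, for a ~/.google_authenticator file created with the options used in the enrolment script above (-t -w 3 -r 3 -R 30 -d -e 1), as an added Python example that is not part of the article or of the PAM module. It parses the file format (base32 secret, `" OPTION` lines, scratch codes), computes the TOTP and applies the window and the disallow-reuse list. Assumptions: RATE_LIMIT is parsed but not enforced, the sample file below is constructed for the demo (its secret is the RFC 6238 test key), and WINDOW_SIZE W is read as the current step plus (W-1)/2 steps on either side.

```python
import base64
import hashlib
import hmac
import struct


def parse_ga_file(text: str) -> dict:
    """Line 1: base32 secret. Lines starting with '" ' carry options, e.g.
    '" TOTP_AUTH', '" WINDOW_SIZE 3', '" DISALLOW_REUSE 37037036' (the numbers
    after DISALLOW_REUSE are time steps already accepted). Remaining 8-digit
    lines are one-shot emergency scratch codes."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    cfg = {"secret": lines[0], "options": {}, "scratch": []}
    for line in lines[1:]:
        if line.startswith('"'):
            key, *args = line[1:].split()
            cfg["options"][key] = args
        else:
            cfg["scratch"].append(line)
    return cfg


def render_ga_file(cfg: dict) -> str:
    """Inverse of parse_ga_file; the PAM module rewrites the file after each use."""
    lines = [cfg["secret"]]
    lines += [" ".join(['"', key] + args) for key, args in cfg["options"].items()]
    lines += cfg["scratch"]
    return "\n".join(lines) + "\n"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1; TOTP is HOTP over the 30-second step number."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify(cfg: dict, code: str, now: int, step: int = 30) -> tuple:
    """Return (accepted, updated_cfg). Scratch codes are tried first and burnt on
    use; then the TOTP is matched inside the window; with DISALLOW_REUSE a time
    step that already produced an accepted code is refused (replay of a code)."""
    cfg = {"secret": cfg["secret"],
           "options": {k: list(v) for k, v in cfg["options"].items()},
           "scratch": list(cfg["scratch"])}
    if code in cfg["scratch"]:
        cfg["scratch"].remove(code)
        return True, cfg
    if "TOTP_AUTH" not in cfg["options"]:
        return False, cfg
    window = int(cfg["options"].get("WINDOW_SIZE", ["3"])[0])
    tm = now // step
    used = cfg["options"].get("DISALLOW_REUSE")  # None when reuse is allowed
    for skew in range(-((window - 1) // 2), window // 2 + 1):
        if tm + skew < 0 or hotp(cfg["secret"], tm + skew) != code:
            continue
        if used is not None:
            if str(tm + skew) in used:
                return False, cfg  # same code presented twice: replay
            used.append(str(tm + skew))
            used[:] = [u for u in used if int(u) > tm - window]  # forget stale entries
        return True, cfg
    return False, cfg


# Constructed sample file (assumption, not a real user's file); the secret is the
# RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_GA_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
12345678
"""

if __name__ == "__main__":
    cfg = parse_ga_file(SAMPLE_GA_FILE)
    ok, cfg = verify(cfg, "287082", now=59)   # RFC 6238 vector for T=59
    print("first use:", ok)
    ok, cfg = verify(cfg, "287082", now=75)   # same code on the next request
    print("replay   :", ok)
    print(render_ga_file(cfg), end="")
```

The replay rejection is what -d buys you: a code captured from one VPN login cannot be replayed within its 30-second validity, which matters here because the OTP travels inside a PAP password that is only MD5-obfuscated with the RADIUS shared secret.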
ืืชืงื ื ืืืงื:
- ืื ืื ื ืืืฆืจืื ืจึทืึดืืึผืก-ืฉืจืช
- ืื ื ืืืฆืจืื ืืช ืืงืืืฆืืช ืืืจืืฉืืช, ืืืืืช ืืฆืืจื, ืืงืจืช ืืืฉื ืืคื ืงืืืฆืืช. ืฉื ืืงืืืฆื ืืืคืืข ืืืืื ืืืื ืืืชืืื ืืงืืืฆื ืืืืขืืจืช ืชืืื ื ืกืคืฆืืคืืช ืืกืคืง Fortinet-Group-Name.
- ืขืจืืืช ืืืจืืฉ SSL-ืคืืจืืืื.
- ืืืกืคืช ืงืืืฆืืช ืืืืื ืืืช.
ืืืชืจืื ืืช ืฉื ืคืชืจืื ืื:
- ื ืืชื ืืืฆืข ืืืืืช ืืืืฆืขืืช OTP ืืืคืขื ืืืืื ืคืชืจืื ืงืื ืคืชืื.
- ืืืฉืชืืฉ ืืื ื ืืืื ืกืืกืืช ืืืืืื ืืขืช โโืืืืืจ ืืืืฆืขืืช VPN, ืื ืฉืืคืฉื ืืขื ืืช ืชืืืื ืืืืืืจ. ืงื ืืืชืจ ืืืืื ืืช ืืกืืกืื ืืช 6 ืืกืคืจืืช ืืื ืฉืืกืคืงืช ืืืื ืืืช ืืืืืื. ืืชืืฆืื ืืื, ืืกืคืจ ืืืจืืืกืื ืขื ืื ืืฉื: "ืื ื ืื ืืืื ืืืชืืืจ ื-VPN" ืืืจื.
ื .ื. ืื ื ืืชืื ื ืื ืืฉืืจื ืืช ืืคืชืจืื ืืื ืืืืืืช ืื-ืืืจืื ืืื ืขื ืืชืืจ-ืชืืืื.
ืขืืืื:
ืืคื ืฉืืืืื, ืฉืื ืืชื ืืืชื ืืืคืฉืจืืช ืืืชืืจ-ืชืืืื.
ืื:
ืืงืืืฅ /etc/raddb/sites-enabled/default ืกึธืขึดืืฃ ืืืฉืจ ืืื ืืืืงืื:
authorize {
    filter_username
    preprocess
    auth_log
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    files
    -sql
    #-ldap
    expiration
    logintime
    if (!State) {
        if (&User-Password) {
            # First request (no State, PAP): check the domain password with an LDAP
            # bind as the bare User-Name. Active Directory accepts non-DN names as
            # the bind identity, which is what makes this work.
            update control {
                Ldap-UserDN := "%{User-Name}"
                Auth-Type := LDAP
            }
        }
        else {
            reject
        }
    }
    else {
        # State present: this is the OTP reply. group_authorization checks the group
        # and sets Auth-Type := PAM, so the token is verified by pam_google_authenticator.
        group_authorization
    }
    pap
}
ืืืืจ ืืืืช ืขืืฉืื ื ืจืื ืื:
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    mschap
    digest
    # Attempt authentication with a direct LDAP bind:
    Auth-Type LDAP {
        ldap
        if (ok) {
            update reply {
                # Create a random State attribute:
                State := "%{randstr:aaaaaaaaaaaaaaaa}"
                Reply-Message := "Please enter OTP"
            }
            # Return Access-Challenge:
            challenge
        }
    }
    pam
    eap
}
ืืขืช ืืืฉืชืืฉ ืืืืืช ืืืืฆืขืืช ืืืืืืจืืชื ืืื:
- ืืืฉืชืืฉ ืืืื ืืืืื ืืืืืื ืืืงืื ื-VPN.
- Freeradius ืืืืง ืืช ืชืงืคืืช ืืืฉืืื ืืืกืืกืื
- ืื ืืกืืกืื ื ืืื ื, ื ืฉืืืช ืืงืฉื ืืงืืืช ืืกืืืื.
- ืืืกืืืื ืืืืืช.
- ืจืืื).
ืืงืืจ: www.habr.com