Whether it is an employee or a partner who needs access to specific servers inside the organization, the need to provide remote access to the corporate environment keeps growing.
For this purpose most companies use VPN technology, which has proven to be a reliably protected way of giving access to an organization's local resources.
My company is no exception and, like many others, uses this technology. And, like many other companies, we use a Cisco ASA 55xx as the remote access gateway.
As the number of remote users grows, the procedure for issuing credentials has to be simplified, and at the same time this must be done without compromising security.
We found the solution in two-factor authentication with one-time passwords for connections over the Cisco SSL VPN. This article describes how to build such a solution while keeping the cost of the required software to a minimum (assuming a Cisco ASA already exists in the infrastructure).
The market offers plenty of packaged solutions for generating one-time passwords, with many ways of obtaining them: delivery by SMS, hardware tokens, software tokens (on a mobile phone, for example), and so on. But in the current crisis, the wish to save money, both our own and the employer's, meant we had to find a way to implement a one-time password service for free. It is not free in every sense, but it is not much inferior to commercial solutions (a reservation is needed here: this product does have a commercial version, but let us agree that its monetary cost to us is zero).
So we need the following:
- A Linux image with a built-in set of tools for accessing the server via the web (multiOTP, FreeRADIUS, nginx) (http://download.multiotp.net/ - I used the ready-made image for VMware)
- An Active Directory server
- The Cisco ASA itself (for convenience I use ASDM)
- A software token that supports the TOTP mechanism (I use Google Authenticator, for example, but FreeOTP would do just as well)
I will not describe in detail how the image is deployed. The result is a Debian Linux with multiOTP and FreeRADIUS already installed and configured to work together, plus a web interface for managing OTP.
Step 1. Start the system and configure it for the network
By default the system comes with root credentials. I assume everyone can guess that it is wise to change the root password after the first login. The network settings also need to be changed (by default the address is 192.168.1.44 with gateway 192.168.1.1). After that the system can be rebooted.
We created a user in Active Directory named otp with the password MySuperPassword.
Step 2. Set up the connection and import Active Directory users
This requires console access and working directly with the multiotp.php file, through which the Active Directory connection settings are configured.
Go to the /usr/local/bin/multiotp/ directory and run the following commands in order:
./multiotp.php -config default-request-prefix-pin=0
Determines whether an additional (permanent) PIN is required when the one-time PIN is entered (0 or 1)
./multiotp.php -config default-request-ldap-pwd=0
Determines whether the domain password is required when the one-time PIN is entered (0 or 1)
./multiotp.php -config ldap-server-type=1
Specifies the LDAP server type (0 = a regular LDAP server; in our case 1 = Active Directory)
./multiotp.php -config ldap-cn-identifier="sAMAccountName"
Specifies the format in which user names are presented (this value shows only the name, without the domain)
./multiotp.php -config ldap-group-cn-identifier="sAMAccountName"
The same, but for groups
./multiotp.php -config ldap-group-attribute="memberOf"
Specifies how to determine whether a user belongs to a group
./multiotp.php -config ldap-ssl=1
A secure connection to the LDAP server must be used (of course, yes!)
./multiotp.php -config ldap-port=636
Port for connecting to the LDAP server
./multiotp.php -config ldap-domain-controllers=adSRV.domain.local
Address of the Active Directory server
./multiotp.php -config ldap-base-dn="CN=Users,DC=domain,DC=local"
Specifies where in the domain the search for users starts
./multiotp.php -config ldap-bind-dn="[email protected]"
Specifies a user with search rights in Active Directory
./multiotp.php -config ldap-server-password="MySuperPassword"
Specifies the password of the user used to connect to Active Directory
./multiotp.php -config ldap-network-timeout=10
Sets the timeout for the connection to Active Directory
./multiotp.php -config ldap-time-limit=30
Sets a time limit for the user import operation
./multiotp.php -config ldap-activated=1
Activates the Active Directory connection configuration
./multiotp.php -debug -display-log -ldap-users-sync
Imports the users from Active Directory
Step 3. Generate the QR code for the token
Everything here is very simple. Open the OTP server's web interface in a browser, log in (do not forget to change the administrator's default password) and click the "Print" button.
The result is a page containing 2 QR codes. Boldly "ignore" the first code (despite its inviting caption naming Google Authenticator and similar authenticator apps) and, just as boldly, scan the second code into the software token on your phone.
(Yes, the QR codes in the screenshot were deliberately made unreadable.)
Once this is done, the application starts generating a new six-digit password every 30 seconds.
You can check it right there in the same interface: enter the user name and the one-time password from the phone application. Got a positive response? Then move on.
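What the software token does with the secret it scanned from the second QR code, written out as an added example (this is not code from the article or from multiOTP): the otpauth URI is parsed, the TOTP code is derived per RFC 6238 with the 30-second step and six digits the phone app shows, and the server-side check allows one step of clock drift. The sample URI, the label domain.local:otp and the issuer value are constructed here; the key is the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

STEP_SECONDS = 30   # TOTP time step used by Google Authenticator / FreeOTP
DIGITS = 6          # length of the one-time password shown by the app


def parse_otpauth(uri: str) -> bytes:
    """Extract the shared secret from an otpauth://totp/... URI (the QR code payload)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    secret = parse_qs(parsed.query)["secret"][0]
    secret += "=" * (-len(secret) % 8)  # QR payloads often omit base32 padding
    return base64.b32decode(secret.upper())


def totp(secret: bytes, unix_time: int, digits: int = DIGITS, step: int = STEP_SECONDS) -> str:
    """HOTP(K, floor(T / step)) with HMAC-SHA1 and dynamic truncation (RFC 4226 / RFC 6238)."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret: bytes, candidate: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps on either side (clock drift),
    comparing in constant time so the check does not leak how many digits matched."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


# Constructed sample URI: the RFC 6238 test key "12345678901234567890", base32-encoded.
SAMPLE_URI = "otpauth://totp/domain.local:otp?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=multiOTP"

if __name__ == "__main__":
    key = parse_otpauth(SAMPLE_URI)
    print(totp(key, 59))                # RFC 6238 vector for T=59 -> 287082
    print(verify(key, "287082", 75))    # one step later, still inside the window -> True
    print(totp(key, int(time.time())))  # what the phone app shows right now
```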
Step 4. Additional configuration and testing of FreeRADIUS operation
As mentioned above, multiOTP is already configured to work with FreeRADIUS. All that remains is to run a test and add the information about the VPN gateway to the FreeRADIUS configuration file.
Back in the server console, go to the /usr/local/bin/multiotp/ directory and enter:
./multiotp.php -config debug=1
./multiotp.php -config display-log=1
This enables more detailed logging.
In the FreeRADIUS client configuration file (/etc/freeradius/clients.conf) comment out all the lines relating to localhost and add two entries:
client localhost {
ipaddr = 127.0.0.1
secret = testing321
require_message_authenticator = no
}
- for testing
client 192.168.1.254/32 {
shortname = CiscoASA
secret = ConnectToRADIUSSecret
}
- for the VPN gateway.
Restart FreeRADIUS and try to log in:
radtest username 100110 localhost 1812 testing321
where username = the user name, 100110 = the password produced by the application on the phone, localhost = the RADIUS server address, 1812 = the RADIUS server port, testing321 = the RADIUS client's password (the one specified in the configuration).
The command produces output like this:
Sending Access-Request of id 44 to 127.0.0.1 port 1812
User-Name = "username"
User-Password = "100110"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=44, length=20
Next, make sure the user was actually authenticated successfully. To do this, check multiotp's own log:
tail /var/log/multiotp/multiotp.log
If the last entries are:
2016-09-01 08:58:17 notice username User OK: User username successfully logged in from 127.0.0.1
2016-09-01 08:58:17 debug Debug Debug: 0 OK: Token accepted from 127.0.0.1
then everything worked and we can finish.
Step 5: Configure the Cisco ASA
Let us agree that the group and policy for access via the SSL VPN are already configured and set up to work with Active Directory, so two-factor authentication has to be added to this profile.
1. Add a new AAA server group.
2. Add the multiOTP server to the group.
3. Edit the connection profile, setting the Active Directory server group as the main authentication server.
4. On the Advanced -> Authentication tab, select the Active Directory server group.
5. On the Advanced -> Secondary Authentication tab, select the newly created server group in which the OTP server is registered. Note that the session user name is inherited from the primary AAA server group.
Apply the settings.
Step 6, also known as the last step
Let us check whether two-factor authentication works on the SSL VPN.
Voila! When connecting through the Cisco AnyConnect VPN Client, a second, one-time password is requested.
I hope this article is useful to someone and gives them ideas about how to use a free OTP server (for other tasks too). Share in the comments if you like.
Source: habr.com