What to do when you really want two-factor authentication, but it stings: there is no money for hardware tokens, and in general you are told to hang in there and keep your spirits up.
This solution is nothing super original, but a mix of different solutions found on the Internet.
So, given:
An Active Directory domain.
Domain users working over VPN, as is fashionable now.
A FortiGate acting as the VPN gateway.
Saving the password in the VPN client is prohibited by the security policy.
Fortinet's policy regarding its own tokens can only be called stingy: there are as many as 10 free tokens, the rest come at a thoroughly non-kosher price. I did not consider RSA SecurID, Duo and the like, because I want open source.
Prerequisites: a *nix host with FreeRADIUS installed, sssd joined to the domain, so that domain users authenticate on it without difficulty.
Additional packages: shellinabox, figlet, freeradius-ldap, the rebel.tlf font from the repository.
In my example: CentOS 7.8.
The logic should be as follows: when connecting to the VPN, the user enters the domain login and an OTP instead of the password.
Service setup
In /etc/raddb/radiusd.conf only the user and group under which freeradius starts are changed, since the radiusd service must be able to read files in all subdirectories of /home/.
    user = root
    group = root
To be able to use groups in the FortiGate settings, a Vendor-Specific Attribute must be passed. To do this, in the raddb/policy.d directory I created a file with the following contents:
    group_authorization {
        if (&LDAP-Group[*] == "CN=vpn_admins,OU=vpn-groups,DC=domain,DC=local") {
            update reply {
                &Fortinet-Group-Name = "vpn_admins"
            }
            update control {
                &Auth-Type := PAM
                &Reply-Message := "Welcome Admin"
            }
        }
        else {
            update reply {
                &Reply-Message := "Not authorized for vpn"
            }
            reject
        }
    }
After installing freeradius-ldap, the file ldap is created in the raddb/mods-available directory.
You need to create a symbolic link to it in the raddb/mods-enabled directory:
    ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap
I brought its contents to the following form:
    ldap {
        server = 'domain.local'
        identity = 'CN=freerad_user,OU=users,DC=domain,DC=local'
        password = "SupeSecretP@ssword"
        base_dn = 'dc=domain,dc=local'
        sasl {
        }
        user {
            base_dn = "${..base_dn}"
            filter = "(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
            sasl {
            }
            scope = 'sub'
        }
        group {
            base_dn = "${..base_dn}"
            filter = '(objectClass=Group)'
            scope = 'sub'
            name_attribute = cn
            membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
            membership_attribute = 'memberOf'
        }
    }
In the files raddb/sites-enabled/default and raddb/sites-enabled/inner-tunnel, in the authorize section, I added the name of the policy to be used: group_authorization. An important point: the policy name is determined not by the file name in the policy.d directory, but by the directive in the file that precedes the curly brace.
In the authenticate section of the same files you need to uncomment the pam line.
In the clients.conf file, specify the parameters with which the FortiGate will connect:
    client fortigate {
        ipaddr = 192.168.1.200
        secret = testing123
        require_message_authenticator = no
        nas_type = other
    }
Configuration of the pam.d/radiusd module:
#%PAM-1.0
auth sufficient pam_google_authenticator.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
session include password-auth
The standard freeradius + google authenticator bundle requires the user to enter credentials in the format username / password+OTP.
Picturing the number of curses that would rain down on my head if the standard freeradius + Google Authenticator bundle were used, it was decided to use a pam module configuration in which only the Google Authenticator token is checked.
When a user connects, the following happens:
- FreeRADIUS checks that the user exists in the domain and is in the specified group and, if so, checks the OTP token.
Everything looked good enough until I thought: "How am I going to enroll OTP for 300+ users?"
The user has to log in to the freeradius server and, under their own account, run the google-authenticator application, which generates the QR code for the user's app. This is where shellinabox in combination with .bash_profile comes to the rescue.
[root@freeradius ~]# yum install -y shellinabox
The daemon configuration file is located in /etc/sysconfig/shellinabox.
I set port 443 there, and you can specify your own certificate.
    [root@freeradius ~]# systemctl enable --now shellinaboxd
The user only has to follow the link, enter domain credentials and receive the QR code for the app.
The algorithm is as follows:
- The user logs in to the machine through the browser.
- It is checked whether the user is a domain user. If not, no action is taken.
- If the user is a domain user, membership in the Administrators group is checked.
- If not an admin, it is checked whether Google Authenticator is already configured. If not, a QR code is generated and the user is logged out.
- If not an admin and Google Authenticator is already configured, the user is simply logged out.
- If an admin, Google Authenticator is checked as well. If it is not configured, a QR code is generated.
All the logic is implemented in /etc/skel/.bash_profile.
    cat /etc/skel/.bash_profile
    # .bash_profile
    # Get the aliases and functions
    if [ -f ~/.bashrc ]; then
        . ~/.bashrc
    fi
    # User specific environment and startup programs
    # Make several commands available from user shell.
    # Anyone not in the admins group, or not listed in /etc/passwd (i.e. a domain
    # account), gets a private ~/bin holding only the commands the enrolment
    # flow needs, and nothing else on PATH.
    if [[ -z $(id $USER | grep "admins") || -z $(cat /etc/passwd | grep $USER) ]]
    then
        [[ ! -d $HOME/bin ]] && mkdir $HOME/bin
        [[ ! -f $HOME/bin/id ]] && ln -s /usr/bin/id $HOME/bin/id
        [[ ! -f $HOME/bin/google-auth ]] && ln -s /usr/bin/google-authenticator $HOME/bin/google-auth
        [[ ! -f $HOME/bin/grep ]] && ln -s /usr/bin/grep $HOME/bin/grep
        [[ ! -f $HOME/bin/figlet ]] && ln -s /usr/bin/figlet $HOME/bin/figlet
        [[ ! -f $HOME/bin/rebel.tlf ]] && ln -s /usr/share/figlet/rebel.tlf $HOME/bin/rebel.tlf
        [[ ! -f $HOME/bin/sleep ]] && ln -s /usr/bin/sleep $HOME/bin/sleep
        # Set PATH env to <home user directory>/bin
        PATH=$HOME/bin
        export PATH
    else
        PATH=$PATH:$HOME/.local/bin:$HOME/bin
        export PATH
    fi
    # Only domain users go through enrolment. Admins keep their shell afterwards;
    # everyone else is logged out as soon as the QR code has been shown.
    if [[ -n $(id $USER | grep "domain users") ]]
    then
        if [[ ! -e $HOME/.google_authenticator ]]
        then
            if [[ -n $(id $USER | grep "admins") ]]
            then
                figlet -t -f $HOME/bin/rebel.tlf "Welcome to Company GAuth setup portal"
                sleep 1.5
                echo "Please, run any of these software on your device, where you would like to setup OTP:
    Google Authenticator:
    AppStore - https://apps.apple.com/us/app/google-authenticator/id388497605
    Play Market - https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
    FreeOTP:
    AppStore - https://apps.apple.com/us/app/freeotp-authenticator/id872559395
    Play Market - https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=en
    And prepare to scan QR code.
    "
                sleep 5
                # -t time-based, -w 3 code window, -r 3 -R 30 rate limit, -d no reuse, -e 1 emergency code
                google-auth -f -t -w 3 -r 3 -R 30 -d -e 1
                echo "Congratulations, now you can use an OTP token from application as a password connecting to VPN."
            else
                figlet -t -f $HOME/bin/rebel.tlf "Welcome to Company GAuth setup portal"
                sleep 1.5
                echo "Please, run any of these software on your device, where you would like to setup OTP:
    Google Authenticator:
    AppStore - https://apps.apple.com/us/app/google-authenticator/id388497605
    Play Market - https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
    FreeOTP:
    AppStore - https://apps.apple.com/us/app/freeotp-authenticator/id872559395
    Play Market - https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=en
    And prepare to scan QR code.
    "
                sleep 5
                google-auth -f -t -w 3 -r 3 -R 30 -d -e 1
                echo "Congratulations, now you can use an OTP token from application as a password to VPN."
                logout
            fi
        else
            echo "You have already setup a Google Authenticator"
            if [[ -z $(id $USER | grep "admins") ]]
            then
                logout
            fi
        fi
    else
        echo "You don't need to set up a Google Authenticator"
    fi
FortiGate setup:
- Create the RADIUS server.
- Create the required groups if access needs to be controlled by group. The group name on the FortiGate must match the group passed in the Fortinet-Group-Name Vendor-Specific Attribute.
- Edit the required SSL portal.
- Add the group to the policy.
Advantages of this solution:
- It is possible to authenticate by OTP on a FortiGate with an open-source solution.
- The user does not enter the domain password when connecting via VPN, which somewhat simplifies connecting. A 6-digit password is easier to enter than the one required by the security policy. As a result, the number of tickets with the subject "I can't connect to VPN" goes down.
P.S. We plan to upgrade this solution to full two-factor authentication with challenge-response.
Update:
As promised, I refined it into the challenge-response option.
So:
In /etc/raddb/sites-enabled/default the authorize section now looks like this:
    authorize {
        filter_username
        preprocess
        auth_log
        chap
        mschap
        suffix
        eap {
            ok = return
        }
        files
        -sql
        #-ldap
        expiration
        logintime
        if (!State) {
            if (&User-Password) {
                # If !State and User-Password (PAP), then force LDAP:
                update control {
                    Ldap-UserDN := "%{User-Name}"
                    Auth-Type := LDAP
                }
            }
            else {
                reject
            }
        }
        else {
            # If State, then proxy request:
            group_authorization
        }
        pap
    }
The authenticate section now looks like this:
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        mschap
        digest
        # Attempt authentication with a direct LDAP bind:
        Auth-Type LDAP {
            ldap
            if (ok) {
                update reply {
                    # Create a random State attribute:
                    State := "%{randstr:aaaaaaaaaaaaaaaa}"
                    Reply-Message := "Please enter OTP"
                }
                # Return Access-Challenge:
                challenge
            }
        }
        pam
        eap
    }
User verification now follows this algorithm:
- The user enters domain credentials in the VPN client.
- FreeRADIUS checks the validity of the account and password.
- If the password is correct, a request for the token is sent.
- The token is verified.
- Profit).
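As an added example, not code from the article, the Python below models the updated FreeRADIUS flow end to end: a first Access-Request with the domain password is answered with an Access-Challenge carrying a random State, and the second Access-Request with that State goes through the group check and an OTP check. The OTP check is a real RFC 6238 TOTP (HMAC-SHA1, 30-second step), which is what google-authenticator with -t generates, and the acceptance window follows -w 3. The domain, the vpn_admins membership and the per-user seeds are constructed in-memory stand-ins (one seed is the RFC 6238 test secret), and packet handling is a plain function rather than a RADIUS listener. One caveat on the pam.d/radiusd stack shown earlier: `auth sufficient pam_google_authenticator.so` followed by `auth include password-auth` means a failed OTP falls through to the ordinary password modules, so on the real host the domain password is also accepted at the OTP step; the model below accepts the OTP only, which is the behaviour the text is after.

```python
"""Model of the FreeRADIUS challenge-response OTP flow (added example, not the
article's code). LDAP, group membership and the per-user OTP seeds are
constructed in-memory stand-ins; the TOTP arithmetic itself is the real thing."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# Constructed stand-ins for the AD domain, the vpn_admins group and each user's
# ~/.google_authenticator seed (base32). alice's seed is the RFC 6238 test
# secret "12345678901234567890", so her codes can be checked against the RFC.
DOMAIN_USERS = {"alice": "CorrectHorse!", "bob": "BatteryStaple!"}
VPN_ADMINS = {"alice"}
TOTP_SEEDS = {"alice": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", "bob": "JBSWY3DPEHPK3PXP"}


def hotp(seed_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(seed_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed_b32: str, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP for a Unix timestamp: HOTP over the 30-second time step."""
    return hotp(seed_b32, now // step)


def verify_totp(seed_b32: str, code: str, now: int, window: int = 3, step: int = 30) -> bool:
    """Accept the code for the current step and (window-1)//2 steps either side,
    which is how google-authenticator's -w 3 tolerates clock skew."""
    counter = now // step
    half = (window - 1) // 2
    return any(hmac.compare_digest(hotp(seed_b32, counter + k), code)
               for k in range(-half, half + 1))


class RadiusOtpServer:
    """The authorize/authenticate logic from the updated sites-enabled/default,
    with RADIUS packets represented as plain dicts (attribute name -> value)."""

    def __init__(self) -> None:
        self.pending = {}  # State issued in an Access-Challenge -> user it belongs to

    def handle(self, request: dict, now: Optional[int] = None) -> dict:
        now = int(time.time()) if now is None else now
        user = request.get("User-Name")
        password = request.get("User-Password")
        state = request.get("State")

        if state is None:
            # First leg: no State and a PAP password -> Auth-Type LDAP, i.e. bind
            # with the domain password. Success returns an Access-Challenge.
            if password is None or DOMAIN_USERS.get(user) != password:
                return {"code": "Access-Reject"}
            new_state = secrets.token_hex(8)  # stands in for %{randstr:aaaaaaaaaaaaaaaa}
            self.pending[new_state] = user
            return {"code": "Access-Challenge", "State": new_state,
                    "Reply-Message": "Please enter OTP"}

        # Second leg: State present -> group_authorization, then Auth-Type PAM.
        # pop() makes each State single-use, so a repeated reply with the same
        # State is rejected.
        if self.pending.pop(state, None) != user:
            return {"code": "Access-Reject"}
        if user not in VPN_ADMINS:
            return {"code": "Access-Reject", "Reply-Message": "Not authorized for vpn"}
        seed = TOTP_SEEDS.get(user)  # no ~/.google_authenticator -> the PAM step fails
        if seed is None or password is None or not verify_totp(seed, password, now):
            return {"code": "Access-Reject"}
        return {"code": "Access-Accept", "Fortinet-Group-Name": "vpn_admins",
                "Reply-Message": "Welcome Admin"}


if __name__ == "__main__":
    srv = RadiusOtpServer()
    leg1 = srv.handle({"User-Name": "alice", "User-Password": "CorrectHorse!"})
    print(leg1)
    code = totp(TOTP_SEEDS["alice"], int(time.time()))  # what the phone app would show
    print(srv.handle({"User-Name": "alice", "User-Password": code, "State": leg1["State"]}))
```

The State is consumed on first use, so a second Access-Request that reuses it is rejected even with a valid code; on the real server the State only ties the two legs together, and replay of the code itself is what google-authenticator's -d (disallow reuse) option is for.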
Source: www.habr.com