Freeradius + Google Authenticator + LDAP + Fortigate

What do you do when you want two-factor authentication but dread the effort, there is no money for hardware tokens, and the general advice is to hang in there and keep your spirits up?

This solution is nothing particularly original; it is a mix of different solutions found on the Internet.

So, given:

An Active Directory domain.

Domain users who work over VPN, as many do these days.

Fortigate as the VPN gateway.

Saving the password in the VPN client is prohibited by security policy.

Fortinet's policy on its own tokens can only be called stingy: there are 10 free tokens, and the rest come at a very non-kosher price. RSA SecurID, Duo and the like I did not consider, because I want open source.

Prerequisites: a *nix host with freeradius installed and sssd joined to the domain, so that domain users can authenticate on it without trouble.

Additional packages: shellinabox, figlet, freeradius-ldap, and the rebel.tlf font from the repository https://github.com/xero/figlet-fonts.

In my example, CentOS 7.8.

The intended logic is as follows: when connecting to the VPN, the user enters their domain login and an OTP instead of the password.

Service setup

In /etc/raddb/radiusd.conf only the user and group under which freeradius runs are changed, because the radiusd service must be able to read files in every subdirectory of /home/ (that is where each user's .google_authenticator file lives).

user = root
group = root

To be able to use groups in the Fortigate settings, the Vendor Specific Attribute has to be passed. To do this I create a file in the raddb/policy.d directory with the following content:

group_authorization {
    if (&LDAP-Group[*] == "CN=vpn_admins,OU=vpn-groups,DC=domain,DC=local") {
        update reply {
            &Fortinet-Group-Name = "vpn_admins"
        }
        update control {
            &Auth-Type := PAM
            &Reply-Message := "Welcome Admin"
        }
    }
    else {
        update reply {
            &Reply-Message := "Not authorized for vpn"
        }
        reject
    }
}

After installing freeradius-ldap, an ldap file is created in the raddb/mods-available directory.

A symbolic link to it needs to be created in the raddb/mods-enabled directory.

ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap

I bring its contents to this form:

ldap {
        server = 'domain.local'
        identity = 'CN=freerad_user,OU=users,DC=domain,DC=local'
        password = "SupeSecretP@ssword"
        base_dn = 'dc=domain,dc=local'
        sasl {
        }
        user {
                base_dn = "${..base_dn}"
                filter = "(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
                sasl {
                }
                scope = 'sub'
        }
        group {
                base_dn = "${..base_dn}"
                filter = '(objectClass=Group)'
                scope = 'sub'
                name_attribute = cn
                membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
                membership_attribute = 'memberOf'
        }
}

In the files raddb/sites-enabled/default and raddb/sites-enabled/inner-tunnel, in the authorize section, I add the name of the policy to use: group_authorization. An important point: the policy name is determined not by the file name in the policy.d directory but by the identifier inside the file, before the curly braces.
In the authenticate section of the same file you need to uncomment the pam line.

In the clients.conf file I specify the parameters with which Fortigate will connect:

client fortigate {
    ipaddr = 192.168.1.200
    secret = testing123
    require_message_authenticator = no
    nas_type = other
}

The entire configuration in pam.d/radiusd:

#%PAM-1.0
auth       sufficient   pam_google_authenticator.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    include      password-auth

The default way of implementing the freeradius + Google Authenticator bundle requires the user to enter credentials in the form username / password+OTP.

Picturing the number of curses that would rain down on my head if I used the default freeradius + Google Authenticator bundle, I decided to configure the pam module so that only the Google Authenticator token is checked.

When a user connects, the following happens:

  • Freeradius checks whether the user is in the domain and in the required group and, if so, checks the OTP token.

Everything looked fine right up until the moment I thought: "How am I going to enroll OTP for 300+ users?"

The user has to log in to the server running freeradius under their own account and run the google-authenticator application, which generates a QR code for the user's app. This is where shellinabox comes to the rescue, together with a bit of magic in .bash_profile.

[root@freeradius ~]# yum install -y shellinabox

The daemon configuration lives in /etc/sysconfig/shellinabox.
Specify port 443 there, and you can point it at your own certificate.

[root@freeradius ~]# systemctl enable --now shellinaboxd

The user only needs to follow the link, enter their domain credentials and get a QR code into the application.

The algorithm is as follows:

  • The user logs in to the machine through the browser.
  • It is checked whether the user is a domain user. If not, nothing happens.
  • If the user is a domain user, membership in the admins group is checked.
  • If not an admin, it is checked whether Google Authenticator is already configured. If not, a QR code is generated and the user is logged out.
  • If not an admin and Google Authenticator is already configured, the user is simply logged out.
  • If an admin, Google Authenticator is checked the same way. If it is not configured, a QR code is generated.

All the logic is implemented in /etc/skel/.bash_profile.

cat /etc/skel/.bash_profile

# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi

# User specific environment and startup programs
# Make several commands available from user shell

# Non-admin users and users without a local /etc/passwd entry (domain users
# resolved through sssd) get a restricted PATH containing only the tools the
# enrollment dialogue needs. Note that `grep "admins"` is a substring match:
# any group whose name contains "admins" counts as admin here.
if ! id "$USER" | grep -q "admins" || ! grep -q "^${USER}:" /etc/passwd
  then
    [[ ! -d "$HOME/bin" ]] && mkdir "$HOME/bin"
    [[ ! -f "$HOME/bin/id" ]] && ln -s /usr/bin/id "$HOME/bin/id"
    [[ ! -f "$HOME/bin/google-auth" ]] && ln -s /usr/bin/google-authenticator "$HOME/bin/google-auth"
    [[ ! -f "$HOME/bin/grep" ]] && ln -s /usr/bin/grep "$HOME/bin/grep"
    [[ ! -f "$HOME/bin/figlet" ]] && ln -s /usr/bin/figlet "$HOME/bin/figlet"
    [[ ! -f "$HOME/bin/rebel.tlf" ]] && ln -s /usr/share/figlet/rebel.tlf "$HOME/bin/rebel.tlf"
    [[ ! -f "$HOME/bin/sleep" ]] && ln -s /usr/bin/sleep "$HOME/bin/sleep"
  # Set PATH env to <home user directory>/bin
    PATH="$HOME/bin"
    export PATH
  else
    PATH="$PATH:$HOME/.local/bin:$HOME/bin"
    export PATH
fi

# Enrollment dialogue, shared by the admin and non-admin branches below
gauth_enroll() {
    figlet -t -f "$HOME/bin/rebel.tlf" "Welcome to Company GAuth setup portal"
    sleep 1.5
    echo "Please, run any of these software on your device, where you would like to setup OTP:
Google Authenticator:
AppStore - https://apps.apple.com/us/app/google-authenticator/id388497605
Play Market - https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
FreeOTP:
AppStore - https://apps.apple.com/us/app/freeotp-authenticator/id872559395
Play Market - https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=en

And prepare to scan QR code.

"
    sleep 5
    # -f overwrite without asking, -t time-based codes, -w 3 window of three codes,
    # -r 3 -R 30 at most three attempts per 30 s, -d disallow reuse of a code,
    # -e 1 a single emergency scratch code
    google-auth -f -t -w 3 -r 3 -R 30 -d -e 1
    echo "Congratulations, now you can use an OTP token from application as a password connecting to VPN."
}

if id "$USER" | grep -q "domain users"
  then
    if [[ ! -e "$HOME/.google_authenticator" ]]
      then
        gauth_enroll
        # Admins keep their shell after enrollment; everyone else is logged out
        if ! id "$USER" | grep -q "admins"
          then
            logout
        fi
      else
        echo "You have already setup a Google Authenticator"
        if ! id "$USER" | grep -q "admins"
          then
            logout
        fi
    fi
  else
    echo "You don't need to set up a Google Authenticator"
fi
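To make concrete what the google-authenticator flags used above (-t -w 3 -r 3 -R 30 -d) select, and what pam_google_authenticator therefore checks against ~/.google_authenticator when freeradius hands it only the OTP, here is a Python model of that check: time-based codes, a window of three codes, each code accepted once, and three attempts per 30 seconds. This is example code written for this page, not part of the original post or of the PAM module; the secret is the RFC 4226 test key, the file contents are constructed to resemble the tool's output (the exact layout is an assumption), and the names hotp, totp, TotpVerifier and DEMO_* are my own.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 reference key ("12345678901234567890") in base32, used here
# as a constructed demo secret; the real per-user secret is what
# `google-authenticator` writes to ~/.google_authenticator.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Constructed ~/.google_authenticator contents modelled on the tool's output for
# `-t -w 3 -r 3 -R 30 -d -e 1` (layout assumed): secret first, options as `" KEY`
# lines, then the emergency scratch code.
DEMO_GA_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
12345678
"""


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32.upper())
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, binary % (10 ** digits))


def totp(secret_b32, at_time, step=30):
    """RFC 6238 TOTP: HOTP with the counter derived from the 30-second time step."""
    return hotp(secret_b32, int(at_time) // step)


class TotpVerifier:
    """Server-side check with the behaviour the flags on the page select."""

    def __init__(self, secret_b32, window=3, rate_limit=3, rate_period=30,
                 disallow_reuse=True, step=30):
        self.secret = secret_b32
        self.window = window                  # -w 3: current code and one on each side
        self.rate_limit = rate_limit          # -r 3 -R 30: three attempts per 30 s
        self.rate_period = rate_period
        self.disallow_reuse = disallow_reuse  # -d: a given code is accepted only once
        self.step = step
        self.used_counters = set()            # time steps whose code was already accepted
        self.attempts = []                    # timestamps of recent attempts

    @classmethod
    def from_ga_file(cls, text):
        """Build a verifier from ~/.google_authenticator-style text (format assumed)."""
        lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
        opts = {"disallow_reuse": False, "rate_limit": None}
        used = set()
        for line in lines[1:]:
            if not line.startswith('" '):
                continue  # emergency scratch codes are not handled in this model
            parts = line[2:].split()
            if parts[0] == "WINDOW_SIZE":
                opts["window"] = int(parts[1])
            elif parts[0] == "RATE_LIMIT":
                opts["rate_limit"], opts["rate_period"] = int(parts[1]), int(parts[2])
            elif parts[0] == "DISALLOW_REUSE":
                opts["disallow_reuse"] = True
                used = {int(c) for c in parts[1:]}  # counters already consumed
        verifier = cls(lines[0], **opts)
        verifier.used_counters = used
        return verifier

    def verify(self, code, now):
        """Return "ok", "invalid", "replayed" or "rate-limited" for one attempt."""
        # Rate limit: count attempts inside the period, refuse when the budget is spent.
        self.attempts = [t for t in self.attempts if now - t < self.rate_period]
        if self.rate_limit is not None and len(self.attempts) >= self.rate_limit:
            return "rate-limited"
        self.attempts.append(now)
        # Window: try the current time step and `window // 2` steps on either side.
        center = int(now) // self.step
        half = self.window // 2
        for counter in range(center - half, center + half + 1):
            if counter < 0:
                continue
            if hmac.compare_digest(hotp(self.secret, counter).encode(), code.encode()):
                if self.disallow_reuse and counter in self.used_counters:
                    return "replayed"
                self.used_counters.add(counter)
                return "ok"
        return "invalid"


if __name__ == "__main__":
    v = TotpVerifier.from_ga_file(DEMO_GA_FILE)
    code = totp(DEMO_SECRET_B32, 59)
    print(code, v.verify(code, 59), v.verify(code, 59))  # 287082 ok replayed
```

The replay result is the practical reason for -d in the enrollment command: with an OTP standing in for the password, the only thing stopping a captured code from being reused inside its 30-second step is the server remembering which steps it has already accepted.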

Fortigate setup:

  • Create a RADIUS server.
  • Create the necessary groups, if access is to be controlled by group. The group name in Fortigate must match the group passed in the Vendor Specific Attribute Fortinet-Group-Name.
  • Edit the SSL portals.
  • Add the groups to the policies.

Advantages of this solution:

  • OTP authentication on Fortigate can be set up with an open-source solution.
  • The user does not enter the domain password when connecting over VPN, which somewhat simplifies the connection process. A 6-digit code is easier to type than a password that satisfies the security policy. As a result, the number of tickets with the subject "I can't connect to the VPN" drops.

PS We are thinking of upgrading this solution to full two-factor authentication with challenge-response.

Update:

As promised, I brought it up to the challenge-response option.
So:
In the file /etc/raddb/sites-enabled/default the authorize section now looks like this:

authorize {
    filter_username
    preprocess
    auth_log
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    files
    -sql
    #-ldap
    expiration
    logintime
    if (!State) {
        if (&User-Password) {
            # If !State and User-Password (PAP), then force LDAP:
            update control {
                Ldap-UserDN := "%{User-Name}"
                Auth-Type := LDAP
            }
        }
        else {
            reject
        }
    }
    else {
        # If State is present, this is the OTP round: check the group and hand off to PAM:
        group_authorization
    }
    pap
}

The authenticate section now looks like this:

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        mschap
        digest
        # Attempt authentication with a direct LDAP bind:
        Auth-Type LDAP {
                ldap
                if (ok) {
                        update reply {
                                # Create a random State attribute:
                                State := "%{randstr:aaaaaaaaaaaaaaaa}"
                                Reply-Message := "Please enter OTP"
                        }
                        # Return Access-Challenge:
                        challenge
                }
        }
        pam
        eap
}

Now user verification proceeds according to the following algorithm:

  • The user enters their domain credentials in the VPN client.
  • Freeradius checks that the account and password are valid.
  • If the password is correct, a request for the token is sent.
  • The token is verified.
  • Profit)
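The challenge-response flow just described, together with the group_authorization policy from earlier in the post, as a Python model written for this page (not part of the original post or of FreeRADIUS): round one validates User-Password against a constructed directory that stands in for the LDAP bind and returns Access-Challenge with a random State and the "Please enter OTP" message; round two requires that State, checks membership in the vpn_admins group and then the OTP, and answers Access-Accept carrying Fortinet-Group-Name. One thing the model adds that the configuration on the page does not: the authorize section branches only on whether a State attribute is present, and nothing on the page records the State that was issued, so here each State is stored when issued, bound to the user, single-use, and expires after CHALLENGE_TTL seconds (an assumed value). The verify_otp callable stands in for the PAM check; DIRECTORY, CHALLENGE_TTL and RadiusTwoFactor are my names.

```python
import hmac
import secrets
import time

# Constructed stand-in for the LDAP directory: password and group DNs per user.
DIRECTORY = {
    "alice": {"password": "alice-pass",
              "groups": ["CN=vpn_admins,OU=vpn-groups,DC=domain,DC=local"]},
    "bob": {"password": "bob-pass",
            "groups": ["CN=staff,OU=groups,DC=domain,DC=local"]},
}
VPN_GROUP_DN = "CN=vpn_admins,OU=vpn-groups,DC=domain,DC=local"  # as in group_authorization
CHALLENGE_TTL = 60  # seconds a State stays valid (assumed value, not from the page)


class RadiusTwoFactor:
    """Two-round PAP flow: password -> Access-Challenge(State) -> OTP -> Access-Accept."""

    def __init__(self, verify_otp, now=time.time):
        self.verify_otp = verify_otp  # callable(user, code) -> bool; stands in for PAM
        self.now = now                # injectable clock so expiry can be tested
        self.pending = {}             # State -> (user, expiry)

    def ldap_bind(self, user, password):
        """Stands in for the direct LDAP bind the authenticate section performs."""
        entry = DIRECTORY.get(user)
        return entry is not None and hmac.compare_digest(
            entry["password"].encode(), password.encode())

    def handle(self, request):
        """Process one Access-Request (dict of RADIUS attributes) and return the reply."""
        user = request.get("User-Name", "")
        state = request.get("State")
        password = request.get("User-Password")

        if state is None:
            # Round 1 (authorize: !State and User-Password): force the LDAP bind.
            if password is None or not self.ldap_bind(user, password):
                return {"code": "Access-Reject"}
            # On success the page sets a random State and returns Access-Challenge.
            new_state = secrets.token_hex(8)  # plays the role of %{randstr:aaaaaaaaaaaaaaaa}
            self.pending[new_state] = (user, self.now() + CHALLENGE_TTL)
            return {"code": "Access-Challenge", "State": new_state,
                    "Reply-Message": "Please enter OTP"}

        # Round 2: the State must be one we issued, for this user, unexpired, unused.
        issued = self.pending.pop(state, None)
        if issued is None or issued[0] != user or self.now() > issued[1]:
            return {"code": "Access-Reject", "Reply-Message": "Unknown or expired State"}
        # group_authorization: only vpn_admins may continue, and they get the VSA.
        if VPN_GROUP_DN not in DIRECTORY[user]["groups"]:
            return {"code": "Access-Reject", "Reply-Message": "Not authorized for vpn"}
        # Auth-Type PAM: in the second round the OTP arrives in User-Password.
        if password is None or not self.verify_otp(user, password):
            return {"code": "Access-Reject"}
        return {"code": "Access-Accept", "Fortinet-Group-Name": "vpn_admins",
                "Reply-Message": "Welcome Admin"}


if __name__ == "__main__":
    server = RadiusTwoFactor(verify_otp=lambda user, code: code == "123456")
    first = server.handle({"User-Name": "alice", "User-Password": "alice-pass"})
    print(first["code"], first["Reply-Message"])
    second = server.handle({"User-Name": "alice", "User-Password": "123456",
                            "State": first["State"]})
    print(second["code"], second.get("Fortinet-Group-Name"))
```

In a real deployment the pending-State table is what rlm_cache or a similar module would hold for freeradius; without it, a request that simply arrives with a State attribute goes straight to the OTP round, which is the same single-factor behaviour the pre-update configuration had.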

Source: www.habr.com
