What do you do when you want two-factor authentication, but there is no money for hardware tokens and the general advice is to hang in there and keep your spirits up?
This solution is not particularly original; it is a mix of different solutions found on the internet.
So, given:
An Active Directory domain.
Domain users who work over VPN, as most do these days.
A Fortigate acting as the VPN gateway.
Saving the password in the VPN client is forbidden by the security policy.
Fortinet's policy on its own tokens can only be described as stingy: 10 tokens are free, the rest come at a not-so-kosher price. I did not consider RSA SecurID, Duo and the like, because I want open source.
Prerequisites: a *nix host with freeradius installed and sssd joined to the domain, so that domain users can authenticate on it without trouble.
Additional packages: shellinabox, figlet, freeradius-ldap, and the rebel.tlf font from the repository.
In my example this is CentOS 7.8.
The logic is as follows: when connecting to the VPN, the user enters the domain login and, instead of the password, a one-time code (OTP).
Service setup
In /etc/raddb/radiusd.conf only the user and group that freeradius runs as are changed, because the radiusd service must be able to read files in every subdirectory of /home/.
    user = root
    group = root
To be able to use groups in the Fortigate settings, a Vendor Specific Attribute has to be passed. To do this, in the raddb/policy.d directory I create a file with the following content:
    group_authorization {
        if (&LDAP-Group[*] == "CN=vpn_admins,OU=vpn-groups,DC=domain,DC=local") {
            update reply {
                &Fortinet-Group-Name = "vpn_admins"
            }
            update control {
                &Auth-Type := PAM
                &Reply-Message := "Welcome Admin"
            }
        }
        else {
            update reply {
                &Reply-Message := "Not authorized for vpn"
            }
            reject
        }
    }
After installing freeradius-ldap, a file named ldap is created in the raddb/mods-available directory.
A symbolic link to it needs to be created in the raddb/mods-enabled directory:
    ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap
I bring its contents to the following form:
    ldap {
        server = 'domain.local'
        identity = 'CN=freerad_user,OU=users,DC=domain,DC=local'
        password = "SupeSecretP@ssword"
        base_dn = 'dc=domain,dc=local'
        sasl {
        }
        user {
            base_dn = "${..base_dn}"
            filter = "(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
            sasl {
            }
            scope = 'sub'
        }
        group {
            base_dn = "${..base_dn}"
            filter = '(objectClass=Group)'
            scope = 'sub'
            name_attribute = cn
            membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
            membership_attribute = 'memberOf'
        }
    }
In the files raddb/sites-enabled/default and raddb/sites-enabled/inner-tunnel, in the authorize section, I add the name of the policy to be used: group_authorization. Important: the policy name is determined not by the name of the file in the policy.d directory, but by the directive inside the file before the curly braces.
In the authenticate section of the same files, the pam line must be uncommented.
In the clients.conf file I specify the parameters with which Fortigate will connect:
    client fortigate {
        ipaddr = 192.168.1.200
        secret = testing123
        require_message_authenticator = no
        nas_type = other
    }
Configuration of the pam.d/radiusd module:
    #%PAM-1.0
    auth sufficient pam_google_authenticator.so
    auth include password-auth
    account required pam_nologin.so
    account include password-auth
    password include password-auth
    session include password-auth
The default freeradius + Google Authenticator bundle asks the user to enter credentials in the format username / password+OTP.
Imagining the amount of swearing that would come down on my head if I used the default freeradius + Google Authenticator bundle, I decided to configure the pam module so that only the Google Authenticator token is checked.
When a user connects, the following happens:
- Freeradius checks whether the user is in the domain and in a particular group and, if so, checks the OTP token.
Everything looked fine until the moment I thought: "How am I going to enrol OTP for 300+ users?"
The user has to log in to the freeradius server under their own account and run the Google Authenticator utility, which generates a QR code for the app. This is where shellinabox, together with .bash_profile, comes to the rescue.
    [root@freeradius ~]# yum install -y shellinabox
The daemon's configuration file is /etc/sysconfig/shellinabox.
There I set port 443; you can also specify your own certificate.
    [root@freeradius ~]# systemctl enable --now shellinaboxd
The user only has to follow the link, enter domain credentials and get a QR code for the app.
The algorithm is as follows:
- The user logs in to the machine through the browser.
- Check whether the user is a domain user. If not, do nothing.
- If the user is a domain user, check membership in the Administrators group.
- If not an administrator, check whether Google Authenticator is configured. If not, generate a QR code and log the user out.
- If not an administrator and Google Authenticator is already configured, just log out.
- If an administrator, also check Google Authenticator. If not configured, generate a QR code.
All of this logic is implemented in /etc/skel/.bash_profile.
    cat /etc/skel/.bash_profile
    # .bash_profile
    # Get the aliases and functions
    if [ -f ~/.bashrc ]; then
        . ~/.bashrc
    fi
    # User specific environment and startup programs
    # Make several commands available from user shell.
    # Anyone who is not an admin, or who is not a local account, gets a PATH
    # restricted to ~/bin, which holds symlinks to the few tools the enrolment
    # flow needs (id, grep, figlet, sleep, google-authenticator).
    if [[ -z $(id "$USER" | grep "admins") || -z $(grep "^$USER:" /etc/passwd) ]]
    then
        [[ ! -d "$HOME/bin" ]] && mkdir "$HOME/bin"
        [[ ! -f "$HOME/bin/id" ]] && ln -s /usr/bin/id "$HOME/bin/id"
        [[ ! -f "$HOME/bin/google-auth" ]] && ln -s /usr/bin/google-authenticator "$HOME/bin/google-auth"
        [[ ! -f "$HOME/bin/grep" ]] && ln -s /usr/bin/grep "$HOME/bin/grep"
        [[ ! -f "$HOME/bin/figlet" ]] && ln -s /usr/bin/figlet "$HOME/bin/figlet"
        [[ ! -f "$HOME/bin/rebel.tlf" ]] && ln -s /usr/share/figlet/rebel.tlf "$HOME/bin/rebel.tlf"
        [[ ! -f "$HOME/bin/sleep" ]] && ln -s /usr/bin/sleep "$HOME/bin/sleep"
        # Set PATH env to <home user directory>/bin
        PATH=$HOME/bin
        export PATH
    else
        PATH=$PATH:$HOME/.local/bin:$HOME/bin
        export PATH
    fi
    if [[ -n $(id "$USER" | grep "domain users") ]]
    then
        if [[ ! -e "$HOME/.google_authenticator" ]]
        then
            if [[ -n $(id "$USER" | grep "admins") ]]
            then
                figlet -t -f "$HOME/bin/rebel.tlf" "Welcome to Company GAuth setup portal"
                sleep 1.5
                echo "Please run any of these apps on the device where you would like to set up OTP:
    Google Authenticator:
    AppStore - https://apps.apple.com/us/app/google-authenticator/id388497605
    Play Market - https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
    FreeOTP:
    AppStore - https://apps.apple.com/us/app/freeotp-authenticator/id872559395
    Play Market - https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=en
    And prepare to scan the QR code.
    "
                sleep 5
                # -f overwrite, -t TOTP, -w 3 code window, -r 3 -R 30 rate limit, -d disallow reuse, -e 1 emergency code
                google-auth -f -t -w 3 -r 3 -R 30 -d -e 1
                echo "Congratulations, now you can use an OTP token from the application as the password when connecting to VPN."
            else
                figlet -t -f "$HOME/bin/rebel.tlf" "Welcome to Company GAuth setup portal"
                sleep 1.5
                echo "Please run any of these apps on the device where you would like to set up OTP:
    Google Authenticator:
    AppStore - https://apps.apple.com/us/app/google-authenticator/id388497605
    Play Market - https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
    FreeOTP:
    AppStore - https://apps.apple.com/us/app/freeotp-authenticator/id872559395
    Play Market - https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=en
    And prepare to scan the QR code.
    "
                sleep 5
                google-auth -f -t -w 3 -r 3 -R 30 -d -e 1
                echo "Congratulations, now you can use an OTP token from the application as the password when connecting to VPN."
                # Regular users only get the enrolment screen, never a shell.
                logout
            fi
        else
            echo "You have already set up Google Authenticator"
            if [[ -z $(id "$USER" | grep "admins") ]]
            then
                logout
            fi
        fi
    else
        echo "You don't need to set up Google Authenticator"
    fi
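To check the branching before rolling the profile out to /etc/skel, here is the same enrolment decision as a pure POSIX shell function; this is an added example, not code from the original post. The group names "domain users" and "vpn_admins" and the function name are assumptions, and unlike the profile it compares whole group names instead of grepping for the substring "admins".

```shell
#!/usr/bin/env sh
# Added example, not from the original post: the enrolment decision made by
# /etc/skel/.bash_profile as a pure, testable function. Group names are
# assumptions: "domain users" marks a domain account, "vpn_admins" an admin
# (the post greps `id` output for the substring "admins", which also matches
# any other group containing that word).

# enroll_decision ID_OUTPUT HAS_TOKEN
#   ID_OUTPUT  output of `id "$USER"`, e.g.
#              uid=1001(jdoe) gid=1001(jdoe) groups=1001(jdoe),20513(domain users)
#   HAS_TOKEN  "yes" if ~/.google_authenticator already exists, else "no"
# Prints the action the profile takes:
#   skip          local account, nothing to enrol
#   enroll-stay   show QR code, keep the shell (admin)
#   enroll-logout show QR code, then logout (regular user)
#   done-stay     token exists, keep the shell (admin)
#   done-logout   token exists, logout (regular user)
enroll_decision() {
  id_output=$1
  has_token=$2
  is_domain=no
  is_admin=no
  # Keep only the groups=... field (an SELinux context may follow it), then
  # walk the comma-separated entries comparing whole group names.
  group_list=${id_output#*groups=}
  group_list=${group_list%% context=*}
  old_ifs=$IFS
  IFS=,
  for entry in $group_list; do
    name=${entry#*\(}
    name=${name%\)}
    case $name in
      'domain users') is_domain=yes ;;
      'vpn_admins') is_admin=yes ;;
    esac
  done
  IFS=$old_ifs
  if [ "$is_domain" = no ]; then
    echo skip
  elif [ "$has_token" = no ]; then
    if [ "$is_admin" = yes ]; then echo enroll-stay; else echo enroll-logout; fi
  else
    if [ "$is_admin" = yes ]; then echo done-stay; else echo done-logout; fi
  fi
}

# Constructed sample: a regular domain user who has not enrolled yet.
enroll_decision 'uid=1001(jdoe) gid=1001(jdoe) groups=1001(jdoe),20513(domain users)' no
```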
Fortigate setup:
- Create the radius server.
- Create the required groups and, if needed, group-based access control. The group name on Fortigate must match the group passed in the Vendor Specific Attribute Fortinet-Group-Name.
- Edit the required SSL portals.
- Add the groups to the policies.
Advantages of this solution:
- OTP authentication on Fortigate with an open-source solution.
- The user does not enter the domain password when connecting via VPN, which simplifies the connection somewhat. A 6-digit code is easier to type than a password that meets the security policy. As a result, the number of tickets titled "I can't connect to the VPN" goes down.
PS We plan to improve this solution into a full two-factor with challenge-response.
Update:
As promised, I finished it up to the challenge-response option.
So:
In the /etc/raddb/sites-enabled/default file the authorize section looks like this:
    authorize {
        filter_username
        preprocess
        auth_log
        chap
        mschap
        suffix
        eap {
            ok = return
        }
        files
        -sql
        #-ldap
        expiration
        logintime
        if (!State) {
            if (&User-Password) {
                # If !State and User-Password (PAP), then force LDAP:
                update control {
                    Ldap-UserDN := "%{User-Name}"
                    Auth-Type := LDAP
                }
            }
            else {
                reject
            }
        }
        else {
            # If State, then proxy request:
            group_authorization
        }
        pap
    }
The authenticate section now looks like this:
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        mschap
        digest
        # Attempt authentication with a direct LDAP bind:
        Auth-Type LDAP {
            ldap
            if (ok) {
                update reply {
                    # Create a random State attribute:
                    State := "%{randstr:aaaaaaaaaaaaaaaa}"
                    Reply-Message := "Please enter OTP"
                }
                # Return Access-Challenge:
                challenge
            }
        }
        pam
        eap
    }
User verification now follows this algorithm:
- The user enters domain credentials in the VPN client.
- Freeradius checks the validity of the account and password.
- If the password is correct, a request for a token is sent.
- The token is verified.
- Profit :)
Source: will.com