Moving to 2FA (two-factor authentication for the ASA SSL VPN)

The need to provide remote access to a corporate environment comes up more and more often, whether it is your own users or your partners who need to reach some server inside your organization.

For this, most companies use VPN technology, which has proven itself as a reliably protected way of reaching an organization's local resources.

My company is no exception, and we, like many others, use this technology. And, like many others, we use a Cisco ASA 55xx as the remote access gateway.

As the number of remote users grows, the procedure for issuing credentials has to be simplified. But at the same time this has to be done without lowering security.

For ourselves, we found a solution in two-factor authentication for connections over Cisco SSL VPN, using one-time passwords. This post explains how to set up such a solution with minimal time and zero cost for the necessary software (provided you already have a Cisco ASA in your infrastructure).

The market is full of boxed solutions for generating one-time passwords, offering many ways to receive them, whether by delivering the password over SMS or by using tokens, both hardware and software (for example, on a mobile phone). But the urge to save, and to save money for my employer in the current crisis, pushed me to look for a free way to implement a one-time password service. One which, while free, is hardly inferior to commercial solutions (a reservation is due here: this product also has a commercial version, but we agreed that our costs, in money, would be zero).

So, we will need:

- A Linux image with a set of tools: multiOTP, FreeRADIUS and nginx, for accessing the server via the web (http://download.multiotp.net/ - I used the ready-made image for VMware)
- An Active Directory server
- The Cisco ASA itself (for convenience, I'll use ASDM)
- A software token that supports the TOTP mechanism (I, for example, use Google Authenticator, but FreeOTP works just as well)

I won't go into the details of deploying the image. In the end you get Debian Linux with multiOTP and FreeRADIUS installed and configured to work together, plus a web interface for managing OTP.

Step 1. Start the system and configure it for your network
By default the system ships with the credentials root / root. I think everyone has realised that it is good practice to change the root password after the first login. You also need to change the network settings (by default the address is 192.168.1.44 with gateway 192.168.1.1). After that you can reboot the system.

Create a user named otp in Active Directory, with the password MySuperPassword.

Step 2. Set up the connection and import Active Directory users
To do this, go to the console and configure the Active Directory connection settings directly through multiotp.php.

Go to the directory /usr/local/bin/multiotp/ and run the following commands:

./multiotp.php -config default-request-prefix-pin=0

Determines whether an additional (permanent) PIN is required when entering the one-time PIN (0 or 1)

./multiotp.php -config default-request-ldap-pwd=0

Determines whether the domain password is required when entering the one-time PIN (0 or 1)

./multiotp.php -config ldap-server-type=1

Specifies the LDAP server type (0 = regular LDAP server; in our case 1 = Active Directory)

./multiotp.php -config ldap-cn-identifier="sAMAccountName"

Defines the format in which the username is presented (with this value only the name is shown, without the domain)

./multiotp.php -config ldap-group-cn-identifier="sAMAccountName"

The same, but for groups

./multiotp.php -config ldap-group-attribute="memberOf"

Defines the method for determining whether a user belongs to a group

./multiotp.php -config ldap-ssl=1

Use a secure connection to the LDAP server (yes, of course!)

./multiotp.php -config ldap-port=636

Port for connecting to the LDAP server

./multiotp.php -config ldap-domain-controllers=adSRV.domain.local

The address of your Active Directory server

./multiotp.php -config ldap-base-dn="CN=Users,DC=domain,DC=local"

Specify where to start searching for users in the domain

./multiotp.php -config ldap-bind-dn="otp@domain.local"

Specify a user that has search rights in Active Directory (the otp user created in step 1)

./multiotp.php -config ldap-server-password="MySuperPassword"

Specify that user's password for connecting to Active Directory

./multiotp.php -config ldap-network-timeout=10

Set the timeout for connecting to Active Directory

./multiotp.php -config ldap-time-limit=30

Set the time limit for the user import operation

./multiotp.php -config ldap-activated=1

Activate the Active Directory connection configuration

./multiotp.php -debug -display-log -ldap-users-sync

Import the users from Active Directory

Step 3. Generate a QR code for the token
Everything here is extremely simple. Open the OTP server's web interface in a browser, log in (don't forget to change the default administrator password!), and click the "Print" button:

The result is a page containing two QR codes. We can safely ignore the first of them (despite the attractive caption Google Authenticator / Authenticator / 2 Steps Authenticator), and just as safely scan the second code into the software token on the phone:

(Yes, I deliberately mangled the QR code so it cannot be read.)

After completing these steps, six-digit passwords will start being generated in your app every thirty seconds.

To be sure, you can check it in the same interface:

by entering your username and the one-time password from the app on your phone. Got a positive response? Then we move on.
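What the phone app does with that second QR code, and what the OTP server does when you type the code back in, can be made concrete. The following Python is an added example, not code from the original article or from multiOTP: it parses an otpauth:// Key URI of the kind a TOTP app scans (the URI below is constructed for the example; its label and issuer are assumptions, and the secret is the RFC 6238 test key so the codes can be checked against the RFC vectors), generates the six-digit, thirty-second codes per RFC 4226/6238, and verifies a submitted code with a one-step tolerance for clock drift, which is the check the server side has to perform.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample URI (assumption: the label/issuer are illustrative, not what
# multiOTP prints). The secret is the RFC 6238 test key "12345678901234567890"
# in base32, so the generated codes can be checked against the RFC vectors.
SAMPLE_URI = ("otpauth://totp/multiOTP:otp"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=multiOTP&digits=6&period=30")


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from Unix time divided by the step (30 s here)."""
    return hotp(key, int(at_time) // step, digits)


def verify_totp(key: bytes, candidate: str, at_time: float,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step or up to `window`
    steps either side, to tolerate clock drift between phone and server."""
    counter = int(at_time) // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + drift, digits), candidate):
            return True
    return False


def parse_otpauth(uri: str) -> dict:
    """Decode an otpauth://totp/ Key URI (the content of the QR code a TOTP app scans)."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = parse_qs(parts.query)
    secret = query["secret"][0].upper()
    secret += "=" * (-len(secret) % 8)  # apps usually strip base32 padding; restore it
    return {
        "label": unquote(parts.path.lstrip("/")),
        "key": base64.b32decode(secret),
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
    }


def current_code(uri: str = SAMPLE_URI) -> str:
    """The code the phone app would be showing right now for the scanned secret."""
    params = parse_otpauth(uri)
    return totp(params["key"], time.time(), params["period"], params["digits"])


if __name__ == "__main__":
    params = parse_otpauth(SAMPLE_URI)
    print(f"{params['label']}: current code {current_code()}")
    # RFC 6238 Appendix B vector: at Unix time 59 the 6-digit SHA-1 code is 287082
    print("RFC check:", totp(params["key"], 59))
```

Run it to print the current code for the constructed secret. The window parameter is the trade-off a verifier has to make: zero rejects codes from a phone whose clock is half a minute off, while larger values widen the interval during which a code that was observed in transit stays usable, so keep it small and keep the server's clock synchronised.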

Step 4. Additional FreeRADIUS configuration and functional testing
As I mentioned above, multiOTP is already configured to work with FreeRADIUS; all that remains is to run the tests and add the details of our VPN gateway to the FreeRADIUS configuration file.

Go back to the server console, to the directory /usr/local/bin/multiotp/, and enter:

./multiotp.php -config debug=1
./multiotp.php -config display-log=1

These enable detailed logging.

In the FreeRADIUS client configuration file (/etc/freeradius/clients.conf) comment out all lines related to localhost and add two entries:

client localhost {
        ipaddr = 127.0.0.1
        secret          = testing321
        require_message_authenticator = no
}

- for testing

client 192.168.1.254/32 {
        shortname =     CiscoASA
        secret =        ConnectToRADIUSSecret
}

- for our VPN gateway.

Restart FreeRADIUS and try to log in:

radtest username 100110 localhost 1812 testing321

where username = the user name, 100110 = the password the app on the phone gave us, localhost = the RADIUS server address, 1812 = the RADIUS server port, testing321 = the RADIUS client secret for this server (the one we set in the config).

The result of this command will look something like this:

Sending Access-Request of id 44 to 127.0.0.1 port 1812
        User-Name = "username"
        User-Password = "100110"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 1812
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=44, length=20

Now we need to make sure the user was authenticated successfully. To do this, look at multiotp's own log:

tail /var/log/multiotp/multiotp.log

If the last entries there are:

2016-09-01 08:58:17     notice  username  User    OK: User username successfully logged in from 127.0.0.1
2016-09-01 08:58:17     debug           Debug   Debug: 0 OK: Token accepted from 127.0.0.1

Then everything is fine and we can finish.
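To see what radtest actually puts on the wire in the test above, here is an added Python example (not from the article, multiOTP or FreeRADIUS) that builds a RADIUS Access-Request the way RFC 2865 describes it: the User-Password is hidden with the MD5/XOR scheme keyed by the shared secret and the Request Authenticator, and optionally a Message-Authenticator (RFC 3579, HMAC-MD5 over the packet) is appended and verified. The NAS values and the secret testing321 mirror the radtest run; the RFC 2865 worked example (secret xyzzy5461, user nemo, password arctangent) is used for the self-check in the test, and the generalisation to the Message-Authenticator goes beyond what radtest shows.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, MESSAGE_AUTHENTICATOR = 1, 2, 4, 5, 80


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad the password to a 16-byte multiple and XOR each block with
    MD5(secret + previous block), the first block being keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def pap_decrypt(ciphertext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt: what the RADIUS server does before checking the password."""
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(ciphertext[i:i + 16], mask))
        prev = ciphertext[i:i + 16]
    return out.rstrip(b"\x00")


def attr(kind: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, total length, value."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(ident: int, secret: bytes, username: str, password: str,
                         nas_ip: str, nas_port: int, authenticator: bytes = None,
                         with_message_authenticator: bool = False) -> bytes:
    """Assemble the Access-Request that a client such as radtest sends."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator: 16 random bytes
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, pap_encrypt(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(NAS_PORT, struct.pack("!I", nas_port)))
    if with_message_authenticator:
        attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # placeholder, filled in below
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    if with_message_authenticator:
        # RFC 3579: HMAC-MD5 keyed with the shared secret over the whole packet,
        # computed while the Message-Authenticator value is all zeros
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt


def parse_attrs(pkt: bytes):
    """Yield (type, offset, value) for each attribute after the 20-byte header."""
    i = 20
    while i < len(pkt):
        kind, length = pkt[i], pkt[i + 1]
        yield kind, i, pkt[i + 2:i + length]
        i += length


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """The check a server performs when require_message_authenticator = yes."""
    for kind, off, value in parse_attrs(pkt):
        if kind == MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False  # attribute absent: nothing binds the request to the shared secret


if __name__ == "__main__":
    # Same values as the radtest run: user "username", OTP 100110, secret testing321.
    pkt = build_access_request(44, b"testing321", "username", "100110",
                               "127.0.1.1", 1812, with_message_authenticator=True)
    print(pkt.hex())
    print("Message-Authenticator valid:", verify_message_authenticator(pkt, b"testing321"))
```

The localhost client above is defined with require_message_authenticator = no, and the radtest output shows the attribute as sixteen zero bytes because the value is computed last; verify_message_authenticator is what the server skips when that setting is off. Note that the PAP scheme only hides the password from a passive reader of the UDP packet and is not authenticated encryption, which is why the strength of the shared secret and the Message-Authenticator check matter for the VPN gateway entry as well.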

Step 5: Configure the Cisco ASA
Let's assume we already have a group configured with policies for SSL VPN access, set up to work with Active Directory, and we need to add two-factor authentication to this profile.

1. Add a new AAA server group:

2. Add our multiOTP server to the group:

3. Edit the connection profile, setting the Active Directory server group as the primary authentication server:

4. On the Advanced -> Authentication tab, specify the Active Directory server group again:

5. On the Advanced -> Secondary authentication tab, select the server group in which the multiOTP server is registered. Note that the session username is inherited from the primary AAA server group:

Apply the settings and

Step 6, a.k.a. the last one
Let's check whether two-factor authentication for the SSL VPN works:

Voilà! When connecting with the Cisco AnyConnect VPN Client you are now also asked for a second, one-time password.

I hope this article helps someone, and gives someone the idea of using this OTP server for other tasks as well. Share in the comments if you wish.

Source: will.com
