Freeradius + Google Authenticator + LDAP + Fortigate

What do you do when two-factor authentication is both wanted and painful, there is no money for hardware tokens, and all you are offered is advice to hang in there and keep your spirits up?

This solution is nothing particularly original, just a combination of various solutions found on the Internet.

So, given:

An Active Directory domain.

Domain users who work over VPN, as many do these days.

A Fortigate acting as the VPN gateway.

Saving the password in the VPN client is forbidden by the security policy.

Fortinet's policy on its own tokens can only be called stingy: there are 10 free tokens, the rest come at a very non-kosher price. I did not consider RSA SecurID, Duo and the like, because I want open source.

Prerequisites: a *nix host with freeradius installed and sssd joined to the domain, so that domain users can authenticate on it.

Additional packages: shellinabox, figlet, freeradius-ldap, and the rebel.tlf font from the repository https://github.com/xero/figlet-fonts.

In my example: CentOS 7.8.

The intended logic is as follows: when connecting to the VPN, the user enters the domain login and an OTP instead of the password.

Configuring the services

In /etc/raddb/radiusd.conf, change the user and group under which freeradius runs, since the radiusd service must be able to read files in all subdirectories of /home/.

user = root
group = root

To be able to use groups in the Fortigate configuration, a Vendor Specific Attribute must be passed. To do this, in the raddb/policy.d directory I create a file with the following content:

group_authorization {
    if (&LDAP-Group[*] == "CN=vpn_admins,OU=vpn-groups,DC=domain,DC=local") {
        update reply {
            &Fortinet-Group-Name = "vpn_admins"
        }
        update control {
            &Auth-Type := PAM
            &Reply-Message := "Welcome Admin"
        }
    }
    else {
        update reply {
            &Reply-Message := "Not authorized for vpn"
        }
        reject
    }
}

After installing freeradius-ldap, the file ldap appears in the raddb/mods-available directory.

You need to create a symbolic link to it in the raddb/mods-enabled directory.

ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap

I bring its contents to this form:

ldap {
        server = 'domain.local'
        identity = 'CN=freerad_user,OU=users,DC=domain,DC=local'
        password = "SupeSecretP@ssword"
        base_dn = 'dc=domain,dc=local'
        sasl {
        }
        user {
                base_dn = "${..base_dn}"
                filter = "(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
                sasl {
                }
                scope = 'sub'
        }
        group {
                base_dn = "${..base_dn}"
                filter = '(objectClass=Group)'
                scope = 'sub'
                name_attribute = cn
                membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
                membership_attribute = 'memberOf'
        }
}

In the files raddb/sites-enabled/default and raddb/sites-enabled/inner-tunnel, in the authorize section, I add the name of the policy to be used: group_authorization. An important point: the policy name is determined not by the file name in the policy.d directory, but by the identifier inside the file before the curly braces.
In the authenticate section of the same files you need to uncomment the pam line.

In the clients.conf file, specify the parameters of the Fortigate that will connect:

client fortigate {
    ipaddr = 192.168.1.200
    secret = testing123
    require_message_authenticator = no
    nas_type = other
}

Configuration of pam.d/radiusd:

#%PAM-1.0
auth       sufficient   pam_google_authenticator.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    include      password-auth

The default configuration of the freeradius + google authenticator bundle asks the user to enter credentials in the format: login / password+OTP.

Considering the number of curses that would rain down on my head with the default freeradius + Google Authenticator bundle, I decided to configure the pam module so that only the Google Authenticator token is checked.

When a user connects, the following happens:

  • Freeradius checks whether the user is in the domain and in a specific group and, if so, checks the OTP token.
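What the PAM side checks once the request reaches it is a time-based one-time password. The following Python is an added example written for this page, not code from the article or from the google-authenticator project. It parses a constructed secret file whose layout (base32 secret, option lines, scratch codes) is my reading of what the `google-auth -f -t -w 3 -r 3 -R 30 -d -e 1` call in the enrollment script below produces (an assumption), computes RFC 6238 codes, and applies the window, rate-limit and reuse rules those flags stand for. The secret is the RFC 6238 test key, so the codes can be checked against the RFC's own vectors; the function and constant names are mine.

```python
# Added example (not from the article or google-authenticator): what a PAM-style
# TOTP check does with WINDOW_SIZE, RATE_LIMIT and DISALLOW_REUSE.
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30  # seconds per TOTP counter value (RFC 6238 default)

# Constructed sample file. The layout (base32 secret on the first line, option
# lines prefixed with '" ', then emergency scratch codes) is my reading of what
# `google-authenticator -t -w 3 -r 3 -R 30 -d -e 1` writes; treat it as an
# assumption. The secret is the RFC 6238 test key "12345678901234567890".
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
12345678
"""


def parse_secret_file(text):
    """Return (secret, options, scratch_codes) from the file text."""
    lines = [line for line in text.splitlines() if line.strip()]
    secret = lines[0].strip()
    options, scratch = {}, []
    for line in lines[1:]:
        if line.startswith('" '):
            parts = line[2:].split()
            options[parts[0]] = parts[1:]  # e.g. RATE_LIMIT -> ['3', '30']
        else:
            scratch.append(line.strip())
    return secret, options, scratch


def totp(secret_b32, counter, digits=6):
    """RFC 6238 code for one counter value: HMAC-SHA1 plus dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, value % (10 ** digits))


def rate_limited(options, attempts, now):
    """RATE_LIMIT n m: refuse once more than n attempts fall within m seconds."""
    if "RATE_LIMIT" not in options:
        return False
    limit, period = (int(x) for x in options["RATE_LIMIT"][:2])
    attempts[:] = [t for t in attempts if now - t < period]
    attempts.append(now)
    return len(attempts) > limit


def verify(code, secret, options, used_steps, attempts, now=None):
    """Return the matched time step, or None if the code is rejected.

    used_steps (set) and attempts (list) are the per-user state the PAM module
    keeps in the secret file; here they live in memory.
    """
    if now is None:
        now = time.time()
    if rate_limited(options, attempts, now):
        return None  # too many guesses in the period, even a correct code fails
    current = int(now) // TIME_STEP
    window = int(options.get("WINDOW_SIZE", ["3"])[0])
    # WINDOW_SIZE 3 accepts the previous, current and next 30-second code.
    for delta in range(-((window - 1) // 2), window // 2 + 1):
        step = current + delta
        if hmac.compare_digest(totp(secret, step).encode(), str(code).encode()):
            if "DISALLOW_REUSE" in options and step in used_steps:
                return None  # same time step presented twice: replay rejected
            used_steps.add(step)
            return step
    return None
```

The rate limit is applied before any code is compared, so a six-digit space cannot be guessed through during the three-step window, and a matched step is recorded so that a code seen once (shoulder-surfed, logged, or replayed) is worthless afterwards. Those two checks are what the -r/-R and -d flags of the enrollment command switch on.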

Everything looked great until the moment I thought: "How do I enroll OTP for 300+ users?"

The user must log in to the server running freeradius and, from their own account, run the google-authenticator program, which generates a QR code for the user's app. This is where shellinabox combined with .bash_profile comes to the rescue.

[root@freeradius ~]# yum install -y shellinabox

The daemon's configuration file is located at /etc/sysconfig/shellinabox.
I set port 443 there, and you can also specify your own certificate.

[root@freeradius ~]# systemctl enable --now shellinaboxd

The user only needs to follow the link, enter their domain credentials and receive a QR code for the application.

The algorithm is as follows:

  • The user logs in to the machine through a browser.
  • It is checked whether the user is a domain user. If not, nothing happens.
  • If the user is a domain user, membership in the Administrators group is checked.
  • If not an admin, it checks whether Google Authenticator is already configured. If not, a QR code is generated and the user is logged out.
  • If not an admin and Google Authenticator is configured, then simply log out.
  • If an admin, Google Authenticator is checked again. If it is not configured, a QR code is generated.

All the logic is implemented in /etc/skel/.bash_profile.

cat /etc/skel/.bash_profile

# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi

# User specific environment and startup programs
# Make several commands available from user shell

# Anyone who is not a local account in the "admins" group gets a PATH that
# contains only the handful of commands the enrollment flow needs.
if [[ -z $(id "$USER" | grep "admins") || -z $(grep "$USER" /etc/passwd) ]]
  then
    [[ ! -d $HOME/bin ]] && mkdir "$HOME/bin"
    [[ ! -f $HOME/bin/id ]] && ln -s /usr/bin/id "$HOME/bin/id"
    [[ ! -f $HOME/bin/google-auth ]] && ln -s /usr/bin/google-authenticator "$HOME/bin/google-auth"
    [[ ! -f $HOME/bin/grep ]] && ln -s /usr/bin/grep "$HOME/bin/grep"
    [[ ! -f $HOME/bin/figlet ]] && ln -s /usr/bin/figlet "$HOME/bin/figlet"
    [[ ! -f $HOME/bin/rebel.tlf ]] && ln -s /usr/share/figlet/rebel.tlf "$HOME/bin/rebel.tlf"
    [[ ! -f $HOME/bin/sleep ]] && ln -s /usr/bin/sleep "$HOME/bin/sleep"
    # Set PATH env to <home user directory>/bin
    PATH=$HOME/bin
    export PATH
  else
    PATH=$PATH:$HOME/.local/bin:$HOME/bin
    export PATH
fi


# Domain users without a ~/.google_authenticator file are walked through
# enrollment; admins keep their shell afterwards, everyone else is logged out.
if [[ -n $(id "$USER" | grep "domain users") ]]
  then
    if [[ ! -e $HOME/.google_authenticator ]]
      then
        if [[ -n $(id "$USER" | grep "admins") ]]
          then
            figlet -t -f "$HOME/bin/rebel.tlf" "Welcome to Company GAuth setup portal"
            sleep 1.5
            echo "Please run one of these apps on the device where you would like to set up OTP:
Google Authenticator:
AppStore - https://apps.apple.com/us/app/google-authenticator/id388497605
Play Market - https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
FreeOTP:
AppStore - https://apps.apple.com/us/app/freeotp-authenticator/id872559395
Play Market - https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=en

And prepare to scan the QR code.

"
            sleep 5
            # -f force, -t time-based, -w 3 accept 3 adjacent codes, -r 3 -R 30 at most
            # 3 attempts per 30 s, -d disallow code reuse, -e 1 one emergency scratch code
            google-auth -f -t -w 3 -r 3 -R 30 -d -e 1
            echo "Congratulations, now you can use an OTP token from the application as a password when connecting to VPN."
          else
            figlet -t -f "$HOME/bin/rebel.tlf" "Welcome to Company GAuth setup portal"
            sleep 1.5
            echo "Please run one of these apps on the device where you would like to set up OTP:
Google Authenticator:
AppStore - https://apps.apple.com/us/app/google-authenticator/id388497605
Play Market - https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
FreeOTP:
AppStore - https://apps.apple.com/us/app/freeotp-authenticator/id872559395
Play Market - https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=en

And prepare to scan the QR code.

"
            sleep 5
            google-auth -f -t -w 3 -r 3 -R 30 -d -e 1
            echo "Congratulations, now you can use an OTP token from the application as a password to VPN."
            logout
        fi
      else
        echo "You have already set up Google Authenticator"
        if [[ -z $(id "$USER" | grep "admins") ]]
          then
          logout
        fi
    fi
  else
    echo "You don't need to set up Google Authenticator"
fi

Configuring the Fortigate:

  • Create the RADIUS server.

  • Create the required groups, if access control by groups is needed. The Fortigate group name must match the group passed in the Vendor Specific Attribute Fortinet-Group-Name.

  • Edit the required SSL portals.

  • Add the groups to the policy.

Advantages of this solution:

  • OTP authentication on the Fortigate with an open source solution.
  • The user does not enter the domain password when connecting over the VPN, which makes connecting somewhat easier. A 6-digit code is easier to type than the password the security policy requires. As a result, the number of tickets with the subject "I can't connect to the VPN" goes down.

PS We plan to upgrade this solution to full two-factor authentication with challenge-response.

upd:

As promised, I switched to the challenge-response option.
So:
In the file /etc/raddb/sites-enabled/default the authorize section looks like this:

authorize {
    filter_username
    preprocess
    auth_log
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    files
    -sql
    #-ldap
    expiration
    logintime
    if (!State) {
        if (&User-Password) {
            # If !State and User-Password (PAP), then force LDAP:
            update control {
                Ldap-UserDN := "%{User-Name}"
                Auth-Type := LDAP
            }
        }
        else {
            reject
        }
    }
    else {
        # If State, then proxy request:
        group_authorization
    }
    pap
}

The authenticate section now looks like this:

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        mschap
        digest
        # Attempt authentication with a direct LDAP bind:
        Auth-Type LDAP {
                ldap
                if (ok) {
                        update reply {
                                # Create a random State attribute:
                                State := "%{randstr:aaaaaaaaaaaaaaaa}"
                                Reply-Message := "Please enter OTP"
                        }
                        # Return Access-Challenge:
                        challenge
                }
        }
        pam
        eap
}

Now user authentication happens according to this algorithm:

  • The user enters the domain credentials in the VPN client.
  • Freeradius checks that the account and password are valid.
  • If the password is correct, a request for the token is sent.
  • The token is verified.
  • Profit.)
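To make the two-round exchange concrete, here is an added Python model of the request flow described above, written for this page and not taken from the article or from FreeRADIUS. The directory, the vpn_admins membership and the OTP checker are constructed stand-ins, and DIRECTORY, VALID_OTP, ldap_bind, ldap_groups, pam_otp and RadiusServer are names of this example only. Round 1 carries the domain password and, after a successful bind, is answered with Access-Challenge and a 16-letter State in the spirit of %{randstr:aaaaaaaaaaaaaaaa}; round 2 carries that State and the OTP, runs the group_authorization policy and the PAM check, and returns Access-Accept with Fortinet-Group-Name. The model additionally treats State as a single-use handle it issued itself; that is an assumption of the example, not something the unlang above enforces by itself.

```python
# Added example (not from the article or FreeRADIUS): in-memory model of the
# two-round Access-Request flow of the challenge-response configuration.
import secrets
import string

VPN_GROUP = "CN=vpn_admins,OU=vpn-groups,DC=domain,DC=local"

# Constructed stand-in for the domain: what the ldap bind and the LDAP-Group
# lookup would see. Passwords are illustrative only.
DIRECTORY = {
    "alice": {"password": "CorrectHorse!", "groups": {VPN_GROUP}},
    "bob": {"password": "BatteryStaple!", "groups": set()},
}
# Constructed stand-in for pam_google_authenticator: one accepted code per user.
VALID_OTP = {"alice": "123456", "bob": "654321"}


def ldap_bind(user, password):
    """Simulated direct LDAP bind: the domain password must match."""
    entry = DIRECTORY.get(user)
    return entry is not None and secrets.compare_digest(
        entry["password"].encode(), password.encode())


def ldap_groups(user):
    """Simulated LDAP-Group[*] lookup."""
    return DIRECTORY.get(user, {}).get("groups", set())


def pam_otp(user, code):
    """Simulated PAM check of the one-time code."""
    return VALID_OTP.get(user) == code


class RadiusServer:
    """Mirrors the authorize/authenticate sections: round 1 (no State) does the
    LDAP bind and answers Access-Challenge; round 2 (State present) runs
    group_authorization and the PAM OTP check."""

    def __init__(self, bind=ldap_bind, groups=ldap_groups, otp=pam_otp):
        self.bind, self.groups, self.otp = bind, groups, otp
        self.pending = {}  # State value -> user awaiting an OTP

    @staticmethod
    def new_state():
        # Counterpart of %{randstr:aaaaaaaaaaaaaaaa}: 16 random lowercase letters
        return "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))

    def handle(self, request):
        user = request.get("User-Name")
        state = request.get("State")
        password = request.get("User-Password")
        if state is None:
            # authorize: !State -> a PAP password is required, Auth-Type := LDAP;
            # no password at all hits the `reject` branch.
            if password is None or not self.bind(user, password):
                return {"code": "Access-Reject"}
            # authenticate: bind ok -> random State, "Please enter OTP", challenge
            state = self.new_state()
            self.pending[state] = user
            return {"code": "Access-Challenge", "State": state,
                    "Reply-Message": "Please enter OTP"}
        # Round 2: the State must be one we issued to this user; it is single use.
        if self.pending.pop(state, None) != user:
            return {"code": "Access-Reject"}
        # group_authorization policy: only vpn_admins members continue
        if VPN_GROUP not in self.groups(user):
            return {"code": "Access-Reject", "Reply-Message": "Not authorized for vpn"}
        # Auth-Type PAM: the password field of the second request carries the OTP
        if not self.otp(user, password or ""):
            return {"code": "Access-Reject"}
        return {"code": "Access-Accept", "Fortinet-Group-Name": "vpn_admins",
                "Reply-Message": "Welcome Admin"}


if __name__ == "__main__":
    srv = RadiusServer()
    first = srv.handle({"User-Name": "alice", "User-Password": "CorrectHorse!"})
    print(first)
    second = srv.handle({"User-Name": "alice", "User-Password": "123456",
                         "State": first.get("State")})
    print(second)
```

The order of checks reflects the configuration: a wrong domain password never reaches the OTP step, a user outside vpn_admins is rejected by the policy in round 2 before the OTP is examined, and a replayed or unknown State is refused, so an Access-Accept requires password, group and code together.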

Source: www.habr.com
