Switching to 2FA (Two-factor authentication for ASA SSL VPN)

The need to provide remote access to a corporate environment comes up regularly, whether it is your own users or partners who need to reach a particular server in your organization.

For this purpose most companies use VPN technology, which has proven itself as a reliable, protected way of giving access to an organization's local resources.

My company was no exception, and we, like many others, use this technology. And, like many others, we use a Cisco ASA 55xx as the remote-access gateway.

As the number of remote users grows, the procedure for issuing credentials needs to be simplified. But at the same time this must be done without compromising security.

For ourselves, we found a solution in two-factor authentication for connecting through the Cisco SSL VPN, using one-time passwords. And this article tells you how to set up such a solution with minimal time and zero cost for the required software (provided you already have a Cisco ASA in your infrastructure).

The market is full of boxed solutions for generating one-time passwords, offering many ways of obtaining them: sending the password by SMS or using tokens, both hardware and software (for example, on a mobile phone). But the desire to save money, and the desire to save money for my employer given the current crisis, pushed me to find a free way of implementing a one-time password generation service. One that, while free, is not far behind commercial products (here a reservation must be made: this product also has a commercial version, but we agreed that our costs, in money, would be zero).

So, we need:

- A Linux image with the tools already built in - multiOTP, FreeRADIUS and nginx, for accessing the server via the web (http://download.multiotp.net/ - I used the ready-made image for VMware)
- An Active Directory server
- The Cisco ASA itself (for convenience, I use ASDM)
- Any software token that supports the TOTP mechanism (I, for example, use Google Authenticator, but FreeOTP will do just as well)

I will not describe in detail how the image is deployed. As a result, you get Debian Linux with multiOTP and FreeRADIUS already installed and configured to work together, plus a web interface for OTP administration.

Step 1. Start the system and configure it for your network
By default the system comes with root credentials. I think everyone has guessed that it would be good to change the root password after the first login. You also need to change the network settings (by default the address is '192.168.1.44' with gateway '192.168.1.1'). After that you can reboot the system.

Let's create a user otp in Active Directory, with the password MySuperPassword.

Step 2. Set up the connection and import Active Directory users
To do this, we need to get to the console, and directly to the multiotp.php script, which we will use to configure the connection parameters for Active Directory.

Go to the directory /usr/local/bin/multiotp/ and run the following commands:

./multiotp.php -config default-request-prefix-pin=0

Specifies whether an additional (permanent) PIN is required when entering the one-time PIN (0 or 1)

./multiotp.php -config default-request-ldap-pwd=0

Specifies whether the domain password is required when entering the one-time PIN (0 or 1)

./multiotp.php -config ldap-server-type=1

Specifies the LDAP server type (0 = regular LDAP server; in our case 1 = Active Directory)

./multiotp.php -config ldap-cn-identifier="sAMAccountName"

Specifies the attribute used as the login name (this value shows only the name, without the domain)

./multiotp.php -config ldap-group-cn-identifier="sAMAccountName"

The same, but for a group

./multiotp.php -config ldap-group-attribute="memberOf"

Specifies the attribute used to determine whether a user belongs to a group

./multiotp.php -config ldap-ssl=1

Whether to use a secure connection to the LDAP server (of course - yes!)

./multiotp.php -config ldap-port=636

Port for connecting to the LDAP server

./multiotp.php -config ldap-domain-controllers=adSRV.domain.local

The address of your Active Directory server

./multiotp.php -config ldap-base-dn="CN=Users,DC=domain,DC=local"

Specifies where to start searching for users in the domain

./multiotp.php -config ldap-bind-dn="[email protected]"

Specifies the user who has rights to search in Active Directory

./multiotp.php -config ldap-server-password="MySuperPassword"

Specifies the password for connecting to Active Directory

./multiotp.php -config ldap-network-timeout=10

Sets the timeout for connecting to Active Directory

./multiotp.php -config ldap-time-limit=30

Sets the time limit for the LDAP request

./multiotp.php -config ldap-activated=1

Activates the Active Directory connection

./multiotp.php -debug -display-log -ldap-users-sync

Imports users from Active Directory

Step 3. Generate a QR code for the token
Everything here is very simple. Open the OTP server's web interface in a browser, log in (don't forget to change the admin password!), and click the "Print" button:

The result is a page with two QR codes. We boldly ignore the first one (despite its attractive caption Google Authenticator / Authenticator / 2 Steps Authenticator), and just as boldly scan the second code into the software token on the phone:

(Yes, I deliberately corrupted the QR code so that it cannot be read.)

Once you have done this, six-digit passwords will start being generated in your application every thirty seconds.

To check, you can look in the same web interface:

Enter your login and the one-time password from the application on your phone. Got a positive response? Then let's move on.

Step 4. Additional configuration and testing of FreeRADIUS
As I mentioned above, multiOTP is already configured to work with FreeRADIUS; all that remains is to run tests and add the details of our VPN gateway to the FreeRADIUS configuration file.

We return to the server console, to the directory /usr/local/bin/multiotp/, and enter:

./multiotp.php -config debug=1
./multiotp.php -config display-log=1

This enables detailed logging.

In the FreeRADIUS clients configuration file (/etc/freeradius/clients.conf), comment out all lines relating to localhost and add two entries:

client localhost {
        ipaddr = 127.0.0.1
        secret          = testing321
        require_message_authenticator = no
}

- for testing

client 192.168.1.254/32 {
        shortname =     CiscoASA
        secret =        ConnectToRADIUSSecret
}

- for our VPN gateway.

Restart FreeRADIUS and try to log in:

radtest username 100110 localhost 1812 testing321

where username = the login, 100110 = the password issued by the application on the phone, localhost = the RADIUS server address, 1812 = the RADIUS server port, testing321 = the RADIUS client secret (the one we specified in the config).

The output of this command will look roughly like this:

Sending Access-Request of id 44 to 127.0.0.1 port 1812
        User-Name = "username"
        User-Password = "100110"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 1812
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=44, length=20
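What radtest does in the exchange above is send a RADIUS Access-Request (RFC 2865) carrying a PAP User-Password and a Message-Authenticator (RFC 2869), then check the Response Authenticator on the reply before printing rad_recv. The Python below is an added illustration, not FreeRADIUS or radclient code: it builds such a request from the values on this page, hides the one-time password with the shared secret and Request Authenticator exactly as the RFC specifies, and validates a reply. No packets are sent; everything is constructed in memory.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used here (RFC 2865 / RFC 2869)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, MESSAGE_AUTHENTICATOR = 1, 2, 4, 5, 80


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the server performs it before handing the OTP to multiOTP."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; the length byte covers the 2-byte header too."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username: str, password: str, secret: bytes,
                         ident: int, request_auth: bytes = b"") -> bytes:
    """Access-Request with User-Name, hidden User-Password, NAS attributes and a
    Message-Authenticator = HMAC-MD5(secret, packet with that field zeroed)."""
    request_auth = request_auth or os.urandom(16)  # must be unpredictable per request
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attribute(NAS_IP_ADDRESS, bytes([127, 0, 1, 1]))
             + attribute(NAS_PORT, struct.pack("!I", 1812))
             + attribute(MESSAGE_AUTHENTICATOR, b"\x00" * 16))  # placeholder, filled below
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # Message-Authenticator is the last attribute


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server-side check of the HMAC; this is what require_message_authenticator = yes
    makes FreeRADIUS insist on for a client."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            return False
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += attr_len
    return False


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_response(packet: bytes, secret: bytes, request_auth: bytes) -> int:
    """Client side: refuse any reply whose Response Authenticator does not verify,
    then return the code (2 = Access-Accept, 3 = Access-Reject)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad length")
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    return code


if __name__ == "__main__":
    secret = b"testing321"                      # the localhost client secret from clients.conf
    ra = os.urandom(16)
    req = build_access_request("username", "100110", secret, 44, ra)
    print("Access-Request id", req[1], "length", len(req), "MA ok:", verify_message_authenticator(req, secret))
    reply = build_response(ACCESS_ACCEPT, 44, ra, secret)   # the 20-byte Access-Accept seen above
    print("reply code:", parse_response(reply, secret, ra))
```

Two things worth seeing in the code: the User-Password hiding is an MD5 stream keyed only by the shared secret, so the secret for the ASA entry (ConnectToRADIUSSecret above) deserves the same care as a password, and the Message-Authenticator is the only integrity protection an Access-Request has, which is why disabling require_message_authenticator should stay confined to the localhost test client.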

Now we need to make sure the user was actually authenticated. To do this, we look at the multiotp log itself:

tail /var/log/multiotp/multiotp.log

And if the last entries are:

2016-09-01 08:58:17     notice  username  User    OK: User username successfully logged in from 127.0.0.1
2016-09-01 08:58:17     debug           Debug   Debug: 0 OK: Token accepted from 127.0.0.1

then everything went fine and we can finish here.

Step 5: Configure the Cisco ASA
Let's assume that we already have a group with access policies via SSL VPN, configured in conjunction with Active Directory, and that we need to add two-factor authentication to this profile.

1. Add a new AAA server group:

2. Add our multiOTP server to the group:

3. Edit the connection profile, setting the Active Directory server group as the primary authentication server:

4. In the Advanced -> Authentication tab, again select the Active Directory server group:

5. In the Advanced -> Secondary authentication tab, select the newly created server group in which the multiOTP server is registered. Note that the session username is taken from the primary AAA server group:

Apply the settings and

Step 6, the last one
Let's check whether two-factor authentication works on the SSL VPN:

Voila! When connecting via the Cisco AnyConnect VPN Client, you will additionally be prompted for a one-time password.

I hope this article helps someone and gives someone ideas on how to use this free OTP server for other tasks. Share in the comments if you like.

Source: www.habr.com
