Freeradius + Google Authenticator + LDAP + Fortigate

What if two-factor authentication is both needed and a pain, there is no money for hardware tokens, and in general the advice is to hang in there and keep your spirits up?

This solution is nothing super original, but a mix of different solutions found on the Internet.

So, given:

An Active Directory domain.

Users working over VPN, as most do these days.

A Fortigate acting as the VPN gateway.

Saving the password in the VPN client is prohibited by the security policy.

Fortinet's policy on its own tokens can only be called stingy: there are as many as 10 free tokens, the rest come at a very non-kosher price. I did not consider RSA SecurID, Duo and the like, because I want open source.

Prerequisites: a *nix host with freeradius installed and sssd joined to the domain, so that domain users can authenticate on it without trouble.

Additional packages: shellinabox, figlet, freeradius-ldap, the rebel.tlf font from the repository https://github.com/xero/figlet-fonts.

In my example, CentOS 7.8.

The logic should work as follows: when connecting to the VPN, the user must enter the domain login and an OTP instead of a password.

Service configuration

In /etc/raddb/radiusd.conf only the user and group under which freeradius runs change, since the radiusd service must be able to read files in all subdirectories of /home/.

user = root
group = root

To be able to use groups in the Fortigate settings, a Vendor Specific Attribute must be passed. To do this, in the raddb/policy.d directory I create a file with the following content:

group_authorization {
    if (&LDAP-Group[*] == "CN=vpn_admins,OU=vpn-groups,DC=domain,DC=local") {
        update reply {
            &Fortinet-Group-Name = "vpn_admins"
        }
        update control {
            &Auth-Type := PAM
            &Reply-Message := "Welcome Admin"
        }
    }
    else {
        update reply {
            &Reply-Message := "Not authorized for vpn"
        }
        reject
    }
}

After installing freeradius-ldap, the ldap file is created in the raddb/mods-available directory.

A symbolic link to it must be created in the raddb/mods-enabled directory.

ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap

I bring its contents to the following form:

ldap {
        server = 'domain.local'
        identity = 'CN=freerad_user,OU=users,DC=domain,DC=local'
        password = "SupeSecretP@ssword"
        base_dn = 'dc=domain,dc=local'
        sasl {
        }
        user {
                base_dn = "${..base_dn}"
                filter = "(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
                sasl {
                }
                scope = 'sub'
        }
        group {
                base_dn = "${..base_dn}"
                filter = '(objectClass=Group)'
                scope = 'sub'
                name_attribute = cn
                membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
                membership_attribute = 'memberOf'
        }
}

In the files raddb/sites-enabled/default and raddb/sites-enabled/inner-tunnel, in the authorize section, I add the name of the policy to be used: group_authorization. An important point: the policy name is determined not by the file name in the policy.d directory, but by the directive inside the file before the curly braces.
In the authenticate section of the same files you need to uncomment the pam line.

In the clients.conf file, set the parameters for connecting the Fortigate:

client fortigate {
    ipaddr = 192.168.1.200
    secret = testing123
    require_message_authenticator = no
    nas_type = other
}

Configuration of the pam.d/radiusd module:

#%PAM-1.0
auth       sufficient   pam_google_authenticator.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    include      password-auth

The standard way of combining freeradius with google authenticator requires the user to enter credentials in the format username/password+OTP.

Considering how many curses would rain down on my head if the standard freeradius + Google Authenticator combination were used, it was decided to configure the pam module so that only the Google Authenticator token is checked.

When a user connects, the following happens:

  • Freeradius checks whether the user is in the domain and in the required group and, if so, checks the OTP token.

Everything looked fine until the moment I wondered: "How do I enrol OTP for 300+ users?"

The user has to log in to the server running freeradius and, under their own account, run the Google Authenticator utility, which generates a QR code for the user's app. This is where shellinabox together with .bash_profile comes to the rescue.

[root@freeradius ~]# yum install -y shellinabox

The daemon configuration file is at /etc/sysconfig/shellinabox.
I set port 443 there, and you can specify your own certificate.

[root@freeradius ~]# systemctl enable --now shellinaboxd

The user only needs to open the link, log in with domain credentials and receive a QR code for the app.

The algorithm is as follows:

  • The user logs in to the machine through the browser.
  • Check whether the user is a domain user. If not, do nothing.
  • If the user is a domain user, check membership in the admins group.
  • If not an admin, check whether Google Authenticator is already set up. If not, generate the QR code and log the user out.
  • If not an admin and Google Authenticator is already set up, just log out.
  • If an admin, again check Google Authenticator. If it is not set up, generate the QR code.

All of this is implemented in /etc/skel/.bash_profile.

cat /etc/skel/.bash_profile

# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi

# User specific environment and startup programs
# Make several commands available from user shell

if [[ -z $(id $USER | grep "admins") || -z $(cat /etc/passwd | grep $USER) ]]
  then
    [[ ! -d $HOME/bin ]] && mkdir $HOME/bin
    [[ ! -f $HOME/bin/id ]] && ln -s /usr/bin/id $HOME/bin/id
    [[ ! -f $HOME/bin/google-auth ]] && ln -s /usr/bin/google-authenticator $HOME/bin/google-auth
    [[ ! -f $HOME/bin/grep ]] && ln -s /usr/bin/grep $HOME/bin/grep
    [[ ! -f $HOME/bin/figlet ]] && ln -s /usr/bin/figlet $HOME/bin/figlet
    [[ ! -f $HOME/bin/rebel.tlf ]] && ln -s /usr/share/figlet/rebel.tlf $HOME/bin/rebel.tlf
    [[ ! -f $HOME/bin/sleep ]] && ln -s /usr/bin/sleep $HOME/bin/sleep
  # Set PATH env to <home user directory>/bin
    PATH=$HOME/bin
    export PATH
  else
    PATH=$PATH:$HOME/.local/bin:$HOME/bin
    export PATH
fi


if [[ -n $(id $USER | grep "domain users") ]]
  then
    if [[ ! -e $HOME/.google_authenticator ]]
      then
        if [[ -n $(id $USER | grep "admins") ]]
          then
            figlet -t -f $HOME/bin/rebel.tlf "Welcome to Company GAuth setup portal"
            sleep 1.5
            echo "Please, run any of these software on your device, where you would like to setup OTP:
Google Authenticator:
AppStore - https://apps.apple.com/us/app/google-authenticator/id388497605
Play Market - https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
FreeOTP:
AppStore - https://apps.apple.com/us/app/freeotp-authenticator/id872559395
Play Market - https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=en

And prepare to scan QR code.

"
            sleep 5
            google-auth -f -t -w 3 -r 3 -R 30 -d -e 1
            echo "Congratulations, now you can use an OTP token from application as a password connecting to VPN."
          else
            figlet -t -f $HOME/bin/rebel.tlf "Welcome to Company GAuth setup portal"
            sleep 1.5
            echo "Please, run any of these software on your device, where you would like to setup OTP:
Google Authenticator:
AppStore - https://apps.apple.com/us/app/google-authenticator/id388497605
Play Market - https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
FreeOTP:
AppStore - https://apps.apple.com/us/app/freeotp-authenticator/id872559395
Play Market - https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=en

And prepare to scan QR code.

"
            sleep 5
            google-auth -f -t -w 3 -r 3 -R 30 -d -e 1
            echo "Congratulations, now you can use an OTP token from application as a password to VPN."
            logout
        fi
      else
        echo "You have already setup a Google Authenticator"
        if [[ -z $(id $USER | grep "admins") ]]
          then
          logout
        fi
    fi
  else
    echo "You don't need to set up a Google Authenticator"
fi
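What the pam_google_authenticator.so line in pam.d/radiusd ends up checking for a token enrolled with the options used in the profile above (google-auth -f -t -w 3 -r 3 -R 30 -d -e 1), as an added Python model that is not part of the original article and not the PAM module's own code: the TOTP computation itself (RFC 6238, SHA-1, 30-second steps, 6 digits), -w 3 modelled as the current step plus one step on either side, -d as refusing a step that already produced a login, and -r 3 -R 30 as at most three verification attempts per 30 seconds. The names OtpVerifier, totp and demo, the secret (the RFC 6238 test key, not a real enrolment) and the timestamps are constructed for this example; the window and rate-limit semantics are the assumptions stated in the class docstring.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30      # seconds per TOTP step (RFC 6238 default; -t enrols time-based codes)
DIGITS = 6     # code length the Google Authenticator app shows


def totp(secret_b32: str, step: int) -> str:
    """RFC 6238 TOTP for one 30-second step: HOTP(K, step) with SHA-1 and dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


class OtpVerifier:
    """Model of the per-user checks the PAM module performs (assumed semantics, see lead-in).

    window=3           -> -w 3      : current step plus (window-1)//2 steps before and after
    disallow_reuse     -> -d        : a step that already logged someone in is refused
    attempts/interval  -> -r 3 -R 30: at most `attempts` verifications per `interval` seconds
    """

    def __init__(self, secret_b32: str, window: int = 3, disallow_reuse: bool = True,
                 attempts: int = 3, interval: int = 30):
        self.secret = secret_b32
        self.window = window
        self.disallow_reuse = disallow_reuse
        self.attempts = attempts
        self.interval = interval
        self.used_steps = set()      # steps that already produced a successful login
        self.attempt_times = []      # timestamps of recent verification attempts

    def verify(self, code: str, now: float) -> str:
        """Return 'ok', 'bad-code', 'reused' or 'rate-limited' for a code presented at time `now`."""
        # Rate limiting is applied before the code is even looked at
        self.attempt_times = [t for t in self.attempt_times if now - t < self.interval]
        if len(self.attempt_times) >= self.attempts:
            return "rate-limited"
        self.attempt_times.append(now)

        current = int(now // STEP)
        half = (self.window - 1) // 2
        for step in range(current - half, current + half + 1):
            if hmac.compare_digest(totp(self.secret, step), code):
                if self.disallow_reuse and step in self.used_steps:
                    return "reused"
                self.used_steps.add(step)
                return "ok"
        return "bad-code"


# Constructed example secret (base32 of the RFC 6238 test key "12345678901234567890"),
# not a real enrolment; on the server the real secret lives in ~/.google_authenticator.
EXAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def demo(now: float = 1_600_000_020.0) -> list:
    """Walk one user through the checks and return the verdict of each attempt."""
    v = OtpVerifier(EXAMPLE_SECRET)
    step = int(now // STEP)
    return [
        v.verify(totp(EXAMPLE_SECRET, step), now),        # fresh current code             -> ok
        v.verify(totp(EXAMPLE_SECRET, step + 2), now),    # two steps ahead, outside -w 3  -> bad-code
        v.verify(totp(EXAMPLE_SECRET, step + 1), now),    # next step, inside the window   -> ok
        v.verify(totp(EXAMPLE_SECRET, step), now),        # fourth attempt within 30 s     -> rate-limited
        v.verify(totp(EXAMPLE_SECRET, step), now + 31),   # limit cleared, but -d bites    -> reused
    ]


if __name__ == "__main__":
    print(demo())
```

The window is what makes the scheme tolerant of small clock drift between the phone and the server; -d is what turns a replayed code into a failure even inside that window, which matters here because the OTP travels as the VPN password.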

Fortigate setup:

  • Create the RADIUS server

  • Create the appropriate groups and, if necessary, configure access by group. The group name on the Fortigate must match the group passed in the Vendor Specific Attribute Fortinet-Group-Name.

  • Configure the required SSL portal.

  • Add the groups to the policies.

Advantages of this solution:

  • OTP authentication on the Fortigate with an open-source solution.
  • The user does not enter a password when connecting over the VPN, which simplifies connecting. A 6-digit code is easier to type than a password that satisfies the security policy. As a result, the number of tickets with the subject "I can't connect to the VPN" goes down.

PS. We plan to upgrade this solution to full two-factor authentication with challenge-response.

Update:

As promised, I finished it off as the challenge-response option.
So:
In the file /etc/raddb/sites-enabled/default the authorize section looks like this:

authorize {
    filter_username
    preprocess
    auth_log
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    files
    -sql
    #-ldap
    expiration
    logintime
    if (!State) {
        if (&User-Password) {
            # If !State and User-Password (PAP), then force LDAP:
            update control {
                Ldap-UserDN := "%{User-Name}"
                Auth-Type := LDAP
            }
        }
        else {
            reject
        }
    }
    else {
        # If State, then proxy request:
        group_authorization
    }
    pap
}

The authenticate section now looks like this:

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    mschap
    digest
    # Attempt authentication with a direct LDAP bind:
    Auth-Type LDAP {
        ldap
        if (ok) {
            update reply {
                # Create a random State attribute:
                State := "%{randstr:aaaaaaaaaaaaaaaa}"
                Reply-Message := "Please enter OTP"
            }
            # Return Access-Challenge:
            challenge
        }
    }
    pam
    eap
}

Now user authentication follows this algorithm:

  • The user enters credentials in the VPN client.
  • Freeradius checks that the account and password are valid.
  • If the password is correct, a request for a token is sent.
  • The token is verified.
  • Profit.
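The two-round exchange just listed, as an added Python simulation that is not from the article and does not run FreeRADIUS: rlm_ldap, the group_authorization policy and rlm_pam are replaced by caller-supplied callables over constructed data, so the State handling can be exercised offline. One point the simulation adds beyond the configuration shown: the authorize section above only tests whether a State attribute is present in the request, it does not check that the value is one this server issued, so the example records every State it hands out and accepts it once, for the same user, within a short lifetime. The names Packet, ChallengeResponseServer, run_exchange and demo_server, the pending table with its 60-second lifetime and user binding, and the DEMO_* data are all assumptions of this example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Packet:
    """Minimal stand-in for a RADIUS packet: code plus attribute dictionary."""
    code: str                              # Access-Request, Access-Challenge, Access-Accept, Access-Reject
    attrs: dict = field(default_factory=dict)


class ChallengeResponseServer:
    """Two-round flow from the authorize/authenticate sections above.

    Round 1 (no State):   User-Password -> LDAP bind -> Access-Challenge carrying a random State
    Round 2 (State sent): group check, then OTP carried in User-Password -> Accept / Reject
    The three callables replace rlm_ldap, group_authorization and rlm_pam; the caller
    supplies them so the exchange runs offline.
    """

    def __init__(self, ldap_bind: Callable[[str, str], bool],
                 in_vpn_group: Callable[[str], Optional[str]],
                 check_otp: Callable[[str, str], bool], ttl: int = 60):
        self.ldap_bind = ldap_bind
        self.in_vpn_group = in_vpn_group      # returns the Fortinet-Group-Name or None
        self.check_otp = check_otp
        self.ttl = ttl                        # seconds a challenge stays answerable (assumption)
        self.pending = {}                     # State -> (user, issued_at); assumed server-side table

    def handle(self, req: Packet, now: float) -> Packet:
        user = req.attrs.get("User-Name")
        state = req.attrs.get("State")
        if state is None:
            # Round 1: a PAP password is required, otherwise reject (the `else { reject }` branch)
            password = req.attrs.get("User-Password")
            if not user or password is None or not self.ldap_bind(user, password):
                return Packet("Access-Reject")
            state = secrets.token_hex(8)      # 16 characters, like %{randstr:aaaaaaaaaaaaaaaa}
            self.pending[state] = (user, now)
            return Packet("Access-Challenge", {"State": state, "Reply-Message": "Please enter OTP"})

        # Round 2: only a State this server issued, for this user, once, and before it expires
        issued = self.pending.pop(state, None)
        if issued is None or issued[0] != user or now - issued[1] > self.ttl:
            return Packet("Access-Reject")
        group = self.in_vpn_group(user)
        if group is None:
            return Packet("Access-Reject", {"Reply-Message": "Not authorized for vpn"})
        otp = req.attrs.get("User-Password")
        if otp is None or not self.check_otp(user, otp):
            return Packet("Access-Reject")
        return Packet("Access-Accept", {"Fortinet-Group-Name": group, "Reply-Message": "Welcome Admin"})


def run_exchange(server: ChallengeResponseServer, user: str, password: str, otp: str,
                 now: float = 0.0) -> Packet:
    """Drive both rounds the way the VPN client would and return the final reply."""
    first = server.handle(Packet("Access-Request", {"User-Name": user, "User-Password": password}), now)
    if first.code != "Access-Challenge":
        return first
    return server.handle(Packet("Access-Request", {"User-Name": user, "User-Password": otp,
                                                   "State": first.attrs["State"]}), now + 5)


# Constructed directory and token data standing in for AD and the users' enrolled secrets
DEMO_PASSWORDS = {"alice": "Alice-Pass-1", "bob": "Bob-Pass-2"}
DEMO_GROUPS = {"alice": "vpn_admins"}          # bob has a valid password but no VPN group
DEMO_OTPS = {"alice": "123456", "bob": "654321"}


def demo_server() -> ChallengeResponseServer:
    """Server wired to the constructed data above."""
    return ChallengeResponseServer(
        ldap_bind=lambda u, p: DEMO_PASSWORDS.get(u) == p,
        in_vpn_group=DEMO_GROUPS.get,
        check_otp=lambda u, o: DEMO_OTPS.get(u) == o,
    )


if __name__ == "__main__":
    srv = demo_server()
    print(run_exchange(srv, "alice", "Alice-Pass-1", "123456"))
    print(run_exchange(srv, "bob", "Bob-Pass-2", "654321"))
```

The ordering inside round 2 mirrors the configuration: the group decision comes from the authorize section (group_authorization) before the OTP is checked in authenticate (pam), so a user outside vpn_admins is rejected with "Not authorized for vpn" regardless of the token.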

Source: www.habr.com
