Moving to 2FA (Two-factor authentication for ASA SSL VPN)

The need to provide remote access to a corporate environment comes up more and more often, whether it is your own users or partners who need access to a particular server in your organization.

For these purposes, most companies use VPN technology, which has proven itself as a reliably protected way of giving access to the organization's local resources.

My company is no exception, and we, like many others, use this technology. And, like many others, we use a Cisco ASA 55xx as the remote-access gateway.

As the number of remote users grows, the procedure for issuing credentials needs to be simplified. But at the same time this must be done without compromising security.

For ourselves, we found a solution in using two-factor authentication for connections via Cisco SSL VPN, with one-time passwords. And this post will tell you how to set up such a solution with minimal time and zero cost for the required software (provided you already have a Cisco ASA in your infrastructure).

The market is full of boxed solutions for generating one-time passwords, offering many options for delivering them, whether sending the password by SMS or using tokens, both hardware and software (for example, on a mobile phone). But the urge to save, and the urge to save money for my employer in the current crisis, forced me to look for a free way to implement a service for generating one-time passwords. One which, while free, is not much inferior to commercial solutions (here we should make a reservation, noting that this product also has a commercial version, but we agreed that our cost, in money, would be zero).

So, we will need:

- A Linux image with a set of built-in tools: multiOTP, FreeRADIUS and nginx, for accessing the server via the web (http://download.multiotp.net/ - I used a ready-made image for VMware)
- An Active Directory server
- The Cisco ASA itself (for convenience, I will use ASDM)
- Any software token that supports the TOTP mechanism (I, for example, use Google Authenticator, but FreeOTP will do just as well)

I will not go into the details of deploying the image. As a result, you get Debian Linux with multiOTP and FreeRADIUS already installed, configured to work together, and a web interface for OTP administration.

Step 1. Start the system and configure it for your network
By default, the system comes with root / root credentials. I think everyone guessed that it is a good idea to change the root password after the first login. You also need to change the network settings (by default '192.168.1.44' with gateway '192.168.1.1'). After that you can reboot the system.

Let's create a user otp in Active Directory, with the password MySuperPassword.

Step 2. Set up the connection and import Active Directory users
To do this, we need access to the console, and directly to the multiotp.php file, which we will use to configure the connection settings for Active Directory.

Go to the /usr/local/bin/multiotp/ directory and execute the following commands in order:

./multiotp.php -config default-request-prefix-pin=0

Determines whether an additional (permanent) PIN is required when entering the one-time PIN (0 or 1)

./multiotp.php -config default-request-ldap-pwd=0

Determines whether the domain (LDAP) password is required when entering the one-time PIN (0 or 1)

./multiotp.php -config ldap-server-type=1

The type of LDAP server being specified (0 = regular LDAP server, in our case 1 = Active Directory)

./multiotp.php -config ldap-cn-identifier="sAMAccountName"

Specifies the format in which to present the user name (this value shows only the name, without the domain)

./multiotp.php -config ldap-group-cn-identifier="sAMAccountName"

The same, only for the group

./multiotp.php -config ldap-group-attribute="memberOf"

Specifies the method for checking whether a user belongs to a group

./multiotp.php -config ldap-ssl=1

Should a secure connection to the LDAP server be used (yes - yes!)

./multiotp.php -config ldap-port=636

Port for connecting to the LDAP server

./multiotp.php -config ldap-domain-controllers=adSRV.domain.local

Your Active Directory server address

./multiotp.php -config ldap-base-dn="CN=Users,DC=domain,DC=local"

Specify where to start searching for users in the domain

./multiotp.php -config ldap-bind-dn="[email protected]"

Specify a user who has rights in Active Directory

./multiotp.php -config ldap-server-password="MySuperPassword"

Specify the password for connecting to Active Directory

./multiotp.php -config ldap-network-timeout=10

Set the timeout for connecting to Active Directory

./multiotp.php -config ldap-time-limit=30

Set a time limit for the user import operation

./multiotp.php -config ldap-activated=1

Enable the Active Directory connection configuration

./multiotp.php -debug -display-log -ldap-users-sync

Import users from Active Directory

Step 3. Generate a QR code for the token
Everything here is extremely simple. Open the OTP server's web interface in a browser, log in (don't forget to change the admin password!), and click the "Print" button:

The result of this action will be a page containing two QR codes. We boldly ignore the first one (despite the attractive caption Google Authenticator / Authenticator / 2 Steps Authenticator), and just as boldly scan the second code into the software token on the phone:

(yes, I deliberately spoiled the QR code so that it cannot be read).

After these steps, a six-digit password will start being generated in your application every thirty seconds.

To be sure, you can check it in the same interface:
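As an added illustration (not part of the original article, and not multiOTP's code), the following Python implements the RFC 6238 TOTP that the phone token and the OTP server both compute from the secret carried in the QR code: a 30-second step and six digits, plus a server-side check that tolerates one step of clock drift and refuses to accept the same step twice. The base32 demo secret is constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30     # seconds per code, as used by Google Authenticator / FreeOTP
DIGITS = 6
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"   # constructed demo secret (base32, as in a QR code); not a real key

def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret_b32: str, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (what the phone app shows)."""
    return hotp(secret_b32, now // step)

class TotpVerifier:
    """Server side: accept a code within +/- window steps of now, and never accept a step twice."""

    def __init__(self, secret_b32: str, window: int = 1, step: int = STEP):
        self.secret, self.window, self.step = secret_b32, window, step
        self.last_step = -1   # highest time step already consumed by a successful login

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate <= self.last_step:
                continue   # replay of an already used code (or an older one) is rejected
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_step = candidate
                return True
        return False

if __name__ == "__main__":
    now = int(time.time())
    print("current code for the demo secret:", totp(DEMO_SECRET_B32, now))
    print("accepted:", TotpVerifier(DEMO_SECRET_B32).verify(totp(DEMO_SECRET_B32, now), now))
```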

by entering your user name and the one-time password from the application on your phone. Got a positive answer? Then we move on.

Step 4. Additional configuration and testing of FreeRADIUS
As I mentioned above, multiOTP is already configured to work with FreeRADIUS; all that remains is to run tests and add information about our VPN gateway to the FreeRADIUS configuration file.

We return to the server console, to the /usr/local/bin/multiotp/ directory, and enter:

./multiotp.php -config debug=1
./multiotp.php -config display-log=1

This enables logging.

In the FreeRADIUS clients configuration file (/etc/freeradius/clients.conf) comment out all lines related to localhost and add two entries:

client localhost {
        ipaddr = 127.0.0.1
        secret          = testing321
        require_message_authenticator = no
}

- for testing

client 192.168.1.254/32 {
        shortname =     CiscoASA
        secret =        ConnectToRADIUSSecret
}

- for our VPN gateway.

Restart FreeRADIUS and try to log in:

radtest username 100110 localhost 1812 testing321

where username = the user name, 100110 = the password given to us by the application on the phone, localhost = the RADIUS server address, 1812 = the RADIUS server port, testing321 = the RADIUS client password (which we specified in the config).

The result of this command will look like this:

Sending Access-Request of id 44 to 127.0.0.1 port 1812
        User-Name = "username"
        User-Password = "100110"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 1812
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=44, length=20
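The exchange radtest performs above, as an added example written for this article (not radtest's or FreeRADIUS's own code): it builds the Access-Request shown in the output, hides the User-Password with the shared secret as RFC 2865 prescribes, appends a Message-Authenticator (RFC 2869), and then does what the server does on receipt. It shows that the shared secret (testing321 / ConnectToRADIUSSecret above) is the only thing protecting the one-time password in transit, and what `require_message_authenticator` checks. The request authenticator used in the test is a constructed value.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_NAS_PORT, ATTR_MSG_AUTH = 1, 1, 2, 4, 5, 80

def _xor_blocks(data, secret, authenticator, hiding):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous on-the-wire block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, mask))
        out += result
        prev = result if hiding else block   # the chained block is always the hidden one
    return out

def hide_password(password, secret, authenticator):
    """Client (NAS) side: zero-pad to 16 bytes and hide the OTP under the shared secret."""
    return _xor_blocks(password + b"\x00" * (-len(password) % 16), secret, authenticator, True)
def reveal_password(hidden, secret, authenticator):
    """Server side: undo the hiding and strip the zero padding."""
    return _xor_blocks(hidden, secret, authenticator, False).rstrip(b"\x00")

def attr(type_, value):
    return struct.pack("BB", type_, len(value) + 2) + value

def build_access_request(ident, user, otp, secret, authenticator=None):
    """Encode the Access-Request radtest sends; Message-Authenticator (RFC 2869) goes last."""
    authenticator = authenticator or os.urandom(16)   # 16 random bytes in a real client
    attrs = (attr(ATTR_USER_NAME, user.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(otp.encode(), secret, authenticator))
             + attr(ATTR_NAS_IP, bytes([127, 0, 1, 1]))
             + attr(ATTR_NAS_PORT, struct.pack(">I", 1812))
             + attr(ATTR_MSG_AUTH, b"\x00" * 16))
    header = struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()  # HMAC-MD5 over the packet with the field zeroed
    return header + attrs[:-16] + mac

def server_check(packet, secret):
    """What the RADIUS server does on receipt: verify Message-Authenticator, then recover the OTP."""
    authenticator, attrs, zeroed, pos = packet[4:20], {}, bytearray(packet), 20
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        attrs[t] = packet[pos + 2:pos + length]
        if t == ATTR_MSG_AUTH:
            zeroed[pos + 2:pos + length] = b"\x00" * 16
        pos += length
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    mac_ok = hmac.compare_digest(expected, attrs.get(ATTR_MSG_AUTH, b""))
    otp = reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator).decode(errors="replace")
    return attrs[ATTR_USER_NAME].decode(), otp, mac_ok
```

With `require_message_authenticator = no`, as in the localhost client entry above, the server skips the `mac_ok` check and only the password hiding remains.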

Now we need to make sure that the user was authenticated successfully. To do this, we look at the log of multiotp itself:

tail /var/log/multiotp/multiotp.log

And if the last entry contains:

2016-09-01 08:58:17     notice  username  User    OK: User username successfully logged in from 127.0.0.1
2016-09-01 08:58:17     debug           Debug   Debug: 0 OK: Token accepted from 127.0.0.1

Then everything went well and we can wrap up.

Step 5: Configuring the Cisco ASA
Let's agree that you already have a group and policies for access via SSL VPN, configured together with Active Directory, and you need to add two-factor authentication to this profile.

1. Add a new AAA server group:

2. Add our multiOTP server to the group:

3. Edit the connection profile, setting the Active Directory server group as the primary authentication server:

4. In the Advanced -> Authentication tab we also select the Active Directory server group:

5. In the Advanced -> Secondary Authentication tab, select the server group we created, in which the multiOTP server is registered. Note that the session username is taken from the primary AAA server group:

Apply the settings and

Step 6, aka the last one
Let's check whether two-factor authentication works for the SSL VPN:

Voila! When connecting via the Cisco AnyConnect VPN Client, you will also be asked for a second, one-time password.

I hope this article helps someone, and gives someone food for thought on how to use this free OTP server for other tasks. Share in the comments if you like.

source: www.habr.com
