The need to give remote access to the corporate environment comes up more and more often, whether it is your own users or partners who need to reach some server in your organization.
For this purpose most companies use VPN technology, which has proven itself as a reliable and secure way of providing access to an organization's resources.
My company was no exception, and we, like many others, use this technology. And, like many others, we use a Cisco ASA 55xx as the remote-access gateway.
As the number of remote users grows, the process of issuing credentials has to be simplified. But at the same time this must be done without compromising security.
For ourselves, we found the solution in two-factor authentication for the Cisco SSL VPN connection, using one-time passwords. This article describes how to set up such a solution with little time and zero cost for the required software (provided you already have a Cisco ASA in your infrastructure).
The market is full of boxed solutions for generating one-time passwords, with many delivery options: sending the password by SMS, or using tokens, both hardware and software (for example, on a mobile phone). But the desire to save money, my own and my employer's, in the current crisis forced me to look for a free way to run a one-time password service. One that, although free, is not much inferior to the commercial solutions (here we should note that this product also has a commercial version, but we agreed that our cost, in money, would be zero).
So, we need:
- A Linux image with a built-in set of tools: multiOTP, FreeRADIUS and nginx for reaching the server through the web (http://download.multiotp.net/ ; I used the ready-made VMware image)
- An Active Directory server
- The Cisco ASA itself (for convenience I use ASDM)
- Any software token that supports the TOTP mechanism (I, for example, use Google Authenticator, but FreeOTP will do just as well)
I will not go into detail about how the image is deployed. In the end you get Debian Linux with multiOTP and FreeRADIUS already installed and configured to work together, plus a web interface for OTP management.
Step 1. Start the system and configure it for your network
By default the system ships with root:root credentials. I think everyone has already guessed that it is a good idea to change the root password right after the first login. You also need to change the network settings (by default the address is 192.168.1.44 with gateway 192.168.1.1). After that, you can reboot the system.
Let us also create a user otp in Active Directory, with the password MySuperPassword. multiOTP will use this account to bind to the directory and read users, so it needs read rights only.
Step 2. Set up the connection and import Active Directory users
To do this we need access to the console, specifically to the multiotp.php file, with which we will configure the Active Directory connection settings.
Change to the /usr/local/bin/multiotp/ directory and run the following commands one after another:
./multiotp.php -config default-request-prefix-pin=0
Determines whether an additional (permanent) PIN is required in front of the one-time PIN (0 or 1)
./multiotp.php -config default-request-ldap-pwd=0
Determines whether the domain password is required together with the one-time PIN (0 or 1)
./multiotp.php -config ldap-server-type=1
Sets the LDAP server type (0 = regular LDAP server; in our case 1 = Active Directory)
./multiotp.php -config ldap-cn-identifier="sAMAccountName"
Sets the attribute the user name is taken from (this value gives just the name, without the domain)
./multiotp.php -config ldap-group-cn-identifier="sAMAccountName"
The same, but for groups
./multiotp.php -config ldap-group-attribute="memberOf"
Sets how to determine whether a user belongs to a group
./multiotp.php -config ldap-ssl=1
Use a secure connection to the LDAP server (yes, of course!); this requires LDAPS to be enabled on the domain controller
./multiotp.php -config ldap-port=636
Port for connecting to the LDAP server
./multiotp.php -config ldap-domain-controllers=adSRV.domain.local
Your Active Directory server address
./multiotp.php -config ldap-base-dn="CN=Users,DC=domain,DC=local"
The starting point for searching users in the directory
./multiotp.php -config ldap-bind-dn="otp@domain.local"
The account with rights to search Active Directory (the otp user created in Step 1)
./multiotp.php -config ldap-server-password="MySuperPassword"
That account's password for connecting to Active Directory. It is passed on the command line, so it ends up in the shell history; remove it from there afterwards.
./multiotp.php -config ldap-network-timeout=10
Sets the connection timeout to Active Directory
./multiotp.php -config ldap-time-limit=30
Sets the time limit for the LDAP operation
./multiotp.php -config ldap-activated=1
Activates the Active Directory connection configuration
./multiotp.php -debug -display-log -ldap-users-sync
Imports the users from Active Directory
Step 3. Create the QR code for the token
Everything here is very simple. Open the OTP server's web interface in a browser, log in (don't forget to change the default admin password!), and click the "Print" button:
The result is a page with two QR codes. We boldly ignore the first of them (despite the attractive caption Google Authenticator / Authenticator / 2 Steps Authenticator), and just as boldly scan the second code into the software token on the phone:
(yes, I deliberately smudged the QR code so that it cannot be read).
After these steps, a six-digit password will be generated in your application every thirty seconds.
To be sure, you can check it in the same interface:
by entering your user name and the one-time password from the application on your phone. Got a positive response? Then we move on.
Step 4. Additional configuration and testing of FreeRADIUS
As I mentioned above, multiOTP is already configured to work with FreeRADIUS; all that remains is to run a test and add our VPN gateway to the FreeRADIUS configuration file.
We return to the server console, to the /usr/local/bin/multiotp/ directory, and enter:
./multiotp.php -config debug=1
./multiotp.php -config display-log=1
This enables detailed logging.
In the FreeRADIUS clients configuration file (/etc/freeradius/clients.conf) comment out all lines relating to localhost and add two entries (the localhost entry exists only for local radtest checks; give the ASA entry a long, random secret of its own):
client localhost {
    ipaddr = 127.0.0.1
    secret = testing321
    require_message_authenticator = no
}
- for tests
client 192.168.1.254/32 {
    shortname = CiscoASA
    secret = ConnectToRADIUSSecret
}
- our VPN gateway.
Restart FreeRADIUS and try to log in:
radtest username 100110 localhost 1812 testing321
where username is the user name, 100110 is the password shown by the application on the phone, localhost is the RADIUS server address (radtest sends to the default port 1812 unless you write host:port), 1812 is the nas-port-number argument, which only fills the NAS-Port attribute of the request, and testing321 is the client secret we set in the configuration.
The output of this command should look roughly like this:
Sending Access-Request of id 44 to 127.0.0.1 port 1812
User-Name = "username"
User-Password = "100110"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=44, length=20
Now we need to make sure that the user was really authenticated by multiOTP and not merely accepted. To do this, we look at the log of multiotp itself:
tail /var/log/multiotp/multiotp.log
And if the last entries there read:
2016-09-01 08:58:17 notice username User OK: User username successfully logged in from 127.0.0.1
2016-09-01 08:58:17 debug Debug Debug: 0 OK: Token accepted from 127.0.0.1
then everything went well and we can move on to the final part.
Step 5: Configure the Cisco ASA
Let us assume that we already have a group and access settings for the SSL VPN, integrated with Active Directory, and we need to add two-factor authentication to this profile.
1. Add a new AAA server group:
2. Add our multiOTP server to the group:
3. Edit the connection profile, setting the Active Directory server group as the primary authentication server:
4. In the Advanced -> Authentication tab we also select the Active Directory server group:
5. In the Advanced -> Secondary Authentication tab, select the newly created server group in which the multiOTP server is registered. Note that the session user name is taken from the primary AAA server group:
Apply the settings.
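For readers without ASDM, or who cannot see the screenshots for the steps above, here is the same Step 5 configuration in Cisco ASA CLI form. This is an added example and not part of the original article. The server-group names AD-LDAP and multiOTP, the tunnel-group name SSLVPN, the interface name inside, the test user jdoe and the multiOTP host address 192.168.1.44 (the image's default from Step 1) are assumptions; the RADIUS secret ConnectToRADIUSSecret and the ASA address 192.168.1.254 come from the clients.conf entry in Step 4.

```cisco
! Added example (assumed names): ASA CLI equivalent of ASDM steps 1-5 above.
!
! 1-2. New AAA server group of type RADIUS and the multiOTP host inside it.
!      The ASA reaches the appliance through its inside interface; the key
!      must match the "client 192.168.1.254/32" entry in clients.conf.
aaa-server multiOTP protocol radius
aaa-server multiOTP (inside) host 192.168.1.44
 key ConnectToRADIUSSecret
 authentication-port 1812
 accounting-port 1813
 timeout 10
!
! 3-5. Connection profile: the existing Active Directory group (assumed to be
!      called AD-LDAP) stays the primary authentication server and supplies the
!      session user name; multiOTP becomes the secondary server.
!      use-primary-username makes the ASA reuse the primary user name for the
!      secondary authentication, so the client is only prompted for the second
!      password, i.e. the six-digit code.
tunnel-group SSLVPN general-attributes
 authentication-server-group AD-LDAP
 secondary-authentication-server-group multiOTP use-primary-username
!
! Check from the ASA's exec mode before testing with a real client. A current
! code from the token must give "Authentication Successful". Submit the same
! code a second time: it should be rejected, otherwise one-time use is not
! actually being enforced by the server.
! test aaa-server authentication multiOTP host 192.168.1.44 username jdoe password 123456
```

The ASA sends the one-time code as a RADIUS PAP User-Password, which is hidden only by the MD5-based scheme keyed with the shared secret, so keep the ASA-to-multiOTP path on an internal management network and use a long random secret rather than the placeholder shown here.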
Step 6, the last one
Let us check whether two-factor authentication works for the SSL VPN:
Voila! When connecting through the Cisco AnyConnect VPN Client you are also asked for a second, one-time password.
I hope this article will be useful to someone, and that it gives someone food for thought about using this free OTP server for other tasks. Share in the comments if you like.
Source: www.habr.com