Switching to 2FA (Two-factor authentication for the ASA SSL VPN)

The need to provide remote access to the corporate environment arises more and more often, whether it is your own users or partners who need access to a particular server in your organization.

For this purpose, most companies use VPN technology, which has proven itself as a reliably protected way of granting access to the organization's local resources.

My company was no exception, and we, like many others, use this technology. And, like many others, we use the Cisco ASA 55xx as the remote-access gateway.

As the number of remote users grows, the procedure for issuing credentials needs to be simplified. But at the same time this must be done without compromising security.

For ourselves, we found a solution in two-factor authentication for connections through the Cisco SSL VPN, using one-time passwords. This article tells how to set up such a solution with minimal time and zero cost for the required software (provided you already have a Cisco ASA in your infrastructure).

The market is full of boxed solutions for generating one-time passwords, offering plenty of delivery options: sending the password by SMS or using tokens, both hardware and software (for example, on a mobile phone). But the desire to save money, and the desire to save money for my employer in the current crisis, pushed me to look for a free way to implement a one-time password service. One that, although free, is not much inferior to commercial solutions (here we should make a reservation, noting that this product also has a commercial version, but we agreed that our cost, in money, would be zero).

So, we need:

- A Linux image with a built-in set of tools: multiOTP, FreeRADIUS and nginx for accessing the server via the web (http://download.multiotp.net/ - I used the ready-made VMware image)
- An Active Directory server
- The Cisco ASA itself (for convenience, I use ASDM)
- Any software token that supports the TOTP mechanism (I, for example, use Google Authenticator, but FreeOTP will do just as well)

I will not go into detail about how the image is deployed. As a result you get Debian Linux with multiOTP and FreeRADIUS already installed, configured to work together, and a web interface for OTP administration.

Step 1. Start the system and configure it for your network
By default the system comes with root:root credentials. I think everyone has guessed that it would be a good idea to change the root user's password after the first login. You also need to change the network settings (by default it is '192.168.1.44' with gateway '192.168.1.1'). After that you can reboot the system.

Let's create a user otp in Active Directory, with the password MySuperPassword.

Step 2. Set up the connection and import Active Directory users
To do this we need console access, directly to the multiotp.php file, which we will use to configure the Active Directory connection settings.

Go to the directory /usr/local/bin/multiotp/ and run the following commands in turn:

./multiotp.php -config default-request-prefix-pin=0

Determines whether an additional (permanent) PIN is required when entering the one-time PIN (0 or 1)

./multiotp.php -config default-request-ldap-pwd=0

Determines whether the domain password is required when entering the one-time PIN (0 or 1)

./multiotp.php -config ldap-server-type=1

Specifies the LDAP server type (0 = regular LDAP server; in our case 1 = Active Directory)

./multiotp.php -config ldap-cn-identifier="sAMAccountName"

Specifies the format for presenting the user name (this value will show only the name, without the domain)

./multiotp.php -config ldap-group-cn-identifier="sAMAccountName"

The same, but for the group

./multiotp.php -config ldap-group-attribute="memberOf"

Specifies how to determine whether a user belongs to a group

./multiotp.php -config ldap-ssl=1

Whether to use a secure connection to the LDAP server (yes, of course!)

./multiotp.php -config ldap-port=636

Port for connecting to the LDAP server

./multiotp.php -config ldap-domain-controllers=adSRV.domain.local

Your Active Directory server address

./multiotp.php -config ldap-base-dn="CN=Users,DC=domain,DC=local"

Specify where to start searching for users in the directory

./multiotp.php -config ldap-bind-dn="[email protected]"

Specify a user with rights to search in Active Directory

./multiotp.php -config ldap-server-password="MySuperPassword"

Specify that user's password for connecting to Active Directory

./multiotp.php -config ldap-network-timeout=10

Set the connection timeout for Active Directory

./multiotp.php -config ldap-time-limit=30

Set the time limit for the user lookup operation

./multiotp.php -config ldap-activated=1

Activate the Active Directory connection configuration

./multiotp.php -debug -display-log -ldap-users-sync

Import users from Active Directory

Step 3. Generate the QR code for the token
Everything here is very simple. Open the OTP server's web interface in a browser, log in (don't forget to change the default admin password!), and click the "Print" button:

The result of this action will be a page with two QR codes. We boldly ignore the first of them (despite the attractive caption Google Authenticator / Authenticator / 2 Steps Authenticator), and just as boldly scan the second code into the software token on the phone:

(yes, I deliberately spoiled the QR code so it could not be read).

After completing these actions, a six-digit password will start being generated in your application every thirty seconds.
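The six-digit, 30-second codes are RFC 6238 TOTP, which is what both the phone app and multiOTP compute from the secret carried in the QR code. Below is an added Python example (not code from the article or from multiOTP) showing that computation together with the two things a verifying server needs: tolerance of one step of clock drift, and refusal to accept a code for a time step that has already been used. The base32 secret is the RFC 6238 reference key, a constructed test value, not a secret from the article.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the thirty-second window the article mentions
DIGITS = 6          # six-digit codes, as shown by Google Authenticator / FreeOTP

# RFC 6238 reference key ("12345678901234567890"), base32-encoded as it would
# appear in an otpauth:// QR code. Constructed test value, NOT from the article.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(b32: str) -> bytes:
    """Decode the base32 secret from the QR code (tolerates spaces and missing padding)."""
    clean = b32.strip().replace(" ", "").upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: HOTP with the counter derived from the current 30-second step."""
    return hotp(secret, unix_time // STEP_SECONDS)


def verify_totp(secret: bytes, code: str, unix_time: int,
                last_counter: int = -1, window: int = 1):
    """Server-side check: accept the code for the current step or the `window`
    neighbouring steps (clock drift), but never for a step at or before the one
    already used, so a captured OTP cannot be replayed within its validity.
    Returns (accepted, counter_to_store_for_this_user)."""
    now = unix_time // STEP_SECONDS
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return True, counter
    return False, last_counter
```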

To be sure, you can check it in the same interface:

by entering your user name and a one-time password from the application on your phone. Got a positive response? Then we move on.

Step 4. Additional configuration and testing of FreeRADIUS
As I mentioned above, multiOTP is already configured to work with FreeRADIUS; what remains is to run tests and add information about our VPN gateway to the FreeRADIUS configuration file.

We return to the server console, to the directory /usr/local/bin/multiotp/, and enter:

./multiotp.php -config debug=1
./multiotp.php -config display-log=1

This enables more detailed logging.

In the FreeRADIUS clients configuration file (/etc/freeradius/clients.conf) comment out all lines concerning localhost and add two entries:

client localhost {
        ipaddr = 127.0.0.1
        secret          = testing321
        require_message_authenticator = no
}

- for testing

client 192.168.1.254/32 {
        shortname =     CiscoASA
        secret =        ConnectToRADIUSSecret
}

- our VPN gateway.

Restart FreeRADIUS and try to log in:

radtest username 100110 localhost 1812 testing321

where username = the user name, 100110 = the password issued to us by the application on the phone, localhost = the RADIUS server address, 1812 = the RADIUS server port, testing321 = the RADIUS client password (which we specified in the configuration).

The output of this command will look roughly like this:

Sending Access-Request of id 44 to 127.0.0.1 port 1812
        User-Name = "username"
        User-Password = "100110"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 1812
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=44, length=20
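To show what is inside the Access-Request above, and what the `require_message_authenticator` setting in clients.conf controls, here is an added Python example (not code from the article, multiOTP or FreeRADIUS). It builds the request with the RFC 2865 User-Password obfuscation and an RFC 2869 Message-Authenticator, then verifies that HMAC the way a server does when the attribute is required. The user name, password and `testing321` secret are the article's test values; the 16-byte request authenticator is a constructed value.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block).
    This is the only protection User-Password gets on the wire."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out


def attribute(atype: int, value: bytes) -> bytes:
    return struct.pack("BB", atype, len(value) + 2) + value


def build_access_request(ident: int, authenticator: bytes, username: bytes,
                         password: bytes, secret: bytes) -> bytes:
    """Access-Request with User-Name, User-Password and a Message-Authenticator
    (RFC 2869 s5.14): HMAC-MD5 over the whole packet with that attribute zeroed."""
    attrs = attribute(USER_NAME, username)
    attrs += attribute(USER_PASSWORD, encode_user_password(password, secret, authenticator))
    attrs += attribute(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """What `require_message_authenticator = yes` makes the server insist on:
    find attribute 80, zero it, recompute the HMAC-MD5 and compare."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return False
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False  # no Message-Authenticator present: reject when it is required
```

With `require_message_authenticator = no`, as in the test client above, the server also accepts requests that carry no such HMAC, so only the shared secret and the MD5-based User-Password obfuscation protect them; enabling the check is preferable for every client known to send the attribute.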

Now we need to make sure the user was actually authenticated. To do this, we look at the log of multiotp itself:

tail /var/log/multiotp/multiotp.log

And if the last entries there are:

2016-09-01 08:58:17     notice  username  User    OK: User username successfully logged in from 127.0.0.1
2016-09-01 08:58:17     debug           Debug   Debug: 0 OK: Token accepted from 127.0.0.1

Then everything went well and we can finish.

Step 5. Configure the Cisco ASA
Let's agree that we already have a configured group and settings for access via SSL VPN, set up together with Active Directory, and we need to add two-factor authentication for this profile.

1. Add a new AAA server group:

2. Add our multiOTP server to the group:

3. Edit the connection profile, setting the Active Directory server group as the primary authentication server:

4. In the Advanced -> Authentication tab we also select the Active Directory server group:

5. In the Advanced -> Secondary authentication tab, select the created server group in which the multiOTP server is registered. Note that the Session username is inherited from the primary AAA server group:

Save the settings and

Step 6, the last one
Let's check whether two-factor authentication works for the SSL VPN:

Voila! When connecting through the Cisco AnyConnect VPN Client, you will also be prompted for a second, one-time password.

I hope this article will be useful to someone, and will give someone food for thought on how to use this free OTP server for other tasks. Share in the comments if you like.

Source: www.habr.com
