Freeradius + Google Authenticator + LDAP + Fortigate

What to do when you want two-factor authentication, and it scares you a little, but there is no money for hardware tokens and in general you are told to hang in there and keep your spirits up.

This solution is nothing super original, but a mix of different solutions found on the internet.

So, given:

An Active Directory domain.

Domain users who work over VPN, as many do these days.

A Fortigate acting as the VPN gateway.

Saving the password in the VPN client is forbidden by security policy.

Fortinet's policy on its own tokens can only be called stingy: up to 10 tokens are free, the rest come at a very non-kosher price. I did not consider RSA SecurID, Duo and the like, because I want open source.

Prerequisites: a *nix host with freeradius installed, sssd joined to the domain, domain users can authenticate on it without problems.

Additional packages: shellinabox, figlet, freeradius-ldap, and the rebel.tlf font from the repository https://github.com/xero/figlet-fonts.

In my example: CentOS 7.8.

The idea is as follows: when connecting to the VPN, the user must enter the domain login and an OTP instead of the password.

Configuring the services

In /etc/raddb/radiusd.conf only the user and group under which freeradius starts are changed, since the radiusd service must be able to read files in all subdirectories of /home/.

user = root
group = root

To be able to use groups in the Fortigate settings, a Vendor Specific Attribute must be passed. To do this, in the raddb/policy.d directory I create a file with the following content:

group_authorization {
    # Members of the vpn_admins AD group get the Fortinet VSA that maps them
    # to a Fortigate user group and are sent on to PAM for the OTP check
    if (&LDAP-Group[*] == "CN=vpn_admins,OU=vpn-groups,DC=domain,DC=local") {
        update reply {
            &Fortinet-Group-Name = "vpn_admins"
        }
        update control {
            &Auth-Type := PAM
            &Reply-Message := "Welcome Admin"
        }
    }
    else {
        update reply {
            &Reply-Message := "Not authorized for vpn"
        }
        reject
    }
}

After installing freeradius-ldap, the file ldap is created in the raddb/mods-available directory.

A symlink to it needs to be created in the raddb/mods-enabled directory.

ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap

I bring it to the following form:

ldap {
        server = 'domain.local'
        identity = 'CN=freerad_user,OU=users,DC=domain,DC=local'
        password = "SupeSecretP@ssword"
        base_dn = 'dc=domain,dc=local'
        sasl {
        }
        user {
                base_dn = "${..base_dn}"
                filter = "(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
                sasl {
                }
                scope = 'sub'
        }
        group {
                base_dn = "${..base_dn}"
                filter = '(objectClass=Group)'
                scope = 'sub'
                name_attribute = cn
                membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
                membership_attribute = 'memberOf'
        }
}

In the files raddb/sites-enabled/default and raddb/sites-enabled/inner-tunnel, in the authorize section, I add the name of the policy that will be used: group_authorization. An important point: the policy name is determined not by the file name in the policy.d directory, but by the identifier inside the file before the curly braces.
In the authenticate section of the same files the pam line needs to be uncommented.

In the clients.conf file, write the parameters with which the Fortigate will connect:

client fortigate {
    ipaddr = 192.168.1.200
    secret = testing123
    require_message_authenticator = no
    nas_type = other
}

Configuration of the pam.d/radiusd module:

#%PAM-1.0
auth       sufficient   pam_google_authenticator.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    include      password-auth

The default way of deploying the freeradius + google authenticator bundle requires the user to enter credentials in the format: username/password+OTP.

Having imagined the number of curses that would rain down on my head with the default freeradius + Google Authenticator bundle, I decided to use the pam module configuration to verify only the Google Authenticator token.

When a user connects, the following happens:

  • Freeradius checks that the user exists in the domain and belongs to a specific group and, if so, the OTP token is verified.
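As an added illustration (not code from the article or from the google-authenticator project), the following Python models the check that pam_google_authenticator.so performs on the 6-digit value the VPN user sends in the password field: RFC 4226 HOTP, RFC 6238 TOTP with a 30-second step, an acceptance window, and refusal of an already-used code. Assumptions: the window is treated as a count of acceptable codes centred on the current one, which is how the `-w 3` option in the enrollment command later in the article is read here (previous, current and next code); the reuse rule is a simplified version of `-d`; the secret is the base32 key that google-authenticator writes to the first line of ~/.google_authenticator. The secret used in the comments is the RFC 4226/6238 test key, not a real one.

```python
# Added example, not from the article: RFC 4226 HOTP / RFC 6238 TOTP verifier
# approximating what pam_google_authenticator.so does with the submitted code.
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # google-authenticator -t uses 30 s steps
DIGITS = 6          # 6-digit codes, as shown in the apps


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits)


def decode_secret(b32):
    """The first line of ~/.google_authenticator is the base32 key (assumption:
    unpadded, as the tool writes it); re-add padding so b32decode accepts it."""
    b32 = b32.strip().upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


class TotpVerifier:
    """Accepts a code from `window` consecutive steps around now and never
    accepts a step that is older than or equal to the last accepted one
    (a simplified form of the -d "disallow reuse" behaviour)."""

    def __init__(self, secret, window=3, step=STEP_SECONDS, digits=DIGITS):
        self.secret = secret
        self.half = (window - 1) // 2   # window 3 -> one step before and after
        self.step = step
        self.digits = digits
        self.last_counter = -1          # highest counter already consumed

    def verify(self, code, at=None):
        if at is None:
            at = time.time()
        if len(code) != self.digits or not code.isdigit():
            return False
        now = int(at) // self.step
        for counter in range(now - self.half, now + self.half + 1):
            if counter <= self.last_counter:
                continue                # replay, or older than a used code
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False
```

With the RFC test key "12345678901234567890" (base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ), the codes for counters 0 and 1 are 755224 and 287082, so a verifier asked at t=59 (counter 1) accepts either of them once, and rejects the second use of the same code. The window is what lets a user whose phone clock drifts by a few seconds still log in; widening it beyond the three codes the article enrolls with also widens what an attacker can guess, so keep the rate limit (`-r 3 -R 30`) in place.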

Everything seemed fine until the moment I thought: "How do I enroll OTP for 300+ users?"

The user has to log in to the freeradius server and run the google authenticator application under his own account, which generates the QR code for the user's app. This is where shellinabox combined with .bash_profile comes to the rescue.

[root@freeradius ~]# yum install -y shellinabox

The daemon's configuration file is /etc/sysconfig/shellinabox.
There I set port 443, and you can also specify your own certificate.

[root@freeradius ~]# systemctl enable --now shellinaboxd

The user only needs to follow the link, enter the domain credentials and receive the QR code for the application.

The algorithm is as follows:

  • The user logs in to the machine through the browser.
  • It checks whether the user is a domain user. If not, nothing is done.
  • If the user is a domain user, membership in the Administrators group is checked.
  • If not an admin, it checks whether Google Authenticator is configured. If not, a QR code is generated and the user is logged out.
  • If not an admin and Google Authenticator is already configured, the user is simply logged out.
  • If an admin, Google Authenticator is checked again. If not configured, a QR code is generated.

All the logic is implemented in /etc/skel/.bash_profile.

cat /etc/skel/.bash_profile

# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi

# User specific environment and startup programs
# Make several commands available from user shell

# Non-admins, and anyone without a local /etc/passwd entry (i.e. domain users),
# get a restricted PATH with only the tools the enrollment needs;
# everyone else keeps the normal PATH.
if [[ -z $(id "$USER" | grep "admins") || -z $(grep "^$USER:" /etc/passwd) ]]
  then
    [[ ! -d $HOME/bin ]] && mkdir "$HOME/bin"
    [[ ! -f $HOME/bin/id ]] && ln -s /usr/bin/id "$HOME/bin/id"
    [[ ! -f $HOME/bin/google-auth ]] && ln -s /usr/bin/google-authenticator "$HOME/bin/google-auth"
    [[ ! -f $HOME/bin/grep ]] && ln -s /usr/bin/grep "$HOME/bin/grep"
    [[ ! -f $HOME/bin/figlet ]] && ln -s /usr/bin/figlet "$HOME/bin/figlet"
    [[ ! -f $HOME/bin/rebel.tlf ]] && ln -s /usr/share/figlet/rebel.tlf "$HOME/bin/rebel.tlf"
    [[ ! -f $HOME/bin/sleep ]] && ln -s /usr/bin/sleep "$HOME/bin/sleep"
  # Set PATH env to <home user directory>/bin
    PATH=$HOME/bin
    export PATH
  else
    PATH=$PATH:$HOME/.local/bin:$HOME/bin
    export PATH
fi

# Show the banner and instructions, then enroll the user:
# -t time-based, -f overwrite an existing file, -w 3 window of 3 codes,
# -r 3 -R 30 at most 3 logins per 30 s, -d disallow reuse of a code,
# -e 1 one emergency scratch code
enroll_otp() {
    figlet -t -f "$HOME/bin/rebel.tlf" "Welcome to Company GAuth setup portal"
    sleep 1.5
    echo "Please, run any of these software on your device, where you would like to setup OTP:
Google Authenticator:
AppStore - https://apps.apple.com/us/app/google-authenticator/id388497605
Play Market - https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
FreeOTP:
AppStore - https://apps.apple.com/us/app/freeotp-authenticator/id872559395
Play Market - https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=en

And prepare to scan QR code.

"
    sleep 5
    google-auth -f -t -w 3 -r 3 -R 30 -d -e 1
    echo "Congratulations, now you can use an OTP token from application as a password connecting to VPN."
}

if [[ -n $(id "$USER" | grep "domain users") ]]
  then
    if [[ ! -e $HOME/.google_authenticator ]]
      then
        enroll_otp
        # Non-admins are logged out once the QR code has been shown
        [[ -z $(id "$USER" | grep "admins") ]] && logout
      else
        echo "You have already setup a Google Authenticator"
        if [[ -z $(id "$USER" | grep "admins") ]]
          then
          logout
        fi
    fi
  else
    echo "You don't need to set up a Google Authenticator"
fi

Configuring the Fortigate:

  • Create a RADIUS server.

    (screenshot)

  • Create the required groups, if group-based access control is needed. The group name on the Fortigate must match the group passed in the Vendor Specific Attribute Fortinet-Group-Name.

    (screenshot)

  • Edit the required SSL portals.

    (screenshot)

  • Add the groups to the policies.

    (screenshot)

Advantages of this solution:

  • OTP on the Fortigate can be verified with an open source solution.
  • The user does not enter the domain password when connecting to the VPN, which somewhat simplifies the connection process. A 6-digit code is easier to type than the password the security policy demands. As a result, the number of tickets on the topic "I can't connect to the VPN" decreases.

PS We plan to upgrade this solution to full two-factor authentication with challenge-response.

update:

As promised, I converted it to the challenge-response variant.
So:
In the file /etc/raddb/sites-enabled/default the authorize section now looks like this:

authorize {
    filter_username
    preprocess
    auth_log
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    files
    -sql
    #-ldap
    expiration
    logintime
    if (!State) {
        if (&User-Password) {
            # If !State and User-Password (PAP), then force LDAP:
            update control {
                Ldap-UserDN := "%{User-Name}"
                Auth-Type := LDAP
            }
        }
        else {
            reject
        }
    }
    else {
        # If State, then proxy request:
        group_authorization
    }
    pap
}

The authenticate section now looks like this:

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    mschap
    digest
    # Attempt authentication with a direct LDAP bind:
    Auth-Type LDAP {
        ldap
        if (ok) {
            update reply {
                # Create a random State attribute:
                State := "%{randstr:aaaaaaaaaaaaaaaa}"
                Reply-Message := "Please enter OTP"
            }
            # Return Access-Challenge:
            challenge
        }
    }
    pam
    eap
}

User authentication now follows this algorithm:

  • The user enters the domain credentials in the VPN client.
  • Freeradius checks that the account and password are valid.
  • If the password is correct, a request for the token is sent.
  • The token is verified.
  • Profit)
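To make the challenge-response round trip concrete, here is an added example (not code from the article, Fortinet or FreeRADIUS) that plays both sides of the exchange the updated authorize/authenticate sections implement, encoded as real RFC 2865/2869 RADIUS packets: the first Access-Request carries the hidden PAP password and gets an Access-Challenge with a random State and the "Please enter OTP" Reply-Message; the second Access-Request echoes the State with the OTP in the password field and gets Access-Accept or Access-Reject. The shared secret is the article's clients.conf value; the user table and the OTP predicate are constructed stand-ins for the LDAP bind and for PAM, and the server here remembers issued States, which is stricter than the article's configuration (it only tests whether State is present). Unlike the article's `require_message_authenticator = no`, the example always sends and verifies Message-Authenticator, the HMAC that lets each side detect a forged or altered packet.

```python
# Added example, not from the article: RADIUS challenge-response modelled on
# the wire (RFC 2865 / RFC 2869), with constructed users and a stub OTP check.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE, MSG_AUTH = 1, 2, 18, 24, 80
SECRET = b"testing123"                 # clients.conf: secret = testing123
USERS = {b"jdoe": b"DomainP@ss"}       # constructed stand-in for the LDAP bind
SESSIONS = {}                          # State -> user waiting for its OTP


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR 16-byte chunks with MD5(secret + previous chunk)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password (passwords ending in NUL bytes are not supported)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode(code, ident, authenticator, attrs, secret):
    """Serialise a packet; Message-Authenticator goes last and holds the
    HMAC-MD5 of the packet computed with that slot zeroed (RFC 2869 5.14)."""
    attrs = attrs + [(MSG_AUTH, b"\x00" * 16)]
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    pkt = struct.pack(">BBH", code, ident, 20 + len(body)) + authenticator + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def decode(pkt):
    code, ident, length = struct.unpack(">BBH", pkt[:4])
    attrs, pos = [], 20
    while pos < length:
        attrs.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs


def message_authenticator_ok(pkt, secret, request_authenticator):
    """Recompute the HMAC; for replies it is keyed over the *request* authenticator."""
    code, ident, _, attrs = decode(pkt)
    rebuilt = encode(code, ident, request_authenticator,
                     [(t, v) for t, v in attrs if t != MSG_AUTH], secret)
    return hmac.compare_digest(rebuilt[-16:], pkt[-16:])


def respond(code, request, attrs, secret):
    """Reply: Message-Authenticator first, then the Response Authenticator
    = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, req_auth, _ = decode(request)
    pkt = encode(code, ident, req_auth, attrs, secret)
    return pkt[:4] + hashlib.md5(pkt + secret).digest() + pkt[20:]


def server_handle(request, secret, otp_ok):
    """Mirror the article's flow: no State -> password check and Access-Challenge
    with a random State; State present -> OTP check (PAM's job) and Access-Accept."""
    code, ident, req_auth, attrs = decode(request)
    a = dict(attrs)
    if code != ACCESS_REQUEST or not message_authenticator_ok(request, secret, req_auth):
        return respond(ACCESS_REJECT, request, [], secret)
    user = a.get(USER_NAME, b"")
    pw = reveal_password(a[USER_PASSWORD], secret, req_auth) if USER_PASSWORD in a else b""
    if STATE not in a:                 # "if (!State) { ... Auth-Type := LDAP"
        if not hmac.compare_digest(USERS.get(user, b""), pw):
            return respond(ACCESS_REJECT, request, [], secret)
        state = os.urandom(16)         # State := "%{randstr:aaaaaaaaaaaaaaaa}"
        SESSIONS[state] = user         # kept here; the article's config only checks presence
        return respond(ACCESS_CHALLENGE, request,
                       [(STATE, state), (REPLY_MESSAGE, b"Please enter OTP")], secret)
    if SESSIONS.pop(a[STATE], None) == user and otp_ok(user, pw):
        return respond(ACCESS_ACCEPT, request, [(REPLY_MESSAGE, b"Welcome")], secret)
    return respond(ACCESS_REJECT, request, [], secret)


def client_request(user, password, secret, ident, state=None):
    auth = os.urandom(16)              # fresh Request Authenticator per packet
    attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(password, secret, auth))]
    if state is not None:
        attrs.append((STATE, state))   # echo the State back unchanged
    return encode(ACCESS_REQUEST, ident, auth, attrs, secret)


def vpn_login(user, password, otp, secret=SECRET, otp_ok=lambda u, c: c == b"123456"):
    """Play the NAS side (what the Fortigate does) and return the final reply code."""
    req1 = client_request(user, password, secret, ident=1)
    chal = server_handle(req1, secret, otp_ok)
    if not message_authenticator_ok(chal, secret, req1[4:20]):
        return ACCESS_REJECT           # forged or tampered reply
    code, _, _, attrs = decode(chal)
    if code != ACCESS_CHALLENGE:
        return code
    req2 = client_request(user, otp, secret, ident=2, state=dict(attrs)[STATE])
    return decode(server_handle(req2, secret, otp_ok))[0]
```

Calling `vpn_login(b"jdoe", b"DomainP@ss", b"123456")` returns 2 (Access-Accept); a wrong password never reaches the OTP round, and a wrong OTP or a State the server did not issue ends in 3 (Access-Reject). Two things worth noticing when reading packet captures of the real setup: the password field is only XOR-masked with an MD5 stream derived from the shared secret, which is why the secret and the RADIUS network segment deserve the same care as the domain password, and the Message-Authenticator is the only attribute that binds a reply to the request it answers.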

Source: www.habr.com
