Adding 2FA (two-factor authentication for ASA SSL VPN)

The need for remote access to a corporate environment comes up more and more often, whether it is your own users or your partners who need to reach a particular server in your organization.

For this purpose most companies use VPN technology, which has proven to be a reliable way of providing access to an organization's internal resources.

My company is no exception: like many others, we use this technology, and, like many others, we use a Cisco ASA 55xx as the remote-access gateway.

As the number of remote users grows, the process of issuing credentials needs to be simplified. At the same time, this must be done without weakening security.

For ourselves, we found the answer in two-factor authentication for the Cisco SSL VPN connection, with one-time passwords as the second factor. This article explains how to set this up with a minimum of time and at zero cost for the required software (provided you already have a Cisco ASA in your infrastructure).

The market is full of boxed solutions for generating one-time passwords, with many delivery options: sending the password by SMS, or using tokens, both hardware and software (for example, on a mobile phone). But the wish to save money, and to save my employer money in the current economic climate, pushed me to find a free way of running a one-time-password service. One which, although free, is not much inferior to the commercial solutions (a reservation is due here: this product also has a commercial version, but we agreed that our costs, in money terms, would be zero).

So we will need:

- A Linux image with the tools already built in: multiOTP, FreeRADIUS and nginx, the last for administering the server through the web (http://download.multiotp.net/ ; I used the ready-made VMware image)
- An Active Directory server
- The Cisco ASA itself (for convenience I use ASDM)
- Any software token that supports the TOTP mechanism (I, for example, use Google Authenticator, but FreeOTP will do just as well)

I will not go into the details of deploying the image. The result is a Debian Linux with multiOTP and FreeRADIUS already installed and configured to work together, plus a web interface for OTP administration.

Step 1. Start the system and configure it for your network
As usual, the system ships with default root credentials. I assume everyone has already guessed that it is a good idea to change that password right after the first login. You also need to change the network settings (by default the address is 192.168.1.44 with the gateway 192.168.1.1). After that you can reboot the system.

Let's also create an Active Directory user otp with the password MySuperPassword; multiOTP will bind to the directory with this account, so it needs read access only.

Step 2. Set up the connection and import the users from Active Directory
To do this we need console access, specifically the multiotp.php script, with which we set the parameters of the connection to Active Directory.

Go to the directory /usr/local/bin/multiotp/ and run the following commands:

./multiotp.php -config default-request-prefix-pin=0

Sets whether an additional (static) PIN must be typed in front of the one-time code (0 or 1).

./multiotp.php -config default-request-ldap-pwd=0

Sets whether the domain password must be typed together with the one-time code (0 or 1). We set 0: in our design the ASA checks the domain password against Active Directory itself as the first factor, so only the one-time code reaches multiOTP.

./multiotp.php -config ldap-server-type=1

Sets the LDAP server type (0 = generic LDAP server; in our case 1 = Active Directory).

./multiotp.php -config ldap-cn-identifier="sAMAccountName"

Sets the attribute used as the user name (this value gives the bare account name, without the domain part).

./multiotp.php -config ldap-group-cn-identifier="sAMAccountName"

The same, but for groups.

./multiotp.php -config ldap-group-attribute="memberOf"

Sets the attribute used to decide which groups a user belongs to.

./multiotp.php -config ldap-ssl=1

Whether to use an encrypted connection to the LDAP server (of course, yes! The bind password set below travels over this connection).

./multiotp.php -config ldap-port=636

The port to connect to on the LDAP server (636 is LDAPS, matching ldap-ssl=1).

./multiotp.php -config ldap-domain-controllers=adSRV.domain.local

The address of your Active Directory server.

./multiotp.php -config ldap-base-dn="CN=Users,DC=domain,DC=local"

Where in the directory the search for users starts.

./multiotp.php -config ldap-bind-dn="otp@domain.local"

The account with search rights in Active Directory (the otp user created in step 1).

./multiotp.php -config ldap-server-password="MySuperPassword"

That account's password, used to bind to Active Directory.

./multiotp.php -config ldap-network-timeout=10

The connection timeout for Active Directory, in seconds.

./multiotp.php -config ldap-time-limit=30

The time limit for the user import operation, in seconds.

./multiotp.php -config ldap-activated=1

Enables the Active Directory link.

./multiotp.php -debug -display-log -ldap-users-sync

Imports the users from Active Directory, with debug output and the log shown on screen.

Step 3. Generate the QR code
Everything here is very simple. Open the OTP server's web interface in a browser, log in (don't forget to change the administrator password!) and click the "Print" button.

The result is a page containing two QR codes. We boldly ignore the first one (despite the attractive caption Google Authenticator / Authenticator / 2 Steps Authenticator above it), and just as boldly scan the second code with the software token on the phone (yes, I deliberately corrupted the QR code in the screenshot so that it cannot be read).

After this, your app will start producing a new six-digit one-time password every thirty seconds.

To make sure, you can test it in the same web interface by entering your user name and the one-time password from the phone app. Got a positive response? Then let's move on.

Step 4. Additional configuration and testing of FreeRADIUS
As I said above, multiOTP is already configured to work with FreeRADIUS; all that remains is to run some tests and add the details of our VPN gateway to the FreeRADIUS configuration.

Back in the server console, in the directory /usr/local/bin/multiotp/, enter:

./multiotp.php -config debug=1
./multiotp.php -config display-log=1

This turns on detailed logging.

In the FreeRADIUS client configuration file (/etc/freeradius/clients.conf), comment out all the lines relating to localhost and add two entries:

client localhost {
        ipaddr = 127.0.0.1
        secret          = testing321
        require_message_authenticator = no
}

- the test client (loopback only)

client 192.168.1.254/32 {
        shortname =     CiscoASA
        secret =        ConnectToRADIUSSecret
}

- our VPN gateway (the ASA's address facing the OTP server).

Two caveats here. require_message_authenticator = no is a test-only setting for the loopback client; do not add it to the ASA entry. And the ASA shared secret is all that protects the RADIUS exchange (User-Password is merely MD5-obfuscated with it), so use a long random value rather than a dictionary phrase like the placeholder above.

Restart FreeRADIUS and try to log in:

radtest username 100110 localhost 1812 testing321

where username = the user name, 100110 = the one-time password the phone app gave us, localhost = the RADIUS server address, 1812 = the RADIUS server port, and testing321 = the RADIUS shared secret (the one we set in the configuration).

The output of this command will look roughly like this:

Sending Access-Request of id 44 to 127.0.0.1 port 1812
        User-Name = "username"
        User-Password = "100110"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 1812
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=44, length=20

Now we need to check that it was indeed multiOTP that authenticated the user. To do that, look at multiOTP's own log:

tail /var/log/multiotp/multiotp.log

And if the last entries are:

2016-09-01 08:58:17     notice  username  User    OK: User username successfully logged in from 127.0.0.1
2016-09-01 08:58:17     debug           Debug   Debug: 0 OK: Token accepted from 127.0.0.1

then everything went well and we can finish up.

Step 5. Configure the Cisco ASA
Let's assume that we already have a configured group and SSL VPN access policies, set up together with Active Directory, and that we need to add two-factor authentication to this connection profile. In ASDM:

1. Add a new AAA server group.

2. Add our multiOTP server to this group (as a RADIUS server, using the address of the OTP server and the same shared secret as in its clients.conf entry).

3. Edit the connection profile, setting the Active Directory server group as the primary authentication server.

4. On the Advanced -> Authentication tab, again select the Active Directory server group.

5. On the Advanced -> Secondary authentication tab, select the newly created server group, the one in which the multiOTP server is registered. Note that the session user name is inherited from the primary AAA server group, so the user types the name only once.

Apply the settings.

Step 6, a.k.a. the last one
Let's check whether two-factor authentication works for the SSL VPN.

Voilà! When connecting with the Cisco AnyConnect VPN client you are now also asked for the second password, the one-time code from the phone.

I hope this article helps someone, and gives someone food for thought about how this free OTP service can be used for other tasks. Share in the comments if you like.

Source: www.habr.com
