Freeradius + Google Authenticator + LDAP + Fortigate

What do you do when two-factor authentication is something you both want and dread, there is no money for hardware tokens, and all you are offered is to hang in there and keep your spirits up?

This solution is nothing original in itself, but a combination of various solutions found on the Internet.

Given:

An Active Directory domain.

Domain users working through VPN, as many do nowadays.

A Fortigate acts as the VPN gateway.

Saving the password in the VPN client is prohibited by the security policy.

Fortinet's policy regarding its own tokens can only be called stingy: there are 10 free tokens, the rest come at a very non-kosher price. I did not consider RSA SecureID, Duo and the like, because I want open source.

Prerequisites: a *nix host with freeradius installed, sssd joined to the domain, and domain users able to authenticate on it without problems.

Additional packages: shellinabox, figlet, freeradius-ldap, and the rebel.tlf font from the repository https://github.com/xero/figlet-fonts.

In my case, CentOS 7.8.

The intended logic is as follows: when connecting to the VPN, the user must enter the domain login and an OTP instead of the password.

Service configuration

In /etc/raddb/radiusd.conf only the user and group under which freeradius starts change, because the radius service must be able to read files in all subdirectories of /home/.

user = root
group = root

To be able to use groups in the Fortigate settings, the Vendor Specific Attribute must be passed. To do this, in the raddb/policy.d directory I create a file with the following content:

group_authorization {
    if (&LDAP-Group[*] == "CN=vpn_admins,OU=vpn-groups,DC=domain,DC=local") {
        update reply {
            &Fortinet-Group-Name = "vpn_admins"
        }
        update control {
            &Auth-Type := PAM
            &Reply-Message := "Welcome Admin"
        }
    }
    else {
        update reply {
            &Reply-Message := "Not authorized for vpn"
        }
        reject
    }
}

After installing freeradius-ldap, the file ldap appears in the raddb/mods-available directory.

A symbolic link to it must be created in the raddb/mods-enabled directory.

ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap

I bring its contents to the following form:

ldap {
        server = 'domain.local'
        identity = 'CN=freerad_user,OU=users,DC=domain,DC=local'
        password = "SupeSecretP@ssword"
        base_dn = 'dc=domain,dc=local'
        sasl {
        }
        user {
                base_dn = "${..base_dn}"
                filter = "(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
                sasl {
                }
                scope = 'sub'
        }
        group {
                base_dn = "${..base_dn}"
                filter = '(objectClass=Group)'
                scope = 'sub'
                name_attribute = cn
                membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
                membership_attribute = 'memberOf'
        }
}

In the files raddb/sites-enabled/default and raddb/sites-enabled/inner-tunnel, in the authorize section, I add the name of the policy to be used: group_authorization. An important point: the policy name is determined not by the file name in the policy.d directory, but by the directive inside the file before the curly braces.
In the authenticate section of the same files you need to uncomment the pam line.

In the clients.conf file I specify the parameters with which the Fortigate will connect:

client fortigate {
    ipaddr = 192.168.1.200
    secret = testing123
    require_message_authenticator = no
    nas_type = other
}

Configuration of the pam.d/radiusd module:

#%PAM-1.0
auth       sufficient   pam_google_authenticator.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    include      password-auth

The default options of freeradius with Google Authenticator require the user to enter credentials in the form username/password+OTP.

Considering the number of curses that would rain down on my head if the default freeradius + Google Authenticator bundle were used, it was decided to use the pam module configuration so that only the Google Authenticator token is checked.
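To see what the pam.d/radiusd stack above actually accepts, here is a small evaluator for PAM auth control flags. It is an added example, not code from the article: module outcomes are constructed booleans rather than real PAM modules, and the contents assumed for the included password-auth stack (pam_unix and pam_sss as sufficient, pam_deny as required, the usual CentOS 7 layout) are an assumption of the example.

```python
# Added example, not from the article: a small evaluator for PAM "auth" stack
# control flags, to reason about the pam.d/radiusd stack. Module outcomes are
# constructed booleans, not real PAM modules. The contents of the included
# password-auth stack are an assumption (usual CentOS 7 layout).

STACKS = {
    "radiusd": [
        ("sufficient", "pam_google_authenticator.so"),
        ("include", "password-auth"),
    ],
    "password-auth": [                       # assumed contents
        ("sufficient", "pam_unix.so"),
        ("sufficient", "pam_sss.so"),
        ("required", "pam_deny.so"),
    ],
}


def flatten(name):
    """Expand 'include' lines so the stack is one flat list of (flag, module)."""
    out = []
    for flag, module in STACKS[name]:
        if flag == "include":
            out.extend(flatten(module))
        else:
            out.append((flag, module))
    return out


def evaluate(stack_name, outcomes):
    """Walk the stack with Linux-PAM control-flag semantics.

    outcomes maps module name -> True/False (what the module would return);
    a module absent from the map is treated as failing.
    """
    failed = False      # a 'required'/'requisite' failure has been recorded
    succeeded = False   # some 'required'/'requisite' module succeeded
    for flag, module in flatten(stack_name):
        ok = outcomes.get(module, False)
        if flag == "sufficient":
            if ok and not failed:
                return True         # short-circuit: the rest of the stack is skipped
        elif flag == "required":
            if ok:
                succeeded = True
            else:
                failed = True       # keep walking, but the result is already failure
        elif flag == "requisite":
            if not ok:
                return False        # fail immediately
            succeeded = True
        # 'optional' lines do not influence the result here
    return succeeded and not failed


def who_gets_in():
    """Three scenarios for the radiusd stack; returns a dict of results."""
    return {
        "valid_otp": evaluate("radiusd", {"pam_google_authenticator.so": True}),
        "domain_password_only": evaluate("radiusd", {"pam_sss.so": True}),
        "neither": evaluate("radiusd", {}),
    }


if __name__ == "__main__":
    for scenario, granted in who_gets_in().items():
        print(f"{scenario}: {'access granted' if granted else 'denied'}")
```

The point the walk makes visible: because pam_google_authenticator.so is sufficient rather than required, a rejected OTP does not stop the stack, it falls through to the included password-auth lines. On a host where those lines accept the domain password (as they do on an sssd-joined machine), a user who types the domain password instead of the OTP is still let in, so this stack checks "OTP or domain password", not "OTP only". Making the module required, or splitting the two factors across two RADIUS rounds as the challenge-response variant at the end of the article does, removes that fallback.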

When a user connects, the following happens:

  • Freeradius checks that the user is in the domain and in the required group and, if so, checks the OTP token.

Everything looked fine enough until the moment I thought: "How am I going to enroll OTP for 300+ users?"

The user has to log in to the freeradius server under their own account and run the google-authenticator application, which generates a QR code for the user's mobile app. This is where shellinabox combined with .bash_profile comes to the rescue.

[root@freeradius ~]# yum install -y shellinabox

The daemon's configuration file is located at /etc/sysconfig/shellinabox.
There I set port 443, and you can also specify your own certificate.

[root@freeradius ~]# systemctl enable --now shellinaboxd

The user only needs to follow the link, enter domain credentials and get a QR code for the application.

The algorithm is as follows:

  • The user logs in to the machine through the browser.
  • It is checked whether the user is a domain user. If not, nothing happens.
  • If the user is a domain user, membership in the admins group is checked.
  • If not an admin, it checks whether Google Authenticator is already configured. If not, a QR code is generated and the user is logged out.
  • If not an admin and Google Authenticator is already configured, the user is simply logged out.
  • If an admin, Google Authenticator is checked as well. If it is not configured, a QR code is generated.

All of the logic is implemented in /etc/skel/.bash_profile.

cat /etc/skel/.bash_profile

# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi

# User specific environment and startup programs
# Make several commands available from user shell

if [[ -z $(id "$USER" | grep "admins") || -z $(grep "^$USER:" /etc/passwd) ]]
  then
    [[ ! -d $HOME/bin ]] && mkdir $HOME/bin
    [[ ! -f $HOME/bin/id ]] && ln -s /usr/bin/id $HOME/bin/id
    [[ ! -f $HOME/bin/google-auth ]] && ln -s /usr/bin/google-authenticator $HOME/bin/google-auth
    [[ ! -f $HOME/bin/grep ]] && ln -s /usr/bin/grep $HOME/bin/grep
    [[ ! -f $HOME/bin/figlet ]] && ln -s /usr/bin/figlet $HOME/bin/figlet
    [[ ! -f $HOME/bin/rebel.tlf ]] && ln -s /usr/share/figlet/rebel.tlf $HOME/bin/rebel.tlf
    [[ ! -f $HOME/bin/sleep ]] && ln -s /usr/bin/sleep $HOME/bin/sleep
  # Set PATH env to <home user directory>/bin
    PATH=$HOME/bin
    export PATH
  else
    PATH=$PATH:$HOME/.local/bin:$HOME/bin
    export PATH
fi


if [[ -n $(id $USER | grep "domain users") ]]
  then
    if [[ ! -e $HOME/.google_authenticator ]]
      then
        if [[ -n $(id $USER | grep "admins") ]]
          then
            figlet -t -f $HOME/bin/rebel.tlf "Welcome to Company GAuth setup portal"
            sleep 1.5
            echo "Please run any of this software on the device where you would like to set up OTP:
Google Authenticator:
AppStore - https://apps.apple.com/us/app/google-authenticator/id388497605
Play Market - https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
FreeOTP:
AppStore - https://apps.apple.com/us/app/freeotp-authenticator/id872559395
Play Market - https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=en

And prepare to scan the QR code.

"
            sleep 5
            google-auth -f -t -w 3 -r 3 -R 30 -d -e 1
            echo "Congratulations, now you can use an OTP token from application as a password connecting to VPN."
          else
            figlet -t -f $HOME/bin/rebel.tlf "Welcome to Company GAuth setup portal"
            sleep 1.5
            echo "Please run any of this software on the device where you would like to set up OTP:
Google Authenticator:
AppStore - https://apps.apple.com/us/app/google-authenticator/id388497605
Play Market - https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
FreeOTP:
AppStore - https://apps.apple.com/us/app/freeotp-authenticator/id872559395
Play Market - https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=en

And prepare to scan the QR code.

"
            sleep 5
            google-auth -f -t -w 3 -r 3 -R 30 -d -e 1
            echo "Congratulations, now you can use an OTP token from application as a password to VPN."
            logout
        fi
      else
        echo "You have already set up Google Authenticator"
        if [[ -z $(id $USER | grep "admins") ]]
          then
          logout
        fi
    fi
  else
    echo "You don't need to set up a Google Authenticator"
fi

Fortigate setup:

  • Create the Radius server.
  • Create the required groups, if access control by groups is needed. The group name on the Fortigate must match the group passed in the Vendor Specific Attribute Fortinet-Group-Name.
  • Configure the required SSL portals.
  • Add the groups to the policies.

Advantages of this solution:

  • OTP authentication on the Fortigate is possible with an open-source solution.
  • The user does not enter the domain password when connecting via VPN, which simplifies the connection process somewhat. A 6-digit password is easier to type than the one required by the security policy. As a result, the number of tickets with the subject "I can't connect to the VPN" goes down.

PS We plan to develop this solution into full two-factor authentication with challenge-response.

Update:

As promised, I reworked it into the challenge-response variant.
So:
In the file /etc/raddb/sites-enabled/default the authorize section now looks like this:

authorize {
    filter_username
    preprocess
    auth_log
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    files
    -sql
    #-ldap
    expiration
    logintime
    if (!State) {
        if (&User-Password) {
            # If !State and User-Password (PAP), then force LDAP:
            update control {
                Ldap-UserDN := "%{User-Name}"
                Auth-Type := LDAP
            }
        }
        else {
            reject
        }
    }
    else {
        # If State, then proxy request:
        group_authorization
    }
    pap
}

The authenticate section now looks like this:

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    mschap
    digest
    # Attempt authentication with a direct LDAP bind:
    Auth-Type LDAP {
        ldap
        if (ok) {
            update reply {
                # Create a random State attribute:
                State := "%{randstr:aaaaaaaaaaaaaaaa}"
                Reply-Message := "Please enter OTP"
            }
            # Return Access-Challenge:
            challenge
        }
    }
    pam
    eap
}

Now user authentication proceeds according to the following algorithm:

  • The user enters domain credentials in the VPN client.
  • Freeradius checks the validity of the account and password.
  • If the password is correct, a request for the token is sent.
  • The token is checked.
  • Profit)
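The two-round exchange above, and the token check that pam_google_authenticator performs with the flags used during enrollment (-w 3, -d, -r 3 -R 30), as one added worked example. This is not code from the article or from FreeRADIUS: the LDAP bind is stood in for by a constructed PASSWORDS table, the State generation by secrets.token_hex, and the OTP check by an RFC 6238 TOTP implementation over a constructed SECRETS table; RadiusServer, OtpVerifier and login are names invented for the example.

```python
# Added example, not from the article: a toy model of the challenge-response
# flow implemented by the updated authorize/authenticate sections, with an
# RFC 6238 TOTP check standing in for pam_google_authenticator (window -w 3,
# reuse ban -d, rate limit -r 3 -R 30). SECRETS, PASSWORDS, the State
# generator and the RadiusServer class are all constructed for this example.
import base64
import hashlib
import hmac
import secrets
import struct

# Constructed data: a base32 secret as google-authenticator writes it, and the
# directory password that the LDAP bind would check in round one.
SECRETS = {"alice": "JBSWY3DPEHPK3PXP"}
PASSWORDS = {"alice": "CorrectHorseBatteryStaple"}
STEP = 30  # TOTP time step in seconds


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret_b32, now):
    """RFC 6238 TOTP: HOTP with counter = floor(now / STEP)."""
    return hotp(secret_b32, int(now // STEP))


class OtpVerifier:
    """Accepts the current code and one on each side (-w 3), never the same
    counter twice (-d), and at most 3 attempts per 30 s (-r 3 -R 30)."""

    def __init__(self, window=3, attempts=3, period=30):
        self.half = window // 2
        self.attempts, self.period = attempts, period
        self.used = {}      # user -> set of counters already accepted
        self.history = {}   # user -> timestamps of recent attempts

    def verify(self, user, code, now):
        secret = SECRETS.get(user)
        if secret is None:
            return False                      # no enrolled token for this user
        recent = [t for t in self.history.get(user, []) if now - t < self.period]
        if len(recent) >= self.attempts:
            return False                      # rate limited
        recent.append(now)
        self.history[user] = recent
        centre = int(now // STEP)
        for counter in range(centre - self.half, centre + self.half + 1):
            if hmac.compare_digest(hotp(secret, counter), str(code)):
                used = self.used.setdefault(user, set())
                if counter in used:
                    return False              # replayed code
                used.add(counter)
                return True
        return False


class RadiusServer:
    """Round 1: PAP password -> LDAP bind stand-in -> Access-Challenge + State.
    Round 2: same State + OTP in User-Password -> Access-Accept / Access-Reject."""

    def __init__(self, verifier):
        self.verifier = verifier
        self.pending = {}   # State -> user awaiting an OTP

    def access_request(self, attrs, now):
        user = attrs.get("User-Name")
        if "State" not in attrs:
            if user not in PASSWORDS or attrs.get("User-Password") != PASSWORDS[user]:
                return {"Code": "Access-Reject"}
            state = secrets.token_hex(8)      # stands in for %{randstr:...}
            self.pending[state] = user
            return {"Code": "Access-Challenge", "State": state,
                    "Reply-Message": "Please enter OTP"}
        # Round 2: the State is single-use and bound to the user it was issued to.
        if self.pending.pop(attrs["State"], None) != user:
            return {"Code": "Access-Reject"}
        if self.verifier.verify(user, attrs.get("User-Password", ""), now):
            return {"Code": "Access-Accept", "Fortinet-Group-Name": "vpn_admins"}
        return {"Code": "Access-Reject"}


def login(server, user, password, otp, now):
    """Drive both rounds as the VPN gateway would; returns the two reply codes."""
    first = server.access_request({"User-Name": user, "User-Password": password}, now)
    if first["Code"] != "Access-Challenge":
        return first["Code"], None
    second = server.access_request(
        {"User-Name": user, "User-Password": otp, "State": first["State"]}, now)
    return first["Code"], second["Code"]
```

The shape worth keeping when reading the real unlang: the password is only ever checked in the round without a State, the OTP only in the round with one, and the State is consumed on use, so neither factor can be presented alone and a captured challenge cannot be replayed. The verifier's counter set and attempt history are per-process here; pam_google_authenticator keeps the equivalent in the user's .google_authenticator file, which is why the service runs as a user that can read and write under /home.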

Source: www.habr.com
