What do you do if you want two-factor authentication but are wary of it, have no money for hardware tokens, and are generally advised to hang in there and keep your spirits up?
This solution is nothing revolutionary; it is a mix of various solutions found on the Internet.
So, given:
An Active Directory domain.
Users who work over VPN, as many do these days.
A Fortigate acting as the VPN gateway.
Saving the password in the VPN client is prohibited by security policy.
Fortinet's policy on its tokens can only be called stingy: there are all of 10 free tokens, and the rest come at a very unfriendly price. I did not consider RSA SecurID, Duo and the like because I want open source.
Prerequisites: a *nix host with freeradius and sssd installed, joined to the domain, on which domain users can authenticate without problems.
Other packages: shellinabox, figlet, freeradius-ldap, and the rebel.tlf font from the repository.
My example: CentOS 7.8.
The workflow should be as follows: when connecting to the VPN, the user enters their domain login and an OTP instead of the password.
Setting up the services
In /etc/raddb/radiusd.conf only the user and group that freeradius runs as are changed, because the radius service must be able to read files in every subdirectory of /home/.
user = root
group = root
To be able to use groups in the Fortigate settings, a Vendor Specific Attribute has to be passed. For this I create a file in the raddb/policy.d directory with the following contents:
group_authorization {
    if (&LDAP-Group[*] == "CN=vpn_admins,OU=vpn-groups,DC=domain,DC=local") {
        update reply {
            &Fortinet-Group-Name = "vpn_admins"
        }
        update control {
            &Auth-Type := PAM
            &Reply-Message := "Welcome Admin"
        }
    }
    else {
        update reply {
            &Reply-Message := "Not authorized for vpn"
        }
        reject
    }
}
After installing freeradius-ldap, a ready-made ldap file appears in the raddb/mods-available directory.
A symbolic link to it must be created in the raddb/mods-enabled directory:
ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap
I bring its contents to the following form:
ldap {
    server = 'domain.local'
    identity = 'CN=freerad_user,OU=users,DC=domain,DC=local'
    password = "SupeSecretP@ssword"
    base_dn = 'dc=domain,dc=local'
    sasl {
    }
    user {
        base_dn = "${..base_dn}"
        filter = "(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
        sasl {
        }
        scope = 'sub'
    }
    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=Group)'
        scope = 'sub'
        name_attribute = cn
        membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
        membership_attribute = 'memberOf'
    }
}
In the files raddb/sites-enabled/default and raddb/sites-enabled/inner-tunnel, in the authorize section, I add the name of the policy to be used: group_authorization. An important point: the policy name is determined not by the file name in the policy.d directory but by the directive inside the file, before the curly braces.
In the authenticate section of the same files, the pam line needs to be uncommented.
In the clients.conf file we write the parameters of the Fortigate we are going to connect:
client fortigate {
    ipaddr = 192.168.1.200
    secret = testing123
    require_message_authenticator = no
    nas_type = other
}
The pam.d/radiusd module configuration:
#%PAM-1.0
auth sufficient pam_google_authenticator.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
session include password-auth
The default options of most freeradius-with-Google-Authenticator setups require the user to enter credentials in the form username/password+OTP.
Having pictured the amount of cursing that would rain down on my head with the default combination of freeradius and Google Authenticator, it was decided to use the pam module configuration so that only the Google Authenticator token is checked.
When a user connects, the following happens:
- Freeradius checks that the user is in the domain and in the required group and, if so, the OTP token is checked.
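To make the last step concrete, here is an added example (my own code, not from the article or the google-authenticator project) of what pam_google_authenticator effectively checks once freeradius hands it the OTP: it parses a constructed ~/.google_authenticator file in the form produced by the google-auth options used later in this article (-t -w 3 -r 3 -R 30 -d -e 1) and verifies a code against the WINDOW_SIZE, DISALLOW_REUSE and scratch-code settings. RATE_LIMIT is parsed but not enforced, and used time steps are tracked in memory rather than written back to the file as the real module does; the secret is the RFC 6238 test key so the expected codes are known.

```python
import base64, hashlib, hmac, time

# Constructed sample of ~/.google_authenticator as written by
# `google-authenticator -t -w 3 -r 3 -R 30 -d -e 1` (secret = RFC 6238 test key).
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
12345678
"""

def parse_ga_file(text):
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    secret = base64.b32decode(lines[0] + "=" * (-len(lines[0]) % 8))
    opts, scratch = {}, []
    for line in lines[1:]:
        if line.startswith('"'):        # option lines start with a double quote
            key, *args = line[1:].split()
            opts[key] = args
        else:                           # anything else is an emergency scratch code
            scratch.append(line)
    return secret, opts, scratch

def hotp(key, counter, digits=6):
    """RFC 4226 HOTP-SHA1; TOTP is HOTP over floor(unix_time / 30)."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Verifier:
    def __init__(self, text):
        self.secret, self.opts, self.scratch = parse_ga_file(text)
        window = int(self.opts.get("WINDOW_SIZE", ["3"])[0])
        self.skew = (window - 1) // 2   # -w 3: current step plus one either side
        self.used = set()               # DISALLOW_REUSE: steps already consumed

    def verify(self, code, now=None):
        """True for a valid, unused TOTP step or an unused scratch code."""
        if code in self.scratch:
            self.scratch.remove(code)   # scratch codes are single use
            return True
        step = int(time.time() if now is None else now) // 30
        for c in range(step - self.skew, step + self.skew + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                if "DISALLOW_REUSE" in self.opts and c in self.used:
                    return False
                self.used.add(c)
                return True
        return False
```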
Everything looked fine until I thought: "How do I enroll OTP for 300+ users?"
The user has to log in to the freeradius server under their own account and run the google-authenticator utility, which generates a QR code for the app. This is where shellinabox together with .bash_profile comes to the rescue.
[root@freeradius ~]# yum install -y shellinabox
The daemon's configuration file is /etc/sysconfig/shellinabox.
There I set port 443, and you can point it at your own certificate.
[root@freeradius ~]# systemctl enable --now shellinaboxd
All the user has to do is follow the link, enter their domain credentials and receive a QR code for the app.
The algorithm is as follows:
- The user logs in to the machine through a browser.
- It is checked whether the user is a domain user. If not, nothing happens.
- If the user is a domain user, membership in the admins group is checked.
- If not an admin, it checks whether Google Authenticator is configured. If not, a QR code is shown and the user is logged out.
- If not an admin and Google Authenticator is already configured, the user is simply logged out.
- If an admin, Google Authenticator is checked as well. If it is not configured, the QR code is shown.
All the logic is implemented in /etc/skel/.bash_profile.
cat /etc/skel/.bash_profile
# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
    . ~/.bashrc
fi

# User specific environment and startup programs
# Make only a few commands available from the user shell
if [[ -z $(id $USER | grep "admins") || -z $(cat /etc/passwd | grep $USER) ]]
then
    [[ ! -d $HOME/bin ]] && mkdir $HOME/bin
    [[ ! -f $HOME/bin/id ]] && ln -s /usr/bin/id $HOME/bin/id
    [[ ! -f $HOME/bin/google-auth ]] && ln -s /usr/bin/google-authenticator $HOME/bin/google-auth
    [[ ! -f $HOME/bin/grep ]] && ln -s /usr/bin/grep $HOME/bin/grep
    [[ ! -f $HOME/bin/figlet ]] && ln -s /usr/bin/figlet $HOME/bin/figlet
    [[ ! -f $HOME/bin/rebel.tlf ]] && ln -s /usr/share/figlet/rebel.tlf $HOME/bin/rebel.tlf
    [[ ! -f $HOME/bin/sleep ]] && ln -s /usr/bin/sleep $HOME/bin/sleep
    # Restrict PATH to <home user directory>/bin
    PATH=$HOME/bin
    export PATH
else
    PATH=$PATH:$HOME/.local/bin:$HOME/bin
    export PATH
fi

if [[ -n $(id $USER | grep "domain users") ]]
then
    if [[ ! -e $HOME/.google_authenticator ]]
    then
        if [[ -n $(id $USER | grep "admins") ]]
        then
            figlet -t -f $HOME/bin/rebel.tlf "Welcome to Company GAuth setup portal"
            sleep 1.5
            echo "Please, run any of these software on your device, where you would like to setup OTP:
Google Authenticator:
AppStore - https://apps.apple.com/us/app/google-authenticator/id388497605
Play Market - https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
FreeOTP:
AppStore - https://apps.apple.com/us/app/freeotp-authenticator/id872559395
Play Market - https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=en
And prepare to scan QR code.
"
            sleep 5
            google-auth -f -t -w 3 -r 3 -R 30 -d -e 1
            echo "Congratulations, now you can use an OTP token from application as a password connecting to VPN."
        else
            figlet -t -f $HOME/bin/rebel.tlf "Welcome to Company GAuth setup portal"
            sleep 1.5
            echo "Please, run any of these software on your device, where you would like to setup OTP:
Google Authenticator:
AppStore - https://apps.apple.com/us/app/google-authenticator/id388497605
Play Market - https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
FreeOTP:
AppStore - https://apps.apple.com/us/app/freeotp-authenticator/id872559395
Play Market - https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=en
And prepare to scan QR code.
"
            sleep 5
            google-auth -f -t -w 3 -r 3 -R 30 -d -e 1
            echo "Congratulations, now you can use an OTP token from application as a password to VPN."
            logout
        fi
    else
        echo "You have already set up a Google Authenticator"
        if [[ -z $(id $USER | grep "admins") ]]
        then
            logout
        fi
    fi
else
    echo "You don't need to set up a Google Authenticator"
fi
Setting up the Fortigate:
- Create the Radius server.
- Create the required groups, if access needs to be differentiated by group. The group name on the Fortigate must match the group passed in the Fortinet-Group-Name Vendor Specific Attribute.
- Set up the required SSL portals.
- Add the groups to the policies.
Advantages of this solution:
- OTP authentication on the Fortigate can be done with an open-source solution.
- The user does not need to enter the domain password when connecting to the VPN, which somewhat simplifies the connection process. A 6-digit password is easier to type than the one required by security policy. As a result, the number of tickets titled "I can't connect to the VPN" goes down.
P.S. There are plans to develop this solution into full two-factor authentication with challenge-response.
Update:
As promised, I finally finished the challenge-response variant.
Namely:
In the file /etc/raddb/sites-enabled/default the authorize section now looks like this:
authorize {
    filter_username
    preprocess
    auth_log
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    files
    -sql
    #-ldap
    expiration
    logintime
    if (!State) {
        if (&User-Password) {
            # If !State and User-Password (PAP), then force LDAP:
            update control {
                Ldap-UserDN := "%{User-Name}"
                Auth-Type := LDAP
            }
        }
        else {
            reject
        }
    }
    else {
        # If State, then proxy request:
        group_authorization
    }
    pap
}
The authenticate section now looks like this:
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    mschap
    digest
    # Attempt authentication with a direct LDAP bind:
    Auth-Type LDAP {
        ldap
        if (ok) {
            update reply {
                # Create a random State attribute:
                State := "%{randstr:aaaaaaaaaaaaaaaa}"
                Reply-Message := "Please enter OTP"
            }
            # Return Access-Challenge:
            challenge
        }
    }
    pam
    eap
}
Now user authentication follows this algorithm:
- The user enters their domain credentials in the VPN client.
- Freeradius checks the account and password.
- If the password is correct, a request for the token is sent.
- The token is checked.
- Profit :)
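What this two-round exchange looks like on the wire, as an added example that is not part of the article or of freeradius: the client's first Access-Request carries the domain password as a PAP User-Password, the Access-Challenge comes back with State and Reply-Message, and the second Access-Request echoes that State and carries the OTP in User-Password; the response side checks the Response Authenticator with the shared secret testing123 from clients.conf above. The user name, password and State value are constructed, nothing is sent on the network, and no Message-Authenticator is added since the client entry sets require_message_authenticator = no.

```python
import hashlib, os, struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
SECRET = b"testing123"  # shared secret from the article's clients.conf

def pap_xor(data, authenticator, decrypt=False):
    # RFC 2865 5.2: 16-byte blocks XORed with MD5(secret + previous block), first block keyed by the Request Authenticator.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(SECRET + prev).digest()))
        out += block
        prev = data[i:i + 16] if decrypt else block
    return out

def attr(t, value):
    return struct.pack("!BB", t, len(value) + 2) + value

def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def access_request(ident, user, password, state=None, authenticator=None):
    # Client side; the second request of the flow echoes the State and carries the OTP as the password.
    ra = authenticator or os.urandom(16)
    padded = password.encode().ljust((len(password) + 15) // 16 * 16 or 16, b"\0")
    attrs = attr(USER_NAME, user.encode()) + attr(USER_PASSWORD, pap_xor(padded, ra))
    if state is not None:
        attrs += attr(STATE, state)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs, ra

def decrypt_password(pkt):
    # Server side: recover the PAP password (or the OTP on the second round).
    attrs = parse_attrs(pkt[20:])
    return pap_xor(attrs[USER_PASSWORD], pkt[4:20], decrypt=True).rstrip(b"\0").decode()

def response(code, ident, request_auth, attrs):
    # Server side: Response Authenticator = MD5(header + RequestAuth + attrs + secret).
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + SECRET).digest() + attrs

def check_response(pkt, request_auth):
    # Client side: returns (code, attrs), or None if the authenticator does not verify.
    length = struct.unpack("!H", pkt[2:4])[0]
    if pkt[4:20] != hashlib.md5(pkt[:4] + request_auth + pkt[20:length] + SECRET).digest():
        return None
    return pkt[0], parse_attrs(pkt[20:length])
```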
Source: www.habr.com