Freeradius + Google Authenticator + LDAP + Fortigate

What do you do when two-factor authentication is both wanted and painful to get, there is no budget for hardware tokens, and the general advice is to hang in there and keep your spirits up?

This solution is nothing particularly original; rather, it is a mix of various solutions found on the Internet.

So, given:

An Active Directory domain.

Domain users who, like most people these days, work over VPN.

A Fortigate serving as the VPN gateway.

Saving the password in the VPN client is prohibited by the security policy.

Fortinet's policy on its own tokens can hardly be called anything but stingy: up to 10 tokens are free, the rest come at a very non-kosher price. I did not consider RSA SecurID, Duo and the like, because I wanted open source.

Prerequisites: a *nix host with freeradius installed and SSSD joined to the domain, so that domain users can authenticate on it without trouble.

Additional packages: shellinabox, figlet, freeradius-ldap, and the rebel.tlf font from the https://github.com/xero/figlet-fonts repository.

In my example, CentOS 7.8.

The intended logic: when connecting to the VPN, the user enters the domain login and an OTP instead of the password.

Configuring the services

In /etc/raddb/radiusd.conf, only the user and group that freeradius runs as are changed, because the radiusd service must be able to read files in every subdirectory of /home/ (the per-user ~/.google_authenticator files live there). Running the daemon as root is the price of that: keep in mind that any bug in a RADIUS module then runs with full privileges.

user = root
group = root

To be able to use groups in the Fortigate configuration, a Vendor-Specific Attribute has to be passed back in the reply. For that I create a file in the raddb/policy.d directory with the following content:

group_authorization {
    if (&LDAP-Group[*] == "CN=vpn_admins,OU=vpn-groups,DC=domain,DC=local") {
        update reply {
            &Fortinet-Group-Name = "vpn_admins"
            # Reply-Message only reaches the client from the reply list,
            # not from control
            &Reply-Message := "Welcome Admin"
        }
        update control {
            &Auth-Type := PAM
        }
    }
    else {
        update reply {
            &Reply-Message := "Not authorized for vpn"
        }
        reject
    }
}

After installing freeradius-ldap, a file named ldap appears in the raddb/mods-available directory.

A symbolic link to it must be created in the raddb/mods-enabled directory.

ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap

I bring its contents to this form:

ldap {
        server = 'domain.local'
        identity = 'CN=freerad_user,OU=users,DC=domain,DC=local'
        password = "SupeSecretP@ssword"
        base_dn = 'dc=domain,dc=local'
        sasl {
        }
        user {
                base_dn = "${..base_dn}"
                filter = "(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
                sasl {
                }
                scope = 'sub'
        }
        group {
                base_dn = "${..base_dn}"
                filter = '(objectClass=Group)'
                scope = 'sub'
                name_attribute = cn
                membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
                membership_attribute = 'memberOf'
        }
}

In the files raddb/sites-enabled/default and raddb/sites-enabled/inner-tunnel, in the authorize section, I add the name of the policy being used, group_authorization. An important point: the policy name is determined not by the file name in the policy.d directory but by the directive inside the file, before the curly braces.
In the authenticate section of the same files, the pam line must be uncommented. Before pointing the Fortigate at the server, it is worth running radiusd -X in the foreground and sending a test request with radtest (from freeradius-utils): the debug output shows which branch of the policy fired and what the reply contains.

In clients.conf, define the parameters the Fortigate will connect with (testing123 is the shared secret from the stock example config; use a long random secret of your own):

client fortigate {
    ipaddr = 192.168.1.200
    secret = testing123
    require_message_authenticator = no
    nas_type = other
}

Configuration of the pam.d/radiusd module:

#%PAM-1.0
auth       sufficient   pam_google_authenticator.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    include      password-auth

The stock pairing of freeradius with Google Authenticator requires the user to enter credentials in the format username / password+OTP.

Imagining the number of curses that would rain down on my head with the default freeradius + Google Authenticator bundle, I decided to use the PAM module configuration so that only the Google Authenticator token is checked. One consequence of the stack above should be kept in mind: pam_google_authenticator.so is marked sufficient and is followed by include password-auth, so a request whose OTP check fails falls through to the system stack and pam_sss, which will accept the user's domain password. If the intent really is "OTP only", mark pam_google_authenticator.so as required and drop the auth include line.

When a user connects, the following happens:

  • Freeradius checks that the user exists in the domain and is a member of the required group, and if that succeeds, checks the OTP token.
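To make the PAM step concrete, here is an added Python example; it is not the page's own code nor that of the pam_google_authenticator project. It parses a constructed ~/.google_authenticator file in the format the google-authenticator tool writes with the options used later on this page (-t -w 3 -r 3 -R 30 -d -e 1) and checks a code the way the WINDOW_SIZE and DISALLOW_REUSE options describe. The secret is the RFC 6238 SHA-1 test key, so the expected codes are published values; the rate-limit bookkeeping the module persists into the file is left out.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample of the file that `google-auth -t -w 3 -r 3 -R 30 -d -e 1`
# writes to ~/.google_authenticator. The secret is the RFC 6238 SHA-1 test
# key ("12345678901234567890" in base32), so the expected codes are known.
SAMPLE_GA_FILE = """\
GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
12345678
"""


def parse_ga_file(text):
    """Split the file into secret, options and emergency scratch codes.

    Line 1 is the base32 secret, lines starting with '" ' are options
    (RATE_LIMIT, WINDOW_SIZE, DISALLOW_REUSE, TOTP_AUTH, ...), and every
    remaining line is an 8-digit single-use scratch code.
    """
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    parsed = {"secret": lines[0], "options": {}, "scratch": [], "used": set()}
    for line in lines[1:]:
        if line.startswith('"'):
            name, *args = line[1:].split()
            parsed["options"][name] = args
        else:
            parsed["scratch"].append(line)
    return parsed


def totp(secret_b32, counter, digits=6):
    """RFC 6238 value for one 30-second step (HMAC-SHA1, as the PAM module uses)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_otp(state, code, now=None, step=30):
    """Accept `code` the way the options in the file say the module should.

    Either an unused scratch code, or a TOTP value whose step lies inside
    WINDOW_SIZE (3 -> skew -1..+1 around the current step); with
    DISALLOW_REUSE a step that already authenticated is refused. The real
    module persists the used steps back into the file; here they live in
    memory. Returns "scratch", "totp" or None.
    """
    if code in state["scratch"]:
        state["scratch"].remove(code)          # scratch codes are single-use
        return "scratch"
    now = time.time() if now is None else now
    current = int(now // step)
    window = int(state["options"].get("WINDOW_SIZE", ["3"])[0])
    for skew in range(-((window - 1) // 2), window // 2 + 1):
        candidate = current + skew
        if hmac.compare_digest(totp(state["secret"], candidate).encode(), code.encode()):
            if "DISALLOW_REUSE" in state["options"] and candidate in state["used"]:
                return None                    # same step used twice
            state["used"].add(candidate)
            return "totp"
    return None


if __name__ == "__main__":
    st = parse_ga_file(SAMPLE_GA_FILE)
    print("code for the current step:", totp(st["secret"], int(time.time() // 30)))
    print("step-1 code (t=59s) presented at t=60s:", verify_otp(st, "287082", now=60))
```

The window check is why a client whose clock is up to 30 seconds off still authenticates with -w 3, and why a valid code can be accepted only once per step when -d is set: both are properties of the file the enrollment script writes, not of freeradius.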

Everything looked fine until I wondered: how am I going to enroll OTP for more than 300 users?

The user has to log in to the freeradius server and run the google-authenticator application under their own account; it generates the QR code for the app for that user. This is where shellinabox together with .bash_profile comes to the rescue.

[root@freeradius ~]# yum install -y shellinabox

The daemon's configuration file is /etc/sysconfig/shellinabox.
There I set port 443, and you can specify your own certificate.

[root@freeradius ~]#systemctl enable --now shellinaboxd

The user only has to follow the link, enter the domain credentials and get the QR code for the app.

The algorithm is as follows:

  • The user logs in to the machine through the browser.
  • It checks whether this is a domain user. If not, nothing happens.
  • If the user is a domain user, membership in the Administrators group is checked.
  • If not an administrator, it checks whether Google Authenticator is already set up. If not, a QR code is shown and the user is logged out.
  • If not an administrator and Google Authenticator is already set up, the user is simply logged out.
  • If an administrator, Google Authenticator is checked in the same way. If it is not set up, the QR code is generated.

All the logic lives in /etc/skel/.bash_profile. Bear in mind that the PATH restriction in it is a convenience that keeps non-admins on the enrollment flow, not a security boundary: a login shell exposed through shellinabox can still run other binaries by absolute path, so harden the host as you would any user-facing SSH box.

cat /etc/skel/.bash_profile

# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi

# User specific environment and startup programs
# Make several commands available from user shell

# Non-admins, and anyone without a local /etc/passwd entry (i.e. every domain
# user), get a PATH containing only the symlinks created here; local admins
# keep the normal PATH.
if [[ -z $(id $USER | grep "admins") || -z $(grep "$USER" /etc/passwd) ]]
  then
    [[ ! -d $HOME/bin ]] && mkdir $HOME/bin
    [[ ! -f $HOME/bin/id ]] && ln -s /usr/bin/id $HOME/bin/id
    [[ ! -f $HOME/bin/google-auth ]] && ln -s /usr/bin/google-authenticator $HOME/bin/google-auth
    [[ ! -f $HOME/bin/grep ]] && ln -s /usr/bin/grep $HOME/bin/grep
    [[ ! -f $HOME/bin/figlet ]] && ln -s /usr/bin/figlet $HOME/bin/figlet
    [[ ! -f $HOME/bin/rebel.tlf ]] && ln -s /usr/share/figlet/rebel.tlf $HOME/bin/rebel.tlf
    [[ ! -f $HOME/bin/sleep ]] && ln -s /usr/bin/sleep $HOME/bin/sleep
  # Set PATH env to <home user directory>/bin
    PATH=$HOME/bin
    export PATH
  else
    PATH=$PATH:$HOME/.local/bin:$HOME/bin
    export PATH
fi

# Show the instructions and run the interactive enrollment:
# -f overwrite an existing file, -t TOTP, -w 3 also accept the codes of the
# adjacent 30-second steps, -r 3 -R 30 at most 3 attempts per 30 seconds,
# -d disallow reuse of a code, -e 1 one emergency scratch code
gauth_setup() {
    figlet -t -f $HOME/bin/rebel.tlf "Welcome to Company GAuth setup portal"
    sleep 1.5
    echo "Please run one of these apps on the device where you would like to set up OTP:
Google Authenticator:
AppStore - https://apps.apple.com/us/app/google-authenticator/id388497605
Play Market - https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
FreeOTP:
AppStore - https://apps.apple.com/us/app/freeotp-authenticator/id872559395
Play Market - https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=en

And prepare to scan the QR code.

"
    sleep 5
    google-auth -f -t -w 3 -r 3 -R 30 -d -e 1
    echo "Congratulations, now you can use an OTP token from the application as the password when connecting to VPN."
}

if [[ -n $(id $USER | grep "domain users") ]]
  then
    if [[ ! -e $HOME/.google_authenticator ]]
      then
        gauth_setup
      else
        echo "You have already set up Google Authenticator"
    fi
    # Non-admins get only the enrollment; admins keep their shell
    if [[ -z $(id $USER | grep "admins") ]]
      then
        logout
    fi
  else
    echo "You don't need to set up Google Authenticator"
fi

Fortigate settings:

  • Create the RADIUS server.

  • Create the required groups and, if needed, control access by group. The group name on the Fortigate must match the group name passed in the Fortinet-Group-Name Vendor-Specific Attribute.

  • Edit the required SSL portals.

  • Add the groups to the policies.

(Each of these steps is illustrated with a screenshot in the original article.)

Advantages of this solution:

  • OTP authentication on the Fortigate with an open-source solution.
  • When connecting via VPN the user does not enter the domain password, which somewhat simplifies the connection process. Typing a 6-digit code is easier than typing the password the security policy prescribes. As a result, the number of "I can't connect to the VPN" tickets goes down.

PS We plan to upgrade this solution to full two-factor authentication with challenge-response.

Update:

As promised, I converted it to the challenge-response variant.
So:
In /etc/raddb/sites-enabled/default the authorize section becomes the following:

authorize {
    filter_username
    preprocess
    auth_log
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    files
    -sql
    #-ldap
    expiration
    logintime
    if (!State) {
        if (&User-Password) {
            # If !State and User-Password (PAP), then force LDAP:
            update control {
                Ldap-UserDN := "%{User-Name}"
                Auth-Type := LDAP
            }
        }
        else {
            reject
        }
    }
    else {
        # If State, then proxy request:
        group_authorization
    }
    pap
}

Bo'lim autentifikatsiya qilish endi shunday ko'rinadi:

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        mschap
        digest
        # Attempt authentication with a direct LDAP bind:
        Auth-Type LDAP {
        ldap
        if (ok) {
            update reply {
                # Create a random State attribute:
                State := "%{randstr:aaaaaaaaaaaaaaaa}"
                Reply-Message := "Please enter OTP"
                }
            # Return Access-Challenge:
            challenge
            }
        }
        pam
        eap
}

User verification now follows this algorithm:

  • The user enters domain credentials in the VPN client.
  • Freeradius checks that the account and password are valid (a direct LDAP bind).
  • If the password is correct, an Access-Challenge asks for the token.
  • The token is checked.
  • Profit.

One caveat worth knowing: the two steps are tied together only by the presence of the State attribute. FreeRADIUS does not reject an Access-Request merely because its State value is unknown to it, so a client that can reach the server with the shared secret could send any State and go straight to the OTP check. The Fortigate echoes the State it was given, so through the VPN this is not exploitable, but to make the pairing explicit, record in the session-state list in step 1 that the bind succeeded and require that marker before setting Auth-Type := PAM in step 2.
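The exchange described above, as an added Python example that is not part of the original article and not freeradius code: a small two-step server reproducing the logic of the authorize and authenticate sections (no State: PAP password, LDAP bind, Access-Challenge; State present: group check, then OTP, then Access-Accept with Fortinet-Group-Name), plus the NAS side that drives it. It goes one step beyond the unlang on the page in that the State is remembered by the server together with the user it was issued to, is single-use and expires. The directory, passwords, group DNs and the "currently valid" OTP values are constructed stand-ins for AD and pam_google_authenticator.

```python
import hmac
import secrets
import time

# Constructed stand-ins for what the real server gets from AD (rlm_ldap
# bind and LDAP-Group check) and from pam_google_authenticator.
DIRECTORY = {
    "alice": {"password": "Winter2020!",
              "groups": ["CN=vpn_admins,OU=vpn-groups,DC=domain,DC=local"]},
    "bob":   {"password": "Summer2020!",
              "groups": ["CN=staff,OU=groups,DC=domain,DC=local"]},
}
VALID_OTPS = {"alice": "287082", "bob": "005924"}   # what each token shows right now

VPN_GROUP = "CN=vpn_admins,OU=vpn-groups,DC=domain,DC=local"
STATE_TTL = 60   # seconds during which a challenge may be answered


class ChallengeResponseServer:
    """The two-step logic of the authorize/authenticate sections.

    Unlike the unlang on the page, the State value is remembered by the
    server together with the user it was issued to, is single-use and
    expires, so a request carrying a made-up State cannot skip step 1.
    """

    def __init__(self, ldap_bind, groups_of, otp_ok, now=time.time):
        self.ldap_bind = ldap_bind   # (user, password) -> bool
        self.groups_of = groups_of   # user -> list of group DNs
        self.otp_ok = otp_ok         # (user, code) -> bool
        self.now = now
        self.sessions = {}           # State -> (user, issued_at)

    def handle(self, req):
        user, pw, state = req.get("User-Name"), req.get("User-Password"), req.get("State")
        if state is None:
            # Step 1: no State -> PAP password checked by a direct LDAP bind,
            # then Access-Challenge with a fresh State (no password = reject,
            # as the page's authorize section does for CHAP/MS-CHAP)
            if pw is None or not self.ldap_bind(user, pw):
                return {"code": "Access-Reject"}
            state = secrets.token_hex(8)
            self.sessions[state] = (user, self.now())
            return {"code": "Access-Challenge", "State": state,
                    "Reply-Message": "Please enter OTP"}
        # Step 2: the State must be one we issued, to this user, and still fresh
        issued = self.sessions.pop(state, None)
        if issued is None or issued[0] != user or self.now() - issued[1] > STATE_TTL:
            return {"code": "Access-Reject", "Reply-Message": "Invalid or expired State"}
        # group_authorization: group check first, then the OTP via PAM
        if VPN_GROUP not in self.groups_of(user):
            return {"code": "Access-Reject", "Reply-Message": "Not authorized for vpn"}
        if pw is None or not self.otp_ok(user, pw):
            return {"code": "Access-Reject", "Reply-Message": "Bad OTP"}
        return {"code": "Access-Accept", "Fortinet-Group-Name": "vpn_admins",
                "Reply-Message": "Welcome Admin"}


def make_server(now=time.time):
    """A server wired to the constructed directory and OTP table above."""
    def eq(a, b):
        return hmac.compare_digest(a.encode(), b.encode())
    return ChallengeResponseServer(
        ldap_bind=lambda u, p: u in DIRECTORY and eq(DIRECTORY[u]["password"], p),
        groups_of=lambda u: DIRECTORY.get(u, {}).get("groups", []),
        otp_ok=lambda u, c: u in VALID_OTPS and eq(VALID_OTPS[u], c),
        now=now,
    )


def run_exchange(server, user, password, otp):
    """The NAS side: send the password, answer the challenge with the OTP."""
    first = server.handle({"User-Name": user, "User-Password": password})
    if first["code"] != "Access-Challenge":
        return first
    return server.handle({"User-Name": user, "User-Password": otp, "State": first["State"]})


if __name__ == "__main__":
    srv = make_server()
    print(run_exchange(srv, "alice", "Winter2020!", "287082"))   # Access-Accept
    print(run_exchange(srv, "bob", "Summer2020!", "005924"))     # Not authorized for vpn
    print(srv.handle({"User-Name": "alice", "User-Password": "287082", "State": "deadbeef"}))
```

Both factors travel in User-Password: the domain password in the first request and the OTP in the second, which is why the authorize section rejects anything that is not PAP. The three reject paths in step 2 (unknown or stale State, wrong group, wrong OTP) are the ones to look for in radiusd -X output when a user reports that the VPN "asks for something and then fails".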

Manba: www.habr.com
