Freeradius + Google Authenticator + LDAP + Fortigate

What do you do when two-factor authentication is both desirable and prickly, there is no money for hardware tokens, and in general you are told to hang in there and keep your spirits up?

This solution is nothing particularly original; rather, it is a mix of various solutions found on the Internet.

So, what we have:

An Active Directory domain.

Domain users who work over VPN, as many do today.

Fortigate acts as the VPN gateway.

Saving the password in the VPN client is forbidden by the security policy.

Fortinet's policy regarding its own tokens can only be called stingy: a whole 10 free tokens, the rest at a decidedly non-kosher price. I did not consider RSA SecurID, Duo and the like, because I want open source.

Prerequisites: a *nix host with freeradius installed and sssd joined to the domain, so that domain users can authenticate on it without any trouble.

Additional packages: shellinabox, figlet, freeradius-ldap, and the rebel.tlf font from the repository https://github.com/xero/figlet-fonts.

In my example, CentOS 7.8.

The intended logic is as follows: when connecting to the VPN, the user must enter the domain login and an OTP instead of the password.

Setting up the services

In /etc/raddb/radiusd.conf only the user and group under which freeradius starts are changed, because the radiusd service must be able to read files in every subdirectory of /home/.

user = root
group = root

To be able to use groups in the Fortigate configuration, a Vendor Specific Attribute must be passed. To do this, I create a file in the raddb/policy.d directory with the following content:

group_authorization {
    if (&LDAP-Group[*] == "CN=vpn_admins,OU=vpn-groups,DC=domain,DC=local") {
        update reply {
            &Fortinet-Group-Name = "vpn_admins"
        }
        update control {
            &Auth-Type := PAM
            &Reply-Message := "Welcome Admin"
        }
    }
    else {
        update reply {
            &Reply-Message := "Not authorized for vpn"
        }
        reject
    }
}

After installing freeradius-ldap, a file named ldap is created in the raddb/mods-available directory.

A symbolic link to it must be created in the raddb/mods-enabled directory.

ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap

I bring its content to the following form:

ldap {
        server = 'domain.local'
        identity = 'CN=freerad_user,OU=users,DC=domain,DC=local'
        password = "SupeSecretP@ssword"
        base_dn = 'dc=domain,dc=local'
        sasl {
        }
        user {
                base_dn = "${..base_dn}"
                filter = "(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
                sasl {
                }
                scope = 'sub'
        }
        group {
                base_dn = "${..base_dn}"
                filter = '(objectClass=Group)'
                scope = 'sub'
                name_attribute = cn
                membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
                membership_attribute = 'memberOf'
        }
}

In the files raddb/sites-enabled/default and raddb/sites-enabled/inner-tunnel, in the authorize section, I add the name of the policy that will be used: group_authorization. An important point: the policy name is determined not by the file name in the policy.d directory, but by the directive inside the file, before the curly braces.
In the authenticate section of the same files, the pam line must be uncommented.

In clients.conf, set the parameters with which Fortigate will connect:

client fortigate {
    ipaddr = 192.168.1.200
    secret = testing123
    require_message_authenticator = no
    nas_type = other
}

Configuration of the pam.d/radiusd module:

#%PAM-1.0
auth       sufficient   pam_google_authenticator.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    include      password-auth

The default ways of implementing the freeradius + google authenticator combination require the user to enter credentials in the format username / password+OTP.

Having imagined the number of curses that would rain down on my head if the default freeradius + Google Authenticator combination were used, I decided to configure the pam module so that only the Google Authenticator token is checked.

When a user connects, the following happens:

  • Freeradius checks that the user exists in the domain and in a specific group and, if so, verifies the OTP token.

Everything looked fine right up until the moment I wondered: "And how do I enrol OTP for 300+ users?"

The user has to log in to the freeradius server under their own account and run the Google Authenticator application, which generates a QR code for the user's app. This is where shellinabox in combination with .bash_profile comes to the rescue.

[root@freeradius ~]# yum install -y shellinabox

The daemon's configuration file is /etc/sysconfig/shellinabox.
There I set port 443; you can also specify your own certificate.

[root@freeradius ~]# systemctl enable --now shellinaboxd

All the user has to do is follow the link, enter their domain credentials and get the QR code for the app.

The algorithm is as follows:

  • The user logs in to the machine through the browser.
  • It is checked whether the user is a domain user. If not, no action is taken.
  • If the user is a domain user, membership in the admins group is checked.
  • If not an admin, it checks whether Google Authenticator is already configured. If not, a QR code is generated and the user is logged out.
  • If not an admin and Google Authenticator is configured, the user is simply logged out.
  • If an admin, Google Authenticator is checked again. If not configured, a QR code is generated.

All the logic is implemented in /etc/skel/.bash_profile.

cat /etc/skel/.bash_profile

# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi

# User specific environment and startup programs
# Make several commands available from user shell

# Anyone who is not in the admins group, or who is not a local /etc/passwd user,
# gets a PATH restricted to the few tools the enrolment dialogue below needs.
if [[ -z $(id $USER | grep "admins") || -z $(cat /etc/passwd | grep $USER) ]]
  then
    [[ ! -d $HOME/bin ]] && mkdir $HOME/bin
    [[ ! -f $HOME/bin/id ]] && ln -s /usr/bin/id $HOME/bin/id
    [[ ! -f $HOME/bin/google-auth ]] && ln -s /usr/bin/google-authenticator $HOME/bin/google-auth
    [[ ! -f $HOME/bin/grep ]] && ln -s /usr/bin/grep $HOME/bin/grep
    [[ ! -f $HOME/bin/figlet ]] && ln -s /usr/bin/figlet $HOME/bin/figlet
    [[ ! -f $HOME/bin/rebel.tlf ]] && ln -s /usr/share/figlet/rebel.tlf $HOME/bin/rebel.tlf
    [[ ! -f $HOME/bin/sleep ]] && ln -s /usr/bin/sleep $HOME/bin/sleep
  # Set PATH env to <home user directory>/bin
    PATH=$HOME/bin
    export PATH
  else
    PATH=$PATH:$HOME/.local/bin:$HOME/bin
    export PATH
fi


if [[ -n $(id $USER | grep "domain users") ]]
  then
    if [[ ! -e $HOME/.google_authenticator ]]
      then
        if [[ -n $(id $USER | grep "admins") ]]
          then
            # Admin without a token: enrol, then leave the shell open
            figlet -t -f $HOME/bin/rebel.tlf "Welcome to Company GAuth setup portal"
            sleep 1.5
            echo "Please, run any of these software on your device, where you would like to setup OTP:
Google Authenticator:
AppStore - https://apps.apple.com/us/app/google-authenticator/id388497605
Play Market - https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
FreeOTP:
AppStore - https://apps.apple.com/us/app/freeotp-authenticator/id872559395
Play Market - https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=en

And prepare to scan QR code.

"
            sleep 5
            # -f force, -t time-based, -w 3 window of 3 codes, -r 3 -R 30 three attempts per 30 s,
            # -d disallow code reuse, -e 1 one emergency scratch code
            google-auth -f -t -w 3 -r 3 -R 30 -d -e 1
            echo "Congratulations, now you can use an OTP token from application as a password connecting to VPN."
          else
            # Regular domain user without a token: enrol, then log out
            figlet -t -f $HOME/bin/rebel.tlf "Welcome to Company GAuth setup portal"
            sleep 1.5
            echo "Please, run any of these software on your device, where you would like to setup OTP:
Google Authenticator:
AppStore - https://apps.apple.com/us/app/google-authenticator/id388497605
Play Market - https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
FreeOTP:
AppStore - https://apps.apple.com/us/app/freeotp-authenticator/id872559395
Play Market - https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=en

And prepare to scan QR code.

"
            sleep 5
            google-auth -f -t -w 3 -r 3 -R 30 -d -e 1
            echo "Congratulations, now you can use an OTP token from application as a password to VPN."
            logout
        fi
      else
        echo "You have already setup a Google Authenticator"
        if [[ -z $(id $USER | grep "admins") ]]
          then
          logout
        fi
    fi
  else
    echo "You don't need to set up a Google Authenticator"
fi
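The profile's google-auth -f -t -w 3 -r 3 -R 30 -d -e 1 call writes ~/.google_authenticator, and pam_google_authenticator later reads that file to check the code the VPN user types. The Python below is an added example, not code from the article or from the google-authenticator project: it models those checks (window of 3 codes, disallowed reuse, one emergency scratch code; the -r 3 -R 30 rate limit is left out) over a constructed sample of that file whose secret is the RFC 4226 test key.

```python
import base64, hashlib, hmac, struct

# Constructed sample ~/.google_authenticator as left by the profile's google-auth call (RFC 4226 test key, made-up scratch code)
SAMPLE_FILE = """\
GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
12345678
"""

def totp(secret, counter):
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamic truncation, 6 digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%06d" % (value % 1_000_000)

class Verifier:
    """Models the token checks behind -w 3, -d and -e 1; the -r 3 -R 30 rate limit is not modelled."""
    def __init__(self, file_text):
        lines = [ln.strip() for ln in file_text.splitlines() if ln.strip()]
        self.secret = base64.b32decode(lines[0])       # first line: base32 seed shared with the app
        opts = {}
        self.scratch = []                              # trailing numeric lines: emergency codes
        for line in lines[1:]:
            if line.startswith('"'):                   # option lines look like: " WINDOW_SIZE 3
                key, *args = line[1:].split()
                opts[key] = args
            else:
                self.scratch.append(line)
        self.window = int(opts.get("WINDOW_SIZE", ["3"])[0])
        self.disallow_reuse = "DISALLOW_REUSE" in opts
        self.used = set()                              # 30-second periods already used to log in

    def verify(self, code, now):
        """Check one submitted code at Unix time `now`; returns True when it would be accepted."""
        if code in self.scratch:                       # -e 1: one scratch code, burned on first use
            self.scratch.remove(code)
            return True
        cur = now // 30
        half = self.window // 2                        # -w 3: current period plus one on each side
        for counter in range(cur - half, cur + half + 1):
            if hmac.compare_digest(totp(self.secret, counter), code):
                if self.disallow_reuse and counter in self.used:
                    return False                       # -d: a period's code may not log in twice
                self.used.add(counter)
                return True
        return False
```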

Fortigate setup:

  • Create the RADIUS server.
  • Create the necessary groups, if access needs to be restricted by group. The group name on Fortigate must match the group passed in the Vendor Specific Attribute Fortinet-Group-Name.
  • Edit the required SSL portals.
  • Add the groups to the policies.

Advantages of this solution:

  • OTP authentication on Fortigate becomes possible with an open source solution.
  • The user does not enter the domain password when connecting over VPN, which somewhat simplifies the connection process. A 6-digit code is easier to type than the password required by the security policy. As a result, the number of tickets titled "I can't connect to the VPN" goes down.

P.S. The plan is to extend this solution to full two-factor authentication with challenge-response.

Update:

As promised, I have reworked it into the challenge-response variant.
So:
In the file /etc/raddb/sites-enabled/default the authorize section looks like this:

authorize {
    filter_username
    preprocess
    auth_log
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    files
    -sql
    #-ldap
    expiration
    logintime
    if (!State) {
        if (&User-Password) {
            # If !State and User-Password (PAP), then force LDAP:
            update control {
                Ldap-UserDN := "%{User-Name}"
                Auth-Type := LDAP
            }
        }
        else {
            reject
        }
    }
    else {
        # If State, then proxy request:
        group_authorization
    }
    pap
}

The authenticate section now looks like this:

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        mschap
        digest
        # Attempt authentication with a direct LDAP bind:
        Auth-Type LDAP {
                ldap
                if (ok) {
                        update reply {
                                # Create a random State attribute:
                                State := "%{randstr:aaaaaaaaaaaaaaaa}"
                                Reply-Message := "Please enter OTP"
                        }
                        # Return Access-Challenge:
                        challenge
                }
        }
        pam
        eap
}

User verification now proceeds according to the following algorithm:

  • The user enters the domain credentials in the VPN client.
  • Freeradius checks the validity of the account and password.
  • If the password is correct, a request for the token is sent.
  • The token is verified.
  • Profit.

Source: www.habr.com
