Moving to 2FA (two-factor authentication for ASA SSL VPN)

The need to provide remote access to the corporate environment comes up more and more often, whether it is your own users or partners who need to reach a particular server in your organization.

For this purpose most companies use VPN technology, which has proven itself as a reliably protected way of providing access to the organization's local resources.

My company was no exception, and we, like many others, use this technology. And, like many others, we use a Cisco ASA 55xx as the remote access gateway.

As the number of remote users grows, there is a need to simplify the process of issuing credentials. At the same time, this has to be done without weakening security.

For ourselves, we found the answer in two-factor authentication for connections over Cisco SSL VPN, using one-time passwords. This article explains how to set up such a solution with little time and zero cost for the software involved (provided you already have a Cisco ASA in your infrastructure).

The market is full of boxed solutions for generating one-time passwords, offering many ways to deliver them: sending the password by SMS, or using tokens, both hardware and software (for example, on a mobile phone). But the urge to economize, and to save my employer money in the current crisis, pushed me to find a free way to run a one-time password service. One that, while free, is not far behind the commercial solutions (a caveat here: this product also has a commercial version, but we agreed that our costs, in money, would be zero).

So, we will need:

- A Linux image with a built-in set of tools: multiOTP, FreeRADIUS and nginx, for accessing the server over the web (http://download.multiotp.net/ - I used the ready-made VMware image)
- A working Active Directory server
- The Cisco ASA itself (for simplicity, I use ASDM)
- Any software token that supports the TOTP mechanism (I, for example, use Google Authenticator, but FreeOTP will do just as well)

I will not go into detail on how the image is deployed. The result is a Debian Linux with multiOTP and FreeRADIUS already installed, configured to work together, and with a web interface for OTP administration.

Step 1. Start the system and configure it for your network
By default, the system comes with root:root credentials. I think everyone has guessed that it is a good idea to change the root password after the first login. You also need to change the network settings (by default '192.168.1.44' with gateway '192.168.1.1'). After that you can reboot the system.

Let's create a user otp in Active Directory, with the password MySuperPassword.

Step 2. Set up the connection and import Active Directory users
For this we need console access, and specifically the multiotp.php file, with which we will configure the connection settings for Active Directory.

Go to the directory /usr/local/bin/multiotp/ and execute the following commands in sequence:

./multiotp.php -config default-request-prefix-pin=0

Determines whether an additional (permanent) PIN is required when entering the one-time PIN (0 or 1)

./multiotp.php -config default-request-ldap-pwd=0

Determines whether the domain password is required when entering the one-time PIN (0 or 1)

./multiotp.php -config ldap-server-type=1

Specifies the LDAP server type (0 = a regular LDAP server, in our case 1 = Active Directory)

./multiotp.php -config ldap-cn-identifier="sAMAccountName"

Specifies the attribute used as the user name (this value gives only the name, without the domain)

./multiotp.php -config ldap-group-cn-identifier="sAMAccountName"

The same, but for groups

./multiotp.php -config ldap-group-attribute="memberOf"

Specifies how to determine whether a user belongs to a group

./multiotp.php -config ldap-ssl=1

Whether to use a secure connection to the LDAP server (of course, yes!)

./multiotp.php -config ldap-port=636

The port for connecting to the LDAP server

./multiotp.php -config ldap-domain-controllers=adSRV.domain.local

The address of your Active Directory server

./multiotp.php -config ldap-base-dn="CN=Users,DC=domain,DC=local"

Specifies where in the domain to start searching for users

./multiotp.php -config ldap-bind-dn="[email protected]"

Specifies a user with rights to search Active Directory

./multiotp.php -config ldap-server-password="MySuperPassword"

Specifies that user's password for connecting to Active Directory

./multiotp.php -config ldap-network-timeout=10

Sets the connection timeout for Active Directory

./multiotp.php -config ldap-time-limit=30

Sets the time limit for the import operation

./multiotp.php -config ldap-activated=1

Enables Active Directory synchronization

./multiotp.php -debug -display-log -ldap-users-sync

Imports the users from Active Directory

Step 3. Generate a QR code for the token
Everything here is quite simple. Open the OTP server's web interface in a browser, log in (don't forget to change the administrator password!), and click the "Print" button:

The result is a page containing two QR codes. We boldly ignore the first one (despite its attractive caption "Google Authenticator / Authenticator / 2 Steps Authenticator"), and just as boldly scan the second code into the software token on the phone:

(yes, I deliberately spoiled the QR code to make it unreadable).

Once this is done, a six-digit password will start being generated in your application every thirty seconds.

To check, you can verify it in the same interface:

Enter your user name and the one-time password from the application on your phone. Did you get a positive response? Then let's move on.
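The six-digit code that changes every thirty seconds, and the check the web interface performs on it, are the TOTP algorithm of RFC 6238 (HOTP from RFC 4226 with a time-based counter). The following is an added example, not code from the article or from multiOTP; the secret is the RFC 6238 reference key "12345678901234567890" in base32, a constructed test value rather than one issued by any OTP server. It also shows the two server-side details a verifier needs that the article does not spell out: a small window of neighbouring time steps to tolerate phone clock skew, and a record of the last accepted step so a captured code cannot be replayed.

```python
"""TOTP (RFC 6238) generation and server-side verification.

Added example, not code from the article or from multiOTP. TEST_SECRET_B32
is the RFC 6238 reference key, base32-encoded: a constructed test value.
"""
import base64
import hashlib
import hmac
import struct
import time

# Constructed test secret (RFC 6238 reference key "12345678901234567890").
TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

STEP_SECONDS = 30   # time step described in the article
DIGITS = 6          # code length described in the article


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the last `digits` decimal digits."""
    key = base64.b32decode(secret_b32.upper(), casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, at_time // step)


class TotpVerifier:
    """What the OTP server does with a submitted code: accept the current
    step and `window` steps either side (clock skew), and never accept a
    step at or before the last one already used (replay of a sniffed code)."""

    def __init__(self, secret_b32: str, window: int = 1, step: int = STEP_SECONDS):
        self.secret = secret_b32
        self.window = window
        self.step = step
        self.last_accepted_counter = -1

    def verify(self, code: str, at_time: int) -> bool:
        counter_now = at_time // self.step
        for counter in range(counter_now - self.window, counter_now + self.window + 1):
            if counter <= self.last_accepted_counter:
                continue   # already consumed: a second submission is a replay
            # constant-time comparison so the check itself leaks nothing
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    print("current code for the test secret:", totp(TEST_SECRET_B32, now))
```

The values can be checked against the published RFC 6238 test vectors: at Unix time 59 the 8-digit SHA-1 code is 94287082, so the 6-digit code is 287082. Note that the verifier deliberately rejects a correct code the second time it is presented, which is the behaviour you want from the OTP server behind the VPN gateway.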

Step 4. Additional configuration and testing of FreeRADIUS
As I mentioned above, multiOTP is already configured to work with FreeRADIUS; all that remains is to run the tests and add our VPN gateway to the FreeRADIUS configuration.

Back in the server console, in the directory /usr/local/bin/multiotp/, enter:

./multiotp.php -config debug=1
./multiotp.php -config display-log=1

This enables logging.

In the FreeRADIUS clients configuration file (/etc/freeradius/clients.conf) comment out all lines related to localhost and add two entries:

client localhost {
        ipaddr = 127.0.0.1
        secret          = testing321
        require_message_authenticator = no
}

- for testing, and

client 192.168.1.254/32 {
        shortname =     CiscoASA
        secret =        ConnectToRADIUSSecret
}

- for our VPN gateway.

Restart FreeRADIUS and try to log in:

radtest username 100110 localhost 1812 testing321

where username = the user name, 100110 = the password shown by the application on the phone, localhost = the RADIUS server address, 1812 = the RADIUS server port, and testing321 = the RADIUS client secret (the one we set in the configuration).

The output of this command will look roughly like this:

Sending Access-Request of id 44 to 127.0.0.1 port 1812
        User-Name = "username"
        User-Password = "100110"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 1812
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=44, length=20
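The Access-Request shown in that output is a short binary packet, and two of its attributes matter for the security of this setup: User-Password is only hidden with MD5 keyed on the shared secret (RFC 2865), and Message-Authenticator is the HMAC-MD5 that proves the sender knows the secret and that the packet was not altered (RFC 2869). The latter is exactly what the `require_message_authenticator` setting in clients.conf controls: with `no`, as in the localhost test entry above, the server accepts requests that omit it. The block below is an added example, not code from the article, FreeRADIUS or radtest; it builds the same request with the article's values ("username", "100110", "testing321", NAS 127.0.1.1, port 1812), then decodes it the way the server does. The 16-byte Request Authenticator is a constructed constant so the result is reproducible; a real client draws it at random.

```python
"""Build and decode a RADIUS Access-Request (RFC 2865) with User-Password
hiding and a Message-Authenticator (RFC 2869).

Added example; not code from the article, FreeRADIUS or radtest. The user,
password and secret are the article's localhost test values; the Request
Authenticator is a constructed constant (a real client uses os.urandom(16)).
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5
ATTR_MESSAGE_AUTHENTICATOR = 80

SECRET = b"testing321"                    # shared secret from clients.conf
FIXED_AUTHENTICATOR = bytes(range(16))    # constructed; os.urandom(16) in practice


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 and XOR each block with
    MD5(secret + previous block); the first 'previous block' is the Request
    Authenticator. Keyed obfuscation, not encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key_block = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], key_block))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: what the server does before asking multiOTP
    whether the one-time password is valid."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key_block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(chunk, key_block)), chunk
    return out.rstrip(b"\x00")


def _avp(attr_type: int, value: bytes) -> bytes:
    """Attribute-Value Pair: type byte, total length byte, value."""
    return struct.pack(">BB", attr_type, len(value) + 2) + value


def build_access_request(pkt_id, username, password, secret, nas_ip, nas_port,
                         authenticator=None) -> bytes:
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = (
        _avp(ATTR_USER_NAME, username.encode())
        + _avp(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
        + _avp(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
        + _avp(ATTR_NAS_PORT, struct.pack(">I", nas_port))
        + _avp(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)   # placeholder, filled below
    )
    header = struct.pack(">BBH", ACCESS_REQUEST, pkt_id, 20 + len(attrs)) + authenticator
    # RFC 2869 5.14: HMAC-MD5 over the whole packet with the attribute zeroed.
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def parse_packet(data: bytes) -> dict:
    """Decode the header and attributes into a dict (attribute type -> value)."""
    code, pkt_id, length = struct.unpack(">BBH", data[:4])
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = data[pos], data[pos + 1]
        attrs[attr_type] = data[pos + 2:pos + attr_len]
        pos += attr_len
    return {"code": code, "id": pkt_id, "length": length,
            "authenticator": data[4:20], "attrs": attrs}


def verify_message_authenticator(data: bytes, secret: bytes) -> bool:
    """Server-side check: recompute the HMAC with the attribute zeroed.
    Returns False if the attribute is missing, which is what a server with
    require_message_authenticator = yes would then reject."""
    length = struct.unpack(">H", data[2:4])[0]
    pos = 20
    while pos < length:
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = data[pos + 2:pos + 18]
            zeroed = data[:pos + 2] + b"\x00" * 16 + data[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, received)
        pos += attr_len
    return False


def demo() -> dict:
    """Round trip of the article's test request as the server would see it."""
    pkt = build_access_request(44, "username", "100110", SECRET,
                               "127.0.1.1", 1812, FIXED_AUTHENTICATOR)
    parsed = parse_packet(pkt)
    return {
        "length": parsed["length"],
        "user": parsed["attrs"][ATTR_USER_NAME].decode(),
        "password": reveal_password(parsed["attrs"][ATTR_USER_PASSWORD], SECRET,
                                    parsed["authenticator"]).decode(),
        "authentic": verify_message_authenticator(pkt, SECRET),
    }


if __name__ == "__main__":
    print(demo())
```

Two things follow from the code. The password hiding depends entirely on the shared secret, so the RADIUS path between the ASA and the multiOTP server should stay on a trusted network segment, and `ConnectToRADIUSSecret` in the gateway's client entry deserves the same care as any other credential. And since FreeRADIUS can be told to require the Message-Authenticator per client, setting `require_message_authenticator = yes` on the ASA's entry is the stricter choice if the gateway includes the attribute; the `no` in the text belongs to the localhost test entry only.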

Now we need to make sure the user was actually authenticated successfully. For this we look at the multiotp log itself:

tail /var/log/multiotp/multiotp.log

And if the last entries there read:

2016-09-01 08:58:17     notice  username  User    OK: User username successfully logged in from 127.0.0.1
2016-09-01 08:58:17     debug           Debug   Debug: 0 OK: Token accepted from 127.0.0.1

then everything went well and we can move on.

Step 5. Configure the Cisco ASA
Let's assume we already have a group and access policies for SSL VPN configured against Active Directory, and we need to add two-factor authentication to this profile.

1. Add a new AAA server group:

2. Add our multiOTP server to the group:

3. Edit the connection profile, setting the Active Directory server group as the primary authentication server:

4. On the Advanced -> Authentication tab, also select the Active Directory server group:

5. On the Advanced -> Secondary authentication tab, select the newly created server group in which the multiOTP server is registered. Note that the session user name is taken from the primary AAA server group:

Apply the settings and

Step 6, aka the last one
Let's check that two-factor authentication works on the SSL VPN:

Voila! When connecting with the Cisco AnyConnect VPN Client, you are additionally prompted for a second, one-time password.

I hope this article helps someone, and gives someone food for thought on how to use this free OTP server for other tasks. Share your thoughts in the comments if you wish.

Source: www.habr.com
