×× × ××× ×Š× ×Š×ש××¢×× ××××Ö·× ×ַקסעס ×Š× ×Ö· ×€Ö¿×ך××¢ ס××××××¢ ××× ××עך××ש×× × ×עך ××× ×עך ×Öž×€×, ק××× ×¢× ×× ×Š× ×¢×¡ ××¢× ×¢× ×××× ××××¢×š× ×Öž×עך ×€ÖŒ×ַך×× ×¢×š×¡ ×××֞ס ××Ö·×š×€Ö¿× ×ַקסעס ×Š× ×Ö· ××Ö·××× ×עך סעך××עך ××× ×××× ×֞ך××Ö·× ×××ַ׊××¢.
×€Ö¿×ַך ×× ×Š××עק×, ך××Ö¿ ק×Öž××€ÖŒ×Ö·× ×עס × ××Š× VPN ××¢×× ×Öž××Öž×××¢, ×××֞ס ××× ×€ÖŒ×š×Öž×××¢× ××× ×Š× ×××× ×Ö· ך×××××Ö·××× ×€ÖŒ×š×Öž×עק××¢× ×××¢× ×Š× ×Š×ש××¢×× ×ַקסעס ×Š× ×× ××××¢ ךעס××š×¡× ×€×× ×עך ×֞ך××Ö·× ×××ַ׊××¢.
×××Ö·× ×€×ך××¢ ××× ××¢×××¢× ×§××× ×××¡× ×¢×, ××× ××ך, ××× ×€×××¢ ×× ×עךע, × ××Š× ××¢× ××¢×× ×Öž××Öž×××¢. ×××, ××× ×€×××¢ ×× ×עךע, ××ך × ××Š× Cisco ASA 55xx ××× ×Ö· ××××Ö·× ×ַקסעס ××××××××.
××× ×× × ××עך ×€×× ××××Ö·× × ×׊עךס ×× ×§×š×ס××, עס ××× ×Ö· × ××× ×Š× ×€×ַך׀֌×֞שע××¢×š× ×× ×€ÖŒ×š×֞׊ע××ך ×€Ö¿×ַך ×ך××ס××¢×× ×§×š×Ö·××¢× ×ש×Ö·××. ××עך ××× ×עך ××¢×××קעך ׊××Ö·×, ××֞ס ×××× ×××× ××¢××× ×Öž× ×§×Ö·×׀֌ך×Ö·×××××× × ×××עךק××Ö·×.
×€Ö¿×ַך ×××, ××ך ××¢×€Ö¿×× ×¢× ×Ö· ×××××× × ××× × ××Š× ×Š××××-×€×ַק××֞ך ×Öž××¢× ××ַק××ש×Ö·× ×€Ö¿×ַך ק×Ö·× ×¢×§××× × ×××š× Cisco SSL VPN, × ××Š× ××××-׊××Ö·× ×€ÖŒ×ַס××עך××. ××× ×× ××ס××Ö·××¢ ×××¢× ××Öž×× ××ך ××× ×Š× ×֞ך××Ö·× ××××š× ×Ö·××Ö· ×Ö· ×××××× × ××× ××× ×××Ö·× ×Š××× ××× × ×× ×§×֞ס ×€Ö¿×ַך ×× × ××××ק ×××××××××š× (׊××עש××¢×× ×Ö·× ××ך ש××× ××Öž×× Cisco ASA ××× ×××× ×× ×€×š×ַס×ך×ַק×שעך).
×עך ××ַךק ××× ×š××€ÖŒ××× ××× ××Öž×§×¡×¢× ×¡×Ö·××ש×Ö·× × ×€Ö¿×ַך ×××©×¢× ×¢×š××××× × ××××-׊××Ö·× ×€ÖŒ×ַס××עך××, ××× ×֞׀׀עךס ×Ö· ×€ÖŒ××Ö·×¥ ×€×× ×֞׀֌׊×עס ×Š× ××ַק×××¢× ×××, ×××× ×¢×¡ ש××§× ×× ×€ÖŒ×ַך×Öž× ×××š× SMS ×Öž×עך × ××Š× ××Öž×§×¢× ×¡, ×××××¢ ××Ö·×× ×××Ö·×š× ××× ×××××××××š× (××ש×, ××××£ ×Ö· ך×ךע××××ק ××¢××¢×€×Öž×). ×Öž×עך ×עך ×€×ַך××Ö·× × ×Š× ×©×€ÖŒ×Öž×š× ××¢×× ××× ×עך ×€×ַך××Ö·× × ×Š× ×©×€ÖŒ×Öž×š× ××¢×× ×€Ö¿×ַך ×××× ××Ö·××¢××֞ס, ××× ××¢× ×§×š×Ö·× × ×§×š×××ס, ×ע׊×××× ××¢× ××ך ×Š× ××¢×€Ö¿×× ×¢× ×Ö· ׀ך×× ×××¢× ×Š× ×× ×¡×ך×××¢× × ×Ö· ××× ×¡× ×€Ö¿×ַך ×××©×¢× ×¢×š××××× × ××××-׊××Ö·× ×€ÖŒ×ַס××עך××. ×××֞ס, ××Öž×ש ׀ך××, ××× × ××©× ×€×× ×¢×š×עך ×Š× ××¢×©×¢×€× ×¡×Ö·××ש×Ö·× × (××Öž ××ך ××Öž× ××Ö·×× ×Ö· ךע×עך×××ַ׊××¢, ××××¢×š×§× ×Ö·× ××¢× ×€ÖŒ×š×Öž×××§× ×××× ××× ×Ö· ××¢×©×¢×€× ××עךס××¢, ×Öž×עך ××ך ×ס××× ×Ö·× ××× ××עך ק×֞ס ××× ××¢×× ×××¢× ×××× × ××).
×Ö·×××, ××ך ×××¢×× ××ַך׀ֿ×:
- × ××× ×קס ×××× ××× ×Ö· ××¢××××-××× ××Ö·× × ×€×× ××ש×ך×× - ××××××Öž××€ÖŒ, ׀ךעעך×Ö·×××ס ××× × ××× ×§×¡, ×€Ö¿×ַך ×ַקסעס ×× ×¡×¢×š××עך ×××š× ×× ×××¢× (http://download.multiotp.net/ - ××× ××¢××××× × ×Ö· ×€×ַך××ק ×××× ×€Ö¿×ַך VMware) — note: this image is offered over plain HTTP; verify the published checksum or signature before deploying an authentication appliance built from it.
- ×ַק×××× Directory סעך×××ךעך
- Cisco ASA ××× (×€Ö¿×ַך ק×Ö·× ×××× ××Ö·× ×¡, ××× × ××Š× ASDM)
- ק××× ×××××××××š× ×¡×××¢× ×××֞ס ש×××Š× ×× TOTP ×עק×Ö·× ×××Ö·× (×××, ××ש×, × ××Š× Google Authenticator, ×Öž×עך ×עך ××¢×××קעך FreeOTP ×××¢× ××Öž×)
××× ×××¢× × ××©× ×××× ××× ×€×š××× ×€×× ××× ×× ×××× ×Ö·× ×€×Öž××××. ××× ×Ö· ךע×××××Ö·×, ××ך ×××¢× ××ַק×××¢× ××¢×××Ö·× ××× ×קס ××× MultiOTP ××× FreeRADIUS ש××× ××× ×¡××Ö·××ך×, ק×Ö·× ×€××××¢×š× ×Š× ×ַך××¢×× ×Š×××Ö·××¢× ××× ×Ö· ×××¢× ×Š×××× × ×€Ö¿×ַך ×Öž××€ÖŒ ×Ö·×××× ×ס×ך×ַ׊××¢.
שך×× 1. ××ך ×Öž× ××××× ×× ×¡×ס××¢× ××× ×§×Ö·× ×€×××עך עס ×€Ö¿×ַך ×××× × ×¢×¥
×××š× ×€×¢××ק××Ö·×, ×× ×¡×ס××¢× ×§××× ××× ×××Öž×š×Š× ×××Öž×š×Š× ×§×š×Ö·××¢× ×ש×Ö·××. ××× ×ך×Ö·××× ×Ö·××¢××¢× ××¢×¡× ×Ö·× ×¢×¡ ×××Öž×× ×××× ×Ö· ××××¢ ××¢××Ö·× ×§ ×Š× ××××©× ×× ×××Öž×š×Š× ××Ö·× ×׊עך ×€ÖŒ×ַך×Öž× × ×Öž× ×עך עךש×עך ××Öž×××. ××ך ×××× ××Ö·×š×€Ö¿× ×Š× ××××©× ×× × ×¢×¥ סע×××× ×ס (×××š× ×€×¢××ק××Ö·× ×¢×¡ ××× '192.168.1.44' ××× ×× ×××××××× '192.168.1.1'). ××¢×š× ×Öž× ××ך ×§×¢× ×¢× ×š×ס××Ö·×š× ×× ×¡×ס××¢×.
××Öž××ך ש×Ö·×€Ö¿× ×Ö· ××Ö·× ×׊עך ××× ×ַק×××× Directory ×Öž××€ÖŒ, ××× ×€ÖŒ×ַך×Öž× MySuperPassword.
שך×× 2. ש××¢×× ×ַך×××£ ×× ×§×©×š ××× ×ַך××Ö·× ×€×ך ×ַק×××××¢ Directory × ×׊עךס
×Š× ××Öž× ××֞ס, ××ך ××Ö·×š×€Ö¿× ×ַקסעס ×Š× ×× ×§×Ö·× ×¡×Öž×× ××× ××××Ö·× ×Š× ×עך ×עקע multiotp.php, × ××Š× ×××֞ס ××ך ×××¢×× ×§×Ö·× ×€×××עך קשך סע×××× ×ס ×Š× Active Directory.
×××× ×Š× ×××¢×××××Ö·×עך /usr/local/bin/multiotp/ ××× ××ך××€××š× ×× ×€××××¢× ××¢ ק×Ö·××Ö·× ×× ××× ×ך××Ö·:
# 0 = do not ask for a PIN prefix in front of the OTP by default (0 or 1)
./multiotp.php -config default-request-prefix-pin=0
××ַש××××¢× ×Š× ×Ö·× × ×Öž× (ש××¢× ××ק) ש×××€× ××× ×€×ך××× ×× ×××¢× ×ַך××Ö·× ×Ö· ××××-׊××Ö·× ×©×××€× (0 ×Öž×עך 1)
# 0 = do not ask for the LDAP/AD password in the OTP request by default (0 or 1);
# the AD password is checked by the ASA's own AD server group (step 5), not here
./multiotp.php -config default-request-ldap-pwd=0
×××עך××Ö·× × ×Š× ×Ö· ×€×¢×× ×€ÖŒ×ַך×Öž× ××× ×€×ך××× ×× ×××¢× ×ַך××Ö·× ×Ö· ××××-׊××Ö·× ×©×××€× (0 ×Öž×עך 1)
# 1 = Active Directory (0 = generic LDAP server)
./multiotp.php -config ldap-server-type=1
×עך ×××€ÖŒ ×€×× LDAP סעך××עך ××× ×× ××¢××××× (0 = ךע×××עך LDAP סעך××עך, ××× ××× ××עך ×€×Ö·× 1 = ×ַק×××× Directory)
# AD attribute used as the login name
./multiotp.php -config ldap-cn-identifier="sAMAccountName"
ס׀֌ע׊××€×׊××š× ×× ×€Ö¿×֞ך××Ö·× ××× ×××֞ס ×Š× ×€×֞ךש××¢×× ××¢× × ×××¢× (××¢× ×××¢×š× ×××¢× ××××Ö·×× ××××× ×× × ×Öž××¢×, ×Öž× ×× ×€×¢××)
# same attribute, used for group names
./multiotp.php -config ldap-group-cn-identifier="sAMAccountName"
×× ××¢×××¢ ××Ö·×, × ×֞ך ×€Ö¿×ַך ×Ö· ×ך×׀֌ע
# user attribute that lists the groups a user belongs to
./multiotp.php -config ldap-group-attribute="memberOf"
ס׀֌ע׊××€×׊××š× ×Ö· ××¢××Öž× ×Š× ××ַש×××¡× ×Š× ×Ö· ××Ö·× ×׊עך ××¢××¢×š× ×Š× ×Ö· ×ך×׀֌ע
# use TLS (LDAPS) for the AD connection; without it the bind password below and
# every user lookup would cross the network in clear.
# NOTE(review): confirm that multiotp validates the DC certificate chain on this
# host — if it does not, TLS here only protects against passive capture
./multiotp.php -config ldap-ssl=1
××Öž× ××× × ××Š× ×Ö· ×××עך קשך ×Š× ×× LDAP סעך××עך (×€×× ×§×ךס - ××Öž!)
# LDAPS port (matches ldap-ssl=1 above)
./multiotp.php -config ldap-port=636
×€ÖŒ×Öž×š× ×€Ö¿×ַך ק×Ö·× ×¢×§××× × ×Š× ×× LDAP סעך××עך
# domain controller to query; with ldap-ssl=1 this name should be the one in the
# DC's certificate, not a bare IP, if the certificate is validated
./multiotp.php -config ldap-domain-controllers=adSRV.domain.local
×××× ×ַק×××××¢ Directory סעך××עך ×Ö·×ךעס
# search base for user and group lookups
./multiotp.php -config ldap-base-dn="CN=Users,DC=domain,DC=local"
××ך ×Öž× ××××Ö·×× ××× ×Š× ×Öž× ××××× ×××× ×€Ö¿×ַך × ×׊עךס ××× ×× ×€×¢××
# account multiotp binds to AD with.
# NOTE(review): "[email protected]" looks like an address-obfuscation artifact of the
# page, not a real value — use the bind account's UPN (name@domain.local) or DN,
# and make it a dedicated read-only account, not an admin
./multiotp.php -config ldap-bind-dn="[email protected]"
ס׀֌ע׊××€×׊××š× ×Ö· ××Ö·× ×׊עך ×××ס ××× ×××× ×š×¢×× ××× ×ַק×××× Directory
# password of the bind account created in step 1. It ends up in the shell history
# of this session and in multiotp's configuration on disk: clear the history entry
# and restrict permissions on the multiotp directory to the account that runs it
./multiotp.php -config ldap-server-password="MySuperPassword"
ס׀֌ע׊××€×׊××š× ×× ××Ö·× ×׊עך ×€ÖŒ×ַך×Öž× ×Š× ×€×ַך××× ×× ×Š× Active Directory
# timeout, in seconds, for connecting to AD
./multiotp.php -config ldap-network-timeout=10
××ַש××¢×××§× ×× ×××××Ö·×× ×€Ö¿×ַך ק×Ö·× ×¢×§××× × ×Š× Active Directory
# time limit for the user import operation
./multiotp.php -config ldap-time-limit=30
××ך ש××¢×× ×Ö· ׊××× ××××× ×€Ö¿×ַך ×× ××Ö·× ×׊עך ×ַך××Ö·× ×€×ך ×֞׀֌עך×ַ׊××¢
# enable the AD configuration set above
./multiotp.php -config ldap-activated=1
×ַק××Ö·××××××× × ×× ×§×Ö·× ×€×××עך××ש×Ö·× ×€×× Active Directory ×€Ö¿×ַך××× ××× ×
# import the users from AD, with debug output shown on the console
./multiotp.php -debug -display-log -ldap-users-sync
××ך ×ַך××Ö·× ×€×ך × ×׊עךס ×€×× ×ַק×××× Directory
שך×× 3. ×××©×¢× ×¢×š××× ×Ö· QR ק×Öž× ×€Ö¿×ַך ×× ×¡×××¢×
×Ö·××¥ ××Öž ××× ××֞ך ׀֌ש××. ×¢×€Ö¿×¢× ×¢× ×× ×××¢× ×Š×××× × ×€×× ×× ×Öž××€ÖŒ סעך××עך ××× ××¢× ×××¢×עךעך, ââק××Öž×¥ ××× (××Öž× × ×× ×€×ַך××¢×¡× ×Š× ××××©× ×× ×€×¢××ק××Ö·× ×€ÖŒ×ַך×Öž× ×€Ö¿×ַך ×× ×Ö·×××× ×ס×ך×Ö·××֞ך!), ××× ××× ×× "×ך×ק" ×§× ×¢×€ÖŒ×:
×עך ךע×××××Ö·× ×€×× ××¢× ×§×Ö·××£ ×××¢× ×××× ×Ö· ×××Ö·× ×××֞ס ×ÖŒ××× ×Š×××× QR ק×Öž×××. ××ך ××××ק ×××× ×֞ך××š× ×עך עךש×עך ×€×× ××× (×ך×Öž×¥ ×× ×Ö·×ך×ַק×××× ×× ×¡×§×š×׀֌ש×Ö·× Google Authenticator / Authenticator / 2 Steps Authenticator), ××× ××××עך, ××ך ××××ק ××עךק××§× ×× ×š××¢ ק×Öž× ××× ×Ö· ×××××××××š× ×¡×××¢× ××××£ ×× ××¢××¢×€×Öž×:
(××Öž, ××× ×××××ך×Ö·× ×§×Ö·×××¢ ×× QR ק×Öž× ×Š× ××Ö·×× ×¢×¡ ×Ö·× ×š×××Ö·××Ö·×).
× ×Öž× ×§×Ö·××€ÖŒ××××× × ×× ×ַקש×Ö·× ×, ×Ö· ×עקס-׊×׀ֿעך ×€ÖŒ×ַך×Öž× ×××¢× ×××× ×××©×¢× ×¢×š××××Ö·× ××× ×××× ×Ö·×€ÖŒ××ַק××ש×Ö·× ××¢×עך ×ך××ס×ק סעק×× ×עס.
×Š× ×××× ×××עך, ××ך ×§×¢× ×¢× ×§×Öž× ×ך×Öž×××š× ×¢×¡ ××× ×עך ××¢×××קעך ׊×××× ×:
×××š× ×ַך××Ö·× ×××× × ×××¢× ××× ×××× ××Öž× ×€ÖŒ×ַך×Öž× ×€Ö¿×× ×× ×Ö·×€ÖŒ××ַק××ש×Ö·× ××××£ ×××× ××¢××¢×€×Öž×. ××Öž× ××ך ××ַק×××¢× ×Ö· positive ×¢× ×׀עך? ×Ö·××× ××ך ××Ö·× ××××£.
שך×× 4. × ×Öž× ×§×Ö·× ×€×××עך××ש×Ö·× ××× ×עס××× × ×€×× FreeRADIUS ×֞׀֌עך×ַ׊××¢
××× ××× ×עך××× × ×××××, MultiOTP ××× ×©××× ×§×Ö·× ×€××××¢×š× ×Š× ×ַך××¢×× ××× FreeRADIUS, ×Ö·××¢ ×××֞ס ×××××× ×Š× ××××€× ×עסץ ××× ××××× ××× ×€Ö¿×֞ך××ַ׊××¢ ×××¢×× ××× ××עך VPN ×××××××× ×Š× ×× FreeRADIUS ק×Ö·× ×€×××עך××ש×Ö·× ×עקע.
××ך ׊×ך×קק×××¢× ×Š× ×× ×¡×¢×š××עך ק×Ö·× ×¡×Öž××, ×Š× ×× ×××¢×××××Ö·×עך /usr/local/bin/multiotp/, ×ַך××Ö·×:
# verbose logging for the RADIUS test below; set both back to 0 once the test
# passes — debug output may record per-request details you do not want retained
./multiotp.php -config debug=1
./multiotp.php -config display-log=1
×ַך××Ö·× ×עךע×× × ×עך ××××××× ××Öž××× ×.
××× ×× FreeRADIUS ק××××Ö·× ×¥ ק×Ö·× ×€×××עך××ש×Ö·× ×עקע (/etc/freeradius/clients.conf) ××Ö·××¢×š×§× ×Ö·××¢ ש×ך×ת ש××Ö·××ת ×Š× ××֞ק×Ö·×××Öž×¡× ××× ×××× ×Š×××× ×××× ×¡×:
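# loopback client used only by radtest in step 4; the secret is a throwaway
# value that never leaves this host
client localhost {
	ipaddr = 127.0.0.1
	secret = testing321
	# require the Message-Authenticator attribute in every Access-Request.
	# It is the only integrity check on the request packet, and radtest
	# already sends it (see the request dump below), so "yes" costs nothing
	require_message_authenticator = yes
}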
- ×€Ö¿×ַך ׀֌ך×××ך×
# the ASA, as a single host (/32)
client 192.168.1.254/32 {
	shortname = CiscoASA
	# placeholder only: use a long random secret. RADIUS between the ASA and
	# this host is protected by nothing but this value, and the OTP sent as
	# User-Password is merely obfuscated with it in transit.
	# NOTE(review): add require_message_authenticator = yes here too if the ASA
	# includes the attribute — confirm with a packet capture before enabling
	secret = ConnectToRADIUSSecret
}
- ×€Ö¿×ַך ××× ××עך VPN ××××××××.
ך×ס××Ö·×š× FreeRADIUS ××× ×€ÖŒ×š××××š× ×Š× ×§××Öž×¥ ×××:
# username = the AD account, 100110 = the 6-digit code currently shown by the phone app,
# localhost:1812 = this RADIUS server, testing321 = secret of the "localhost" client above
radtest username 100110 localhost 1812 testing321
××× × ×××¢× = ××Ö·× ×׊עך × ×Öž××¢×, 100110 = ×€ÖŒ×ַך×Öž× ××¢××¢×× ×Š× ××× ×× ×××š× ×× ×Ö·×€ÖŒ××ַק××ש×Ö·× ××××£ ×× ××¢××¢×€×Öž×, ××֞ק×Ö·×××Öž×¡× = RADIUS סעך××עך ×Ö·×ךעס, 1812 - RADIUS סעך××עך ×€ÖŒ×֞ך×, testing321 - RADIUS סעך××עך ק×××¢× × ×€ÖŒ×ַך×Öž× (×××֞ס ××ך ס׀֌עס××€××¢× ××× ×× ×§×Ö·× ×€×××עך××ש×Ö·×).
×עך ךע×××××Ö·× ×€×× ××¢× ××Ö·×€Ö¿×¢× ×××¢× ×××× ×š×¢×××××Ö·× ××¢×¢×š×¢× ××× ××××:
Sending Access-Request of id 44 to 127.0.0.1 port 1812
User-Name = "username"
User-Password = "100110"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=44, length=20
×××Š× ××ך ××Ö·×š×€Ö¿× ×Š× ××Ö·×× ×××עך ×Ö·× ×עך ××Ö·× ×׊עך ××× ×׊××× ×Öž××¢× ××ַק××××Ö·×. ×Š× ××Öž× ××֞ס, ××ך ×××¢×× ×§××§× ××× ×× ××Öž× ×€×× ××××××Öž××€ÖŒ ×××:
# multiotp's own log: shows whether the user and the token were accepted (see below);
# it records usernames and source addresses, so keep it readable only by root
tail /var/log/multiotp/multiotp.log
××× ×××× ×× ×ע׊××¢ ×€ÖŒ×Öž××׊××¢ ×××:
2016-09-01 08:58:17 notice username User OK: User username successfully logged in from 127.0.0.1
2016-09-01 08:58:17 debug Debug Debug: 0 OK: Token accepted from 127.0.0.1
××¢×š× ×Öž× ×Ö·××¥ ××× ××× ××× ××ך ×§×¢× ×¢× ×€×Ö·×š×¢× ××ק×
שך×× 5: ק×Ö·× ×€×××עך Cisco ASA
××Öž××ך ש××××¢× ×Ö·× ××ך ××Öž×× ×©××× ×Ö· ק×Ö·× ×€××××¢×š× ×ך×׀֌ע ××× ×€ÖŒ×Ö·××ַס×× ×€Ö¿×ַך ×ַקסעס ×××š× SLL VPN, ק×Ö·× ×€××××¢×š× ××× ×§×Ö·× ××ש×Ö·× ×קש×Ö·× ××× ×ַק×××× Directory, ××× ××ך ××Ö·×š×€Ö¿× ×Š× ××××× ×Š××××-×€×ַק××֞ך ×Öž××¢× ××ַק××ש×Ö·× ×€Ö¿×ַך ××¢× ×€ÖŒ×š×Öž×€××.
1. ×××× ×Ö· × ××Ö·×¢ AAA סעך××עך ×ך×׀֌ע:
2. ×××× ××× ××עך ××××××Öž××€ÖŒ סעך××עך ×Š× ×עך ×ך×׀֌ע:
3. ××ך ךע××Ö·×××š× ×§×©×š ׀֌ך×Öž×€××, ××ַש××¢×××§× ×× ×ַק×××××¢ Directory סעך××עך ×ך×׀֌ע ××× ×× ××××€ÖŒ× ×Öž××¢× ××ַק××ש×Ö·× ×¡×¢×š××עך:
4. ××× ×× ×§××××× ×Ö·×××Ö·× ×¡×ך××¢ -> ×Öž××¢× ××ַק××ש×Ö·× ××ך ×××× ×××סק×××Ö·×× ×× ×ַק×××××¢ Directory סעך××עך ×ך×׀֌ע:
5. ××× ×× ×§××××× ×Ö·×××Ö·× ×¡×ך××¢ -> ׊××××××ק ×Öž××¢× ××ַק××ש×Ö·×, ×××סק×××Ö·×× ×× ××ש××€× ×¡×¢×š××עך ×ך×׀֌ע ××× ×××֞ס ×× ××××××Öž××€ÖŒ סעך××עך ××× ×š×¢××ס×ך×ך×. ××Ö·×עךק×× × ×Ö·× ×× ×¡×¢×¡××¢ × ×××¢× ××× ×× ×עך×Ö·××× ×€×× ×× ×¢×š×©××ק ×Ö·×Ö·×Ö· סעך××עך ×ך×׀֌ע:
׊×××××× ×× ×¡×¢×××× ×ס ×××
שך×× 6, ×××× ×× ×ע׊××¢
××Öž××ך ק×Öž× ×ך×Öž×××š× ×××× ×Š××××-×€×ַק××֞ך ×Öž××¢× ××ַק××ש×Ö·× ×ַך××¢× ×€Ö¿×ַך SLL VPN:
×××Öž×××Ö·! ×××¢× ×§×Ö·× ×¢×§××× × ×××š× Cisco AnyConnect VPN ק×××¢× ×, ××ך ×××¢× ×××× ×××× ××¢××¢×× ×€Ö¿×ַך ×Ö· ׊××××× ××××-׊××Ö·× ×€ÖŒ×ַך×Öž×.
××× ××Öž×€Ö¿× ×Ö·× ×עך ×ַך×××§× ×××¢× ××¢××€Ö¿× ×¢×ע׊עך, ××× ×Ö·× ×¢×¡ ×××¢× ××¢×× ×¢×ע׊עך ×Š× ×ך×Ö·××× ×××¢×× ××× ×Š× × ××Š× ××¢×, ׀ך×× ×Öž××€ÖŒ סעך××עך, ×€Ö¿×ַך ×× ×עךע ××ַסקס. ××Ö·× ××××× ××× ×× ××Ö·×עךק×× ××¢× ×××× ××ך ×××××.
×ק×ך: www.habr.com