Freeradius + Google Authenticator + LDAP + Fortigate

What do you do when two-factor authentication is both wanted and painful, there is no budget for hardware tokens, and management's general advice is to hang in there and keep smiling?

This solution is nothing terribly original; it is rather a compilation of various pieces found on the Internet.

So, given:

  • An Active Directory domain.
  • Domain users working over VPN, as many do these days.
  • Fortigate acts as the VPN gateway.
  • Saving the password in the VPN client is prohibited by security policy.

Fortinet's policy regarding its own tokens can only be called stingy: a whole 10 free tokens, and the rest at a decidedly non-kosher price. I did not consider RSA SecurID, Duo and the like, because I wanted open source.

Prerequisites: a *nix host with freeradius installed and sssd joined to the domain, so that domain users can authenticate on it without trouble.

Additional packages: shellinabox, figlet, freeradius-ldap, and the rebel.tlf font from the repository https://github.com/xero/figlet-fonts.

In my example, CentOS 7.8.

The intended logic is this: when connecting to the VPN, the user enters their domain login and an OTP in place of the password.

Setting up the services

In /etc/raddb/radiusd.conf only the user and group under which freeradius runs are changed, because the radiusd service has to read the .google_authenticator file in every directory under /home/. The cost is that radiusd now runs as root with access to every user's home directory, so this host should do nothing besides RADIUS.

user = root
group = root

To use groups in the Fortigate configuration, a Vendor Specific Attribute has to be passed to it. For this I created a file in the raddb/policy.d directory with the following content (Reply-Message belongs in the reply list; placed in the control list it is never sent to the client):

group_authorization {
    if (&LDAP-Group[*] == "CN=vpn_admins,OU=vpn-groups,DC=domain,DC=local") {
        update reply {
            &Fortinet-Group-Name = "vpn_admins"
            &Reply-Message := "Welcome Admin"
        }
        update control {
            &Auth-Type := PAM
        }
    }
    else {
        update reply {
            &Reply-Message := "Not authorized for vpn"
        }
        reject
    }
}

After installing freeradius-ldap, the file ldap appears in the raddb/mods-available directory.

A symbolic link to it has to be created in the raddb/mods-enabled directory:

ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap

I brought its contents to the following form:

ldap {
        # As written this is plain ldap:// on port 389: the bind password below
        # and, in the challenge-response variant at the end of this article,
        # every user's domain password cross the network unencrypted. Outside
        # a lab use ldaps:// here or enable start_tls in a tls {} subsection.
        server = 'domain.local'
        identity = 'CN=freerad_user,OU=users,DC=domain,DC=local'
        password = "SupeSecretP@ssword"
        base_dn = 'dc=domain,dc=local'
        sasl {
        }
        user {
                base_dn = "${..base_dn}"
                filter = "(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
                sasl {
                }
                scope = 'sub'
        }
        group {
                base_dn = "${..base_dn}"
                filter = '(objectClass=Group)'
                scope = 'sub'
                name_attribute = cn
                membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
                membership_attribute = 'memberOf'
        }
}

In the files raddb/sites-enabled/default and raddb/sites-enabled/inner-tunnel, in the authorize section, I added the name of the policy to apply: group_authorization. An important point: the policy name is not taken from the file name in the policy.d directory but from the identifier inside the file, before the curly braces.
In the authenticate section of the same files the pam line has to be uncommented.

In clients.conf, set the parameters the Fortigate will connect with:

client fortigate {
    ipaddr = 192.168.1.200
    # testing123 is the FreeRADIUS sample secret; use a long random one in production
    secret = testing123
    require_message_authenticator = no
    nas_type = other
}

Configuration of the pam.d/radiusd service:

#%PAM-1.0
# pam_google_authenticator checks the OTP that arrives in the password field.
# "sufficient" ends the auth stack on a valid OTP; a failed OTP falls through
# to password-auth, which then also accepts the account's regular password
# via sssd. Make the module "required" and drop the include below if only
# the OTP must ever be accepted.
auth       sufficient   pam_google_authenticator.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    include      password-auth

The default freeradius + google authenticator bundle asks the user to enter credentials in the format username / password+OTP.

Imagining the number of curses that would land on my head with the default freeradius + Google Authenticator bundle, I decided to configure the pam module so that only the Google Authenticator token is checked.

When a user connects, the following happens:

  • Freeradius checks that the user exists in the domain and is a member of the group and, if so, checks the OTP token.

Everything was fine until the moment I wondered: "How do I enrol OTPs for 300+ users?"

A user has to log in to the server running freeradius and, under their own account, run the google-authenticator utility, which generates the QR code for the app. This is where shellinabox combined with .bash_profile comes to the rescue.

[root@freeradius ~]# yum install -y shellinabox

The daemon configuration file is /etc/sysconfig/shellinabox.
There I set port 443; you can also specify your own certificate.

[root@freeradius ~]# systemctl enable --now shellinaboxd

All the user has to do is follow the link, enter their domain credentials and receive a QR code for the app.

The algorithm is as follows:

  • The user logs in to the machine through a browser.
  • It is checked whether the user is a domain user. If not, nothing is done.
  • If the user is a domain user, membership in the admins group is checked.
  • If not an admin, it is checked whether Google Authenticator is already configured. If not, a QR code is generated and the user is logged out.
  • If not an admin and Google Authenticator is already configured, the user is simply logged out.
  • If an admin, Google Authenticator is checked the same way. If it is not configured, a QR code is generated.

All of this logic lives in /etc/skel/.bash_profile. Note that narrowing PATH only hides commands from ordinary users; absolute paths and shell builtins still work, so this is a convenience for enrolment, not a security boundary.

cat /etc/skel/.bash_profile

# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi

# User specific environment and startup programs
# Expose only a handful of commands to non-admin and non-local users

if [[ -z $(id "$USER" | grep "admins") || -z $(grep "^$USER:" /etc/passwd) ]]
  then
    [[ ! -d $HOME/bin ]] && mkdir "$HOME/bin"
    [[ ! -f $HOME/bin/id ]] && ln -s /usr/bin/id "$HOME/bin/id"
    [[ ! -f $HOME/bin/google-auth ]] && ln -s /usr/bin/google-authenticator "$HOME/bin/google-auth"
    [[ ! -f $HOME/bin/grep ]] && ln -s /usr/bin/grep "$HOME/bin/grep"
    [[ ! -f $HOME/bin/figlet ]] && ln -s /usr/bin/figlet "$HOME/bin/figlet"
    [[ ! -f $HOME/bin/rebel.tlf ]] && ln -s /usr/share/figlet/rebel.tlf "$HOME/bin/rebel.tlf"
    [[ ! -f $HOME/bin/sleep ]] && ln -s /usr/bin/sleep "$HOME/bin/sleep"
    # Set PATH to <home directory>/bin only
    PATH=$HOME/bin
    export PATH
  else
    PATH=$PATH:$HOME/.local/bin:$HOME/bin
    export PATH
fi

# Show the instructions and enrol the user. google-authenticator flags:
# -f force, -t time-based, -w 3 window of three codes, -r 3 -R 30 at most
# three attempts per 30 s, -d disallow reuse of a code, -e 1 one scratch code.
gauth_setup() {
    figlet -t -f "$HOME/bin/rebel.tlf" "Welcome to Company GAuth setup portal"
    sleep 1.5
    echo "Please, run any of these software on your device, where you would like to setup OTP:
Google Authenticator:
AppStore - https://apps.apple.com/us/app/google-authenticator/id388497605
Play Market - https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
FreeOTP:
AppStore - https://apps.apple.com/us/app/freeotp-authenticator/id872559395
Play Market - https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=en

And prepare to scan QR code.

"
    sleep 5
    google-auth -f -t -w 3 -r 3 -R 30 -d -e 1
    echo "Congratulations, now you can use an OTP token from application as a password connecting to VPN."
}

if [[ -n $(id "$USER" | grep "domain users") ]]
  then
    if [[ ! -e $HOME/.google_authenticator ]]
      then
        gauth_setup
        # admins keep their shell; everybody else is logged out after enrolment
        if [[ -z $(id "$USER" | grep "admins") ]]
          then
            logout
        fi
      else
        echo "You have already setup a Google Authenticator"
        if [[ -z $(id "$USER" | grep "admins") ]]
          then
            logout
        fi
    fi
  else
    echo "You don't need to set up a Google Authenticator"
fi
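As an added example (not code from the article), the Python below re-implements the check that pam_google_authenticator performs against ~/.google_authenticator, so that the effect of the `-t -w 3 -d -e 1` flags passed to google-auth in the profile above, and what exactly FreeRADIUS ends up verifying when "only the Google Authenticator token is checked", can be seen offline. The file contents, the base32 secret (an RFC test vector) and the timestamps are constructed for the example; the window and reuse-tracking semantics follow the module's behaviour as I understand it, and rate limiting (`-r`/`-R`) is deliberately left out.

```python
import base64
import hashlib
import hmac
import struct

STEP, DIGITS = 30, 6           # RFC 6238 defaults, which the PAM module uses for -t

# Constructed sample of what `google-authenticator -f -t -w 3 -r 3 -R 30 -d -e 1`
# writes to ~/.google_authenticator: base32 secret, '" ' option lines, and the
# emergency scratch codes (-e 1 leaves one). The secret is a well-known test vector.
SAMPLE_FILE = (
    "JBSWY3DPEHPK3PXP\n"
    '" RATE_LIMIT 3 30\n'
    '" WINDOW_SIZE 3\n'
    '" DISALLOW_REUSE\n'
    '" TOTP_AUTH\n'
    "12345678\n"
)

def parse_state(text):
    lines = [l for l in text.splitlines() if l.strip()]
    st = {"secret": lines[0], "window": 3, "used": None, "rate_limit": None, "scratch": []}
    for line in lines[1:]:
        if not line.startswith('" '):
            st["scratch"].append(line)
            continue
        key, *args = line[2:].split()
        if key == "WINDOW_SIZE":
            st["window"] = int(args[0])
        elif key == "DISALLOW_REUSE":           # time steps already consumed
            st["used"] = [int(a) for a in args]
        elif key == "RATE_LIMIT":
            st["rate_limit"] = (int(args[0]), int(args[1]))
    return st

def render_state(st):
    lines = [st["secret"]]
    if st["rate_limit"]:
        lines.append('" RATE_LIMIT %d %d' % st["rate_limit"])
    lines.append('" WINDOW_SIZE %d' % st["window"])
    if st["used"] is not None:
        lines.append('" DISALLOW_REUSE' + "".join(" %d" % t for t in st["used"]))
    lines.append('" TOTP_AUTH')
    return "\n".join(lines + st["scratch"]) + "\n"

def hotp(secret_b32, counter):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation to DIGITS."""
    mac = hmac.new(base64.b32decode(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (DIGITS, code % 10 ** DIGITS)

def totp(secret_b32, unix_time):
    return hotp(secret_b32, unix_time // STEP)

def verify(text, code, unix_time):
    """Return (accepted, new file text). Accepts an unused scratch code, or a TOTP
    within the WINDOW_SIZE steps centred on now; with DISALLOW_REUSE each step is
    accepted once and the file records it. Rate limiting is left out."""
    st = parse_state(text)
    if code in st["scratch"]:
        st["scratch"].remove(code)              # scratch codes burn on use
        return True, render_state(st)
    now = unix_time // STEP
    half = (st["window"] - 1) // 2              # -w 3 -> steps now-1, now, now+1
    for step in range(now - half, now - half + st["window"]):
        if hotp(st["secret"], step) != code:
            continue
        if st["used"] is not None:
            if step in st["used"]:
                return False, text              # replay of a code already accepted
            st["used"] = [t for t in st["used"] if t >= now - half] + [step]
        return True, render_state(st)
    return False, text
```

Two things worth noticing: the file is rewritten on every successful check, which is why radiusd needs write access to every home directory and not just read access, and with `-w 3` a code stays valid for up to 90 seconds, which is the window a shoulder-surfed or intercepted OTP can be replayed in if `-d` were omitted.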

Fortigate settings:

  • Create the RADIUS server.
  • Create the necessary groups if access control by group is wanted. The group name on the Fortigate must match the group passed in the Fortinet-Group-Name Vendor Specific Attribute.
  • Edit the required SSL portal.
  • Add the groups to the policies.

Advantages of this solution:

  • OTP authentication on the Fortigate with an open-source solution.
  • The user does not type the domain password when connecting over VPN, which simplifies the connection a little. A 6-digit code is easier to enter than a password that satisfies the security policy. As a result, the number of tickets titled "I can't connect to the VPN" goes down.

Note that in this first variant the domain password is never checked at all: the OTP replaces it, so what we have is single-factor OTP authentication rather than two-factor.

PS. We plan to upgrade this to full two-factor authentication with challenge-response.

Update:

As promised, I reworked it into the challenge-response variant.
So:
In /etc/raddb/sites-enabled/default the authorize section now looks like this:

authorize {
    filter_username
    preprocess
    auth_log
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    files
    -sql
    #-ldap
    expiration
    logintime
    if (!State) {
        # First round, no State yet: the password field carries the domain
        # password, so force an LDAP bind as that user. This works against AD
        # because it accepts the plain account name as a bind name; another
        # directory would need the user's DN here.
        if (&User-Password) {
            update control {
                Ldap-UserDN := "%{User-Name}"
                Auth-Type := LDAP
            }
        }
        else {
            reject
        }
    }
    else {
        # Second round, State echoed back by the Fortigate: the password
        # field carries the OTP. group_authorization checks the LDAP group
        # and sets Auth-Type := PAM.
        group_authorization
    }
    pap
}

The authenticate section now looks like this:

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        mschap
        digest
        # Round 1: authenticate with a direct LDAP bind as the user
        Auth-Type LDAP {
                ldap
                if (ok) {
                        update reply {
                                # Random State the client must echo in round 2
                                State := "%{randstr:aaaaaaaaaaaaaaaa}"
                                Reply-Message := "Please enter OTP"
                        }
                        # Return Access-Challenge instead of Access-Accept
                        challenge
                }
        }
        # Round 2 (Auth-Type PAM set by group_authorization): the OTP is
        # passed to pam_google_authenticator through pam.d/radiusd
        pam
        eap
}

User authentication now follows this algorithm:

  • The user enters their domain credentials in the VPN client.
  • Freeradius checks the account and password with an LDAP bind.
  • If the password is correct, an Access-Challenge asking for the token is sent back.
  • The token is verified.
  • Profit.
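The two-round exchange described above, as an added example rather than code from the article: a minimal RADIUS client and server in Python built only from RFC 2865 packet encoding, so the PAP password obfuscation, the State round trip and the Fortinet-Group-Name VSA can be inspected offline. The directory, OTP values and user names are constructed stand-ins for the LDAP bind, the PAM check and the group_authorization policy on this page; the shared secret `testing123` is the one from clients.conf above, and the vendor id 12356 with attribute number 1 come from FreeRADIUS's dictionary.fortinet.

```python
import hashlib
import os
import struct

# RADIUS codes and attribute types used in the flow above (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE, VENDOR_SPECIFIC = 1, 2, 18, 24, 26
FORTINET_VENDOR_ID, FORTINET_GROUP_NAME = 12356, 1        # dictionary.fortinet
SECRET = b"testing123"                                    # secret from clients.conf above

def encode(code, ident, authenticator, attrs):
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack(">BBH", code, ident, 20 + len(body)) + authenticator + body

def decode(pkt):
    code, ident, length = struct.unpack(">BBH", pkt[:4])
    attrs, pos = [], 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, pkt[4:20], attrs

def pap_encrypt(password, req_auth, secret=SECRET):
    """RFC 2865 5.2: XOR 16-byte blocks with an MD5 chain over secret + previous block."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def pap_decrypt(cipher, req_auth, secret=SECRET):
    out, prev = b"", req_auth
    for i in range(0, len(cipher), 16):
        out += bytes(x ^ y for x, y in zip(cipher[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

def response_authenticator(code, ident, req_auth, attrs, secret=SECRET):
    # MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)
    return hashlib.md5(encode(code, ident, req_auth, attrs) + secret).digest()

def fortinet_group_vsa(name):
    inner = struct.pack("BB", FORTINET_GROUP_NAME, len(name) + 2) + name
    return (VENDOR_SPECIFIC, struct.pack(">I", FORTINET_VENDOR_ID) + inner)

# Server side: stands in for the authorize/authenticate sections. The directory
# and OTP tables are constructed for the example (LDAP bind and PAM in reality).
DIRECTORY = {b"jdoe": (b"Dom@inPassw0rd", "vpn_admins"), b"jsmith": (b"Other-Pass1", "staff")}
VALID_OTP = {b"jdoe": b"123456", b"jsmith": b"654321"}
PENDING = {}                                              # State -> user awaiting OTP

def server_handle(pkt):
    code, ident, req_auth, attrs = decode(pkt)
    a = dict(attrs)
    user, pw = a.get(USER_NAME), pap_decrypt(a[USER_PASSWORD], req_auth)
    if STATE not in a:                                    # round 1: LDAP bind
        if user not in DIRECTORY or DIRECTORY[user][0] != pw:
            reply, rattrs = ACCESS_REJECT, [(REPLY_MESSAGE, b"Bad credentials")]
        else:
            state = os.urandom(16)                        # the randstr State above
            PENDING[state] = user
            reply, rattrs = ACCESS_CHALLENGE, [(STATE, state), (REPLY_MESSAGE, b"Please enter OTP")]
    else:                                                 # round 2: group_authorization + PAM
        if PENDING.pop(a[STATE], None) != user or VALID_OTP.get(user) != pw:
            reply, rattrs = ACCESS_REJECT, [(REPLY_MESSAGE, b"Bad OTP")]
        elif DIRECTORY[user][1] != "vpn_admins":
            reply, rattrs = ACCESS_REJECT, [(REPLY_MESSAGE, b"Not authorized for vpn")]
        else:
            reply, rattrs = ACCESS_ACCEPT, [fortinet_group_vsa(b"vpn_admins"), (REPLY_MESSAGE, b"Welcome Admin")]
    return encode(reply, ident, response_authenticator(reply, ident, req_auth, rattrs), rattrs)

# Client side: what the Fortigate sends and checks.
def client_request(ident, user, password_field, state=None):
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, user), (USER_PASSWORD, pap_encrypt(password_field, req_auth))]
    if state is not None:
        attrs.append((STATE, state))                      # echo State back unchanged
    return encode(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def client_check(reply, req_auth):
    code, ident, resp_auth, attrs = decode(reply)
    if response_authenticator(code, ident, req_auth, attrs) != resp_auth:
        raise ValueError("response authenticator mismatch: wrong secret or forged reply")
    return code, dict(attrs)

def vpn_login(user, password, otp):
    """Both rounds; returns (final code, attributes) as the Fortigate sees them."""
    req, ra = client_request(1, user, password)
    code, a = client_check(server_handle(req), ra)
    if code != ACCESS_CHALLENGE:
        return code, a
    req, ra = client_request(2, user, otp, state=a[STATE])
    return client_check(server_handle(req), ra)

if __name__ == "__main__":
    print(vpn_login(b"jdoe", b"Dom@inPassw0rd", b"123456"))
```

The round-1 password and the round-2 OTP travel in the same User-Password attribute, protected only by the MD5-based PAP obfuscation keyed with the shared secret, which is why the secret in clients.conf should not stay at the sample value and why the RADIUS leg between the Fortigate and this host belongs on a management network.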

Source: www.habr.com
