Moving to 2FA (Two-Factor Authentication for ASA SSL VPN)

The need to provide remote access to the corporate environment arises more and more often, regardless of whether it is users or partners who need access to a particular server in your organization.

For these purposes, most companies use VPN technology, which has proven itself to be a reliable and secure way of providing access to the organization's local resources.

My company is no exception, and we, like many others, use this technology. And, like many others, we use a Cisco ASA 55xx as the remote access gateway.

As the number of remote users grows, there is a need to simplify the process of issuing credentials. But at the same time, this must be done without compromising security.

For ourselves, we found a solution in using two-factor authentication for connecting through Cisco SSL VPN, using one-time passwords. And this publication will tell you how to set up such a solution with minimal time and zero cost for the necessary software (provided that you already have a Cisco ASA in your infrastructure).

The market is full of boxed solutions for generating one-time passwords, offering many options for obtaining them, whether sending the password via SMS or using tokens, both hardware and software (for example, on a mobile phone). But the desire to save money, and the desire to save money for my employer in the current crisis, forced me to find a free way to implement a service for generating one-time passwords. One which, while free, is not much inferior to commercial solutions (here a reservation should be made: this product also has a commercial version, but we agree that our costs, in money, will be zero).

So, we will need:

- A Linux image with the tools built in - multiOTP, FreeRADIUS and nginx, for access to the server via the web interface (http://download.multiotp.net/ - I used the ready-made image for VMware)
- An Active Directory server
- The Cisco ASA itself (for convenience, I used ASDM)
- Any software token that supports the TOTP mechanism (I, for example, used Google Authenticator, but FreeOTP would do just as well)

I will not go into the details of how the image is deployed. As a result, you get Linux Debian with multiOTP and FreeRADIUS already installed, configured to work together, and a web interface for OTP administration.

Step 1. Start the system and configure it for your network
By default, the system comes with the credentials root / root. I think everyone realizes that it would be a good idea to change the root user's password after the first login. You also need to change the network settings (by default it is '192.168.1.44' with gateway '192.168.1.1'). Then you can reboot the system.

Let's create a user otp in Active Directory, with the password MySuperPassword.

Step 2. Set up the connection and import Active Directory users
To do this, we need access to the console, and directly to the multiotp.php file, with which we will configure the connection settings to Active Directory.

Go to the directory /usr/local/bin/multiotp/ and run the following commands in turn:

./multiotp.php -config default-request-prefix-pin=0

Determines whether an additional (permanent) PIN is required when entering the one-time PIN (0 or 1)

./multiotp.php -config default-request-ldap-pwd=0

Determines whether the domain password is required when entering the one-time PIN (0 or 1)

./multiotp.php -config ldap-server-type=1

Specifies the LDAP server type (0 = regular LDAP server, in our case 1 = Active Directory)

./multiotp.php -config ldap-cn-identifier="sAMAccountName"

Specifies the format in which the user name is presented (this value gives only the name, without the domain)

./multiotp.php -config ldap-group-cn-identifier="sAMAccountName"

The same, only for a group

./multiotp.php -config ldap-group-attribute="memberOf"

Specifies the method of determining whether a user belongs to a group

./multiotp.php -config ldap-ssl=1

Whether to use a secure connection to the LDAP server (of course - yes!)

./multiotp.php -config ldap-port=636

The port for connecting to the LDAP server

./multiotp.php -config ldap-domain-controllers=adSRV.domain.local

The address of your Active Directory server

./multiotp.php -config ldap-base-dn="CN=Users,DC=domain,DC=local"

Specifies where to start searching for users in the domain

./multiotp.php -config ldap-bind-dn="[email protected]"

Specifies a user that has search rights in Active Directory

./multiotp.php -config ldap-server-password="MySuperPassword"

Specifies that user's password for connecting to Active Directory

./multiotp.php -config ldap-network-timeout=10

Sets the timeout for connecting to Active Directory

./multiotp.php -config ldap-time-limit=30

Sets the time limit for the user import operation

./multiotp.php -config ldap-activated=1

Activates the configured Active Directory connection

./multiotp.php -debug -display-log -ldap-users-sync

Imports the users from Active Directory

Step 3. Generate a QR code for the token
Everything here is extremely simple. Open the OTP server's web interface in a browser, log in (don't forget to change the default administrator password!), and click the "Print" button:

The result of this action is a page containing two QR codes. We boldly ignore the first of them (despite the attractive heading Google Authenticator / Authenticator / 2 Steps Authenticator), and just as boldly scan the second code into the software token on the phone:

(yes, I deliberately spoiled the QR code to make it unreadable).

After completing these actions, a six-digit password will start being generated in your application every thirty seconds.

To be sure, you can check it in the same interface:

by entering your user name and the one-time password from the application on your phone. Got a positive response? Then let's move on.

Step 4. Additional configuration and testing of the FreeRADIUS service
As I said above, multiOTP is already configured to work with FreeRADIUS; all that remains is to run the tests and add information about our VPN gateway to the FreeRADIUS configuration file.

Return to the server console, to the directory /usr/local/bin/multiotp/, and enter:

./multiotp.php -config debug=1
./multiotp.php -config display-log=1

to enable more detailed logging.

In the FreeRADIUS clients configuration file (/etc/freeradius/clients.conf) comment out all lines related to localhost and add two entries:

client localhost {
        ipaddr = 127.0.0.1
        secret          = testing321
        require_message_authenticator = no
}

- for testing

client 192.168.1.254/32 {
        shortname =     CiscoASA
        secret =        ConnectToRADIUSSecret
}

- for our VPN gateway.

Restart FreeRADIUS and try to log in:

radtest username 100110 localhost 1812 testing321

where username = the user name, 100110 = the password given to us by the application on the phone, localhost = the RADIUS server address, 1812 = the RADIUS server port, testing321 = the RADIUS client secret (which we specified in the configuration).

The output of this command will look approximately like this:

Sending Access-Request of id 44 to 127.0.0.1 port 1812
        User-Name = "username"
        User-Password = "100110"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 1812
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=44, length=20
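To see what the shared secret from clients.conf actually protects in the exchange above, here is an added example that is not code from the article or from FreeRADIUS: it builds the same Access-Request (RFC 2865, PAP), hides User-Password with the secret and Request Authenticator, appends the Message-Authenticator HMAC-MD5 (the all-zero value printed by radtest is the placeholder over which that HMAC is computed), and then constructs and verifies the 20-byte Access-Accept the server answers with. The 16-byte authenticator, the secret testing321 and the attribute values are taken from or modelled on the page's radtest output; function names are the example's own.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, MESSAGE_AUTHENTICATOR = 1, 2, 4, 5, 80


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; each block is XORed with
    MD5(secret + previous ciphertext block), the Request Authenticator
    standing in as the 'previous block' for the first one."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server does it; padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(kind: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("BB", kind, len(value) + 2) + value


def build_access_request(ident: int, authenticator: bytes, username: str, password: str,
                         secret: bytes, nas_ip: str = "127.0.1.1", nas_port: int = 1812) -> bytes:
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT, struct.pack(">I", nas_port)))
    # Message-Authenticator = HMAC-MD5(secret, packet with the attribute zeroed).
    with_placeholder = attrs + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(with_placeholder)) + authenticator
    mac = hmac.new(secret, header + with_placeholder, hashlib.md5).digest()
    return header + attrs + attr(MESSAGE_AUTHENTICATOR, mac)


def parse_attrs(packet: bytes) -> dict:
    """Return {type: (offset_of_value, value)} for the attributes after the 20-byte header."""
    found, pos = {}, 20
    while pos + 2 <= len(packet):
        kind, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            break                                   # malformed; stop parsing
        found[kind] = (pos + 2, packet[pos + 2:pos + length])
        pos += length
    return found


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server-side check that the client knows the shared secret."""
    entry = parse_attrs(packet).get(MESSAGE_AUTHENTICATOR)
    if entry is None or len(entry[1]) != 16:
        return False
    start, given = entry
    zeroed = packet[:start] + b"\x00" * 16 + packet[start + 16:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), given)


def password_from_request(packet: bytes, secret: bytes) -> bytes:
    return reveal_password(parse_attrs(packet)[USER_PASSWORD][1], secret, packet[4:20])


def build_response(code: int, ident: int, request_authenticator: bytes,
                   secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack(">BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_authenticator + attrs + secret).digest() + attrs


def verify_response(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Client-side check that the Access-Accept came from a holder of the secret."""
    head, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(head + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


if __name__ == "__main__":
    secret, authenticator = b"testing321", bytes(range(16))   # constructed, not random
    req = build_access_request(44, authenticator, "username", "100110", secret)
    print("request bytes:", len(req), "password recovered:", password_from_request(req, secret))
    accept = build_response(ACCESS_ACCEPT, 44, authenticator, secret)
    print("Access-Accept length:", len(accept), "valid:", verify_response(accept, authenticator, secret))
```

Both checks hinge on the shared secret alone, which is why the ConnectToRADIUSSecret value for the ASA entry deserves the same care as a password, and why `require_message_authenticator = no` is acceptable only for the loopback test client.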

Now we need to make sure that the user was successfully authenticated. To do this, we look at the log of multiotp itself:

tail /var/log/multiotp/multiotp.log

And if the last entries are:

2016-09-01 08:58:17     notice  username  User    OK: User username successfully logged in from 127.0.0.1
2016-09-01 08:58:17     debug           Debug   Debug: 0 OK: Token accepted from 127.0.0.1

then everything went well and this step is complete.

Step 5: Configure the Cisco ASA
Let's assume that we already have a group and policies configured for access via SSL VPN, set up in conjunction with Active Directory, and we need to add two-factor authentication to this profile.

1. Add a new AAA server group:

2. Add our multiOTP server to the group:

3. Edit the connection profile, setting the Active Directory server group as the primary authentication server:

4. In the Advanced -> Authentication tab, also select the Active Directory server group:

5. In the Advanced -> Secondary Authentication tab, select the newly created server group in which the multiOTP server is registered. Note that the session user name is inherited from the primary AAA server group:

Apply the settings and

Step 6, aka the last one
Let's check whether two-factor authentication works for SSL VPN:

Voila! When connecting through the Cisco AnyConnect VPN Client, you are asked a second time, for a one-time password.

I hope this article helps someone, and gives someone food for thought on how to use this free OTP server for other tasks. Share in the comments if you like.

Source: www.habr.com
