A story for the case where two-factor authentication is wanted and has become a thorny issue, but there is no money for hardware tokens, and in general those tend to stay in good condition.
This solution is not particularly original; it is a combination of various solutions found on the internet.
So, given:
An Active Directory domain.
Domain users who work over VPN, as many do today.
The VPN gateway is a Fortigate.
Saving the password in the VPN client is prohibited by the security policy.
Fortinet's policy on its own tokens cannot be called anything short of stingy: there are 10 free tokens, the rest come at a price that is not very kosher. I did not consider RSA SecurID, Duo and the like, because I want open source.
Required: a *nix host with freeradius installed and sssd joined to the domain, so that domain users can authenticate on it without trouble.
Additional packages: shellinabox, figlet, freeradius-ldap, and the rebel.tlf font from the repository.
In my example: CentOS 7.8.
The logic should be as follows: when connecting to the VPN, the user must enter the domain login and an OTP instead of the password.
Setting up services
In /etc/raddb/radiusd.conf only the user and group under which freeradius starts are changed, because the radiusd service must be able to read files in all subdirectories of /home/.
user = root
group = root
To be able to use groups in the Fortigate settings, a Vendor Specific Attribute has to be passed. To do this, in the raddb/policy.d directory I create a file with the following content:
group_authorization {
    if (&LDAP-Group[*] == "CN=vpn_admins,OU=vpn-groups,DC=domain,DC=local") {
        update reply {
            &Fortinet-Group-Name = "vpn_admins"
        }
        update control {
            &Auth-Type := PAM
            &Reply-Message := "Welcome Admin"
        }
    }
    else {
        update reply {
            &Reply-Message := "Not authorized for vpn"
        }
        reject
    }
}
After installing freeradius-ldap, the ldap file is created in the raddb/mods-available directory.
You need to create a symbolic link to it in the raddb/mods-enabled directory:
ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap
I bring its content to the following form:
ldap {
    server = 'domain.local'
    identity = 'CN=freerad_user,OU=users,DC=domain,DC=local'
    password = "SupeSecretP@ssword"
    base_dn = 'dc=domain,dc=local'
    sasl {
    }
    user {
        base_dn = "${..base_dn}"
        filter = "(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
        sasl {
        }
        scope = 'sub'
    }
    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=Group)'
        scope = 'sub'
        name_attribute = cn
        membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
        membership_attribute = 'memberOf'
    }
}
In the files raddb/sites-enabled/default and raddb/sites-enabled/inner-tunnel, in the authorize section, I add the name of the policy to be used: group_authorization. An important point: the policy name is determined not by the file name in the policy.d directory, but by the directive inside the file, before the curly braces.
In the authenticate section of the same files, you need to uncomment the pam line.
In the clients.conf file, define the parameters with which the Fortigate will connect:
client fortigate {
    ipaddr = 192.168.1.200
    secret = testing123
    require_message_authenticator = no
    nas_type = other
}
Configuration of the pam.d/radiusd module:
#%PAM-1.0
auth sufficient pam_google_authenticator.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
session include password-auth
The default options of the freeradius + google-authenticator bundle require the user to enter credentials in the format username/password+OTP.
Considering how many curses would land on my head if the default freeradius + Google Authenticator bundle were used, it was decided to configure the pam module so that only the Google Authenticator token is checked.
When a user connects, the following happens:
- Freeradius checks that the user exists in the domain and belongs to a particular group and, if that succeeds, checks the OTP token.
Everything looked fine until I thought: "How do I enroll OTP for 300+ users?"
The user has to log in to the server running freeradius under their own account and run the Google Authenticator program, which will generate a QR code for the user's app. This is where shellinabox together with .bash_profile comes to the rescue.
[root@freeradius ~]# yum install -y shellinabox
The daemon's configuration file is located at /etc/sysconfig/shellinabox.
I specify port 443 there; you can also specify your own certificate.
[root@freeradius ~]# systemctl enable --now shellinaboxd
The user only needs to follow the link, enter their domain credentials and receive a QR code for the app.
The algorithm is as follows:
- The user logs in to the machine through the browser.
- It is checked whether the user is a domain user. If not, nothing is done.
- If the user is a domain user, membership in the Administrators group is checked.
- If not an administrator, it checks whether Google Authenticator is already set up. If not, a QR code is generated and the user is logged out.
- If not an administrator and Google Authenticator is already set up, the user is simply logged out.
- If an administrator, Google Authenticator is checked as well. If it is not configured, a QR code is generated.
All the logic is implemented via /etc/skel/.bash_profile.
cat /etc/skel/.bash_profile
# .bash_profile
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
    . ~/.bashrc
fi
# User specific environment and startup programs
# Make only a handful of commands available from the user shell:
# a user who is not an admin, or who has no local account in /etc/passwd,
# gets a private bin/ of symlinks and nothing else on PATH
if [[ -z $(id $USER | grep "admins") || -z $(grep "^$USER:" /etc/passwd) ]]
then
    [[ ! -d $HOME/bin ]] && mkdir $HOME/bin
    [[ ! -f $HOME/bin/id ]] && ln -s /usr/bin/id $HOME/bin/id
    [[ ! -f $HOME/bin/google-auth ]] && ln -s /usr/bin/google-authenticator $HOME/bin/google-auth
    [[ ! -f $HOME/bin/grep ]] && ln -s /usr/bin/grep $HOME/bin/grep
    [[ ! -f $HOME/bin/figlet ]] && ln -s /usr/bin/figlet $HOME/bin/figlet
    [[ ! -f $HOME/bin/rebel.tlf ]] && ln -s /usr/share/figlet/rebel.tlf $HOME/bin/rebel.tlf
    [[ ! -f $HOME/bin/sleep ]] && ln -s /usr/bin/sleep $HOME/bin/sleep
    # Set PATH env to <home user directory>/bin
    PATH=$HOME/bin
    export PATH
else
    PATH=$PATH:$HOME/.local/bin:$HOME/bin
    export PATH
fi
# Enrollment: only domain users get here; admins keep their shell afterwards,
# everyone else is logged out as soon as the QR code has been shown
if [[ -n $(id $USER | grep "domain users") ]]
then
    if [[ ! -e $HOME/.google_authenticator ]]
    then
        if [[ -n $(id $USER | grep "admins") ]]
        then
            figlet -t -f $HOME/bin/rebel.tlf "Welcome to Company GAuth setup portal"
            sleep 1.5
            echo "Please, run any of these software on your device, where you would like to setup OTP:
Google Authenticator:
AppStore - https://apps.apple.com/us/app/google-authenticator/id388497605
Play Market - https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
FreeOTP:
AppStore - https://apps.apple.com/us/app/freeotp-authenticator/id872559395
Play Market - https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=en
And prepare to scan QR code.
"
            sleep 5
            # time-based codes, window of 3 codes, max 3 attempts per 30 s, no code reuse, 1 scratch code
            google-auth -f -t -w 3 -r 3 -R 30 -d -e 1
            echo "Congratulations, now you can use an OTP token from application as a password connecting to VPN."
        else
            figlet -t -f $HOME/bin/rebel.tlf "Welcome to Company GAuth setup portal"
            sleep 1.5
            echo "Please, run any of these software on your device, where you would like to setup OTP:
Google Authenticator:
AppStore - https://apps.apple.com/us/app/google-authenticator/id388497605
Play Market - https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
FreeOTP:
AppStore - https://apps.apple.com/us/app/freeotp-authenticator/id872559395
Play Market - https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=en
And prepare to scan QR code.
"
            sleep 5
            google-auth -f -t -w 3 -r 3 -R 30 -d -e 1
            echo "Congratulations, now you can use an OTP token from application as a password to VPN."
            logout
        fi
    else
        echo "You have already setup a Google Authenticator"
        if [[ -z $(id $USER | grep "admins") ]]
        then
            logout
        fi
    fi
else
    echo "You don't need to set up a Google Authenticator"
fi
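The google-auth -t -w 3 -r 3 -R 30 -d enrollment in the profile above fixes the rules that pam_google_authenticator later applies to the OTP the user sends as the VPN password. The following Python, an added example rather than the page's or the PAM module's own code, models that check: TOTP per RFC 6238, a window of 3 codes, no reuse of an accepted code, and at most 3 attempts per 30 seconds; the secret and the in-memory bookkeeping are constructed stand-ins for the user's ~/.google_authenticator file.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30                  # -t: time-based codes with the RFC 6238 default 30 s step
WINDOW = 3                 # -w 3: the current code and one step either side are accepted
RATE_N, RATE_SEC = 3, 30   # -r 3 -R 30: no more than 3 login attempts per 30 s


def totp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226) over a time counter, i.e. TOTP (RFC 6238) with HMAC-SHA1 as Google Authenticator uses."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class OtpAccount:
    """In-memory stand-in for one user's ~/.google_authenticator: the secret plus what -d and -r need to remember."""

    def __init__(self, secret_b32: str):
        self.secret = secret_b32       # constructed sample secret supplied by the caller
        self.used = set()              # -d: counters whose code has already been accepted once
        self.attempts = []             # timestamps of recent attempts, for the rate limit

    def verify(self, code: str, now: int) -> bool:
        # rate limit first: forget attempts older than RATE_SEC, refuse once RATE_N are inside the window
        self.attempts = [t for t in self.attempts if now - t < RATE_SEC]
        if len(self.attempts) >= RATE_N:
            return False
        self.attempts.append(now)
        centre = now // STEP
        half = WINDOW // 2
        for counter in range(centre - half, centre + half + 1):
            if counter in self.used:
                continue               # -d: an accepted code is never accepted again
            if hmac.compare_digest(totp(self.secret, counter), code):
                self.used.add(counter)
                return True
        return False
```

Because a rejected attempt still counts toward the rate limit, a valid code can be refused right after three failures; that is the behaviour the -r 3 -R 30 flags ask for.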
Fortigate setup:
- Create a Radius server.
- Create the necessary groups, if access needs to be controlled by group. The group name on the Fortigate must match the group passed in the Fortinet-Group-Name Vendor Specific Attribute.
- Edit the necessary SSL portals.
- Add the groups to the policies.
Advantages of this solution:
- OTP authorization on the Fortigate with an open-source solution.
- The user does not enter the domain password when connecting via VPN, which simplifies the connection process. A 6-character password is easier to type than the one required by the security policy. As a result, the number of tickets titled "I can't connect to the VPN" goes down.
PS We plan to develop this solution into full two-factor authentication with challenge-response.
Update:
As promised, I switched it to the challenge-response option.
So:
In the file /etc/raddb/sites-enabled/default the authorize section looks like this:
authorize {
    filter_username
    preprocess
    auth_log
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    files
    -sql
    #-ldap
    expiration
    logintime
    if (!State) {
        if (&User-Password) {
            # If !State and User-Password (PAP), then force LDAP:
            update control {
                Ldap-UserDN := "%{User-Name}"
                Auth-Type := LDAP
            }
        }
        else {
            reject
        }
    }
    else {
        # If State, then proxy request:
        group_authorization
    }
    pap
}
The authenticate section now looks like this:
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    mschap
    digest
    # Attempt authentication with a direct LDAP bind:
    Auth-Type LDAP {
        ldap
        if (ok) {
            update reply {
                # Create a random State attribute:
                State := "%{randstr:aaaaaaaaaaaaaaaa}"
                Reply-Message := "Please enter OTP"
            }
            # Return Access-Challenge:
            challenge
        }
    }
    pam
    eap
}
Now user authentication happens according to the following algorithm:
- The user enters domain credentials in the VPN client.
- Freeradius checks the account and password.
- If the password is correct, a request for the token is sent.
- The token is verified.
- Profit.)
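The two-round exchange behind the authorize/authenticate sections and the step list above, as an added example that is not the page's or FreeRADIUS's own code: the first Access-Request carries the domain password and, after a successful bind, gets an Access-Challenge with a random State; the second carries the OTP plus that State, runs the group check and, for members of the admin group, returns Access-Accept with the Fortinet-Group-Name VSA encoded on the wire. The users alice and bob, their passwords, and the otp_ok callback (standing in for PAM) are constructed for the example; the vendor id 12356 and vendor-type 1 are Fortinet's published dictionary values.

```python
import os
import struct

FORTINET_VENDOR_ID = 12356   # vendor number in FreeRADIUS's dictionary.fortinet
FORTINET_GROUP_NAME = 1      # vendor-type of Fortinet-Group-Name (a string attribute)
ADMIN_GROUP = "CN=vpn_admins,OU=vpn-groups,DC=domain,DC=local"
# Constructed stand-in for the AD bind and memberOf lookup: user -> (password, groups)
DIRECTORY = {
    "alice": ("Winter2024!", [ADMIN_GROUP]),
    "bob": ("hunter2", ["CN=staff,OU=groups,DC=domain,DC=local"]),
}
PENDING = {}   # State value -> user: what the server must remember between the two rounds


def encode_fortinet_group_vsa(group: str) -> bytes:
    """Vendor-Specific (type 26) attribute carrying Fortinet-Group-Name, RFC 2865 section 5.26 layout."""
    inner = struct.pack(">BB", FORTINET_GROUP_NAME, 2 + len(group)) + group.encode()
    body = struct.pack(">I", FORTINET_VENDOR_ID) + inner
    return struct.pack(">BB", 26, 2 + len(body)) + body


def radius_server(req: dict, otp_ok) -> tuple:
    """One Access-Request in, (code, reply attributes) out, following the authorize/authenticate sections."""
    user = req.get("User-Name", "")
    if "State" not in req:
        # authorize: !State and User-Password -> Auth-Type LDAP; no password at all -> reject
        if "User-Password" not in req or user not in DIRECTORY:
            return "Access-Reject", {}
        if DIRECTORY[user][0] != req["User-Password"]:      # ldap bind failed
            return "Access-Reject", {}
        state = os.urandom(8).hex()                           # State := "%{randstr:aaaaaaaaaaaaaaaa}"
        PENDING[state] = user
        return "Access-Challenge", {"State": state, "Reply-Message": "Please enter OTP"}
    # second round: State present -> group_authorization, then Auth-Type PAM checks the OTP
    if PENDING.pop(req["State"], None) != user:              # unknown, replayed or foreign State
        return "Access-Reject", {}
    if ADMIN_GROUP not in DIRECTORY[user][1]:
        return "Access-Reject", {"Reply-Message": "Not authorized for vpn"}
    if not otp_ok(user, req.get("User-Password", "")):       # PAM stand-in, constructed
        return "Access-Reject", {}
    return "Access-Accept", {"Reply-Message": "Welcome Admin",
                             "Vendor-Specific": encode_fortinet_group_vsa("vpn_admins")}


def vpn_login(user: str, password: str, otp: str, otp_ok) -> str:
    """The FortiGate side: first request carries the domain password, second the OTP plus the State."""
    code, attrs = radius_server({"User-Name": user, "User-Password": password}, otp_ok)
    if code != "Access-Challenge":
        return code
    code, _ = radius_server({"User-Name": user, "User-Password": otp, "State": attrs["State"]}, otp_ok)
    return code
```

A State is consumed on first use, so a captured second-round request cannot be replayed; in the real deployment the same property depends on FreeRADIUS not accepting an unknown State, which is exactly what the group_authorization branch relies on.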
Source: www.habr.com