Moving to 2FA (Two-factor authentication for ASA SSL VPN)

The need to provide remote access to a corporate environment comes up quite often, whether it is your own users or partners who need to reach a particular server inside your organization.

For this, most companies use VPN technology, which has proven itself a secure and reliable way to give access to an organization's internal resources.

My company was no exception, and we, like many others, use this technology. And, like many others, we use a Cisco ASA 55xx as the remote-access gateway.

As the number of remote users grows, there is a need to simplify the process of issuing credentials. At the same time, this has to be done without compromising security.

We found our answer in two-factor authentication for the Cisco SSL VPN connection, using one-time passwords. This write-up explains how to put such a solution together in little time and at zero cost for the software required (provided you already have a Cisco ASA in your infrastructure).

The market is full of boxed solutions for generating one-time passwords, with plenty of delivery options: sending the password by SMS, or tokens, both hardware and software (on a mobile phone, for example). But the wish to save money, plus the wish to save my employer's money, pushed me on this occasion to find a free way to run a one-time password service. And while free, it is not much inferior to the commercial solutions (a caveat is due here: the product does have a commercial version, but we agreed that our outlay, in money, would be zero).

So we will need:

- A Linux image with a built-in set of tools: multiOTP, FreeRADIUS and nginx, for reaching the server over the web (http://download.multiotp.net/ - I used the ready-made VMware image)
- An Active Directory server
- The Cisco ASA itself (for convenience I use ASDM)
- Any software token that supports the TOTP method (I, for instance, use Google Authenticator, but FreeOTP will do just as well)

I won't go into how the image is built. The upshot is a Debian Linux with multiOTP and FreeRADIUS already installed and configured to work together, plus a web interface for administering the OTP server.

Step 1. Start the system and adapt it to your network
Out of the box the system comes with default root credentials. Everyone has presumably guessed that changing the root password after the first login is a good idea. You also need to change the network settings (by default the address is 192.168.1.44 and the gateway 192.168.1.1). After that you can reboot the system.

Let's create an Active Directory user otp with the password MySuperPassword. multiOTP only uses this account to bind and search the directory, so give it no privileges beyond those of an ordinary domain user.

Step 2. Set up the connection and import Active Directory users
For this we need the console, and specifically the multiotp.php tool, through which we configure the Active Directory connection settings.

Go to the /usr/local/bin/multiotp/ directory and run the following commands one after another:

./multiotp.php -config default-request-prefix-pin=0

Determines whether an additional (permanent) PIN is required in addition to the one-time code (0 or 1)

./multiotp.php -config default-request-ldap-pwd=0

Determines whether the domain password is required together with the one-time code (0 or 1); it is 0 here because the ASA already checks the domain password against Active Directory as the primary authentication

./multiotp.php -config ldap-server-type=1

Specifies the LDAP server type (0 = generic LDAP server; in our case 1 = Active Directory)

./multiotp.php -config ldap-cn-identifier="sAMAccountName"

Specifies the attribute that identifies the user (with sAMAccountName the user is identified by the account name alone, without the domain)

./multiotp.php -config ldap-group-cn-identifier="sAMAccountName"

The same, but for groups

./multiotp.php -config ldap-group-attribute="memberOf"

Specifies the attribute used to determine whether a user belongs to a group

./multiotp.php -config ldap-ssl=1

Whether to use an encrypted connection to the LDAP server (Yes - yes!). The bind password and every imported account travel over this link, so don't turn it off

./multiotp.php -config ldap-port=636

Port for connecting to the LDAP server (636 is LDAPS; 389 would be the plaintext port)

./multiotp.php -config ldap-domain-controllers=adSRV.domain.local

Address of your Active Directory server

./multiotp.php -config ldap-base-dn="CN=Users,DC=domain,DC=local"

Where in the domain to start searching for users (this base only covers the default Users container; widen it if your accounts live in other OUs)

./multiotp.php -config ldap-bind-dn="[email protected]"

The account with rights to search Active Directory (the user created for this in step 1)

./multiotp.php -config ldap-server-password="MySuperPassword"

The password of that account, which multiOTP keeps on the server in order to bind later; one more reason to give the account read access only

./multiotp.php -config ldap-network-timeout=10

Sets the timeout for connecting to Active Directory

./multiotp.php -config ldap-time-limit=30

Sets the time limit for the import operation

./multiotp.php -config ldap-activated=1

Enables the Active Directory configuration

./multiotp.php -debug -display-log -ldap-users-sync

Imports the users from Active Directory

Step 3. Generate the QR code for the token
Everything here is very simple. Open the OTP server's web interface in a browser, log in (don't forget to change the default administrator password!), and click the "Print" button:

The result is a page with two QR codes. We boldly ignore the first one (despite its enticing Google Authenticator / Authenticator / 2 Steps Authenticator caption) and just as boldly scan the second one into the software token on the phone:

(yes, I deliberately mangled the QR code in the screenshot so that it cannot be read).

Once this is done, your app will produce a six-digit password every thirty seconds. Treat that QR page like the seed it encodes: whoever scans it gets a working second factor, so don't leave printouts lying around.

To be sure, you can test it in the same interface:

Enter your username and the one-time password from the app on your phone. Got a positive response? Then we move on.

Step 4. Additional configuration and testing of FreeRADIUS
As I said above, multiOTP is already set up to work with FreeRADIUS; all that is left is to run the tests and add our VPN gateway to the FreeRADIUS configuration.

Back in the server console, in the /usr/local/bin/multiotp/ directory, enter:

./multiotp.php -config debug=1
./multiotp.php -config display-log=1

This turns on detailed logging (useful now; you may want to set both back to 0 once everything works).

In the FreeRADIUS clients configuration file (/etc/freeradius/clients.conf) comment out all lines relating to localhost and add two entries:

client localhost {
        ipaddr = 127.0.0.1
        secret          = testing321
        require_message_authenticator = no
}

- for testing (this entry exists only so that radtest on the box itself can reach the server; remove it when you are done)

client 192.168.1.254/32 {
        shortname =     CiscoASA
        secret =        ConnectToRADIUSSecret
}

- for our VPN gateway. Only that address can use this secret, and the secret is all that hides the one-time password on the wire, so choose a long random one and keep the ASA-to-server path on a management network.

Restart FreeRADIUS and try to authenticate:

radtest username 100110 localhost 1812 testing321

where username = the username, 100110 = the code currently shown by the app on the phone, localhost = the RADIUS server address (the server port stays at the default 1812; use localhost:port to change it), 1812 = the NAS-Port value radtest puts into the request (it shows up as NAS-Port in the output below), and testing321 = the client secret for this RADIUS server (the one we put in the config).

The output of this command will look roughly like this:

Sending Access-Request of id 44 to 127.0.0.1 port 1812
        User-Name = "username"
        User-Password = "100110"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 1812
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=44, length=20

Now we need to confirm that the user was genuinely authenticated. For that we look at the multiotp log itself:

tail /var/log/multiotp/multiotp.log

And if the last entries are:

2016-09-01 08:58:17     notice  username  User    OK: User username successfully logged in from 127.0.0.1
2016-09-01 08:58:17     debug           Debug   Debug: 0 OK: Token accepted from 127.0.0.1

then everything went well and we can finish up.
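What radtest is doing on the wire, as an added example written for this page (not code from the article, FreeRADIUS or multiOTP): it builds an Access-Request with the attributes shown in the output above per RFC 2865, hides User-Password with the shared secret the way RADIUS does, fills in the Message-Authenticator (RFC 2869) that `require_message_authenticator = no` tells FreeRADIUS not to insist on, and checks the Response Authenticator of the Access-Accept. The secret testing321, the user, the code 100110 and id 44 come from the page; the request authenticator is fixed here so that results are reproducible, which is an assumption: a real client draws 16 random bytes.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_NAS_PORT = 1, 2, 4, 5
ATTR_MESSAGE_AUTHENTICATOR = 80

# Constructed test values taken from the radtest run on this page. The request
# authenticator is fixed only for reproducibility; real clients use os.urandom(16).
SECRET = b"testing321"
REQUEST_AUTHENTICATOR = bytes(range(16))


def _attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1 byte), Length (1 byte, header included), Value."""
    return struct.pack("BB", atype, len(value) + 2) + value


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; each block is XORed with
    MD5(secret + previous ciphertext block), seeded with the request authenticator.
    Anyone holding the secret can undo this, so the secret's strength is the only
    thing protecting the one-time code between the ASA and the server."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ q for p, q in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same scheme."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(p ^ q for p, q in zip(block, pad)), block
    return out.rstrip(b"\x00")


def build_access_request(username: str, password: str, secret: bytes, ident: int,
                         authenticator: bytes, nas_ip: str = "127.0.1.1",
                         nas_port: int = 1812) -> bytes:
    """Access-Request with the attributes radtest sends, plus a real
    Message-Authenticator: HMAC-MD5(secret) over the packet with that attribute zeroed."""
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_user_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(ATTR_NAS_PORT, struct.pack(">I", nas_port))
             + _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    packet = struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the zeroed attribute value is the last 16 bytes


def parse_attributes(packet: bytes) -> dict:
    """Type -> value for every attribute after the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            break
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def check_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """What require_message_authenticator = yes enforces: recompute the HMAC over
    the packet with attribute 80 zeroed. A packet without the attribute fails."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return False
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False


def build_response(code: int, ident: int, request_authenticator: bytes, secret: bytes,
                   attrs: bytes = b"") -> bytes:
    """Server reply; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack(">BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def response_is_authentic(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Client side: an Access-Accept forged by someone without the secret fails here."""
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    req = build_access_request("username", "100110", SECRET, 44, REQUEST_AUTHENTICATOR)
    print("Access-Request:", req.hex())
    reply = build_response(ACCESS_ACCEPT, 44, REQUEST_AUTHENTICATOR, SECRET)
    print("Access-Accept authentic:", response_is_authentic(reply, REQUEST_AUTHENTICATOR, SECRET))
```

The zeroed Message-Authenticator in the radtest output is the placeholder over which the HMAC is computed. The 20-byte Access-Accept in the output has no attributes, so its Response Authenticator is the only thing binding it to the request and to the secret, which is why the secret per client matters even on a loopback test.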

Step 5. Configure the Cisco ASA
Let's assume we already have a connection profile with SSL VPN access policies, configured to authenticate against Active Directory, and we need to add two-factor authentication to this profile.

1. Add a new AAA server group:

2. Add our multiOTP server to the group:

3. Edit the connection profile, leaving the Active Directory server group as the primary authentication server:

4. On the Advanced -> Authentication tab, again select the Active Directory server group:

5. On the Advanced -> Secondary authentication tab, select the newly created server group in which the multiOTP server is registered. Note that the session username is inherited from the primary AAA server group:

Apply the settings, and

Step 6, aka the last one
Let's check that two-factor authentication on the SSL VPN works:

Voila! When connecting with the Cisco AnyConnect VPN Client you are additionally asked for a second, one-time password.

I hope this article helps someone, and gives someone ideas about what else this free OTP server can be used for. Share in the comments if you wish.
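The ASDM steps above, expressed as the equivalent ASA CLI, as an added example that is not part of the original article. The group and profile names (AD-LDAP, MULTIOTP, SSLVPN-PROFILE) and the interface name are assumptions; the server address and secret are the ones used elsewhere in this write-up.

```text
! Steps 1-2: a RADIUS server group containing the multiOTP box
aaa-server MULTIOTP protocol radius
aaa-server MULTIOTP (inside) host 192.168.1.44
 key ConnectToRADIUSSecret
 authentication-port 1812
!
! Steps 3-5: Active Directory stays the primary method, multiOTP becomes the
! secondary one, and the secondary check reuses the username entered for the
! primary so the user is not prompted for it twice
tunnel-group SSLVPN-PROFILE general-attributes
 authentication-server-group AD-LDAP
 secondary-authentication-server-group MULTIOTP use-primary-username
```

Before touching the tunnel-group, confirm the ASA can reach the new server with the built-in check, using a user imported in step 2 and the code currently displayed by the app: `test aaa-server authentication MULTIOTP host 192.168.1.44 username otpuser password 123456`. A reject here, with the same code accepted by radtest on the server, usually means a secret mismatch or a missing clients.conf entry for the ASA's address.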

Source: www.habr.com
