VPN MFA (Keycloak) with openconnect

I am trying to deploy a VPN with two-factor authentication. While reading the ocserv documentation I found the oidc option (https://gitlab.com/openconnect/ocserv/-/blob/master/doc/README-oidc.md). I am now trying to hook my VPN up to my Keycloak SSO.

My configuration:

/etc/ocserv/ocserv.conf:

    auth = "oidc[config=/etc/ocserv/oidc.json]"

/etc/ocserv/oidc.json:

    {
        "openid_configuration_url": "http://10.1.1.1:8080/auth/realms/master/.well-known/openid-configuration",
        "user_name_claim": "preferred_username",
        "required_claims": {
            "aud": "http://10.1.1.1:8080/auth/realms/master",
            "iss": "http://10.1.1.1:8080/auth/realms/master"
        }
    }

When ocserv (version 1.1.6) starts, I can see it reading the Keycloak SSO configuration, which shows that the openid configuration was fetched:

    ocserv[590033]: main: initialized ocserv 1.1.6
    ocserv[590034]: sec-mod: reading supplemental config from files
    ocserv[590034]: ocserv-oidc: fetched new JWK XXX
    ocserv[590034]: ocserv-oidc: fetched new JWK XXX
    ocserv[590034]: sec-mod: loaded 1 keys
    ocserv[590034]: sec-mod: sec-mod initialized (socket: /run/ocserv.socket.1891ca24.0)

When I try to connect with the openconnect CLI (on Debian or Fedora), my client fails to connect and exits:

    # openconnect --protocol=anyconnect https://10.1.1.1 --servercert pin-sha256:XXX -v
    POST https://10.1.1.1/
    Attempting to connect to server 10.1.1.1:443
    Connected to 10.1.1.1:443
    SSL negotiation with 10.1.1.1
    Server certificate verify failed: signer not found
    Connected to HTTPS on 10.1.1.1
    Got HTTP response: HTTP/1.1 401 Unauthorized
    WWW-Authenticate: Bearer
    Content-Length: 0
    HTTP body length:  (0)
    Server '10.1.1.1' requested Basic authentication which is disabled by default
    GET https://10.1.1.1/
    Attempting to connect to server 10.1.1.1:443
    Connected to 10.1.1.1:443
    SSL negotiation with 10.1.1.1
    Server certificate verify failed: signer not found
    Connected to HTTPS on 10.1.1.1
    Got HTTP response: HTTP/1.1 200 OK
    Set-Cookie: webvpncontext=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; Secure; HttpOnly
    Content-Type: text/xml
    Content-Length: 250
    X-Transcend-Version: 1
    HTTP body length:  (250)
    Please enter your username.
    Failed to obtain WebVPN cookie

Server side:

    ocserv[590033]: main: added 1 points (total 1) for IP '10.2.2.2' to ban list
    ocserv[590123]: main: map worker serving remote address 10.2.2.2:20264 to secmod instance 0
    note: vhost:default: setting 'oidc' as primary authentication method
    ocserv[590034]: sec-mod: received request from pid 590123 and uid 0
    ocserv[590034]: sec-mod: cmd [size=57] sm: sign
    note: setting 'file' as supplemental config option
    ocserv[590123]: worker: 10.2.2.2 accepted connection
    ocserv[590034]: sec-mod: received request from pid 590123 and uid 65534
    ocserv[590034]: sec-mod: cmd [size=38] sm: sign hash
    ocserv[590123]: worker: 10.2.2.2 TLS handshake completed
    ocserv[590123]: worker: 10.2.2.2 sending message 'session info' to main
    ocserv[590033]: main:10.2.2.2:20264 main received worker's message 'session info' of 66 bytes
    ocserv[590123]: worker: 10.2.2.2 User-agent: 'Open AnyConnect VPN Agent v8.05-1'
    ocserv[590123]: worker: 10.2.2.2 Detected OpenConnect v4 or newer
    ocserv[590033]: main:10.2.2.2:20264 worker terminated
    ocserv[590033]: main:10.2.2.2:20264 user disconnected (reason: unspecified, rx: 0, tx: 0)
    ocserv[590033]: main: added 1 points (total 2) for IP '10.2.2.2' to ban list
    ocserv[590124]: main: map worker serving remote address 10.2.2.2:16254 to secmod instance 0
    note: vhost:default: setting 'oidc' as primary authentication method
    ocserv[590034]: sec-mod: received request from pid 590124 and uid 0
    ocserv[590034]: sec-mod: cmd [size=57] sm: sign
    note: setting 'file' as supplemental config option
    ocserv[590124]: worker: 10.2.2.2 accepted connection
    ocserv[590034]: sec-mod: received request from pid 590124 and uid 65534
    ocserv[590034]: sec-mod: cmd [size=38] sm: sign hash
    ocserv[590124]: worker: 10.2.2.2 TLS handshake completed
    ocserv[590124]: worker: 10.2.2.2 sending message 'session info' to main
    ocserv[590124]: worker: 10.2.2.2 User-agent: 'Open AnyConnect VPN Agent v8.05-1'
    ocserv[590033]: main:10.2.2.2:16254 main received worker's message 'session info' of 66 bytes
    ocserv[590124]: worker: 10.2.2.2 Detected OpenConnect v4 or newer
    ocserv[590033]: main:10.2.2.2:16254 worker terminated
    ocserv[590033]: main:10.2.2.2:16254 user disconnected (reason: unspecified, rx: 0, tx: 0)

It looks like the problem is on the openconnect client side, which cannot handle the oidc part. Has anyone ever successfully logged in to ocserv with this authentication method?

Thanks for your help!
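The oidc.json in the question tells ocserv to accept a bearer token only if its `aud` and `iss` claims match the realm URL and to take the VPN user name from `preferred_username`. The following added example (not part of the question and not ocserv's own code) applies exactly those `required_claims` / `user_name_claim` rules to a JWT payload so that a mismatch can be seen on the server side before debugging the client; it assumes the token's signature has already been verified against the provider's JWKs (the step ocserv logs as "fetched new JWK"), and it treats `aud` as either a single string or a list, as RFC 7519 allows. The tokens it checks are constructed test fixtures.

```python
import base64
import json

# Copy of the oidc.json from the question (constructed inline for this example).
OIDC_CONFIG = json.loads("""{
  "openid_configuration_url": "http://10.1.1.1:8080/auth/realms/master/.well-known/openid-configuration",
  "user_name_claim": "preferred_username",
  "required_claims": {
    "aud": "http://10.1.1.1:8080/auth/realms/master",
    "iss": "http://10.1.1.1:8080/auth/realms/master"
  }
}""")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWT. The signature is NOT checked here;
    assumption: the caller has already verified it against the provider's JWKs."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token: str, cfg: dict = OIDC_CONFIG):
    """Apply required_claims and user_name_claim from oidc.json to a token.
    Returns (username, []) on success or (None, [reasons]) on rejection."""
    claims = jwt_claims(token)
    reasons = []
    for name, expected in cfg["required_claims"].items():
        value = claims.get(name)
        # RFC 7519: 'aud' may be a single string or a list of strings.
        matched = expected in value if isinstance(value, list) else value == expected
        if not matched:
            reasons.append(f"claim {name!r}: expected {expected!r}, got {value!r}")
    user = claims.get(cfg["user_name_claim"])
    if not user:
        reasons.append(f"missing user name claim {cfg['user_name_claim']!r}")
    return (user, []) if not reasons else (None, reasons)


def make_test_jwt(claims: dict) -> str:
    """Build a constructed, unsigned test token (empty signature segment).
    Test fixture only; real tokens must carry a verified signature."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

Running `check_token` on a real token copied from the Keycloak realm shows immediately whether the `aud` value Keycloak actually issues matches the realm URL required in oidc.json.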

0 answers
