I need to connect an external notebook to the organization. At the moment I have L2TP + IPsec, which works, but I have no way to use it for VPN-before-login in Windows (shared VPN).
Of course I could get that working, but given the domain passwords I don't want to use it for connecting from outside the organization (from the internet).
I like OpenVPN as a Windows service that logs in automatically, but the config stores the password in plaintext and I'm not keen on that (:
Is there anything that can be used with a MikroTik as the VPN server? I want an independent VPN account that can be used before logging into Windows and whose password isn't easy to extract from the client. I'm probably overcomplicating it, but nothing comes to mind, at least in the open-source space. And I don't want to install unnecessary extra things on the DC machine if I don't have to.
Probably only a snake will manage an answer, but better than nothing
arigato ...
VPN + domain - ideal combination
- Hexaris
- Forum sponsor gold
- Posts: 782
- Registered: Thu 11 Jul 2019, 19:35
- Location: Somewhere in Záhorie
Your value does not decrease because of someone's inability to see your worth.
BOOK: MB Air M1 2020 AMP: Topping DX3Pro+ HEADPHONES: HiFiMAN HE400SE
Re: VPN + domain - ideal combination
Hmm, can't OpenVPN in theory be set up to authenticate with a key/certificate instead of username/password?
Not sure whether that's a solution for you or more like scratching your left ear with your right hand
Re: VPN + domain - ideal combination
Unfortunately that feature isn't implemented in MikroTik. I could build a VM with OpenVPN (Linux), but then I might as well start thinking about RAS ...
Re: VPN + domain - ideal combination
Just set up certificate auth directly on the MikroTik (not sure about IKEv2, but SSTP will definitely work, though honestly I'd set up RRAS/NPS for this, if only for the logging), make it an always-on VPN and there's nothing to click. But I really don't see the use case: what's the difference between having RADIUS auth on the VPN (which the MikroTik does natively) vs. having a standalone VPN and then passing domain credentials through it? With <>s like OpenVPN it can be even worse: if your client ends up on the same subnet you have configured (/8) and someone clever does KDC poisoning there, your auth flies out in nice plaintext :D, but now we're dramatizing.
Or option two: move with the times and do a workplace join to AAD federated with the on-prem DC
PS - installing anything other than ADDS/ADLDS on a DC deserves a couple of slaps :)))
Quoting: "Probably only a snake will manage an answer, but better than nothing"
I almost took that personally.
Re: VPN + domain - ideal combination
Don't read anything bad into it, maybe I just put it badly. I assumed only you would write anything relevant and I'd be glad even for that ... (: You've always given practical advice, and not for the first time. I won't go into history. And of course + for Sugyi for the willingness (:
On topic: Always On VPN tempts me, I just haven't got around to it. It'll probably solve most of the problems. I'll write later what I deployed
P.S. yes, nothing else belongs on a DC, agreed; for that I have another machine with KVM, LXC ...
Re: VPN + domain - ideal combination
AOVPN is trivial, you import one dumb XML and it's there; when the machine is in the domain you don't even need to deal with a certificate
Re: VPN + domain - ideal combination
I'm deploying this tomorrow, in case it helps you: EAP-MSCHAPv2 against RRAS. It isn't a device tunnel, though, because that only works on Enterprise/Education.
Code:
$ProfileName = 'PROFIL'
$Server = 'vpn.HOSTNAME.cz'
$DnsSuffix = 'HOSTNAME.local'
$DomainName = '.HOSTNAME.local'
$DNSServers = '192.168.66.252,192.168.66.251'
$TrustedNetwork = 'HOSTNAME.local'
$ProfileNameEscaped = $ProfileName -replace ' ', '%20'
$ProfileXML = '<VPNProfile>
<DnsSuffix>'+$DnsSuffix+'</DnsSuffix>
<NativeProfile>
<Servers>'+$Server+'</Servers>
<NativeProtocolType>SSTP</NativeProtocolType>
<Authentication>
<UserMethod>Eap</UserMethod>
<Eap>
<Configuration>
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">26</Type><VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId><VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType><AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId></EapMethod><Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type><EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1"><UseWinLogonCredentials>true</UseWinLogonCredentials></EapType></Eap></Config></EapHostConfig>
</Configuration>
</Eap>
</Authentication>
<RoutingPolicyType>SplitTunnel</RoutingPolicyType>
</NativeProfile>
<AlwaysOn>true</AlwaysOn>
<RememberCredentials>true</RememberCredentials>
<TrustedNetworkDetection>'+$TrustedNetwork+'</TrustedNetworkDetection>
<DomainNameInformation>
<DomainName>'+$DomainName+'</DomainName>
<DnsServers>'+$DNSServers+'</DnsServers>
</DomainNameInformation>
</VPNProfile>'
# ProfileXML is stored as a string inside the CSP node, so the markup itself must be entity-escaped
$ProfileXML = $ProfileXML -replace '<', '&lt;'
$ProfileXML = $ProfileXML -replace '>', '&gt;'
$ProfileXML = $ProfileXML -replace '"', '&quot;'
$nodeCSPURI = './Vendor/MSFT/VPNv2'
$namespaceName = 'root\cimv2\mdm\dmmap'
$className = 'MDM_VPNv2_01'
try
{
$username = Gwmi -Class Win32_ComputerSystem | select username
$objuser = New-Object System.Security.Principal.NTAccount($username.username)
$sid = $objuser.Translate([System.Security.Principal.SecurityIdentifier])
$SidValue = $sid.Value
$Message = "User SID is $SidValue."
Write-Host "$Message"
}
catch [Exception]
{
$Message = "Unable to get user SID. User may be logged on over Remote Desktop: $_"
Write-Host "$Message"
exit
}
$session = New-CimSession
$options = New-Object Microsoft.Management.Infrastructure.Options.CimOperationOptions
$options.SetCustomOption('PolicyPlatformContext_PrincipalContext_Type', 'PolicyPlatform_UserContext', $false)
$options.SetCustomOption('PolicyPlatformContext_PrincipalContext_Id', "$SidValue", $false)
try
{
$deleteInstances = $session.EnumerateInstances($namespaceName, $className, $options)
foreach ($deleteInstance in $deleteInstances)
{
$InstanceId = $deleteInstance.InstanceID
if ("$InstanceId" -eq "$ProfileNameEscaped")
{
$session.DeleteInstance($namespaceName, $deleteInstance, $options)
$Message = "Removed $ProfileName profile $InstanceId"
Write-Host "$Message"
} else {
$Message = "Ignoring existing VPN profile $InstanceId"
Write-Host "$Message"
}
}
}
catch [Exception]
{
$Message = "Unable to remove existing outdated instance(s) of $ProfileName profile: $_"
Write-Host "$Message"
exit
}
try
{
$newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName
$property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ParentID", "$nodeCSPURI", 'String', 'Key')
$newInstance.CimInstanceProperties.Add($property)
$property = [Microsoft.Management.Infrastructure.CimProperty]::Create("InstanceID", "$ProfileNameEscaped", 'String', 'Key')
$newInstance.CimInstanceProperties.Add($property)
$property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ProfileXML", "$ProfileXML", 'String', 'Property')
$newInstance.CimInstanceProperties.Add($property)
$session.CreateInstance($namespaceName, $newInstance, $options)
$Message = "Created $ProfileName profile."
Write-Host "$Message"
}
catch [Exception]
{
$Message = "Unable to create $ProfileName profile: $_"
Write-Host "$Message"
exit
}
$Message = "Script Complete"
Write-Host "$Message"
Re: VPN + domain - ideal combination
Thanks, I'm supposed to get this working tomorrow as well, so great ... the only thing missing on this forum is a like button (: