Cisco ISE: Configuring Guest Access on FortiAP. Part 3

Welcome to the third post in the Cisco ISE series. Links to all the articles in the series are given below:

  1. Cisco ISE: Introduction, requirements, installation. Part 1

  2. Cisco ISE: Creating users, adding LDAP servers, integrating with AD. Part 2

  3. Cisco ISE: Configuring Guest Access on FortiAP. Part 3

In this post you will dive into guest access and get a step-by-step guide to integrating Cisco ISE with FortiGate in order to configure FortiAP, an access point from Fortinet (in general, any device that supports RADIUS CoA - Change of Authorization - will do).

Our related articles are attached as well. Fortinet - a selection of useful materials.

Note: Check Point SMB devices do not support RADIUS CoA.

An excellent guide describes, in English, how to create guest access using Cisco ISE on a Cisco WLC (Wireless Controller). Let's figure it out!

1. Introduction

Guest access (a portal) lets you provide access to the Internet or to internal resources for guests and users whom you do not want to admit into your local network. There are 3 predefined types of guest portal:

  1. Hotspot Guest portal - network access is granted to guests without login credentials. Users are generally required to accept the company's "Use and Privacy Policy" before accessing the network.

  2. Sponsored-Guest portal - network access and login credentials must be issued by a sponsor, the user responsible for creating guest accounts on Cisco ISE.

  3. Self-Registered Guest portal - in this case guests use existing login credentials or create an account for themselves with login credentials, but sponsor confirmation is required to gain access to the network.

Multiple portals can be deployed on Cisco ISE at the same time. By default, the guest portal shows the user the Cisco logo and standard common phrases. All of this can be customized, and the portal can even be set to show mandatory advertising before access is granted.

Guest access setup can be broken down into 4 main stages: FortiAP setup, Cisco ISE and FortiAP connectivity, guest portal creation, and access policy setup.

2. Configuring FortiAP on FortiGate

FortiGate is the access point controller, and all settings are made on it. FortiAP access points support PoE, so once you have connected one to the network over Ethernet, you can begin configuration.

1) On FortiGate, go to the tab WiFi & Switch Controller > Managed FortiAPs > Create New > Managed AP. Using the access point's unique serial number, which is printed on the access point itself, add it as an object. Alternatively, it may show up on its own, in which case right-click it and select Authorize.

2) The FortiAP settings can stay at their defaults, for example left as they are in the screenshot. I strongly recommend enabling 5 GHz mode, because some devices do not support 2.4 GHz.

3) Then, in the tab WiFi & Switch Controller > FortiAP Profiles > Create New, we create a settings profile for the access point (802.11 protocol version, SSID mode, channel frequency and the number of channels).

Example FortiAP settings

4) The next step is to create the SSID. Go to the tab WiFi & Switch Controller > SSIDs > Create New > SSID. The important things to configure here are:

  • address space for the guest WLAN - IP/Netmask

  • RADIUS Accounting and Secure Fabric Connection in the Administrative Access field

  • the Device Detection option

  • SSID and the Broadcast SSID option

  • Security Mode Settings > Captive Portal

  • Authentication Portal - External, and insert the link to the guest portal created in Cisco ISE from step 20

  • User Group - Guest Group - External - add RADIUS pointing to Cisco ISE (step 6 onward)

Example SSID settings

5) Then you should create rules in the access policy on FortiGate. Go to the tab Policy & Objects > Firewall Policy and create a rule as follows:

3. RADIUS setup

6) In the Cisco ISE web interface, go to the tab Policy > Policy Elements > Dictionaries > System > Radius > RADIUS Vendors > Add. In this tab we add Fortinet RADIUS to the list of supported protocols, since almost every vendor has its own specific attributes - VSAs (Vendor-Specific Attributes).

A list of Fortinet RADIUS attributes can be found here. VSAs are distinguished by a unique Vendor ID number. For Fortinet this ID = 12356. The full list of VSAs has been published by IANA.

7) Set the dictionary name, specify the Vendor ID (12356) and click Submit.

8) Next, go to Administration > Network Device Profiles > Add and create a new device profile. In the RADIUS Dictionaries field, select the Fortinet RADIUS dictionary created earlier, and select the CoA methods to use later in the ISE policy. I selected RFC 5176 and Port Bounce (shutdown/no shutdown of the network interface) and the corresponding VSAs:

Fortinet-Access-Profile=read-write

Fortinet-Group-Name=fmg_faz_admins

9) Next, add FortiGate for integration with ISE. To do this, go to the tab Administration > Network Resources > Network Device Profiles > Add. The fields to change are Name, Vendor and RADIUS Dictionaries (the IP Address used is that of FortiGate, not FortiAP).

Example of RADIUS configuration on the ISE side

10) After that, configure RADIUS on the FortiGate side. In the FortiGate web interface, go to User & Authentication > RADIUS Servers > Create New. Specify the name, the IP address and the Shared secret (password) from the previous step. Then click Test User Credentials and enter any credentials that can be pulled via RADIUS (for example, a local user on Cisco ISE).

11) Add the RADIUS server to Guest-Group (if it is not there), as well as the external source of users.

12) Do not forget to add Guest-Group to the SSID we created earlier in step 4.

4. User authentication setup

13) Optionally, you can import a certificate for the ISE guest portal or create a self-signed certificate in the tab Work Centers > Guest Access > Administration > Certificates > Certificates.

14) Then, in the tab Work Centers > Guest Access > Identity Groups > User Identity Groups > Add, create a new user group for guest access, or use the default ones.

15) Next, in the tab Administration > Identities, create guest users and add them to the groups from the previous step. If you want to use third-party accounts, skip this step.

16) Then go to the settings Work Centers > Guest Access > Identities > Identity Source Sequence > Guest Portal Sequence - this is the default authentication sequence for guest users. In the Authentication Search List field, select the user authentication order.

17) To notify guests of a one-time password, you can configure SMS providers or an SMTP server for this purpose. Go to the tab Work Centers > Guest Access > Administration > SMTP Server or SMS Gateway Providers for these settings. In the case of an SMTP server, you need to create an account for ISE and enter its details in this tab.

18) For SMS notifications, use the corresponding tab. ISE has preinstalled profiles for popular SMS providers, but it is better to create your own. Use these profiles as an example for configuring SMS Email Gateway or SMS HTTP API.

Example of setting up an SMTP server and an SMS gateway for one-time passwords

5. Guest portal setup

19) As mentioned at the beginning, there are several types of preinstalled guest portals: Hotspot, Sponsored, Self-Registered. I recommend choosing the third option, since it is the most common. Either way, the settings are the same. So let's go to the tab Work Centers > Guest Access > Portals & Components > Guest Portals > Self-Registered Guest Portal (default).

20) Next, in the Portal Page Customization tab, select "View in Russian - Russian" so that the portal is displayed in Russian. You can change the text of any tab, add your logo, and more. In the right-hand corner there is a preview of the guest portal for a better view.

Example of configuring a guest portal with self-registration

21) Click the phrase Portal test URL and copy the portal URL into the SSID on FortiGate from step 4. Sample URL: https://10.10.30.38:8433/portal/PortalSetup.action?portal=deaaa863-1df0-4198-baf1-8d5b690d4361

To display your own domain, you must upload a certificate to the guest portal; see step 13.

22) Go to the tab Work Centers > Guest Access > Policy Elements > Results > Authorization Profiles > Add to create an authorization profile under the previously created Network Device Profile.

23) In the tab Work Centers > Guest Access > Policy Sets, edit the access policy for WiFi users.

24) Let's try connecting to the guest SSID. It immediately redirects me to the login page. Here you can log in with a guest account created locally on ISE, or register as a guest user.

25) If you chose the self-registration option, the one-time login credentials can be sent by email, by SMS, or printed.

26) In the RADIUS > Live Logs tab on Cisco ISE, you will see the corresponding login logs.

6. Conclusion

In this long article we successfully configured guest access on Cisco ISE, where FortiGate acts as the access point controller and FortiAP acts as the access point. It turned out to be a kind of non-trivial integration, which once again demonstrates how widely ISE can be used.

To test Cisco ISE, contact us via the link, and stay tuned to our channels (Telegram, Facebook, VK, TS Solution Blog, Yandex Zen).

source: www.habr.com
