Cisco ISE: Creating users, adding LDAP servers, integrating with AD. Part 2

Welcome to the second post in the Cisco ISE series. The first article covered the advantages of Network Access Control (NAC) solutions and how they differ from standard AAA, the distinguishing features of Cisco ISE, its architecture, and the product installation process.

In this article we will dig into creating accounts, adding an LDAP server, integrating with Microsoft Active Directory, and the specifics of working with PassiveID. Before reading on, I recommend going through part one.

1. Some terms

User Identity - a user account that contains information about the user and forms their credentials for accessing the network. The following parameters are defined in a User Identity: user name, e-mail address, password, account description, user group and role.

User Groups - collections of users that share a common set of privileges, which grants them access to specific Cisco ISE services and functions.

User Identity Groups - user groups that already carry specific information and a role. The following User Identity Groups exist by default, and you can add users and user groups to them: Employee, SponsorAllAccounts, SponsorGroupAccounts, SponsorOwnAccounts (sponsor accounts for managing the guest portal), Guest, ActivatedGuest.

User Role - a set of permissions that determines which tasks a user can perform and which services they can access. A user role is usually tied to a user group.

In addition, every user and user group has extra attributes that let you single out and further describe that user (or user group). More details are in the guide.

2. Creating local users

1) Cisco ISE can create local users and use them in access policies, or even delegate administration of the product to them. Choose Administration → Identity Management → Identities → Users → Add.

Figure 1. Adding a local user to Cisco ISE

2) In the window that appears, create the local user, set a password and the remaining self-explanatory parameters.

Figure 2. Creating a user in Cisco ISE

3) Users can also be imported. On the same tab, Administration → Identity Management → Identities → Users, choose the Import option and upload a csv or txt file with users. To get a template, choose Generate a Template, then fill it in with the user data in the required format.

Figure 3. Importing users into Cisco ISE

3. Adding LDAP servers

Let me remind you that LDAP is a popular application-layer protocol that lets you retrieve information, perform authentication and search for accounts in the directories of an LDAP server; it runs on port 389 or 636 (SSL). Well-known examples of LDAP servers are Active Directory, Sun Directory, Novell eDirectory and OpenLDAP. Every entry in an LDAP directory is described by a DN (Distinguished Name), and the retrieval of accounts, user groups and attributes is what access policies are built on.

In Cisco ISE you can configure access to several LDAP servers so that redundancy is in place. If the primary LDAP server is unavailable, ISE will try to reach the secondary one, and so on. Moreover, if there are two PANs, one LDAP server can be given priority for the primary PAN and another LDAP server for the secondary PAN.

ISE supports 2 types of lookups when working with an LDAP server: User Lookup and MAC Address Lookup. User Lookup lets you find a user in the LDAP database and obtain the following information without authentication: users and their attributes, and user groups. MAC Address Lookup likewise lets you search the LDAP directories by MAC address without authentication and obtain information about the device, the device group by MAC address, and other specific attributes.

As an integration example, let's add Active Directory to Cisco ISE as an LDAP server.

1) Go to the tab Administration → Identity Management → External Identity Sources → LDAP → Add.

Figure 4. Adding an LDAP server

2) In the General panel, enter the name of the LDAP server and the schema (in our case, Active Directory).

Figure 5. Adding an LDAP server with the Active Directory schema

3) Next, go to the Connection tab and specify the hostname/IP address of the AD server, the port (389 - LDAP, 636 - LDAP over SSL) and the domain administrator's credentials (Admin DN - the full DN); the remaining parameters can be left at their defaults.

Note: use domain admin credentials to avoid possible problems.

Figure 6. Entering LDAP server details

4) On the Directory Organization tab, specify by DN the directory subtree from which users and user groups will be pulled.

Figure 7. Specifying the directories from which user groups can be pulled

5) Go to Groups → Add → Select Groups From Directory to select groups from the LDAP server.

Figure 8. Adding groups from the LDAP server

6) In the window that appears, click Retrieve Groups. If the groups come up, the first steps have completed successfully. Otherwise, try another administrator account and check ISE's access to the LDAP server over the LDAP protocol.

Figure 9. List of pulled user groups
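One way to reproduce the Retrieve Groups request from outside ISE when step 6 returns nothing, and to catch a subject tree typed for the wrong domain first. This is an added example, not code from the article or from Cisco; it assumes the third-party ldap3 Python package is installed, and the host, port, Admin DN, password and subject tree are the constructed stand-ins for the values entered in steps 3 and 4.

```python
def dn_domain(dn):
    """Return the DNS-style domain spelled by a DN's DC components, e.g.
    'CN=ise-svc,OU=Service,DC=corp,DC=local' -> 'corp.local'.
    Simple comma split: does not handle escaped commas inside RDN values."""
    parts = [p.strip() for p in dn.split(",")]
    dcs = [p.split("=", 1)[1] for p in parts if p.upper().startswith("DC=")]
    return ".".join(dcs).lower()


def subject_tree_in_admin_domain(admin_dn, subject_tree):
    """Sanity check before Retrieve Groups: a subject tree that names a
    different domain than the Admin DN does not exist on that server, so the
    bind succeeds but the group list comes back empty."""
    domain = dn_domain(admin_dn)
    return domain != "" and dn_domain(subject_tree) == domain


def retrieve_groups(host, port, admin_dn, password, subject_tree):
    """Bind as the Admin DN and list the cn of every group under the subject
    tree, which is the search ISE performs for Retrieve Groups.
    Requires the ldap3 package (assumption: pip install ldap3)."""
    from ldap3 import Server, Connection, SUBTREE
    server = Server(host, port=port, use_ssl=(port == 636))  # 636 = LDAP over SSL
    conn = Connection(server, user=admin_dn, password=password, auto_bind=True)
    conn.search(search_base=subject_tree,
                search_filter="(objectClass=group)",
                search_scope=SUBTREE, attributes=["cn"])
    groups = sorted(entry.cn.value for entry in conn.entries)
    conn.unbind()
    return groups


if __name__ == "__main__":
    # Constructed values; replace them with those from steps 3 and 4.
    admin_dn = "CN=ise-svc,OU=Service Accounts,DC=corp,DC=local"
    subject_tree = "OU=Users,DC=corp,DC=local"
    if not subject_tree_in_admin_domain(admin_dn, subject_tree):
        raise SystemExit("subject tree and Admin DN point at different domains")
    print(retrieve_groups("dc01.corp.local", 636, admin_dn, "secret", subject_tree))
```

If the bind fails, ldap3 raises an LDAPBindError, which corresponds to the "try another administrator account" advice in step 6; an empty list with a successful bind points at the subject tree.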

7) On the Attributes tab you can optionally choose which attributes should be pulled from the LDAP server, and on the Advanced Settings tab you can enable the option Enable Password Change, which forces users to change their password when it has expired or been reset. Then click Submit to continue.

8) The LDAP server appears in the corresponding tab and can be used later to build access policies.

Figure 10. List of added LDAP servers

4. Integration with Active Directory

1) By adding a Microsoft Active Directory server as an LDAP server we obtained users and user groups, but no logs. Next, I suggest setting up full AD integration with Cisco ISE. Go to the tab Administration → Identity Management → External Identity Sources → Active Directory → Add.

Note: for a successful integration with AD, ISE must be in the domain and have full connectivity with the DNS, NTP and AD servers; otherwise nothing will come of it.

Figure 11. Adding an Active Directory server

2) In the window that appears, enter the domain administrator's credentials and tick the Store Credentials box. Additionally, you can specify an OU (Organizational Unit) if ISE is located in a particular OU. Next, select the Cisco ISE nodes you want to join to the domain.

Figure 12. Entering credentials

3) Before adding domain controllers, make sure that on the PSN, under Administration → System → Deployment, the Passive Identity Service option is enabled. Passive ID is an option that lets you map a user to an IP address and vice versa. PassiveID receives information from AD over WMI, through special AD agents, or from a SPAN port on the switch (not the best option).

Note: to check the status of Passive ID, type in the ISE console: show application status ise | include PassiveID

Figure 13. Enabling the PassiveID option

4) Go to the tab Administration → Identity Management → External Identity Sources → Active Directory → PassiveID and choose the Add DCs option. Next, select the required domain controllers with the checkboxes and click OK.

Figure 14. Adding domain controllers

5) Select the added DCs and click the Edit button. Specify your DC's FQDN, login and password, and choose the connection method, WMI or Agent. Choose WMI and click OK.

Figure 15. Entering domain controller details

6) If WMI is not the preferred way to communicate with Active Directory, ISE agents can be used. The agent method means you install special agents on the servers, and they export the login events. There are 2 installation options: automatic and manual. To install an agent automatically, on the same PassiveID tab choose Add Agent → Deploy New Agent (the DC must have Internet access). Then fill in the required fields (agent name, server FQDN, administrator login/password) and click OK.

Figure 16. Automatic installation of the ISE agent

7) To install the Cisco ISE agent manually, choose the Register Existing Agent option. By the way, you can download the agent on the tab Work Centers → PassiveID → Providers → Agents → Download Agent.

Figure 17. Downloading the ISE agent

Important: PassiveID does not read logoff events! The parameter responsible for session timeout is called user session aging time and equals 24 hours by default. So either make sure users log off at the end of the working day, or write some kind of script that will automatically log off all users.

For logoff information, "endpoint probes" are used. There are many endpoint probes in Cisco ISE: RADIUS, SNMP Trap, SNMP Query, DHCP, DNS, HTTP, Netflow, NMAP Scan. The RADIUS probe, using CoA (Change of Authorization) packets, provides information about changes to a user's rights (this requires 802.1X), and SNMP configured on the access switches provides information about connected and disconnected devices.

The following example is relevant to a Cisco ISE + AD setup without 802.1X and RADIUS: a user logged in on a Windows machine and, without logging off, logged in from another PC over WiFi. In this case the session on the first PC stays active until the timeout expires or a forced logoff occurs. And if the devices have different rights, the last device will use its rights.
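A small model of the PassiveID behaviour described above (login events only, no logoff events, mappings that disappear only when the aging time expires), showing why the first PC keeps its user-to-IP mapping and what a shorter aging time or an end-of-day cleanup would change. This is an added example, not code from the article or from Cisco; the users, IP addresses, login times and the 8-hour alternative aging value are constructed.

```python
from datetime import datetime, timedelta

# Default "user session aging time" stated in the article: 24 hours.
DEFAULT_AGING = timedelta(hours=24)
# Constructed alternative for a cleanup that should not wait a full day.
SHORT_AGING = timedelta(hours=8)
# Constructed point in time: end of the working day.
END_OF_DAY = datetime(2023, 3, 1, 17, 0)

# Constructed login events as PassiveID would learn them from the DCs:
# (user, ip, login time). There are no logoff events, because PassiveID
# does not read them.
SAMPLE_LOGINS = [
    ("bob",   "10.0.1.20", datetime(2023, 3, 1, 8, 0)),   # wired desktop
    ("alice", "10.0.1.10", datetime(2023, 3, 1, 9, 0)),   # Windows PC, never logged off
    ("alice", "10.0.2.55", datetime(2023, 3, 1, 9, 30)),  # second PC over WiFi
]


def live_mappings(logins, now, aging=DEFAULT_AGING):
    """IP -> user table PassiveID would hold at `now`: a mapping stays until
    its login ages out, and on one IP the newest login wins."""
    table = {}
    for user, ip, ts in sorted(logins, key=lambda e: e[2]):
        if ts <= now < ts + aging:
            table[ip] = user
    return table


def users_on_several_ips(table):
    """Users the table currently ties to more than one IP at once, i.e. the
    situation from the article where both PCs are 'alice' for policy purposes."""
    by_user = {}
    for ip, user in table.items():
        by_user.setdefault(user, []).append(ip)
    return {u: sorted(ips) for u, ips in by_user.items() if len(ips) > 1}


def stale_sessions(logins, now, max_age):
    """Logins older than `max_age`: the entries an end-of-day cleanup script,
    as the article suggests, would terminate instead of waiting 24 hours."""
    return [(u, ip, ts) for u, ip, ts in logins if now - ts >= max_age]


if __name__ == "__main__":
    table = live_mappings(SAMPLE_LOGINS, END_OF_DAY)
    print("default aging:", table, users_on_several_ips(table))
    print("8h aging:", live_mappings(SAMPLE_LOGINS, END_OF_DAY, SHORT_AGING))
    print("stale at 17:00 with 8h limit:", stale_sessions(SAMPLE_LOGINS, END_OF_DAY, SHORT_AGING))
```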

8) Optionally, on the tab Administration → Identity Management → External Identity Sources → Active Directory → Groups → Add → Select Groups From Directory you can select the groups from AD that you want to use on ISE (in our case this was done in step 3, "Adding an LDAP server"). Choose Retrieve Groups → OK.

Figure 18 a). Pulling user groups from Active Directory

9) On the tab Work Centers → PassiveID → Overview → Dashboard you can observe the number of active sessions, the number of data sources, agents, and more.

Figure 19. Monitoring domain user activity

10) The Live Sessions tab shows the current sessions. The integration with AD is configured.

Figure 20. Active sessions of domain users

5. Conclusion

This article covered creating local users in Cisco ISE, adding an LDAP server, and integrating with Microsoft Active Directory. The next article will cover guest access, in a less lengthy guide format.

If you have questions on this topic or need help testing the product, contact us via the link.

Stay tuned for updates in our channels (Telegram, Facebook, VK, TS Solution Blog, Yandex Zen).

Source: www.habr.com
