
1. Introduction
Every company, even the smallest, needs user authentication, authorization and accounting (the AAA family of protocols). At a basic level, AAA is implemented quite well with protocols such as RADIUS, TACACS+ and DIAMETER. However, as the number of users in a company grows, so does the number of tasks: posture assessment of hosts and BYOD devices, multi-factor authentication, building multi-level access policies, and more.
For such tasks, the NAC (Network Access Control) class of solutions is a perfect fit. In this series of articles dedicated to Cisco ISE (Identity Services Engine), a NAC solution that provides context-aware access control for users on the internal network, we will take a detailed look at the architecture, deployment, configuration and licensing of the solution.
Let me briefly remind you that Cisco ISE allows you to:
Quickly and easily create guest access on a dedicated WLAN;
Detect BYOD devices (for example, employees' home computers that they brought to work);
Build and enforce security policies for domain and non-domain users using Security Group Tags (SGT);
Check computers for the presence of certain installed software and for compliance with standards (posturing);
Classify and profile endpoints and network devices;
Provide endpoint visibility;
Send user logon/logoff event logs and their accounts (identities) to an NGFW to build user-based policies;
Integrate natively with Cisco StealthWatch and quarantine suspicious hosts involved in security incidents;
And other standard features of AAA servers.
Colleagues in the industry have already written about Cisco ISE, so I recommend reading their articles as well.
2. Architecture
The Identity Services Engine architecture consists of 4 entities (nodes): the administration node (Policy Administration Node), the policy service node (Policy Service Node), the monitoring node (Monitoring Node) and the PxGrid node (PxGrid Node). Cisco ISE can be run as a standalone or a distributed installation. In the Standalone version, all entities reside on one virtual machine or physical server (Secure Network Server, SNS), while in the Distributed version the nodes are spread across different devices.
The Policy Administration Node (PAN) is a mandatory node that allows you to perform all administrative operations on Cisco ISE. It manages all system settings related to AAA. In a distributed configuration (nodes can be installed as separate virtual machines), you can have a maximum of two PANs for fault tolerance, in Active/Standby mode.
The Policy Service Node (PSN) is a mandatory node that provides network access, posture, guest access, client provisioning and profiling. The PSN evaluates policies and applies them. Typically several PSNs are installed, especially in a distributed configuration, for greater performance and load distribution. Naturally, these nodes are placed in different segments so that the ability to authenticate and authorize is not lost for even a second.
The Monitoring Node (MnT) is a mandatory node that stores logs, the logs of the other nodes and the policies on the network. The MnT node provides advanced tools for monitoring and troubleshooting, collects and aggregates various data, and produces meaningful reports. Cisco ISE allows a maximum of two MnT nodes, which provides fault tolerance in Active/Standby mode. Note that logs are collected by both nodes, the active and the passive one.
The PxGrid Node (PXG) is a node that uses the PxGrid protocol and enables communication between other devices that support PxGrid.
Cisco pxGrid is a protocol that provides integration of IT and information security products from different vendors: monitoring systems, intrusion detection and prevention systems, security policy management platforms and other solutions. Cisco PxGrid allows you to share context unidirectionally or bidirectionally with many platforms without the need for APIs, thereby enabling the use of security group tags (SGT), changing and applying ANC (Adaptive Network Control) policies, and profiling, that is, determining the device model, OS, location and more.
In a high-availability configuration, PxGrid nodes replicate information between nodes through the PAN. If the PAN goes down, the PxGrid node stops authenticating, authorizing and accounting users.
Below is a schematic representation of how the different Cisco ISE entities operate in a corporate network.
Figure 1. Cisco ISE Architecture
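The persona rules above (PAN, PSN and MnT mandatory; at most two PAN and two MnT in Active/Standby; pxGrid depending on a reachable PAN) can be checked before a distributed deployment is built. The following Python is an added example written for this article, not code from Cisco or the original post; the node names, the persona labels and the "AAA survives while any PSN is up" simplification are assumptions of the example.

```python
from dataclasses import dataclass

# Personas (node roles) described in the architecture section.
PERSONAS = {"PAN", "PSN", "MnT", "PXG"}


@dataclass
class Node:
    name: str
    personas: set
    up: bool = True  # constructed state: is the host currently reachable?


def validate_deployment(nodes):
    """Check a planned deployment against the article's cardinality rules.
    Returns a list of problems; an empty list means the plan is valid."""
    problems = []
    count = {p: sum(p in n.personas for n in nodes) for p in PERSONAS}
    for n in nodes:
        unknown = n.personas - PERSONAS
        if unknown:
            problems.append(f"{n.name}: unknown persona(s) {sorted(unknown)}")
    for mandatory in ("PAN", "PSN", "MnT"):
        if count[mandatory] == 0:
            problems.append(f"no {mandatory} node; it is mandatory")
    for limited in ("PAN", "MnT"):
        if count[limited] > 2:
            problems.append(f"{count[limited]} {limited} nodes; maximum is two (Active/Standby)")
    return problems


def is_standalone(nodes):
    """Standalone: a single node carrying every mandatory persona."""
    return len(nodes) == 1 and nodes[0].personas >= {"PAN", "PSN", "MnT"}


def service_state(nodes):
    """Derive what still works after an outage. Assumption: AAA continues
    while any PSN is up; pxGrid needs its own node AND a reachable PAN,
    because PxGrid nodes replicate through the PAN (see the text above)."""
    def any_up(persona):
        return any(persona in n.personas and n.up for n in nodes)

    pan_up = any_up("PAN")
    return {
        "administration": pan_up,
        "aaa": any_up("PSN"),
        "logging": any_up("MnT"),
        "pxgrid": any_up("PXG") and pan_up,
    }
```

Run `service_state` on a plan with both PANs marked down to see that pxGrid integration is lost even though the PxGrid host itself is still up.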
3. Requirements
Cisco ISE, like most modern solutions, can be deployed either virtually or physically as a separate server.
Physical appliances running Cisco ISE software are called SNS (Secure Network Server). They come in three models: SNS-3615, SNS-3655 and SNS-3695, for small, medium and large businesses respectively. Table 1 shows the SNS specifications.
Table 1. Comparison of SNS models by parameter

| Parameter | SNS 3615 (Small) | SNS 3655 (Medium) | SNS 3695 (Large) |
|---|---|---|---|
| Supported endpoints in a standalone deployment | 10000 | 25000 | 50000 |
| Supported endpoints per PSN | 10000 | 25000 | 100000 |
| CPU (Intel Xeon 2.10 GHz) | 8 cores | 12 cores | 12 cores |
| RAM | 32 GB (2 x 16 GB) | 96 GB (6 x 16 GB) | 256 GB (16 x 16 GB) |
| HDD | 1 x 600 GB | 4 x 600 GB | 8 x 600 GB |
| Hardware RAID | None | RAID 10, RAID controller present | RAID 10, RAID controller present |
| Network interfaces | 2 x 10Gbase-T, 4 x 1Gbase-T | 2 x 10Gbase-T, 4 x 1Gbase-T | 2 x 10Gbase-T, 4 x 1Gbase-T |
For virtual deployments, the supported hypervisors are VMware ESXi (VMware version 11 or later is recommended for ESXi 6.0), Microsoft Hyper-V and Linux KVM (RHEL 7.0). Resources should be roughly the same as in the table above, or greater. That said, the minimum virtual machine requirements for a small business are: 2 CPUs at 2.0 GHz or higher, 16 GB RAM and 200 GB HDD.
For further details on Cisco ISE deployment, refer to the official documentation.
4. Installation
Like most Cisco products, ISE can be tested in several ways:
- a cloud service with pre-built lab layouts (a Cisco account is required);
- requesting the software from Cisco (the partner channel). You open a case with the usual description: Product type [ISE], ISE Software [ise-2.7.0.356.SPA.x8664], ISE Patch [ise-patchbundle-2.7.0.356-Patch2-20071516.SPA.x8664];
- contacting any authorized partner to run a free pilot project.
1) After creating the virtual machine, if you requested an ISO file rather than an OVA template, a window opens in which ISE has to be installed. To do this, instead of a login and password, type "setup"!
Note: if you deployed ISE from an OVA template, the login credentials are admin/MyIseYPass2 (this and more is stated in the official guide).
Figure 2. Installing Cisco ISE
2) Then fill in the required fields such as IP address, DNS, NTP and so on.
Figure 3. Initializing Cisco ISE
3) After that the appliance reboots, and you can connect through the web interface using the IP address specified earlier.
Figure 4. Cisco ISE Web Interface
4) In the Administration > System > Deployment tab you can select which nodes (personas) are enabled on a given appliance. The PxGrid node is enabled here.
Figure 5. Cisco ISE Management Center
5) Then, in the Administration > System > Admin Access > Authentication tab, I recommend setting a password policy, the authentication method (certificate or password), the account expiration date and the other settings.
Figure 6. Setting the authentication type
Figure 7. Password policy settings
Figure 8. Setting account disabling after expiry
Figure 9. Setting account lockout
6) In the Administration > System > Admin Access > Administrators > Admin Users > Add tab you can create a new administrator.
Figure 10. Creating a local Cisco ISE administrator
7) The new administrator can be a member of a new group or of predefined groups. Administrator groups are managed in the same panel, in the Admin Groups tab. Table 2 summarizes the ISE administrator groups, their rights and roles.
Table 2. Cisco ISE administrator groups, access levels, permissions and restrictions

| Admin group name | Permissions | Restrictions |
|---|---|---|
| Customization Admin | Configure guest and sponsor portals, their administration and customization | Cannot change policies or view reports |
| Helpdesk Admin | Can view the main dashboard, all reports, alarms and troubleshooting flows | Cannot change, create or delete reports, alarms and authentication logs |
| Identity Admin | Manage users, privileges and roles; can view logs, reports and alarms | Cannot change policies or perform OS-level operations |
| MnT Admin | Full monitoring, reports, alarms, logs and their management | Cannot change any policies |
| Network Device Admin | Rights to create and change ISE objects; view logs, reports and the main dashboard | Cannot change policies or perform OS-level operations |
| Policy Admin | Full management of all policies; change profiles and settings; view reports | Cannot configure certificates or ISE objects |
| RBAC Admin | All settings in the Operations tab, ANC policy settings, report management | Cannot change policies other than ANC or perform OS-level operations |
| Super Admin | Rights to all settings, reporting and administration; can delete and change administrator credentials | Cannot change or delete a profile in the Super Admin group |
| System Admin | All settings in the Operations tab, system settings management, ANC policies, viewing reports | Cannot change policies other than ANC or perform OS-level operations |
| External RESTful Services (ERS) Admin | Full access to the Cisco ISE REST API | Only for authorization and management of local users, hosts and security groups (SG) |
| External RESTful Services (ERS) Operator | Read-only access to the Cisco ISE REST API | Only for authorization and management of local users, hosts and security groups (SG) |
Figure 11. Predefined Cisco ISE administrator groups
8) In the Authorization > Permissions > RBAC Policy tab you can edit the predefined rights.
Figure 12. Cisco ISE administrator profile settings
9) In the Administration > System > Settings tab all system settings are available (DNS, NTP, SMTP and so on). You can fill them in here if you skipped them during the initial setup of the appliance.
5. Conclusion
This concludes the first article. We discussed the relevance of the Cisco ISE NAC solution, its architecture, minimum requirements and deployment options, and the initial installation.
In the next article we will look at creating accounts, integrating with Microsoft Active Directory, and creating guest access.
If you have questions on this topic or need help testing the product, please get in touch.
Stay tuned to our channels for the latest news.
source: www.habr.com
