Bari mu yi la'akari da aikace-aikacen yin amfani da Windows Active Directory + NPS (sabar 2 don tabbatar da haƙuri ga kuskure) + 802.1x misali don samun damar sarrafawa da amincin masu amfani - kwamfutocin yanki - na'urori. Kuna iya sanin ka'idar bisa ga ma'auni akan Wikipedia, a mahaɗin:
Tun da "ɗakin gwaje-gwaje" na yana iyakance a cikin albarkatun, ayyukan NPS da mai kula da yanki sun dace, amma ina ba da shawarar cewa har yanzu ku raba irin waɗannan ayyuka masu mahimmanci.
Ban san daidaitattun hanyoyin daidaita tsarin Windows NPS (manufofin ba), don haka za mu yi amfani da rubutun PowerShell wanda mai tsara ɗawainiya ya ƙaddamar (marubuci tsohon abokin aikina ne). Don tantance kwamfutocin yanki da na'urorin da ba za su iya ba 802.1x (wayoyi, firinta, da sauransu), za a tsara manufofin rukuni kuma za a ƙirƙiri ƙungiyoyin tsaro.
A karshen labarin, zan gaya muku game da wasu daga cikin rikitattun aiki tare da 802.1x - yadda za ka iya amfani da unmanaged switches, dynamic ACLs, da dai sauransu. Zan raba bayanai game da "glitches" da aka kama. .
Bari mu fara da shigarwa da daidaitawa NPS gazawa akan Windows Server 2012R2 (komai iri ɗaya ne a cikin 2016): ta Manajan Sabar -> Ƙara Matsayi da Mayen Siffofin, zaɓi Sabar Manufofin Sadarwar Sadarwa kawai.
ko amfani da PowerShell:
Install-WindowsFeature NPAS -IncludeManagementToolsKaramin bayani - tun don Kariyar EAP (PEAP) tabbas za ku buƙaci takaddun shaida da ke tabbatar da sahihancin sabar (tare da haƙƙin da suka dace don amfani), wanda za a amince da su akan kwamfutocin abokin ciniki, to tabbas za ku buƙaci shigar da aikin. Hukumar Tantance Takaddun Shaida. Amma za mu ɗauka cewa CA kun riga kun shigar da shi...
Bari mu yi haka a kan uwar garken na biyu. Bari mu ƙirƙiri babban fayil don rubutun C: Rubutun akan sabobin biyu da babban fayil ɗin cibiyar sadarwa akan sabar ta biyu SRV2NPS-daidaita $
Bari mu ƙirƙiri rubutun PowerShell akan sabar farko C:ScriptsExport-NPS-config.ps1 tare da abun ciki mai zuwa:
Export-NpsConfiguration -Path "SRV2NPS-config$NPS.xml"Bayan haka, bari mu saita aikin a cikin Task Sheduler: "Export-NpsConfiguration"
powershell -executionpolicy unrestricted -f "C:ScriptsExport-NPS-config.ps1"
Gudu don duk masu amfani - Gudu tare da mafi girman haƙƙoƙi
Kullum - Maimaita aikin kowane minti 10. cikin 8 hours
A madadin NPS, saita shigo da sanyi (manufofin):
Bari mu ƙirƙiri rubutun PowerShell:
echo Import-NpsConfiguration -Path "c:NPS-configNPS.xml" >> C:ScriptsImport-NPS-config.ps1da aiki don aiwatar da shi kowane minti 10:
powershell -executionpolicy unrestricted -f "C:ScriptsImport-NPS-config.ps1"
Gudu don duk masu amfani - Gudu tare da mafi girman haƙƙoƙi
Kullum - Maimaita aikin kowane minti 10. cikin 8 hours
Yanzu, don bincika, bari mu ƙara zuwa NPS akan ɗayan sabar (!) Ma'aurata biyu a cikin abokan ciniki na RADIUS (IP da Sirrin Shared), manufofin buƙatun haɗin gwiwa guda biyu: WIRED-Haɗa (Sharadi: "Nau'in tashar tashar NAS shine Ethernet") da WiFi-Kasuwanci (Sharadi: "Nau'in tashar tashar tashar NAS shine IEEE 802.11"), da manufofin hanyar sadarwa Shiga Cisco Network Devices (Masu Gudanarwa):
Условия:
Группы Windows - domainsg-network-admins
Ограничения:
Методы проверки подлинности - Проверка открытым текстом (PAP, SPAP)
Параметры:
Атрибуты RADIUS: Стандарт - Service-Type - Login
Зависящие от поставщика - Cisco-AV-Pair - Cisco - shell:priv-lvl=15A bangaren sauya sheka, saituna masu zuwa:
aaa new-model
aaa local authentication attempts max-fail 5
!
!
aaa group server radius NPS
server-private 192.168.38.151 auth-port 1812 acct-port 1813 key %shared_secret%
server-private 192.168.10.151 auth-port 1812 acct-port 1813 key %shared_secret%
!
aaa authentication login default group NPS local
aaa authentication dot1x default group NPS
aaa authorization console
aaa authorization exec default group NPS local if-authenticated
aaa authorization network default group NPS
!
aaa session-id common
!
identity profile default
!
dot1x system-auth-control
!
!
line vty 0 4
exec-timeout 5 0
transport input ssh
escape-character 99
line vty 5 15
exec-timeout 5 0
logging synchronous
transport input ssh
escape-character 99Bayan daidaitawa, bayan mintuna 10, duk madaidaicin madaidaicin abokan ciniki yakamata su bayyana akan madadin NPS kuma zamu sami damar shiga cikin masu sauyawa ta amfani da asusun ActiveDirectory, memba na rukunin domainsg-network-admins (wanda muka ƙirƙiri a gaba).
Bari mu ci gaba zuwa kafa Active Directory - ƙirƙirar ƙungiyoyi da manufofin kalmar sirri, ƙirƙirar ƙungiyoyi masu mahimmanci.
Manufar Rukuni Kwamfuta-8021x-Saituna:
Computer Configuration (Enabled)
Policies
Windows Settings
Security Settings
System Services
Wired AutoConfig (Startup Mode: Automatic)
Wired Network (802.3) Policies
NPS-802-1
Name NPS-802-1x
Description 802.1x
Global Settings
SETTING VALUE
Use Windows wired LAN network services for clients Enabled
Shared user credentials for network authentication Enabled
Network Profile
Security Settings
Enable use of IEEE 802.1X authentication for network access Enabled
Enforce use of IEEE 802.1X authentication for network access Disabled
IEEE 802.1X Settings
Computer Authentication Computer only
Maximum Authentication Failures 10
Maximum EAPOL-Start Messages Sent
Held Period (seconds)
Start Period (seconds)
Authentication Period (seconds)
Network Authentication Method Properties
Authentication method Protected EAP (PEAP)
Validate server certificate Enabled
Connect to these servers
Do not prompt user to authorize new servers or trusted certification authorities Disabled
Enable fast reconnect Enabled
Disconnect if server does not present cryptobinding TLV Disabled
Enforce network access protection Disabled
Authentication Method Configuration
Authentication method Secured password (EAP-MSCHAP v2)
Automatically use my Windows logon name and password(and domain if any) Enabled
Mu kirkiro kungiyar tsaro sg-kwamfutoci-8021x-vl100, inda za mu ƙara kwamfutoci waɗanda muke son rarrabawa zuwa vlan 100 kuma mu tsara tacewa don manufofin ƙungiyar da aka ƙirƙira a baya don wannan rukunin:
Kuna iya tabbatar da cewa manufar ta yi aiki cikin nasara ta buɗe "Cibiyar Sadarwa da Rarraba (Network da Internet Saituna) - Canja saitunan adaftan (Hanyar da saitunan adaftan) - Abubuwan Adafta", inda zamu iya ganin shafin "Tabbaci":
Lokacin da ka gamsu cewa an yi amfani da manufar cikin nasara, za ka iya ci gaba da kafa manufofin cibiyar sadarwa akan NPS da samun dama ga tashoshin sauya matakin.
Mu kirkiro tsarin hanyar sadarwa neag-kwamfuta-8021x-vl100:
Conditions:
Windows Groups - sg-computers-8021x-vl100
NAS Port Type - Ethernet
Constraints:
Authentication Methods - Microsoft: Protected EAP (PEAP) - Unencrypted authentication (PAP, SPAP)
NAS Port Type - Ethernet
Settings:
Standard:
Framed-MTU 1344
TunnelMediumType 802 (includes all 802 media plus Ethernet canonical format)
TunnelPrivateGroupId 100
TunnelType Virtual LANs (VLAN)
Saitunan yau da kullun don tashar tashar sauyawa (lura cewa ana amfani da nau'in tantancewar "multi-domain" - Data & Voice, kuma akwai yuwuwar tantancewa ta adireshin mac. A lokacin “lokacin canji” yana da ma'ana don amfani a cikin sigogi:
authentication event fail action authorize vlan 100
authentication event no-response action authorize vlan 100
Vlan id ba shine “keɓewa” ba, amma ɗaya ne inda kwamfutar mai amfani ya kamata ta bi bayan shiga cikin nasara - har sai mun tabbatar cewa komai yana aiki kamar yadda ya kamata. Ana iya amfani da waɗannan sigogi iri ɗaya a cikin wasu yanayi, misali, lokacin da aka shigar da na'urar da ba a sarrafa ba a cikin wannan tashar jiragen ruwa kuma kuna son duk na'urorin da ke da alaƙa da ita waɗanda ba su wuce ingantacciyar hanyar shiga cikin wani takamaiman vlan ba ("keɓewa").
canza saitunan tashar jiragen ruwa a cikin yanayin 802.1x mai masaukin baki-yanayin yanki da yawa
default int range Gi1/0/39-41
int range Gi1/0/39-41
shu
des PC-IPhone_802.1x
switchport mode access
switchport nonegotiate
switchport voice vlan 55
switchport port-security maximum 2
authentication event fail action authorize vlan 100
authentication event no-response action authorize vlan 100
authentication host-mode multi-domain
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout quiet-period 15
dot1x timeout tx-period 3
storm-control broadcast level pps 100
storm-control multicast level pps 110
no vtp
lldp receive
lldp transmit
spanning-tree portfast
no shu
exitKuna iya tabbatar da cewa kwamfutarku da wayarku sun yi nasarar wucewa ta tabbatarwa tare da umarnin:
sh authentication sessions int Gi1/0/39 detYanzu bari mu ƙirƙiri rukuni (misali, sg-fgpp-mab ) a cikin Active Directory don wayoyi kuma ƙara na'ura guda ɗaya a gare ta don gwaji (a cikin akwati na Babban GXP2160 tare da mas address 000b.82ba.a7b1 da resp. asusu yankin 00b82baa7b1).
Ga ƙungiyar da aka ƙirƙira, za mu rage buƙatun manufofin kalmar sirri (ta amfani da via Active Directory Administrative Center -> yanki -> Tsarin -> Saitunan Saitunan Kalmar wucewa) tare da sigogi masu zuwa Kalmar wucewa-Saituna-don-MAB:
Don haka, za mu ƙyale amfani da manyan adireshi na na'ura azaman kalmomin shiga. Bayan wannan, za mu iya ƙirƙirar tsarin hanyar sadarwa don hanyar tabbatarwa ta 802.1x mab, bari mu kira shi neag-na'urori-8021x-murya. Ma'auni sune kamar haka:
- Nau'in tashar tashar NAS - Ethernet
- Rukunin Windows - sg-fgpp-mab
- Nau'in EAP: Tabbacin da ba a ɓoye (PAP, SPAP)
- Halayen RADIUS - Specific Dillali: Cisco - Cisco-AV-Pair - ƙimar sifa: na'urar-traffic-class = murya
Bayan ingantaccen tabbaci (kar a manta da saita tashar tashar sauyawa), bari mu kalli bayanin daga tashar jiragen ruwa:
sh Int Gi1/0/34
----------------------------------------
Interface: GigabitEthernet1/0/34
MAC Address: 000b.82ba.a7b1
IP Address: 172.29.31.89
User-Name: 000b82baa7b1
Status: Authz Success
Domain: VOICE
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0000000000000EB2000B8C5E
Acct Session ID: 0x00000134
Handle: 0xCE000EB3
Runnable methods list:
Method State
dot1x Failed over
mab Authc SuccessYanzu, kamar yadda aka alkawarta, bari mu kalli wasu yanayi guda biyu waɗanda ba a bayyane suke ba. Misali, muna buƙatar haɗa kwamfutocin masu amfani da na'urori ta hanyar sauyawa (canzawa) mara sarrafa. A wannan yanayin, saitunan tashar jiragen ruwa don ita za su yi kama da haka:
canza saitunan tashar jiragen ruwa a cikin yanayin 802.1x mai masaukin baki da yawa
interface GigabitEthernet1/0/1
description *SW – 802.1x – 8 mac*
shu
switchport mode access
switchport nonegotiate
switchport voice vlan 55
switchport port-security maximum 8 ! увеличиваем кол-во допустимых мас-адресов
authentication event fail action authorize vlan 100
authentication event no-response action authorize vlan 100
authentication host-mode multi-auth ! – режим аутентификации
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout quiet-period 15
dot1x timeout tx-period 3
storm-control broadcast level pps 100
storm-control multicast level pps 110
no vtp
spanning-tree portfast
no shuPS mun lura da wani baƙon abu mai ban mamaki - idan an haɗa na'urar ta irin wannan maɓalli, sannan kuma an haɗa ta cikin na'ura mai sarrafawa, to ba za ta yi aiki ba har sai mun sake kunna (!) na sauya. Ban sami wasu hanyoyi ba. don magance wannan matsala tukuna.
Wani batu mai alaƙa da DHCP (idan ana amfani da ip dhcp snooping) - ba tare da waɗannan zaɓuɓɓuka ba:
ip dhcp snooping vlan 1-100
no ip dhcp snooping information optionDon wasu dalilai ba zan iya samun adireshin IP daidai ba... ko da yake wannan yana iya zama fasalin sabar DHCP ɗin mu
Kuma Mac OS & Linux (waɗanda ke da goyon bayan 802.1x na asali) suna ƙoƙarin tantance mai amfani, koda an saita ingantaccen adireshin Mac.
A kashi na gaba na labarin, za mu dubi yin amfani da 802.1x don Wireless (dangane da rukunin da asusun mai amfani yake, za mu "jefa" a cikin hanyar sadarwar da ta dace (vlan), ko da yake za su haɗa zuwa. SSID guda).
source: www.habr.com