Implementing a secure remote access concept

Continuing the series of articles on organizing remote-access VPNs, I cannot help but share my experience of deploying an interesting secure VPN setup. One client came up with a non-trivial task (there are inventors in Russian villages too), but the challenge was accepted and implemented creatively. The result is an interesting concept with the following characteristics:

  1. Several layers of protection against substitution of the terminal device (with strict binding to the user);
    • Trust assessment of the user's PC against the PC UDID authorized in the authentication database;
    • MFA using the PC UDID taken from the certificate for secondary authentication via Cisco DUO (any SAML/RADIUS-compatible solution can be integrated);
  2. Multi-factor authentication:
    • User certificate with validation of its fields and an additional authentication against one of them;
    • Login (immutable, taken from the certificate) and password;
  3. Assessment of the connecting host's state (Posture)

Components used in the solution:

  • Cisco ASA (VPN gateway);
  • Cisco ISE (Authentication / Authorization / Accounting, Posture assessment, CA);
  • Cisco DUO (Multi-Factor Authentication) (any SAML/RADIUS-compatible solution can be integrated);
  • Cisco AnyConnect (multi-purpose agent for desktop and mobile OS);

Let's start with the client's requirements:

  1. The user, after Login/Password authentication, must be able to download the AnyConnect client from the VPN gateway; all required AnyConnect modules must be installed automatically according to the user's policy;
  2. The user must be able to obtain a certificate automatically (for one of the scenarios; the main scenario is manual issuance and loading onto the PC), but I implemented the automatic option for demonstration (it is never too late to remove it).
  3. Primary authentication must take place in several stages: first certificate authentication with analysis of the required fields and their values, then login/password, and at that point the username specified in the certificate's Common Name (CN) field must be inserted into the login window without the ability to edit it.
  4. It must be verified that the device being logged in from is the corporate laptop issued to the user for remote access, and nothing else. (Several options were implemented to satisfy this requirement)
  5. The state of the connecting device (at this stage, a PC) must be assessed against a whole table of client requirements (in short):
    • Files and their properties;
    • Registry entries;
    • OS patches from a given list (SCCM integration later);
    • Presence of an antivirus from a specific vendor with up-to-date signatures;
    • Activity of certain services;
    • Presence of certain installed programs;

First of all, I recommend watching the video demo of the implementation result on YouTube (5 minutes).

Now I propose to look at the implementation details that were not covered in the video.

Let's prepare the AnyConnect profile:

Earlier I gave an example of creating a profile (via the corresponding menu item in ASDM) in my article on setting up a VPN Load Balancing cluster. Now I want to point out separately the options we will need:

In the profile, we specify the VPN gateway and the profile name to be pushed to the end client.


Let's configure automatic certificate issuance from the profile side, specifying in particular the certificate parameters and, most importantly, the Initials (I) field, where the specific UDID value of the test machine was entered manually (the Unique Device Identifier generated by the Cisco AnyConnect client).


Here I would like to make a lyrical digression, since this article describes a concept: for demonstration purposes, the UDID for certificate issuance is entered into the Initials field of the AnyConnect profile. Of course, in real life, if you do it this way, all clients will receive a certificate with the same UDID in this field and nothing will work for them, since each of them needs the UDID of its own specific PC. Unfortunately, AnyConnect still does not support substituting the UDID into the certificate request fields via an environment variable, as it does, for example, with the %USER% macro.

It should be noted that the client (for this scenario) originally planned to issue certificates with the given UDID manually to such protected computers, which is not a problem. However, most of us like automation (well, it is certainly true for me =)).

And this is what I can offer in terms of automation. If AnyConnect cannot issue a certificate automatically by substituting the UDID, there is another way that requires a little creative thinking and skilled hands; I will describe the concept. First, let's look at how the AnyConnect agent generates the UDID on different operating systems:

  • Windows - SHA-256 hash of the concatenation of the DigitalProductID and Machine SID registry values
  • OSX - SHA-256 hash of the PlatformUUID
  • Linux - SHA-256 hash of the root partition UUID
  • Apple iOS - SHA-256 hash of the PlatformUUID
  • Android - see the documentation link

So, for the corporate Windows OS we create a script that locally computes the UDID from these known inputs and generates a certificate request with this UDID inserted into the required field. By the way, you can also use a machine certificate issued by AD (adding a second certificate-based authentication to the Multiple Certificate scheme).

Let's prepare the settings on the Cisco ASA side:

Let's create a TrustPoint for the ISE CA server, which will issue certificates to the clients. I will not cover the Key Chain import procedure; an example is described in my article on setting up a VPN Load Balancing cluster.

crypto ca trustpoint ISE-CA
 enrollment terminal
 crl configure

We configure the mapping to a Tunnel-Group by rules matching the fields of the certificate used for authentication. The AnyConnect profile we created in the previous step is also attached here. Note that I use the value SECUREBANK-RA to move users with an issued certificate into the tunnel group SECURE-BANK-VPN; this is the same value I put in the certificate request section of the AnyConnect profile.

tunnel-group-map enable rules
!
crypto ca certificate map OU-Map 6
 subject-name attr ou eq securebank-ra
!
webvpn
 anyconnect profiles SECUREBANK disk0:/securebank.xml
 certificate-group-map OU-Map 6 SECURE-BANK-VPN
!

Configure the authentication servers. In my case this is ISE for the first stage of authentication and DUO (RADIUS Proxy) as MFA.

! CISCO ISE
aaa-server ISE protocol radius
 authorize-only
 interim-accounting-update periodic 24
 dynamic-authorization
aaa-server ISE (inside) host 192.168.99.134
 key *****
!
! DUO RADIUS PROXY
aaa-server DUO protocol radius
aaa-server DUO (inside) host 192.168.99.136
 timeout 60
 key *****
 authentication-port 1812
 accounting-port 1813
 no mschapv2-capable
!

We create the group policies, tunnel groups and their auxiliary components:

The DefaultWEBVPNGroup tunnel group is used initially for downloading the AnyConnect VPN client and issuing a user certificate through the ASA's SCEP-Proxy function; for this we have the corresponding options enabled on the tunnel group itself, on the associated group policy AC-DOWNLOAD, and in the uploaded AnyConnect profile (fields for certificate issuance, etc.). In this group policy we also require the ISE Posture module to be downloaded.

The SECURE-BANK-VPN tunnel group is selected automatically by the client when it authenticates with the certificate issued in the previous step, since, according to the Certificate Map, the connection lands specifically on this tunnel group. The interesting options here are:

  • secondary-authentication-server-group DUO # Configure secondary authentication against the DUO server (RADIUS Proxy)
  • username-from-certificate CN # For primary authentication, the user login is taken from the CN field of the certificate
  • secondary-username-from-certificate I # For secondary authentication against the DUO server, the username is taken from the Initials (I) field of the certificate
  • pre-fill-username client # Pre-fill the username in the authentication window without the ability to change it
  • secondary-pre-fill-username client hide use-common-password push # Hide the login/password entry for the secondary DUO authentication and use the notification method (sms/push/phone), here push, to request confirmation instead of a password field

!
access-list posture-redirect extended permit tcp any host 72.163.1.80 
access-list posture-redirect extended deny ip any any
!
access-list VPN-Filter extended permit ip any any
!
ip local pool vpn-pool 192.168.100.33-192.168.100.63 mask 255.255.255.224
!
group-policy SECURE-BANK-VPN internal
group-policy SECURE-BANK-VPN attributes
 dns-server value 192.168.99.155 192.168.99.130
 vpn-filter value VPN-Filter
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelall
 default-domain value ashes.cc
 address-pools value vpn-pool
 webvpn
  anyconnect ssl dtls enable
  anyconnect mtu 1300
  anyconnect keep-installer installed
  anyconnect ssl keepalive 20
  anyconnect ssl rekey time none
  anyconnect ssl rekey method ssl
  anyconnect dpd-interval client 30
  anyconnect dpd-interval gateway 30
  anyconnect ssl compression lzs
  anyconnect dtls compression lzs
  anyconnect modules value iseposture
  anyconnect profiles value SECUREBANK type user
!
group-policy AC-DOWNLOAD internal
group-policy AC-DOWNLOAD attributes
 dns-server value 192.168.99.155 192.168.99.130
 vpn-filter value VPN-Filter
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelall
 default-domain value ashes.cc
 address-pools value vpn-pool
 scep-forwarding-url value http://ise.ashes.cc:9090/auth/caservice/pkiclient.exe
 webvpn
  anyconnect ssl dtls enable
  anyconnect mtu 1300
  anyconnect keep-installer installed
  anyconnect ssl keepalive 20
  anyconnect ssl rekey time none
  anyconnect ssl rekey method ssl
  anyconnect dpd-interval client 30
  anyconnect dpd-interval gateway 30
  anyconnect ssl compression lzs
  anyconnect dtls compression lzs
  anyconnect modules value iseposture
  anyconnect profiles value SECUREBANK type user
!
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool vpn-pool
 authentication-server-group ISE
 accounting-server-group ISE
 default-group-policy AC-DOWNLOAD
 scep-enrollment enable
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication aaa certificate
!
tunnel-group SECURE-BANK-VPN type remote-access
tunnel-group SECURE-BANK-VPN general-attributes
 address-pool vpn-pool
 authentication-server-group ISE
 secondary-authentication-server-group DUO
 accounting-server-group ISE
 default-group-policy SECURE-BANK-VPN
 username-from-certificate CN
 secondary-username-from-certificate I
tunnel-group SECURE-BANK-VPN webvpn-attributes
 authentication aaa certificate
 pre-fill-username client
 secondary-pre-fill-username client hide use-common-password push
 group-alias SECURE-BANK-VPN enable
 dns-group ASHES-DNS
!

Next we move on to ISE:

We configure a local user (you can use AD/LDAP/ODBC, etc.); for simplicity I created a local user in ISE itself and put into its description field the UDID of the PC from which it is allowed to log in via VPN. With local authentication on ISE I am limited to only one device, since there are no additional fields, but with a third-party authentication database I would not have that restriction.


Let's look at the authorization policy; it is divided into four connection stages:

  • Stage 1 - Policy for downloading the AnyConnect agent and issuing a certificate
  • Stage 2 - Primary authentication policy: Login (from the certificate)/Password + certificate with a valid UDID
  • Stage 3 - Secondary authentication via Cisco DUO (MFA) using the UDID as the username + Posture assessment
  • Stage 4 - Final authorization in the state:
    • Compliant;
    • Validated UDID (from the certificate + binding to the login);
    • Cisco DUO MFA passed;
    • Authenticated by login;
    • Authenticated by certificate;


Let's look at the interesting condition UUID_VALIDATED; it checks that the user is really connecting from the PC whose UDID is allowed in the account's description field. The conditions are as follows.
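To make the UUID_VALIDATED condition and the four stages concrete, here is an added Python model of the check (example code written for this article, not ISE's policy engine and not from the original post); the Cisco-AV-PAIR attribute name, the sample UDID and the session fields are constructed assumptions.

```python
import hashlib
import re

# Constructed sample UDID: a 64-hex SHA-256 digest, the shape AnyConnect reports.
# The real Windows UDID is derived from DigitalProductID + Machine SID, but the
# exact byte layout is not documented here, so this is only a stand-in value.
SAMPLE_UDID = hashlib.sha256(b"constructed: DigitalProductId + MachineSID").hexdigest().upper()

def parse_subject(subject):
    """Split 'CN=...,OU=...,I=...' into a dict keyed by attribute name (upper-case)."""
    parts = (p.split("=", 1) for p in subject.split(",") if "=" in p)
    return {k.strip().upper(): v.strip() for k, v in parts}

def acidex_udid(av_pairs):
    """Pull the device UDID out of the Cisco-AV-PAIR list sent by ACIDEX.
    The 'mdm-tlv=device-uid=' form is an assumption; verify it against the
    session details shown in ISE."""
    for pair in av_pairs:
        m = re.fullmatch(r"mdm-tlv=device-uid=([0-9A-Fa-f]{64})", pair)
        if m:
            return m.group(1).upper()
    return None

def uuid_validated(subject, av_pairs, description):
    """UUID_VALIDATED: the Initials (I) field of the certificate, the UDID the
    agent reports via ACIDEX and the UDID stored in the account description
    must all be the same value."""
    cert_udid = subject.get("I", "").upper()
    return bool(cert_udid) and cert_udid == acidex_udid(av_pairs) == description.strip().upper()

def authorize(session):
    """Walk the four stages and return (stage reached, decision)."""
    subj = parse_subject(session["subject"])
    # Certificate map: OU=SECUREBANK-RA lands on SECURE-BANK-VPN, anything else on DefaultWEBVPNGroup.
    stage = 2 if subj.get("OU", "").lower() == "securebank-ra" else 1
    if not session["password_ok"]:
        return stage, "REJECT"                # login/password fails in either group
    if stage == 1:
        return 1, "AC-DOWNLOAD"               # download AnyConnect, enroll via SCEP proxy
    if not uuid_validated(subj, session["av_pairs"], session["description"]):
        return 2, "REJECT"                    # certificate not bound to the allowed PC
    if not session["duo_ok"]:                 # DUO username is subj["I"], i.e. the UDID
        return 3, "REJECT"
    if session["posture"] != "Compliant":
        return 3, "POSTURE-REDIRECT"          # hold in the posture-redirect profile
    return 4, "PERMIT"
```

Swapping only the ACIDEX-reported UDID (a valid certificate copied to another machine) fails at stage 2, which is the device-binding property the whole scheme relies on.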


The authorization profile used in stages 1, 2 and 3 looks like this.


You can check exactly how the UDID arrives from the AnyConnect client by looking at the client's session details in ISE. There we will see that AnyConnect, through the ACIDEX mechanism, sends not only information about the platform but also the device UDID as a Cisco-AV-PAIR.


Let's pay attention to the certificate issued to the user and its Initials (I) field, which is used as the login for the secondary MFA authentication on Cisco DUO.


On the DUO RADIUS Proxy side, the log shows the authentication request arriving with the UDID as the username.


In the DUO portal we see the successful authentication.


And in the user's properties I have an ALIAS configured, which is what I used as the login; accordingly, this is the UDID of the PC allowed to log in.


As a result we get:

  • Multi-factor authentication of the user and a trusted device;
  • Protection against leakage of the user's device (credentials cannot be reused from another machine);
  • Assessment of the device's state;
  • Potential extension of the controls with a domain machine certificate, etc.;
  • Comprehensive protection of the remote workplace with automatically deployed security tools;

Links to the series of articles on Cisco VPN:

source: www.habr.com
