Let's look at using Windows Active Directory + NPS (two servers, for fault tolerance) + the 802.1x standard for access control and authentication of users, domain computers and devices. You can read up on the theory of the standard on Wikipedia.
Because my "lab" is limited in resources, the NPS and domain controller roles are combined on the same machines, but I recommend that you keep such critical services separate.
I don't know of any standard way to synchronize Windows NPS settings (policies), so we'll use PowerShell scripts run by Task Scheduler (their author is my former colleague). For authenticating domain computers, and for devices that can't do 802.1x (phones, printers, etc.), group policies will be configured and security groups created.
At the end of the article I'll describe some of the non-obvious aspects of working with 802.1x: how to deal with unmanaged switches, dynamic ACLs and so on.
Let's start by installing and configuring the failover NPS on Windows Server 2012 R2 (everything is the same on 2016): in Server Manager -> Add Roles and Features Wizard, simply select Network Policy Server,
or use PowerShell:
Install-WindowsFeature NPAS -IncludeManagementTools
A small digression: for Protected EAP (PEAP) you need a certificate that proves the server's identity (issued for the Server Authentication purpose) and is trusted by the client computers, so you will most likely also need to install the Certification Authority role. But let's assume you already have a CA installed...
Let's do the same on the second server. Create a folder C:\Scripts for the scripts on both servers and a network share NPS-config$ on the second server (SRV2).
Create a PowerShell script C:\Scripts\Export-NPS-config.ps1 on the first server with the following content:
Export-NpsConfiguration -Path "\\SRV2\NPS-config$\NPS.xml"
After that, create a task in Task Scheduler named "Export-NpsConfiguration" that runs:
powershell -executionpolicy unrestricted -f "C:\Scripts\Export-NPS-config.ps1"
Run whether user is logged on or not; Run with highest privileges
Trigger: Daily, repeat task every 10 minutes for a duration of 8 hours (set the duration to Indefinitely if the sync should run round the clock)
Note that the exported XML contains the RADIUS shared secrets in clear text, so restrict the NPS-config$ share (and the folder behind it) to the accounts that run the two tasks.
On the backup NPS, configure the import of the configuration (policies):
Create a PowerShell script (c:\NPS-config is the local folder behind the NPS-config$ share):
echo Import-NpsConfiguration -Path "c:\NPS-config\NPS.xml" >> C:\Scripts\Import-NPS-config.ps1
and a task that runs it every 10 minutes:
powershell -executionpolicy unrestricted -f "C:\Scripts\Import-NPS-config.ps1"
Run whether user is logged on or not; Run with highest privileges
Trigger: Daily, repeat task every 10 minutes for a duration of 8 hours
Now, to check the replication, add on one of the servers (!) two switches as RADIUS clients (IP address and shared secret), two connection request policies: WIRED-Connect (condition: NAS Port Type is Ethernet) and WiFi-Enterprise (condition: NAS Port Type is IEEE 802.11), and a network policy Access to Cisco Network Devices (Network Admins):
Conditions:
Windows Groups - domain\sg-network-admins
Constraints:
Authentication Methods - Unencrypted authentication (PAP, SPAP)
Settings:
RADIUS Attributes: Standard - Service-Type - Login
Vendor Specific - Cisco-AV-Pair - Cisco - shell:priv-lvl=15
PAP is required here because IOS login authentication sends the password to RADIUS as PAP; the admin's AD password is then protected only by the RADIUS shared-secret obfuscation, so use a long random secret and keep the switch-to-NPS traffic on the management network.
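The two scheduled tasks above and the RADIUS client registration can be scripted instead of clicked through. The following is an added example written for this article, not the scripts the article's author used; it assumes the backup NPS is named SRV2, that its hidden share NPS-config$ maps to C:\NPS-config, and that the switch names, addresses and secret in the usage comments are placeholders. Module names and cmdlets (NPS, ScheduledTasks) are the ones shipped with Windows Server.

```powershell
#Requires -RunAsAdministrator
# Added example (not the article's scripts). Assumptions: backup NPS = SRV2,
# share \\SRV2\NPS-config$ = C:\NPS-config on SRV2; the primary runs the export,
# the backup runs the import; both tasks run as SYSTEM.
Import-Module NPS

# --- primary NPS: export the whole configuration to the backup's share ---------
function Export-NpsConfigToShare {
    param(
        [string]$SharePath = '\\SRV2\NPS-config$',
        [string]$FileName  = 'NPS.xml'
    )
    $tmp    = Join-Path $SharePath "$FileName.tmp"
    $target = Join-Path $SharePath $FileName
    # The XML holds RADIUS shared secrets in clear text: the share ACL should
    # allow only the two NPS computer accounts (SYSTEM writes as SRV1$).
    Remove-Item -Path $tmp -Force -ErrorAction SilentlyContinue
    Export-NpsConfiguration -Path $tmp
    # Write-then-rename, so the importer never reads a half-written file.
    Move-Item -Path $tmp -Destination $target -Force
    return $target
}

# --- backup NPS: import only when the file actually changed --------------------
function Import-NpsConfigIfChanged {
    param(
        [string]$Path  = 'C:\NPS-config\NPS.xml',
        [string]$Stamp = 'C:\NPS-config\last-import.txt'
    )
    if (-not (Test-Path $Path)) { return $false }
    $current = (Get-Item $Path).LastWriteTimeUtc.Ticks.ToString()
    if ((Test-Path $Stamp) -and ((Get-Content $Stamp -Raw).Trim() -eq $current)) {
        return $false   # unchanged since the last import, nothing to do
    }
    # Import-NpsConfiguration replaces the whole local configuration, including
    # RADIUS clients and their secrets, with the contents of the file.
    Import-NpsConfiguration -Path $Path
    Set-Content -Path $Stamp -Value $current
    return $true
}

# --- both servers: the scheduled task the article configures by hand -----------
function Register-NpsSyncTask {
    param(
        [Parameter(Mandatory)][string]$TaskName,
        [Parameter(Mandatory)][string]$ScriptPath
    )
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    # Every 10 minutes, and (unlike the article's 8-hour window) all day long.
    $trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date).Date `
                   -RepetitionInterval (New-TimeSpan -Minutes 10) `
                   -RepetitionDuration (New-TimeSpan -Days 3650)
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
                   -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action `
        -Trigger $trigger -Principal $principal -Force | Out-Null
}

# --- primary NPS: register a switch as a RADIUS client -------------------------
function Add-SwitchRadiusClient {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][string]$SharedSecret
    )
    # The same secret goes into "server-private <ip> ... key" on the switch.
    New-NpsRadiusClient -Name $Name -Address $Address -SharedSecret $SharedSecret `
        -Enabled $true | Out-Null
}

# Usage (switch name, address and secret are placeholders, not from the article):
# On SRV1:  Add-SwitchRadiusClient -Name 'sw-access-1' -Address '192.0.2.10' -SharedSecret 'replace-me'
#           Register-NpsSyncTask -TaskName 'Export-NpsConfiguration' -ScriptPath 'C:\Scripts\Export-NPS-config.ps1'
# On SRV2:  Register-NpsSyncTask -TaskName 'Import-NpsConfiguration' -ScriptPath 'C:\Scripts\Import-NPS-config.ps1'
# where the two .ps1 files call Export-NpsConfigToShare / Import-NpsConfigIfChanged.
```

Because the tasks run as SYSTEM, the export reaches the share as the computer account SRV1$, so that account (and not a user) needs Modify rights on NPS-config$. The change-stamp in the importer avoids re-importing an identical file every 10 minutes, which matters because an import replaces the backup's entire NPS configuration.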
On the switch side the settings are as follows:
aaa new-model
aaa local authentication attempts max-fail 5
!
!
aaa group server radius NPS
server-private 192.168.38.151 auth-port 1812 acct-port 1813 key %shared_secret%
server-private 192.168.10.151 auth-port 1812 acct-port 1813 key %shared_secret%
!
aaa authentication login default group NPS local
aaa authentication dot1x default group NPS
aaa authorization console
aaa authorization exec default group NPS local if-authenticated
aaa authorization network default group NPS
!
aaa session-id common
!
identity profile default
!
dot1x system-auth-control
!
!
line vty 0 4
exec-timeout 5 0
transport input ssh
escape-character 99
line vty 5 15
exec-timeout 5 0
logging synchronous
transport input ssh
escape-character 99
Within 10 minutes of this, all RADIUS clients and policies also appear on the backup NPS, and we can log in to the switches with an Active Directory account that is a member of the group domain\sg-network-admins (which we created beforehand).
Let's move on to configuring Active Directory: creating the group policy and password policy and the required groups.
Group Policy Computers-8021x-Settings:
Computer Configuration (Enabled)
Policies
Windows Settings
Security Settings
System Services
Wired AutoConfig (Startup Mode: Automatic)
Wired Network (802.3) Policies
NPS-802-1x
Name NPS-802-1x
Description 802.1x
Global Settings
SETTING VALUE
Use Windows wired LAN network services for clients Enabled
Shared user credentials for network authentication Enabled
Network Profile
Security Settings
Enable use of IEEE 802.1X authentication for network access Enabled
Enforce use of IEEE 802.1X authentication for network access Disabled
IEEE 802.1X Settings
Computer Authentication Computer only
Maximum Authentication Failures 10
Maximum EAPOL-Start Messages Sent
Held Period (seconds)
Start Period (seconds)
Authentication Period (seconds)
Network Authentication Method Properties
Authentication method Protected EAP (PEAP)
Validate server certificate Enabled
Connect to these servers
Do not prompt user to authorize new servers or trusted certification authorities Disabled
Enable fast reconnect Enabled
Disconnect if server does not present cryptobinding TLV Disabled
Enforce network access protection Disabled
Authentication Method Configuration
Authentication method Secured password (EAP-MSCHAP v2)
Automatically use my Windows logon name and password(and domain if any) Enabled
Let's create a security group sg-computers-8021x-vl100, to which we'll add the computers we want to put into VLAN 100, and set up security filtering of the group policy created above for this group:
You can verify that the policy was applied by opening Network and Sharing Center (Network and Internet Settings) - Change adapter settings - adapter Properties, where the "Authentication" tab should now be visible:
Once you're sure the policy has been applied successfully, you can move on to configuring the network policy on NPS and the switch ports.
Let's create a network policy neag-computers-8021x-vl100:
Conditions:
Windows Groups - sg-computers-8021x-vl100
NAS Port Type - Ethernet
Constraints:
Authentication Methods - Microsoft: Protected EAP (PEAP) - Unencrypted authentication (PAP, SPAP)
NAS Port Type - Ethernet
Settings:
Standard:
Framed-MTU 1344
TunnelMediumType 802 (includes all 802 media plus Ethernet canonical format)
TunnelPrivateGroupId 100
TunnelType Virtual LANs (VLAN)
Typical settings for a switch port (note that the "multi-domain" authentication mode is used, i.e. Data & Voice, and authentication by MAC address is also enabled). During the "transition period" it makes sense to use the parameters:
authentication event fail action authorize vlan 100
authentication event no-response action authorize vlan 100
Here VLAN 100 is not a "quarantine" VLAN but the one the user's computer lands in after a successful logon, so until we're sure everything works as it should, a device that fails or doesn't answer 802.1x still gets the production VLAN (deliberately fail-open; point these at a restricted VLAN once the rollout is done). The same parameters can be used in other scenarios, for example when an unmanaged switch is plugged into this port and you want all devices behind it that failed authentication to land in a specific ("quarantine") VLAN.
Switch port settings in 802.1x host-mode multi-domain:
default interface range Gi1/0/39-41
interface range Gi1/0/39-41
shutdown
description PC-IPhone_802.1x
switchport mode access
switchport nonegotiate
switchport voice vlan 55
switchport port-security maximum 2
authentication event fail action authorize vlan 100
authentication event no-response action authorize vlan 100
authentication host-mode multi-domain
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout quiet-period 15
dot1x timeout tx-period 3
storm-control broadcast level pps 100
storm-control multicast level pps 110
no vtp
lldp receive
lldp transmit
spanning-tree portfast
no shutdown
exit
You can verify that your computer and phone have authenticated successfully with the command:
sh authentication sessions int Gi1/0/39 det
Now let's create a group (for example sg-fgpp-mab) in Active Directory for the phones and add one device to it for testing (in my case a Grandstream GXP2160 with MAC address 000b.82ba.a7b1 and, accordingly, the account name 000b82baa7b1).
For this group we'll relax the password policy requirements (using a fine-grained password policy, hence the "fgpp" in the group name), so that the MAC address can be used as the password. After that we can create a network policy for the 802.1x MAB (MAC Authentication Bypass) method; let's call it neag-devices-8021x-voice. Its conditions and constraints:
- NAS Port Type – Ethernet
- Windows Groups – sg-fgpp-mab
- Authentication Methods – Unencrypted authentication (PAP, SPAP)
- RADIUS Attributes - Vendor Specific: Cisco - Cisco-AV-Pair - Attribute value: device-traffic-class=voice
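The AD side of the MAB setup (group, fine-grained password policy, one account per device named after its MAC) is easy to get subtly wrong by hand, for instance by typing the account name with a missing digit. The following is an added example, not the article's own procedure; the policy name fgpp-mab, the OU paths and the lockout/age values are assumptions, and the group name sg-fgpp-mab and MAC 000b.82ba.a7b1 are taken from the text above.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the article). Creates the AD objects for MAB: the group
# sg-fgpp-mab, a fine-grained password policy for it (name fgpp-mab is assumed) and
# device accounts whose name and password are both the MAC, e.g. 000b.82ba.a7b1 -> 000b82baa7b1.
Import-Module ActiveDirectory

function ConvertTo-MabAccountName {
    param([Parameter(Mandatory)][string]$Mac)
    # Accept 000b.82ba.a7b1, 00:0b:82:ba:a7:b1 or 00-0B-82-BA-A7-B1. NPS matches the
    # User-Name exactly as the switch sends it: 12 lowercase hex digits, as in the
    # "show authentication sessions" output in the article.
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToLower()
    if ($hex.Length -ne 12) { throw "'$Mac' is not a MAC address" }
    return $hex
}

function New-MabGroupAndPolicy {
    param(
        [string]$Group      = 'sg-fgpp-mab',
        [string]$PolicyName = 'fgpp-mab',
        [string]$GroupPath                    # e.g. 'OU=Groups,DC=domain,DC=local' (assumed)
    )
    $groupParams = @{ Name = $Group; GroupScope = 'Global'; GroupCategory = 'Security'
                      Description = 'Devices authenticated by MAC Authentication Bypass' }
    if ($GroupPath) { $groupParams.Path = $GroupPath }
    New-ADGroup @groupParams
    # The "password" is 12 hex digits and never changes, so complexity, history and
    # expiry cannot apply. Lockout is pointless for MAB (the switch itself supplies
    # MAC as both user name and password, so it never sends a wrong password) and
    # would only let someone lock a phone out; it is therefore disabled here.
    New-ADFineGrainedPasswordPolicy -Name $PolicyName -Precedence 10 `
        -ComplexityEnabled $false -MinPasswordLength 12 -PasswordHistoryCount 0 `
        -MinPasswordAge '0.00:00:00' -MaxPasswordAge '3650.00:00:00' `
        -LockoutThreshold 0 -LockoutDuration '0.00:30:00' -LockoutObservationWindow '0.00:30:00' `
        -ReversibleEncryptionEnabled $false   # NPS validates PAP against the NT hash
    Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $Group
}

function New-MabDeviceAccount {
    param(
        [Parameter(Mandatory)][string]$Mac,
        [string]$Group = 'sg-fgpp-mab',
        [string]$Path,                        # OU for device accounts (assumed)
        [string]$Description = 'MAB device'
    )
    $name = ConvertTo-MabAccountName $Mac
    $pwd  = ConvertTo-SecureString $name -AsPlainText -Force
    $userParams = @{
        Name = $name; SamAccountName = $name; AccountPassword = $pwd; Enabled = $true
        PasswordNeverExpires = $true; CannotChangePassword = $true
        Description = "$Description ($Mac)"
    }
    if ($Path) { $userParams.Path = $Path }
    New-ADUser @userParams
    Add-ADGroupMember -Identity $Group -Members $name
    return $name
}

# Usage:
# New-MabGroupAndPolicy
# New-MabDeviceAccount -Mac '000b.82ba.a7b1' -Description 'Grandstream GXP2160'   # -> 000b82baa7b1
```

Keep in mind what these accounts are worth: MAB is only as strong as the MAC address, and anyone who can read it off the wire can present it, so the accounts should be granted nothing beyond what the neag-devices-8021x-voice policy hands out (no interactive logon, no group memberships other than sg-fgpp-mab).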
After a successful attempt (don't forget to configure the switch port), let's look at the session information on the port:
sh authentication sessions int Gi1/0/34
----------------------------------------
Interface: GigabitEthernet1/0/34
MAC Address: 000b.82ba.a7b1
IP Address: 172.29.31.89
User-Name: 000b82baa7b1
Status: Authz Success
Domain: VOICE
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0000000000000EB2000B8C5E
Acct Session ID: 0x00000134
Handle: 0xCE000EB3
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
Now, as promised, let's look at a couple of not entirely obvious situations. For example, we need to connect users' computers and devices through an unmanaged switch. In that case the port settings for it look like this:
Switch port settings in 802.1x host-mode multi-auth:
interface GigabitEthernet1/0/1
description *SW – 802.1x – 8 mac*
shutdown
switchport mode access
switchport nonegotiate
switchport voice vlan 55
switchport port-security maximum 8 ! raise the number of allowed MAC addresses
authentication event fail action authorize vlan 100
authentication event no-response action authorize vlan 100
authentication host-mode multi-auth ! authentication mode: each MAC authenticates separately
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout quiet-period 15
dot1x timeout tx-period 3
storm-control broadcast level pps 100
storm-control multicast level pps 110
no vtp
spanning-tree portfast
no shutdown
PS: we noticed another glitch: if a device was connected through such an unmanaged switch and is then plugged into a managed switch, it won't work until the switch is rebooted (!). Before resorting to a reboot, check whether the old port still holds a session or a port-security entry for that MAC (show authentication sessions, show port-security address).
Another point concerns DHCP (if ip dhcp snooping is used): without these options
ip dhcp snooping vlan 1-100
no ip dhcp snooping information option
for some reason I couldn't get an IP address correctly... though this may be a peculiarity of our DHCP server. The likely cause: with the information option enabled, the switch inserts DHCP option 82 into client requests while leaving giaddr at zero, and many DHCP servers discard such packets.
Also, Mac OS and Linux (which have native 802.1x support) try to authenticate the user even when the device is meant to be authenticated by MAC address.
In the next part of the article we'll look at using 802.1x for wireless: depending on the group the user belongs to, we'll "drop" them into the corresponding network (VLAN), even though they all connect to the same SSID.
Source: www.habr.com