Implementing the concept of secure remote access
Continuing the series of articles on organizing remote access via VPN, I cannot help but share my experience of an interesting deployment of a maximally secured VPN configuration. A non-trivial task was set by one customer (there are still ingenious folk in Russian villages), but the challenge was accepted and implemented. The result is an interesting concept with the following features:
Several factors of protection against substitution of the end device (with strict binding to the user);
Identification of the connecting user's PC by the UDID assigned to that PC, which must be allowed in the authentication database;
MFA using the PC UDID from the certificate for secondary authentication via Cisco DUO (any suitable SAML/RADIUS can be attached);
Authentication by several factors:
A user certificate with verification of its fields and secondary authentication against one of them;
Login (unchangeable, taken from the certificate) and password;
Assessment of the state of the connecting host (Posture)
Solution components used:
Cisco ASA (VPN Gateway);
Cisco ISE (Authentication / Authorization / Accounting, State Assessment, CA);
Cisco DUO (Multi-Factor Authentication) (any suitable SAML/RADIUS can be attached);
Cisco AnyConnect (multi-purpose agent for desktop and mobile OS);
Let's start with the customer's requirements:
The user, after Login/Password authentication, must be able to download the AnyConnect client from the VPN gateway; all required AnyConnect modules must be installed automatically according to the user's policy;
The user must be able to have a certificate issued automatically (for one of the scenarios; the main scenario is manual issuance and loading onto the PC), but I implemented automatic issuance for the demonstration (it does not take long to remove).
Basic authentication must be performed in several stages: first certificate authentication with a check of the required fields and their values, then login/password, where only the username specified in the Subject Name (CN) field of the certificate is substituted into the login window, with no ability to edit it.
It must be verified that the device the user is logging in from is the corporate laptop issued to that user for remote access, and not something else. (Several options were implemented to meet this requirement)
The state of the connecting device (at this stage, a PC) must be assessed against a large table of customer requirements (summarizing):
Files and their properties;
Registry entries;
OS patches from a given list (SCCM integration to be added later);
Presence of an antivirus from a specific vendor and currency of its signatures;
Activity of certain services;
Presence of certain installed programs;
To begin, I suggest you watch the video demonstration of the implemented result on YouTube (5 minutes).
Now I propose to go over the implementation details that are not covered in the video.
Let's prepare the AnyConnect profile:
I have already given an example of creating a profile (in terms of the menu item in ASDM) in my article on configuring a VPN Load Balancing Cluster. Now I want to separately note the options we will need:
In the profile we specify the VPN gateway and the profile name for connecting the end client:
We configure automatic certificate issuance from the profile side, specifying, in particular, the certificate parameters, and, characteristically, pay attention to the Initials (I) field, into which a specific value is entered manually: the UDID of the test machine (the Unique Device Identifier generated by the Cisco AnyConnect client).
Here I want to make a lyrical digression, since this article describes the concept: for demonstration purposes, the UDID for certificate issuance was entered into the Initials field of the AnyConnect profile. Of course, in real life, if you do this, all clients will receive a certificate with the same UDID in this field and nothing will work for them, because they need the UDID of their own specific PC. Unfortunately, AnyConnect does not yet implement substitution of the UDID field in the certificate request via an environment variable, as is done, for example, with the %USER% variable.
It is worth noting that the customer (of this scenario) initially planned to issue certificates independently, with the assigned UDID entered manually, to each such protected PC, and that is not a problem for them. However, most of us want automation (well, for me that is certainly true =)).
And here is what I can offer in terms of automation. If AnyConnect is not yet able to issue a certificate automatically by substituting the UDID, then there is another way that requires some creative thinking and skilled hands; I will describe the idea. First, let's look at how the UDID is generated on different operating systems by the AnyConnect agent:
Windows — SHA-256 hash of the combination of the DigitalProductID registry key and the Machine SID
Therefore, we create a script for our corporate Windows OS; with this script we locally compute the UDID from the known inputs and form a request for certificate issuance, entering this UDID into the required field. By the way, you can use a machine certificate issued by AD here (adding certificate-based double authentication to the scheme).
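As an added illustration of the script described above (this is my own example, not the article's script and not Cisco's UDID code), the PowerShell below reads the two inputs the article names, the DigitalProductId registry value and the machine SID, hashes them with SHA-256, and builds a PKCS#10 request with certreq that places the login in CN and the computed value in the Initials (I) attribute, matching the `username-from-certificate CN` / `secondary-username-from-certificate I` settings on the ASA. Two things are assumptions, not facts from the article: the exact way AnyConnect combines the two inputs (here: raw DigitalProductId bytes followed by the UTF-8 SID string), and that SECUREBANK-RA is carried in the OU attribute; the article shows that field only in a screenshot.

```powershell
# Added example, not the article's own script. Assumptions (see lead-in):
#  - "combination" = DigitalProductId bytes + UTF-8 bytes of the machine SID, in that order;
#  - the certificate-map value SECUREBANK-RA is carried in OU.
# Compare the output with the UDID shown by the AnyConnect client before using it in production.
$ErrorActionPreference = 'Stop'

function Get-MachineSid {
    # The machine SID is the SID of any local account with its final RID stripped.
    $acct = Get-CimInstance Win32_UserAccount -Filter "LocalAccount = TRUE" | Select-Object -First 1
    return ($acct.SID -replace '-\d+$', '')
}

function Get-DigitalProductId {
    # REG_BINARY value, returned by PowerShell as byte[].
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    return [byte[]](Get-ItemProperty -Path $key -Name DigitalProductId).DigitalProductId
}

function Get-AssumedUdid {
    param([byte[]]$ProductId, [string]$MachineSid)
    $sidBytes = [System.Text.Encoding]::UTF8.GetBytes($MachineSid)
    $data = New-Object byte[] ($ProductId.Length + $sidBytes.Length)
    [Array]::Copy($ProductId, 0, $data, 0, $ProductId.Length)
    [Array]::Copy($sidBytes, 0, $data, $ProductId.Length, $sidBytes.Length)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { $hash = $sha.ComputeHash($data) } finally { $sha.Dispose() }
    # 64 upper-case hex characters, the same shape AnyConnect displays.
    return (($hash | ForEach-Object { $_.ToString('X2') }) -join '')
}

$udid = Get-AssumedUdid -ProductId (Get-DigitalProductId) -MachineSid (Get-MachineSid)
$login = $env:USERNAME

# certreq INF: CN = login (primary username), I = UDID (secondary username for DUO),
# OU = value the ASA certificate map uses to select tunnel-group SECURE-BANK-VPN (assumed).
$inf = @"
[NewRequest]
Subject = "CN=$login, I=$udid, OU=SECUREBANK-RA"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = FALSE
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
RequestType = PKCS10
"@

$infPath = Join-Path $env:TEMP 'vpn-request.inf'
$csrPath = Join-Path $env:TEMP 'vpn-request.csr'
Set-Content -Path $infPath -Value $inf -Encoding ASCII
certreq.exe -new $infPath $csrPath   # private key stays in the user's store; only the CSR leaves the PC

Write-Host "Computed UDID : $udid"
Write-Host "CSR written to: $csrPath (submit to the ISE CA or via the ASA SCEP proxy)"
```

The CSR is signed by the ISE CA exactly as in the manual scenario; the only difference from the article's profile-based issuance is that the Initials value is computed per machine instead of being typed into the profile once. If the computed value does not match what the AnyConnect client reports, the assumed input order or encoding is wrong and the function is the place to adjust.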
Let's prepare the settings on the Cisco ASA side:
We create a TrustPoint for the ISE CA server, which will issue certificates to the clients. I will not cover the Key-Chain import process; an example is described in my article on configuring a VPN Load Balancing Cluster.
crypto ca trustpoint ISE-CA
enrollment terminal
crl configure
We configure assignment to a Tunnel-Group based on rules that match fields in the certificate used for authentication. The AnyConnect profile we created at the first stage is also configured here. Please note that I use the value SECUREBANK-RA to route users with an issued certificate into the tunnel group SECURE-BANK-VPN; note that I have this field in the certificate request section of the AnyConnect profile.
We configure the authentication servers. In my case, this is ISE for the first stage of authentication and DUO (RADIUS Proxy) as MFA.
! CISCO ISE
aaa-server ISE protocol radius
authorize-only
interim-accounting-update periodic 24
dynamic-authorization
aaa-server ISE (inside) host 192.168.99.134
key *****
!
! DUO RADIUS PROXY
aaa-server DUO protocol radius
aaa-server DUO (inside) host 192.168.99.136
timeout 60
key *****
authentication-port 1812
accounting-port 1813
no mschapv2-capable
!
We create the group policies and tunnel groups and their auxiliary components:
The tunnel group DefaultWEBVPNGroup will be used primarily to download the AnyConnect VPN client and issue a user certificate using the ASA's SCEP-Proxy function; for this, we have the appropriate options enabled in the tunnel group itself, in the associated group policy AC-DOWNLOAD, and in the loaded AnyConnect profile (fields for certificate issuance, etc.). In this group policy we also indicate that the ISE Posture Module must be downloaded.
The tunnel group SECURE-BANK-VPN will be used automatically by the client when authenticating with the certificate issued at the previous stage, since, according to the Certificate Map, the connection will land exactly in this tunnel group. I will point out the interesting options here:
secondary-authentication-server-group DUO # Configure secondary authentication on the DUO server (RADIUS Proxy)
username-from-certificate CN # For primary authentication we use the CN field of the certificate to carry the username
secondary-username-from-certificate I # For secondary authentication on the DUO server we use the username extracted from the Initials (I) field of the certificate
pre-fill-username client # Pre-fills the username in the authentication window with no ability to change it
secondary-pre-fill-username client hide use-common-password push # We hide the login/password prompt for the secondary DUO authentication and use the notification method (sms/push/phone), passing "push" as the common password so that DUO requests confirmation instead of a password here
!
access-list posture-redirect extended permit tcp any host 72.163.1.80
access-list posture-redirect extended deny ip any any
!
access-list VPN-Filter extended permit ip any any
!
ip local pool vpn-pool 192.168.100.33-192.168.100.63 mask 255.255.255.224
!
group-policy SECURE-BANK-VPN internal
group-policy SECURE-BANK-VPN attributes
dns-server value 192.168.99.155 192.168.99.130
vpn-filter value VPN-Filter
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
default-domain value ashes.cc
address-pools value vpn-pool
webvpn
anyconnect ssl dtls enable
anyconnect mtu 1300
anyconnect keep-installer installed
anyconnect ssl keepalive 20
anyconnect ssl rekey time none
anyconnect ssl rekey method ssl
anyconnect dpd-interval client 30
anyconnect dpd-interval gateway 30
anyconnect ssl compression lzs
anyconnect dtls compression lzs
anyconnect modules value iseposture
anyconnect profiles value SECUREBANK type user
!
group-policy AC-DOWNLOAD internal
group-policy AC-DOWNLOAD attributes
dns-server value 192.168.99.155 192.168.99.130
vpn-filter value VPN-Filter
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
default-domain value ashes.cc
address-pools value vpn-pool
scep-forwarding-url value http://ise.ashes.cc:9090/auth/caservice/pkiclient.exe
webvpn
anyconnect ssl dtls enable
anyconnect mtu 1300
anyconnect keep-installer installed
anyconnect ssl keepalive 20
anyconnect ssl rekey time none
anyconnect ssl rekey method ssl
anyconnect dpd-interval client 30
anyconnect dpd-interval gateway 30
anyconnect ssl compression lzs
anyconnect dtls compression lzs
anyconnect modules value iseposture
anyconnect profiles value SECUREBANK type user
!
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool vpn-pool
authentication-server-group ISE
accounting-server-group ISE
default-group-policy AC-DOWNLOAD
scep-enrollment enable
tunnel-group DefaultWEBVPNGroup webvpn-attributes
authentication aaa certificate
!
tunnel-group SECURE-BANK-VPN type remote-access
tunnel-group SECURE-BANK-VPN general-attributes
address-pool vpn-pool
authentication-server-group ISE
secondary-authentication-server-group DUO
accounting-server-group ISE
default-group-policy SECURE-BANK-VPN
username-from-certificate CN
secondary-username-from-certificate I
tunnel-group SECURE-BANK-VPN webvpn-attributes
authentication aaa certificate
pre-fill-username client
secondary-pre-fill-username client hide use-common-password push
group-alias SECURE-BANK-VPN enable
dns-group ASHES-DNS
!
Next we move on to ISE:
We configure a local user (you can use AD/LDAP/ODBC, etc.); for simplicity, I create a local user in ISE itself and put into its Description field the UDID of the PC from which it is allowed to connect via VPN. If I use local authentication on ISE, I will be limited to one device only, since there are not many fields, but in third-party authentication databases I will not have such limitations.
Let's look at the authorization policy; it is divided into four stages of the connection:
Stage 1 — Policy for downloading the AnyConnect agent and issuing a certificate
Stage 2 — Primary authentication policy: Login (from the certificate)/Password + Certificate with UDID verification
Stage 3 — Secondary authentication via Cisco DUO (MFA) using the UDID as the username + state assessment
Stage 4 — Final authorization in the state:
Compliant;
UDID verified (from the certificate + binding to the username),
Cisco DUO MFA;
Authentication by login;
Certificate authentication;
Let's look at the interesting condition UUID_VALIDATE, which checks that the authenticated user really came from a PC with the allowed UDID assigned to it in the Description field; the conditions look like this:
The authorization profile used at stages 1, 2 and 3 is as follows:
You can check exactly how the UDID reaches us from the AnyConnect client by looking at the details of the client session in ISE. In the details we see that AnyConnect, via the ACIDEX mechanism, sends not only information about the platform but also the device UDID as a Cisco-AV-PAIR:
Let's look at the certificate issued to the user and its Initials (I) field, which is used to carry the UDID as the username for the secondary MFA authentication in Cisco DUO:
On the DUO RADIUS Proxy side, in the log we can clearly see how the authentication request arrives using the UDID as the username:
From the DUO portal we see a successful authentication event:
And in the user's properties I set in Alias, which I used for the login, the UDID of the PC allowed for access:
As a result we got:
Multi-factor authentication of users and devices;
Protection against substitution of the end device;
Assessment of the device state;
The possibility of strengthening control with a domain machine certificate, etc.;
Comprehensive protection of the remote workplace with centrally deployed security modules;