Cisco ISE: Introduction, requirements, installation. Part 1

1. Introduction

Every company, even the smallest, needs user authentication, authorization and accounting (the AAA family of protocols). Initially, AAA was implemented successfully with protocols such as RADIUS, TACACS+ and DIAMETER. However, as the number of users and the size of companies grew, the list of tasks grew with them: maximum visibility of hosts and BYOD devices, multi-factor authentication, multi-level access policies and much more.

For such tasks, the NAC (Network Access Control) class of solutions fits best. In a series of articles dedicated to Cisco ISE (Identity Services Engine), a NAC solution that provides context-aware access control for users on the internal network, we will take a close look at the architecture, initialization, configuration and licensing of the product.

Let me briefly remind you what Cisco ISE allows you to do:

  • Quickly and easily create guest access on a dedicated WLAN;

  • Detect BYOD devices (for example, employees' home PCs that they bring to work);

  • Centralize and apply security policies to domain and non-domain users using SGT security group tags (TrustSec technology);

  • Check computers for specific installed software and for compliance with standards (posturing);

  • Classify and profile endpoints and network devices;

  • Provide endpoint visibility;

  • Send user logon/logoff events and their accounts (identity) to an NGFW so that user-based policy can be built there;

  • Native integration with Cisco StealthWatch and quarantine of suspicious users involved in a security incident (more info);

  • And the other features standard for AAA servers.

Industry colleagues have already written about Cisco ISE, so I recommend reading: Cisco ISE implementation practice, How to prepare for a Cisco ISE implementation.

2. Architecture

The Identity Services Engine architecture has 4 entities (nodes): the Policy Administration Node, the Policy Service Node, the Monitoring Node and the PxGrid Node. Cisco ISE can run in a standalone or a distributed configuration. In the Standalone version, all entities reside on one virtual machine or one physical server (Secure Network Server, SNS), while in the Distributed version the nodes are spread across different devices.

The Policy Administration Node (PAN) is a mandatory entity that lets you perform all administrative operations on Cisco ISE. It holds all AAA-related configuration. In a distributed configuration (nodes can be installed as separate virtual machines), you can have a maximum of two PANs for fault tolerance, in Active/Standby mode.

The Policy Service Node (PSN) is a mandatory entity that provides network access, posture, guest access, client provisioning and profiling. The PSN evaluates policy and enforces it. Usually several PSNs are configured, especially in a distributed deployment, for scale and redundancy. Naturally, these nodes are placed in different segments so that the ability to authenticate and authorize access is never lost, even for a moment.

The Monitoring Node (MnT) is a mandatory entity that stores logs, records from the other nodes and policy data from the network. The MnT node provides advanced tools for monitoring and troubleshooting, collects and correlates various data, and also produces meaningful reports. Cisco ISE allows a maximum of two MnT nodes, which gives fault tolerance in Active/Standby mode. Note that logs are collected by both nodes, the active and the standby one.

The PxGrid Node (PXG) is the node that runs the PxGrid protocol and enables communication with other devices that support PxGrid.

PxGrid is a technology that integrates IT and information security products from different vendors: monitoring tools, intrusion detection and prevention systems, security policy management platforms and many other solutions. Cisco PxGrid lets you share context unidirectionally or bidirectionally with many platforms without the need for APIs, thus enabling TrustSec (SGT tags), changing and applying ANC (Adaptive Network Control) policies, and profiling, that is, determining device model, OS, location and more.

In a highly available configuration, PxGrid nodes replicate information from the other nodes through the PAN. If the PAN fails, the PxGrid node stops authenticating, authorizing and accounting users.

Below is a schematic representation of how the various Cisco ISE entities operate in a corporate network.

Figure 1. Cisco ISE Architecture

3. Requirements

Like most modern solutions, Cisco ISE can be deployed either virtually or physically as a dedicated server.

Physical appliances running the Cisco ISE software are called SNS (Secure Network Server). They come in three models: SNS-3615, SNS-3655 and SNS-3695 for small, medium and large businesses. Table 1 shows data from the SNS datasheet.

Table 1. Comparison of SNS models for different scales

| Parameter | SNS 3615 (small) | SNS 3655 (medium) | SNS 3695 (large) |
|---|---|---|---|
| Supported endpoints in a Standalone deployment | 10000 | 25000 | 50000 |
| Supported endpoints per PSN | 10000 | 25000 | 100000 |
| CPU (Intel Xeon 2.10 GHz) | 8 cores | 12 cores | 12 cores |
| RAM | 32 GB (2 x 16 GB) | 96 GB (6 x 16 GB) | 256 GB (16 x 16 GB) |
| HDD | 1 x 600 GB | 4 x 600 GB | 8 x 600 GB |
| Hardware RAID | No | RAID 10, RAID controller present | RAID 10, RAID controller present |
| Network interfaces | 2 x 10 Gbase-T, 4 x 1 Gbase-T | 2 x 10 Gbase-T, 4 x 1 Gbase-T | 2 x 10 Gbase-T, 4 x 1 Gbase-T |

As for virtual deployment, the supported hypervisors are VMware ESXi (at least VMware virtual hardware version 11 on ESXi 6.0 is recommended), Microsoft Hyper-V and Linux KVM (RHEL 7.0). Resources should be roughly the same as in the table above, or higher. That said, the absolute minimum for a small-business virtual machine is: 2 CPUs at 2.0 GHz or faster, 16 GB RAM and 200 GB HDD.

For more information about Cisco ISE, please contact us or see resource #1, resource #2.

4. Installation

Like most other Cisco products, ISE can be tried out in several ways:

  • dcloud - a cloud service of pre-configured lab environments (a Cisco account is required);

  • GVE request - a request to Cisco for specific software (the route for partners). You open a case with the following description: product [ISE], ISE Software [ise-2.7.0.356.SPA.x8664], ISE Patch [ise-patchbundle-2.7.0.356-Patch2-20071516.SPA.x86.64];

  • pilot project - contact an authorized partner to run a free pilot.

1) After creating the virtual machine, if you requested the ISO file rather than an OVA template, a prompt will appear in which ISE asks you to choose the setup mode. To start it, instead of a login and password you must type "setup"!

Note: if you deploy ISE from an OVA template, the login credentials are admin/MyIseYPass2 (this and much more is given in the official guide).

Figure 2. Installing Cisco ISE

2) Next you need to fill in the required data such as the IP address, DNS, NTP and so on.

Figure 3. Initializing Cisco ISE

3) The appliance then reboots, and you can connect to the web interface using the IP address specified earlier.

Figure 4. Cisco ISE Web Interface

4) In the Administration > System > Deployment tab you can select which nodes (entities) are enabled on a particular appliance. The PxGrid node is enabled here.

Figure 5. Cisco ISE Entity Management

5) Then, in the Administration > System > Admin Access > Authentication tab, I recommend configuring the password policy, the authentication method (certificate or password), account expiration after inactivity, account lockout and the other settings.

Figure 6. Authentication type setting
Figure 7. Password policy setting
Figure 8. Setting to disable an account after a period of inactivity
Figure 9. Account lockout setting
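To make the three controls from step 5 concrete, here is an added example in Python (it is not code from the article or from Cisco ISE) that models the password policy, the disable-after-inactivity rule and the lockout-after-failed-logins rule as testable functions. The thresholds (12 characters, 30 days of inactivity, 5 attempts, a 15-minute lockout) and the account names and timestamps are assumptions chosen for the example; pick the real values in the ISE GUI according to your own policy.

```python
"""Admin account controls from step 5, modelled in plain Python.

Added example, not code from the article or from Cisco ISE. It mirrors
three settings step 5 configures: the password policy, disabling an
account after a period of inactivity, and locking it after repeated
failed logins. The thresholds (12 characters, 30 days, 5 attempts,
15-minute lockout) are assumptions chosen for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

INACTIVITY_DAYS = 30                     # assumed: disable accounts unused this long
MAX_FAILED_ATTEMPTS = 5                  # assumed: lock after this many consecutive failures
LOCKOUT_PERIOD = timedelta(minutes=15)   # assumed lockout duration


@dataclass
class PasswordPolicy:
    min_length: int = 12
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True
    forbid_username: bool = True


def password_violations(password: str, username: str,
                        policy: Optional[PasswordPolicy] = None) -> List[str]:
    """Return the policy rules the password breaks; an empty list means it passes."""
    policy = policy or PasswordPolicy()
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length}")
    if policy.require_upper and not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if policy.require_lower and not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if policy.require_digit and not any(c.isdigit() for c in password):
        problems.append("no digit")
    if policy.require_special and not any(not c.isalnum() for c in password):
        problems.append("no special character")
    if policy.forbid_username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


@dataclass
class AdminAccount:
    username: str
    last_login: datetime
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    disabled: bool = False


def evaluate_login(acct: AdminAccount, password_ok: bool, now: datetime) -> str:
    """Apply the inactivity and lockout rules to one login attempt.

    Returns "ok", "denied" (bad password), "locked" or "disabled" and
    updates the account state the way the corresponding ISE settings would.
    """
    if acct.disabled:
        return "disabled"
    if now - acct.last_login > timedelta(days=INACTIVITY_DAYS):
        acct.disabled = True      # inactivity: stays disabled until an admin re-enables it
        return "disabled"
    if acct.locked_until is not None and now < acct.locked_until:
        return "locked"           # inside the lockout window, even with a correct password
    if not password_ok:
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_PERIOD
            acct.failed_attempts = 0
            return "locked"
        return "denied"
    acct.failed_attempts = 0      # a successful login clears the counters
    acct.locked_until = None
    acct.last_login = now
    return "ok"


def demo_lockout_sequence() -> List[str]:
    """Five bad passwords, a good try during lockout, a good try after it, then a stale account."""
    start = datetime(2024, 1, 10, 12, 0)   # constructed timestamps and account names
    acct = AdminAccount("ops", last_login=start - timedelta(days=1))
    outcomes = [evaluate_login(acct, False, start) for _ in range(5)]
    outcomes.append(evaluate_login(acct, True, start + timedelta(minutes=5)))
    outcomes.append(evaluate_login(acct, True, start + timedelta(minutes=20)))
    stale = AdminAccount("old", last_login=start - timedelta(days=45))
    outcomes.append(evaluate_login(stale, True, start))
    return outcomes


if __name__ == "__main__":
    print(password_violations("AdminPass-2024!", "admin"))
    print(demo_lockout_sequence())
```

The point of the lockout logic is that a correct password is still refused while the lockout window is open, and an account disabled for inactivity is not revived by a correct password either; both match what the ISE settings in Figures 8 and 9 enforce for administrators.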

6) In the Administration > System > Admin Access > Administrators > Admin Users > Add tab you can create a new administrator.

Figure 10. Creating a local Cisco ISE administrator

7) The new administrator can be made a member of a new group or of existing groups. Administrator groups are managed in the same panel, in the Admin Groups tab. Table 2 summarizes the ISE administrator groups, their rights and roles.

Table 2. Cisco ISE Administrator Groups, Access Levels, Permissions, and Restrictions

| Admin group name | Permissions | Restrictions |
|---|---|---|
| Customization Admin | Configuration, management and customization of guest and sponsor portals | Cannot change policy or view reports |
| Helpdesk Admin | Can view the main dashboard, all reports, alarms and the troubleshooting flow | Cannot modify, create or delete reports, alarms and certificates |
| Identity Admin | Manages users, privileges and roles; can view logs, reports and alarms | Cannot change policy or operate at OS level |
| MnT Admin | Full monitoring, alarms, alerts, logs and their management | Cannot change any policy |
| Network Device Admin | Right to create and modify ISE objects, view logs, reports and the main dashboard | Cannot change policy or operate at OS level |
| Policy Admin | Full management of all policies, profile changes, settings, viewing reports | Cannot work with certificates or ISE objects |
| RBAC Admin | All settings in the Operations tab, ANC policy configuration, report management | Cannot change policies other than ANC or operate at OS level |
| Super Admin | Rights to all settings, reports and management; can delete and change administrator credentials | Cannot change or delete other profiles from the Super Admin group |
| System Admin | All settings in the Operations tab, settings management, ANC policies, viewing reports | Cannot change policies other than ANC or operate at OS level |
| External RESTful Services (ERS) Admin | Full access to the Cisco ISE REST API | Only for authorization, management of local users, hosts and security groups (SG) |
| External RESTful Services (ERS) Operator | Read access to the Cisco ISE REST API | Only for authorization, management of local users, hosts and security groups (SG) |

Figure 11. Predefined Cisco ISE Administrator Groups
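The last two rows of the table matter for automation: the ERS Admin group can change local users, hosts and security groups through the REST API, while the ERS Operator group can only read them. The following Python script is an added example (not code from the article or from Cisco) of an inventory job that needs nothing more than the read-only ERS Operator role, which is the least privilege for the task and keeps the ERS Admin credentials out of scripts. It assumes ERS has been enabled under Administration > System > Settings > ERS Settings, that the ERS API listens on TCP port 9060 and that the collection path is /ers/config/internaluser; the host name, the account name, the CA file path and the JSON reply are constructed samples.

```python
"""Read-only inventory of Cisco ISE internal users over the ERS REST API.

Added example, not code from the article or from Cisco. Assumptions:
ERS is enabled, the node listens on TCP 9060, the collection path is
/ers/config/internaluser, and the account belongs to the read-only
ERS Operator group. SAMPLE_RESPONSE is a constructed reply so that the
parsing can be exercised offline.
"""
import base64
import json
import ssl
import urllib.request

ERS_PORT = 9060


def build_ers_request(host, path, username, password):
    """Build an ERS GET request with HTTP Basic credentials and JSON headers."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    url = f"https://{host}:{ERS_PORT}{path}"
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/json",
        "Authorization": f"Basic {token}",
    }
    return urllib.request.Request(url, headers=headers, method="GET")


def parse_search_result(payload):
    """Return (total, sorted list of names) from an ERS collection response.

    ERS wraps collection results as
    {"SearchResult": {"total": N, "resources": [{"id", "name", "link"}, ...]}}.
    """
    result = json.loads(payload)["SearchResult"]
    names = sorted(r["name"] for r in result.get("resources", []))
    return result["total"], names


def list_internal_users(host, username, password, ca_file):
    """Fetch the internal user list from a live node, verifying TLS against ca_file."""
    ctx = ssl.create_default_context(cafile=ca_file)   # never disable verification for admin APIs
    req = build_ers_request(host, "/ers/config/internaluser", username, password)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return parse_search_result(resp.read().decode())


# Constructed sample of a GET /ers/config/internaluser reply (not captured from a real node)
SAMPLE_RESPONSE = json.dumps({
    "SearchResult": {
        "total": 2,
        "resources": [
            {"id": "a1", "name": "svc-backup",
             "link": {"rel": "self",
                      "href": "https://ise.example.test:9060/ers/config/internaluser/a1",
                      "type": "application/json"}},
            {"id": "b2", "name": "helpdesk1",
             "link": {"rel": "self",
                      "href": "https://ise.example.test:9060/ers/config/internaluser/b2",
                      "type": "application/json"}},
        ],
    }
})

if __name__ == "__main__":
    # Offline demonstration; against a real node call
    # list_internal_users("ise.example.test", "ers-operator", "<password>", "/path/to/ise-ca.pem")
    print(parse_search_result(SAMPLE_RESPONSE))
```

Because the account only belongs to ERS Operator, a leaked copy of the script's credentials cannot be used to add or modify users; the same request built with an ERS Admin account would carry that write capability for no benefit to the inventory task.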

8) In addition, in the Administration > System > Admin Access > Authorization > RBAC Policy tab you can modify the rights of the predefined administrator profiles.

Figure 12. Managing the rights of preset Cisco ISE administrator profiles

9) The Administration > System > Settings tab holds all available settings (DNS, NTP, SMTP and so on). You can fill them in here if you did not specify them during the initial setup of the appliance.

5. Conclusion

This concludes the first article. We discussed the advantages of the Cisco ISE NAC solution, its architecture, the minimum requirements and deployment options, and the initial setup.

In the next article we will look at creating accounts, integrating with Microsoft Active Directory and creating guest access.

If you have questions on this topic or need help testing the product, please contact us via the link.

Follow our channels for updates (Telegram, Facebook, VK, TS Solution Blog, Yandex.Zen).

Source: www.hab.com
