
1. Introduction
Every company, even the smallest, needs authentication, authorization and accounting of its users (the AAA family of protocols). Initially, AAA was implemented quite well with protocols such as RADIUS, TACACS+ and DIAMETER. However, as the number of users and the company itself grow, so does the number of tasks: maximum visibility of hosts and BYOD devices, multi-factor authentication, creation of multi-level access policies and much more.
For such tasks, the NAC (Network Access Control) class of solutions is the best fit. In a series of articles dedicated to Cisco ISE (Identity Services Engine), a NAC solution that provides context-aware access control for users of the internal network, we will take a detailed look at the architecture, deployment, configuration and licensing of the solution.
Let me briefly remind you that Cisco ISE allows you to:
- quickly and easily create guest access on a dedicated WLAN;
- detect BYOD devices (for example, employees' home PCs that they bring to work);
- centralize and apply security policies to domain and non-domain users using SGT security group tags;
- check computers for certain installed software and for compliance with standards (posturing);
- classify and profile endpoints and network devices;
- provide endpoint visibility;
- pass user logon/logoff events and their accounts (identities) to an NGFW so that it can build user-based policy;
- integrate natively with Cisco StealthWatch and quarantine suspicious users involved in security incidents;
- and other features that are standard for AAA servers.
Colleagues in the industry have already written about Cisco ISE, and I recommend reading their articles.
2. Architecture
The Identity Services Engine consists of four entities (nodes): the Policy Administration Node (PAN), the Policy Service Node (PSN), the Monitoring Node (MnT) and the PxGrid Node. Cisco ISE can run in a Standalone or a Distributed configuration. In the Standalone version, all entities live on one virtual machine or one physical server (Secure Network Server, SNS); in the Distributed version, the nodes are spread across different devices.
The Policy Administration Node (PAN) is a mandatory node that lets you perform all administrative operations on Cisco ISE. It handles all system configuration related to AAA. In a distributed configuration (nodes can be installed as separate virtual machines), you can have at most two PANs for fault tolerance, in Active/Standby mode.
The Policy Service Node (PSN) is a mandatory node that provides network access, posture, guest access, client provisioning and profiling. The PSN evaluates policy and enforces it. Usually several PSNs are installed, especially in a distributed configuration, for redundancy and load distribution. Naturally, these nodes are placed in different segments so that the ability to authenticate and authorize access is never lost, even for a moment.
The Monitoring Node (MnT) is a mandatory node that stores logs, the records of the other nodes and the policies in the network. The MnT node provides advanced tools for monitoring and troubleshooting, collects and correlates various data, and also produces meaningful reports. Cisco ISE allows at most two MnT nodes, which form a fault-tolerant Active/Standby pair. Logs, however, are collected by both nodes, the active and the passive one.
The PxGrid Node (PXG) is the node that uses the PxGrid protocol and enables communication with other devices that support PxGrid.
PxGrid is a technology that enables the integration of IT and information security products from different vendors: monitoring systems, intrusion detection and prevention systems, security policy management platforms and many other solutions. Cisco PxGrid lets you share context unidirectionally or bidirectionally with many platforms without needing their APIs, so that you can obtain SGT tags, change and apply ANC (Adaptive Network Control) policy, and perform profiling: determining the device type, OS, location and more.
In a redundant configuration, PxGrid nodes replicate information between nodes through the PAN. If the PAN fails, the PxGrid node stops authenticating, authorizing and accounting users.
Below is a schematic representation of how the different Cisco ISE entities operate in a corporate network.
Figure 1. Cisco ISE architecture
3. Requirements
Like most modern solutions, Cisco ISE can be deployed either virtually or physically as a separate server.
The physical appliances that run the Cisco ISE software are called SNS (Secure Network Server). They come in three models, SNS-3615, SNS-3655 and SNS-3695, for small, medium and large businesses. Table 1 gives the SNS specifications.
Table 1. Comparison of SNS models for different scales

| Parameter | SNS 3615 (Small) | SNS 3655 (Medium) | SNS 3695 (Large) |
|---|---|---|---|
| Supported endpoints in a Standalone configuration | 10,000 | 25,000 | 50,000 |
| Supported endpoints per PSN | 10,000 | 25,000 | 100,000 |
| CPU (Intel Xeon 2.10 GHz) | 8 cores | 12 cores | 12 cores |
| RAM | 32 GB (2 x 16 GB) | 96 GB (6 x 16 GB) | 256 GB (16 x 16 GB) |
| HDD | 1 x 600 GB | 4 x 600 GB | 8 x 600 GB |
| Hardware RAID | No | RAID 10, RAID controller present | RAID 10, RAID controller present |
| Network interfaces | 2 x 10 Gbase-T, 4 x 1 Gbase-T | 2 x 10 Gbase-T, 4 x 1 Gbase-T | 2 x 10 Gbase-T, 4 x 1 Gbase-T |
As for virtual deployment, the supported hypervisors are VMware ESXi (at least VMware version 11 is recommended for ESXi 6.0), Microsoft Hyper-V and Linux KVM (RHEL 7.0). Resources should match the table above or exceed it. The bare minimum for a virtual machine for a small business, however, is 2 CPUs at 2.0 GHz or faster, 16 GB RAM and 200 GB HDD.
More details on Cisco ISE requirements are given in the vendor documentation.
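A small planning check that applies the node rules from the architecture section (PAN, PSN and MnT are mandatory; PAN and MnT are limited to an Active/Standby pair) together with the endpoint figures from Table 1. This is an added example written for this article, not Cisco tooling: the plan format (a list of dicts), the function names and the sample plans are assumptions of the example, and the capacity figures are copied from the table above.

```python
"""Sanity-check a planned Cisco ISE deployment against the node limits and
SNS endpoint capacities stated in the article. Added example, not Cisco code."""

from collections import Counter

# Endpoint capacities taken from Table 1 above, keyed by SNS model.
STANDALONE_CAPACITY = {"SNS-3615": 10_000, "SNS-3655": 25_000, "SNS-3695": 50_000}
PER_PSN_CAPACITY = {"SNS-3615": 10_000, "SNS-3655": 25_000, "SNS-3695": 100_000}

MANDATORY = ("PAN", "PSN", "MnT")   # every deployment needs these personas
PAIR_ONLY = ("PAN", "MnT")          # at most an Active/Standby pair of each


def is_standalone(nodes):
    """One box carrying all mandatory personas is the Standalone configuration."""
    return len(nodes) == 1 and set(MANDATORY) <= set(nodes[0]["personas"])


def deployment_capacity(nodes):
    """Endpoint capacity: the Standalone figure for a single all-in-one node,
    otherwise the sum of the per-PSN figures of all PSN nodes. Assumption of
    this example: the article gives no separate PAN/MnT ceiling for a
    distributed deployment, so only the PSN side is bounded here."""
    if is_standalone(nodes):
        return STANDALONE_CAPACITY.get(nodes[0]["model"], 0)
    return sum(PER_PSN_CAPACITY.get(n["model"], 0)
               for n in nodes if "PSN" in n["personas"])


def validate_deployment(nodes, expected_endpoints):
    """Return a list of problems with the plan; an empty list means it passes."""
    problems = []
    persona_count = Counter()
    for node in nodes:
        if node["model"] not in PER_PSN_CAPACITY:
            problems.append(f"{node['name']}: unknown SNS model {node['model']}")
        persona_count.update(node["personas"])
    for persona in MANDATORY:
        if persona_count[persona] == 0:
            problems.append(f"no {persona} node, but {persona} is mandatory")
    for persona in PAIR_ONLY:
        if persona_count[persona] > 2:
            problems.append(f"{persona_count[persona]} {persona} nodes, at most 2 allowed")
    capacity = deployment_capacity(nodes)
    if expected_endpoints > capacity:
        problems.append(f"{expected_endpoints} endpoints exceed the planned capacity of {capacity}")
    return problems


# Constructed plans for demonstration (hostnames and models are made up).
SMALL_OFFICE = [{"name": "ise01", "model": "SNS-3615", "personas": {"PAN", "PSN", "MnT", "PXG"}}]
DISTRIBUTED = [
    {"name": "pan1", "model": "SNS-3655", "personas": {"PAN", "MnT"}},
    {"name": "pan2", "model": "SNS-3655", "personas": {"PAN", "MnT"}},
    {"name": "psn1", "model": "SNS-3655", "personas": {"PSN"}},
    {"name": "psn2", "model": "SNS-3655", "personas": {"PSN", "PXG"}},
]

if __name__ == "__main__":
    print(validate_deployment(SMALL_OFFICE, 8_000))    # []
    print(validate_deployment(SMALL_OFFICE, 12_000))   # capacity problem
    print(validate_deployment(DISTRIBUTED, 40_000))    # []
```

The check deliberately reports every problem rather than stopping at the first one, so a plan that both exceeds capacity and lacks an MnT node is flagged for both.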
4. Installation
Like most other Cisco products, ISE can be tested in several ways:
- a cloud service with a pre-configured lab (a Cisco account is required);
- requesting specific software from Cisco (the route for partners). You create a case with the following description: product [ISE], ISE Software [ise-2.7.0.356.SPA.x8664], ISE Patch [ise-patchbundle-2.7.0.356-Patch2-20071516.SPA.x86.64];
- contacting an authorized partner to run a free pilot.
1) After creating the virtual machine, if you requested an ISO file rather than an OVA template, a window appears in which ISE asks you to choose an installation option. To do this, instead of a login and password you must enter "setup"!
Note: if you deployed ISE from the OVA template, the login credentials are admin/MyIseYPass2 (this and much more is described in the official guide).
Figure 2. Installing Cisco ISE
2) Next you need to fill in the required fields such as IP address, DNS, NTP and so on.
Figure 3. Initializing Cisco ISE
3) After that the device reboots, and you can connect to the web interface using the IP address specified earlier.
Figure 4. Cisco ISE web interface
4) In the Administration > System > Deployment tab you can select which nodes (entities) are enabled on a particular device. The PxGrid node is enabled here.
Figure 5. Cisco ISE entity management
5) Then, in the Administration > System > Admin Access > Authentication tab, I recommend configuring the password policy, the authentication method (certificate or password), the account expiration date and the other settings.
Figure 6. Authentication type setting
Figure 7. Password policy settings
Figure 8. Settings for disabling an account after a period of time
Figure 9. Account lockout settings
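To make the settings behind step 5 concrete, here is an added example (written for this article, not Cisco's implementation) that models an administrator password policy, lockout after repeated failed logins and disabling of inactive accounts. The rule set, every threshold, and the names `PasswordPolicy`, `password_violations` and `AdminAccount` are assumptions of the example; they illustrate the kind of checks the screens in Figures 7 to 9 configure, not ISE's exact behaviour.

```python
"""Model of an admin password policy, failed-login lockout and inactivity
disable of the kind configured in step 5. Added example, not Cisco code."""

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class PasswordPolicy:
    """Thresholds of the kind set in the password, account-disable and lockout
    screens. All defaults are this example's assumptions."""
    min_length: int = 12
    require_lower: bool = True
    require_upper: bool = True
    require_digit: bool = True
    require_special: bool = True
    max_repeated_run: int = 3              # "aaaa" fails, "aaa" passes
    forbidden_words: tuple = ("cisco",)    # vendor name is a common guess
    max_failed_attempts: int = 5
    lockout_minutes: int = 15
    disable_after_inactive_days: int = 45


DEFAULT_POLICY = PasswordPolicy()


def password_violations(username, password, policy=DEFAULT_POLICY):
    """List every rule the candidate password breaks (empty list = compliant)."""
    problems = []
    lowered = password.lower()
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_lower and not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if policy.require_upper and not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if policy.require_digit and not any(c.isdigit() for c in password):
        problems.append("no digit")
    if policy.require_special and not any(not c.isalnum() for c in password):
        problems.append("no special character")
    # The username, its reverse and vendor words are trivially guessable.
    banned = dict.fromkeys([username.lower(), username.lower()[::-1],
                            *(w.lower() for w in policy.forbidden_words)])
    for word in banned:
        if word and word in lowered:
            problems.append(f"contains forbidden string {word!r}")
    run = 1
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        if run > policy.max_repeated_run:
            problems.append(f"a character repeats more than {policy.max_repeated_run} times in a row")
            break
    return problems


class AdminAccount:
    """Failed-attempt counter, temporary lockout and inactivity disable for one
    administrator account. Time is passed in explicitly so the logic is testable."""

    def __init__(self, created_at, policy=DEFAULT_POLICY):
        self.policy = policy
        self.failed = 0
        self.locked_until = None
        self.last_login = created_at
        self.disabled = False

    def inactive(self, now):
        return now - self.last_login > timedelta(days=self.policy.disable_after_inactive_days)

    def attempt(self, credentials_ok, now):
        """Apply one login attempt at `now`; returns 'ok', 'failed', 'locked' or 'disabled'."""
        if self.disabled or self.inactive(now):
            self.disabled = True            # stays disabled until an admin re-enables it
            return "disabled"
        if self.locked_until is not None and now < self.locked_until:
            return "locked"                 # a correct password is rejected while locked
        if credentials_ok:
            self.failed, self.locked_until, self.last_login = 0, None, now
            return "ok"
        self.failed += 1
        if self.failed >= self.policy.max_failed_attempts:
            self.failed = 0
            self.locked_until = now + timedelta(minutes=self.policy.lockout_minutes)
            return "locked"
        return "failed"


if __name__ == "__main__":
    print(password_violations("admin", "Admin-2024!!"))
    acct = AdminAccount(created_at=datetime(2024, 1, 1, 9, 0))
    print([acct.attempt(False, datetime(2024, 1, 1, 9, 0, s)) for s in range(5)])
```

Two design points worth noting: a locked account returns "locked" even for a correct password, so an attacker cannot use the lockout window to confirm a guess; and the password checker reports all violations at once, which is what an admin wants from the policy screen, while the login path reveals nothing beyond the four result states.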
6) In the Administration > System > Admin Access > Administrators > Admin Users > Add tab you can create a new administrator.
Figure 10. Creating a local Cisco ISE administrator
7) The new administrator can be a member of a new group or of existing groups. Administrator groups are managed in the same panel, in the Admin Groups tab. Table 2 summarizes the ISE administrator groups, their rights and restrictions.
Table 2. Cisco ISE administrator groups, access levels, permissions and restrictions

| Admin group name | Permissions | Restrictions |
|---|---|---|
| Customization Admin | Configuration, management and customization of guest and sponsor portals | Cannot change policies or view reports |
| Helpdesk Admin | Can view the main dashboard, all reports, alarms and troubleshooting flows | Cannot change, create or delete reports, alarms and certificates |
| Identity Admin | Manages users, privileges and roles; can view logs, reports and alarms | Cannot change policies or perform OS-level operations |
| MnT Admin | Full monitoring, alerts, notifications, logs and their management | Cannot change any policies |
| Network Device Admin | Rights to create and change ISE objects, view logs, reports and the main dashboard | Cannot change policies or perform OS-level operations |
| Policy Admin | Full management of all policies, profile changes, settings, viewing reports | Cannot perform operations on certificates or ISE objects |
| RBAC Admin | All settings in the Operations tab, ANC policy settings, report management | Cannot change non-ANC policies or perform OS-level operations |
| Super Admin | Rights to all settings, reports and management; can delete and change administrator credentials | Cannot change or delete other profiles from the Super Admin group |
| Elevated System Admin | All settings in the Operations tab, configuration management, ANC policies, viewing reports | Cannot change non-ANC policies or perform OS-level operations |
| External RESTful Services (ERS) Admin | Full access to the Cisco ISE REST API | Only for authorization and management of local users, hosts and security groups (SG) |
| External RESTful Services (ERS) Operator | Read access to the Cisco ISE REST API | Only for authorization and management of local users, hosts and security groups (SG) |
Figure 11. Predefined Cisco ISE administrator groups
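The two ERS groups at the bottom of Table 2 are the ones automation should use, and the Operator group is the least-privilege choice for anything that only reads. The following added example (this article's illustration, not Cisco-supplied code) lists an ERS collection with such a read-only account. The ERS base path `/ers/config/`, port 9060, HTTP Basic authentication, the JSON `Accept` header and the `SearchResult`/`nextPage` response shape follow the public ERS API; the hostname `ise.example.com`, the account name `ers-reader`, the sample pages and the function names are constructed for the example, and the injectable `fetch` hook exists so the same loop runs offline here and against a live node with `https_fetch`.

```python
"""Read an ERS collection with a read-only (ERS Operator) account, paging
through SearchResult documents. Added example, not Cisco code."""

import base64
import json
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

ERS_PORT = 9060  # ERS listens on its own port, separate from the admin UI on 443


def build_request(base_url, resource, user, password, page=1, size=100):
    """GET one page of an ERS collection (e.g. resource='internaluser')."""
    query = urlencode({"size": size, "page": page})
    url = f"{base_url}:{ERS_PORT}/ers/config/{resource}?{query}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(url, headers={
        "Authorization": f"Basic {token}",
        "Accept": "application/json",   # ERS answers in XML unless asked for JSON
    })


def parse_search_result(payload):
    """Turn an ERS SearchResult document into ([(id, name), ...], next_page_href)."""
    result = json.loads(payload)["SearchResult"]
    items = [(r["id"], r["name"]) for r in result.get("resources", [])]
    next_href = (result.get("nextPage") or {}).get("href")
    return items, next_href


def list_all(base_url, resource, user, password, fetch, size=100):
    """Walk every page of a collection. `fetch(request) -> bytes` is injected so
    the same loop runs against a live node (https_fetch) or canned data."""
    items, page = [], 1
    while True:
        body = fetch(build_request(base_url, resource, user, password, page, size))
        page_items, next_href = parse_search_result(body)
        items.extend(page_items)
        if not next_href:
            return items
        page += 1


def https_fetch(request):
    """Live transport. ISE presents its own server certificate: add it to the
    client's trust store instead of switching certificate verification off."""
    with urllib.request.urlopen(request, timeout=30) as resp:
        return resp.read()


def _search_page(resources, next_href=None):
    """Build one constructed SearchResult document in the ERS JSON shape."""
    doc = {"SearchResult": {"total": 3, "resources": resources}}
    if next_href:
        doc["SearchResult"]["nextPage"] = {"rel": "next", "href": next_href,
                                          "type": "application/json"}
    return json.dumps(doc).encode()


BASE = "https://ise.example.com"   # constructed hostname
# Constructed two-page response set for offline use.
SAMPLE_PAGES = {
    1: _search_page([{"id": "1a", "name": "alice"}, {"id": "2b", "name": "bob"}],
                    f"{BASE}:{ERS_PORT}/ers/config/internaluser?size=2&page=2"),
    2: _search_page([{"id": "3c", "name": "carol"}]),
}


def canned_fetch(request):
    """Offline stand-in for https_fetch that serves SAMPLE_PAGES by the page= parameter."""
    page = int(parse_qs(urlparse(request.full_url).query)["page"][0])
    return SAMPLE_PAGES[page]


def demo():
    # "ers-reader" is a constructed account meant to sit in the ERS Operator group.
    return list_all(BASE, "internaluser", "ers-reader", "REPLACE_WITH_PASSWORD",
                    canned_fetch, size=2)


if __name__ == "__main__":
    print(demo())   # [('1a', 'alice'), ('2b', 'bob'), ('3c', 'carol')]
```

ERS is disabled on a fresh node and is switched on under Administration > System > Settings > ERS Settings; keep the account used here in the ERS Operator group so that a leaked script credential cannot create or modify objects.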
8) Additionally, in the Admin Access > Authorization > RBAC Policy tab you can edit the rights of the predefined administrator groups.
Figure 12. Managing the rights of the predefined Cisco ISE administrator profiles
9) In the Administration > System > Settings tab all available settings are located (DNS, NTP, SMTP and so on). You can fill them in here if you forgot them during the initial device setup.
5. Conclusion
This concludes the first article. We discussed the advantages of the Cisco ISE NAC solution, its architecture, the minimum requirements and deployment options, and the initial setup.
In the next article we will look at creating accounts, integrating with Microsoft Active Directory and creating guest access.
If you have questions on this topic or need help testing the product, please contact us.
Follow our channels for updates.
Source: www.hab.com
