Configuring 802.1X on Cisco Switches Using Failover NPS (Windows RADIUS with AD)

Let us look at the practical use of Windows Active Directory + NPS (2 servers for fault tolerance) + the 802.1x standard for access control and authentication of users, domain computers and devices. You can read up on the theory in the standard's Wikipedia entry: IEEE 802.1X

Since my "lab" is limited in resources, the NPS and domain controller roles are combined, but I still recommend that you separate such critical services.

I am not aware of a standard way to synchronize Windows NPS configurations (policies), so we will use PowerShell scripts launched by the Task Scheduler (the author is my former colleague). For authentication of domain computers and of devices that cannot do 802.1x (phones, printers, etc.), group policy will be configured and security groups will be created.

At the end of the article I will describe some of the intricacies of working with 802.1x: how you can use unmanaged switches, dynamic ACLs, and so on.

Let's start with installing and configuring failover NPS on Windows Server 2012R2 (everything is the same in 2016): via Server Manager -> Add Roles and Features Wizard, select only Network Policy Server.


or using PowerShell:

Install-WindowsFeature NPAS -IncludeManagementTools

A small hint: since Protected EAP (PEAP) requires a certificate confirming the server's identity (with the appropriate key usage), which must be trusted on the client computers, you will most likely also need to install the Certification Authority role. But we will assume that you already have a CA installed...

Let's do the same on the second server. Create a folder for the scripts, C:\Scripts, on both servers, and a network share on the second server, \\SRV2\NPS-config$

On the first server, create a PowerShell script C:\Scripts\Export-NPS-config.ps1 with the following content:

Export-NpsConfiguration -Path "\\SRV2\NPS-config$\NPS.xml"

Then create a task in Task Scheduler: "Export-NpsConfiguration"

powershell -executionpolicy unrestricted -f "C:\Scripts\Export-NPS-config.ps1"

Run whether user is logged on or not - Run with highest privileges
Daily - Repeat task every 10 minutes for a duration of 8 hours

On the backup NPS, configure the import of the configuration (policies):
Create a PowerShell script:

echo Import-NpsConfiguration -Path "c:\NPS-config\NPS.xml" >> C:\Scripts\Import-NPS-config.ps1

and a task that runs it every 10 minutes:

powershell -executionpolicy unrestricted -f "C:\Scripts\Import-NPS-config.ps1"

Run whether user is logged on or not - Run with highest privileges
Daily - Repeat task every 10 minutes for a duration of 8 hours
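The export/import pair and the two scheduled tasks above, written out as one PowerShell script (an added example, not the colleague's script the article uses). It assumes the article's layout: the script is saved as C:\Scripts\Sync-NpsConfig.ps1 on both hosts, the share \\SRV2\NPS-config$ is the folder C:\NPS-config on SRV2, and the daily start time of 08:00 is an assumption.

```powershell
# Added example (not the article's script): NPS policy replication between the two servers.
# Assumes the article's layout: SRV1 exports to \\SRV2\NPS-config$, which is assumed to be the
# folder C:\NPS-config on SRV2, and both hosts keep their scripts in C:\Scripts.
param([ValidateSet('Export', 'Import', 'RegisterTask')][string] $Mode = 'RegisterTask')

$SharePath = '\\SRV2\NPS-config$\NPS.xml'   # path as seen from the primary (SRV1)
$LocalPath = 'C:\NPS-config\NPS.xml'         # the same file as seen on the backup (SRV2)
$StateFile = 'C:\Scripts\last-import.txt'    # SHA-256 of the export that was last applied

switch ($Mode) {
    'Export' {
        # The XML contains the RADIUS shared secrets in clear text: the share must be
        # writable only by SRV1's computer account and readable only by SRV2.
        Export-NpsConfiguration -Path $SharePath
    }
    'Import' {
        if (-not (Test-Path $LocalPath)) { Write-Warning "no export at $LocalPath"; return }
        # Apply the file only when it changed, and only if it parses as XML, so a failed or
        # half-written export never replaces the working policy set on the backup.
        $hash = (Get-FileHash -Path $LocalPath -Algorithm SHA256).Hash
        $last = if (Test-Path $StateFile) { (Get-Content $StateFile -Raw).Trim() } else { '' }
        if ($hash -eq $last) { return }
        $null = [xml](Get-Content $LocalPath -Raw)      # throws on a truncated file
        Import-NpsConfiguration -Path $LocalPath
        Set-Content -Path $StateFile -Value $hash
    }
    'RegisterTask' {
        # SRV1 gets the Export task, SRV2 the Import task; the start time (08:00) is an assumption.
        $branch = if ($env:COMPUTERNAME -eq 'SRV2') { 'Import' } else { 'Export' }
        $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
            -Argument "-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Sync-NpsConfig.ps1 -Mode $branch"
        # Daily, repeated every 10 minutes for 8 hours, as in the article's task definition.
        $trigger = New-ScheduledTaskTrigger -Daily -At '08:00'
        $trigger.Repetition = (New-ScheduledTaskTrigger -Once -At '08:00' `
            -RepetitionInterval (New-TimeSpan -Minutes 10) -RepetitionDuration (New-TimeSpan -Hours 8)).Repetition
        # SYSTEM with highest privileges: "run whether user is logged on or not".
        $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
        Register-ScheduledTask -TaskName "$branch-NpsConfiguration" -Action $action `
            -Trigger $trigger -Principal $principal -Force
    }
}
```

Running the script once with no arguments on each server registers the appropriate task; because the task runs as SYSTEM, it is SRV1's computer account that needs write access to the share.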

Now, to verify, let's add to NPS on one of the servers (!) a couple of switches under RADIUS clients (IP and Shared Secret), two connection request policies: WIRED-Connect (Condition: "NAS port type is Ethernet") and WiFi-Enterprise (Condition: "NAS port type is IEEE 802.11"), as well as the network policy Access to Cisco Network Devices (Network Admins):

Conditions:
  Windows Groups - domain\sg-network-admins
Constraints:
  Authentication Methods - Unencrypted authentication (PAP, SPAP)
Settings:
  RADIUS Attributes: Standard - Service-Type - Login
  Vendor Specific - Cisco-AV-Pair - Cisco - shell:priv-lvl=15

On the switch, the following settings:

aaa new-model
aaa local authentication attempts max-fail 5
!
!
aaa group server radius NPS
 server-private 192.168.38.151 auth-port 1812 acct-port 1813 key %shared_secret%
 server-private 192.168.10.151 auth-port 1812 acct-port 1813 key %shared_secret%
!
aaa authentication login default group NPS local
aaa authentication dot1x default group NPS
aaa authorization console
aaa authorization exec default group NPS local if-authenticated
aaa authorization network default group NPS
!
aaa session-id common
!
identity profile default
!
dot1x system-auth-control
!
!
line vty 0 4
 exec-timeout 5 0
 transport input ssh
 escape-character 99
line vty 5 15
 exec-timeout 5 0
 logging synchronous
 transport input ssh
 escape-character 99

After 10 minutes, all the policies should also appear on the backup NPS, and we will be able to log in to the switches with an Active Directory account that is a member of the domain\sg-network-admins group (which we created in advance).

Let's move on to configuring Active Directory: create the group and password policies and the necessary groups.

Group Policy Computers-8021x-Settings:

Computer Configuration (Enabled)
  Policies
    Windows Settings
      Security Settings
        System Services
          Wired AutoConfig (Startup Mode: Automatic)
      Wired Network (802.3) Policies


NPS-802-1x

Name: NPS-802-1x
Description: 802.1x
Global Settings:
  Use Windows wired LAN network services for clients - Enabled
  Shared user credentials for network authentication - Enabled
Network Profile:
  Security Settings:
    Enable use of IEEE 802.1X authentication for network access - Enabled
    Enforce use of IEEE 802.1X authentication for network access - Disabled
  IEEE 802.1X Settings:
    Computer Authentication - Computer only
    Maximum Authentication Failures - 10
    Maximum EAPOL-Start Messages Sent - (blank)
    Held Period (seconds) - (blank)
    Start Period (seconds) - (blank)
    Authentication Period (seconds) - (blank)
  Network Authentication Method Properties:
    Authentication method - Protected EAP (PEAP)
    Validate server certificate - Enabled
    Connect to these servers - (blank)
    Do not prompt user to authorize new servers or trusted certification authorities - Disabled
    Enable fast reconnect - Enabled
    Disconnect if server does not present cryptobinding TLV - Disabled
    Enforce network access protection - Disabled
  Authentication Method Configuration:
    Authentication method - Secured password (EAP-MSCHAP v2)
    Automatically use my Windows logon name and password (and domain if any) - Enabled


Let's create a security group sg-computers-8021x-vl100, to which we will add the computers we want to place in vlan 100, and configure security filtering of the group policy created above so that it applies only to this group:


You can verify that the policy has been applied by opening "Network and Sharing Center (Network and Internet Settings) - Change adapter settings - Adapter Properties", where the "Authentication" tab should now be visible:


Once you are sure the policy has been applied, you can proceed to configure the network policy on NPS and the switch port.

Let's create the network policy neag-computers-8021x-vl100:

Conditions:
  Windows Groups - sg-computers-8021x-vl100
  NAS Port Type - Ethernet
Constraints:
  Authentication Methods - Microsoft: Protected EAP (PEAP) - Unencrypted authentication (PAP, SPAP)
  NAS Port Type - Ethernet
Settings:
  Standard:
   Framed-MTU 1344
   TunnelMediumType 802 (includes all 802 media plus Ethernet canonical format)
   TunnelPrivateGroupId  100
   TunnelType  Virtual LANs (VLAN)


Settings for the switch port (note that the "multi-domain" authentication mode is used, Data & Voice, and that authentication by MAC address is also possible). The port parameters include:


authentication event fail action authorize vlan 100
authentication event no-response action authorize vlan 100

The vlan id here is not a "quarantine" vlan but the same one the user's computer should end up in after a successful login, until we are sure that everything works as it should. The same parameters can be used in other scenarios, for example when an unmanaged switch is plugged into this port and you want every device behind it that does not pass authentication to land in a specific ("quarantine") vlan.

Switch port settings in 802.1x host-mode multi-domain:

default int range Gi1/0/39-41
int range Gi1/0/39-41
shu
des PC-IPhone_802.1x
switchport mode access
switchport nonegotiate
switchport voice vlan 55
switchport port-security maximum 2
authentication event fail action authorize vlan 100
authentication event no-response action authorize vlan 100
authentication host-mode multi-domain
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout quiet-period 15
dot1x timeout tx-period 3
storm-control broadcast level pps 100
storm-control multicast level pps 110
no vtp
lldp receive
lldp transmit
spanning-tree portfast
no shu
exit

You can verify that your computer and phone have passed authentication with the command:

sh authentication sessions int Gi1/0/39 det

Now let's create a group (for example, sg-fgpp-mab) in Active Directory for the phones and add one device to it for testing (in my case a Grandstream GXP 2160 with MAC address 000b.82ba.a7b1 and, accordingly, the account name 000b82baa7b1).

For the created group we will relax the password policy (using a Fine-Grained Password Policy in Active Directory Administrative Center -> domain -> System -> Password Settings Container) with the following settings, Password-Settings-for-MAB:


This allows the devices' MAC addresses to be used as the password. After that we can create a network policy for the 802.1x mab authentication method; let's call it neag-devices-8021x-voice. The parameters are as follows:

  • NAS Port Type - Ethernet
  • Windows Groups - sg-fgpp-mab
  • EAP type: Unencrypted authentication (PAP, SPAP)
  • RADIUS Attributes - Vendor Specific: Cisco - Cisco-AV-Pair - Attribute value: device-traffic-class=voice

After successful authentication (don't forget to configure the switch port), let's look at the session information on the port:

sh authentication se int Gi1/0/34

----------------------------------------
            Interface:  GigabitEthernet1/0/34
          MAC Address:  000b.82ba.a7b1
           IP Address:  172.29.31.89
            User-Name:  000b82baa7b1
               Status:  Authz Success
               Domain:  VOICE
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0000000000000EB2000B8C5E
      Acct Session ID:  0x00000134
               Handle:  0xCE000EB3

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
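The session output above read programmatically, as an added example (not from the article): a parser for the "sh authentication sessions ... det" header and "Runnable methods list", and a check that flags sessions that got in by MAB outside the VOICE domain or that were authorized by something other than the RADIUS server. The input is a constructed copy of the phone session above plus a made-up second session; the port Gi1/0/39 and MAC aaaa.bbbb.cccc in it are constructed values.

```powershell
# Added example (not from the article): parse "sh authentication sessions int ... det" output
# and flag sessions that rely on MAB outside the VOICE domain or were not authorized by RADIUS.
function ConvertFrom-AuthSession {
    param([Parameter(Mandatory)][string] $Text)
    $s = [ordered]@{ Methods = @{} }
    $inMethods = $false
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*Runnable methods list:') { $inMethods = $true; continue }
        if ($inMethods) {
            # e.g. "       mab      Authc Success"
            if ($line -match '^\s*(dot1x|mab)\s+(.+?)\s*$') { $s.Methods[$Matches[1]] = $Matches[2] }
            continue
        }
        # header lines are "Key:  Value"; keys may contain spaces or hyphens (Oper host mode, User-Name)
        if ($line -match '^\s*([A-Za-z][A-Za-z -]*?):\s+(.*?)\s*$') { $s[$Matches[1]] = $Matches[2] }
    }
    return [pscustomobject]$s
}
function Test-AuthSession {
    param([Parameter(Mandatory)] $Session)
    $findings = @()
    if ($Session.Status -ne 'Authz Success') { $findings += "not authorized: $($Session.Status)" }
    if ($Session.'Authorized By' -ne 'Authentication Server') {
        $findings += "authorized by $($Session.'Authorized By'), not by NPS"   # e.g. fail/no-response vlan
    }
    # MAB proves only a MAC address; in multi-domain mode only the phone (VOICE) should depend on it.
    if ($Session.Methods['mab'] -eq 'Authc Success' -and $Session.Domain -ne 'VOICE') {
        $findings += "MAB-authorized device in $($Session.Domain) domain: $($Session.'MAC Address')"
    }
    return $findings
}
# Constructed input: the phone session from the article, and a made-up PC session (port and MAC are
# invented) whose dot1x failed over to MAB in the DATA domain, i.e. a PC that got in by MAC address only.
$phone = @"
            Interface:  GigabitEthernet1/0/34
          MAC Address:  000b.82ba.a7b1
            User-Name:  000b82baa7b1
               Status:  Authz Success
               Domain:  VOICE
        Authorized By:  Authentication Server
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
"@
$pc = $phone -replace 'GigabitEthernet1/0/34', 'GigabitEthernet1/0/39' -replace 'VOICE', 'DATA' `
    -replace '000b\.82ba\.a7b1', 'aaaa.bbbb.cccc'
Test-AuthSession (ConvertFrom-AuthSession $phone)   # phone session in the VOICE domain
Test-AuthSession (ConvertFrom-AuthSession $pc)      # PC session that passed by MAB only
```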

Now, as promised, let's look at a couple of situations that are not entirely obvious. For example, we need to connect users' computers and devices through an unmanaged switch. In this case the port settings for it will look like this:

Switch port settings in 802.1x host-mode multi-auth:

interface GigabitEthernet1/0/1
description *SW – 802.1x – 8 mac*
shu
switchport mode access
switchport nonegotiate
switchport voice vlan 55
! increase the number of allowed mac addresses
switchport port-security maximum 8
authentication event fail action authorize vlan 100
authentication event no-response action authorize vlan 100
! authentication mode
authentication host-mode multi-auth
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout quiet-period 15
dot1x timeout tx-period 3
storm-control broadcast level pps 100
storm-control multicast level pps 110
no vtp
spanning-tree portfast
no shu

PS: we noticed one very strange thing. If a device was connected through an unmanaged switch and is then plugged into a managed one, it will not work until we reboot (!) the switch. I have not yet found another way to solve this problem.

Another point concerns DHCP (if ip dhcp snooping is used): without the following options:

ip dhcp snooping vlan 1-100
no ip dhcp snooping information option

for some reason I could not get an IP address correctly... although this may be a peculiarity of our DHCP server.

And Mac OS & Linux (which have native 802.1x support) try to authenticate the user even when authentication by MAC address is configured for them.

In the next part of the article we will look at using 802.1x for Wireless (depending on the group the user account belongs to, we will "throw" it into the corresponding network (vlan), even though all users connect to the same SSID).

Source: www.hab.com
