
Cia peb xav txog kev siv hauv kev xyaum Windows Active Directory + NPS (ob lub servers rau kev ua txhaum cai) + tus qauv 802.1x rau kev tswj hwm kev nkag mus thiab kev lees paub cov neeg siv, cov khoos phis tawj hauv domain, thiab cov khoom siv. Koj tuaj yeem nyeem lub tswv yim tom qab tus qauv ntawm Wikipedia ntawm qhov txuas hauv qab no:
Txij li thaum kuv "lab" muaj kev txwv nyob rau hauv cov peev txheej, lub luag haujlwm ntawm NPS thiab tus tswj hwm sau npe tau sib xws, tab sis kuv xav kom koj tseem cais cov kev pabcuam tseem ceeb.
Cov txheej txheem txheem rau kev sib dhos cov teeb tsa (cov cai) Windows Kuv tsis paub NPS, yog li peb yuav siv PowerShell scripts khiav los ntawm Task Scheduler (sau los ntawm kuv tus npoj yaig yav dhau los). Rau kev lees paub cov khoos phis tawj hauv domain thiab rau cov khoom siv uas tsis txhawb nqa 802.1x (xov tooj, tshuab luam ntawv, thiab lwm yam), pab pawg neeg txoj cai yuav raug teeb tsa thiab kev ruaj ntseg pab pawg yuav raug tsim.
Thaum kawg ntawm tsab xov xwm, kuv mam li qhia rau koj txog qee qhov intricacies ntawm kev ua haujlwm nrog 802.1x - koj tuaj yeem siv cov keyboards tsis muaj kev tswj hwm, dynamic ACLs, thiab lwm yam. .
Cia peb pib nrog kev teeb tsa thiab teeb tsa failover NPS rau Windows Server 2012R2 (2016 zoo ib yam): los ntawm Server Manager -> Add Roles and Features Wizard, xaiv tsuas yog Network Policy Server xwb.

los yog siv PowerShell:
Install-WindowsFeature NPAS -IncludeManagementToolsIb qho kev qhia me me - txij li rau Protected EAP (PEAP) koj yuav xav tau daim ntawv pov thawj lees paub qhov tseeb ntawm cov neeg rau zaub mov (nrog cov cai tsim nyog siv), uas yuav ntseeg tau ntawm cov neeg siv khoom siv computer, ces koj yuav xav tau los nruab lub luag haujlwm. Daim Ntawv Tso Cai. Tab sis peb yuav xav tias CA koj twb muaj nws ntsia...
Cia wb ua ib yam ntawm lub server thib ob. Cia peb tsim ib daim nplaub tshev rau C: Scripts tsab ntawv ntawm ob lub servers thiab lub network folder ntawm tus neeg rau zaub mov thib ob SRV2NPS-config $
Wb tsim ib tsab ntawv PowerShell ntawm thawj tus neeg rau zaub mov C:ScriptsExport-NPS-config.ps1 nrog cov ntsiab lus hauv qab no:
Export-NpsConfiguration -Path "SRV2NPS-config$NPS.xml"Tom qab ntawd, cia peb teeb tsa txoj haujlwm hauv Task Sheduler: "Export-NpsConfiguration"
powershell -executionpolicy unrestricted -f "C:ScriptsExport-NPS-config.ps1" Khiav rau txhua tus neeg siv - Khiav nrog cov cai siab tshaj plaws
Txhua hnub - Rov ua txoj haujlwm txhua 10 feeb. hauv 8 teev
Ntawm qhov thaub qab NPS, teeb tsa ntshuam ntawm kev teeb tsa (txoj cai):
Wb tsim ib tsab ntawv PowerShell:
echo Import-NpsConfiguration -Path "c:NPS-configNPS.xml" >> C:ScriptsImport-NPS-config.ps1thiab ib txoj haujlwm los ua nws txhua 10 feeb:
powershell -executionpolicy unrestricted -f "C:ScriptsImport-NPS-config.ps1" Khiav rau txhua tus neeg siv - Khiav nrog cov cai siab tshaj plaws
Txhua hnub - Rov ua txoj haujlwm txhua 10 feeb. hauv 8 teev
Tam sim no, txhawm rau txheeb xyuas, cia peb ntxiv rau NPS ntawm ib qho ntawm cov servers (!) ob peb lub keyboards hauv RADIUS cov neeg siv khoom (IP thiab Shared Secret), ob txoj cai thov kev sib txuas: WIRED-Txuas (Cov xwm txheej: "NAS hom chaw nres nkoj yog Ethernet") thiab WiFi-kev lag luam (Kev mob: "NAS hom chaw nres nkoj yog IEEE 802.11"), nrog rau txoj cai network Nkag mus rau Cisco Network Devices (Network Admins):
Условия:
Группы Windows - domainsg-network-admins
Ограничения:
Методы проверки подлинности - Проверка открытым текстом (PAP, SPAP)
Параметры:
Атрибуты RADIUS: Стандарт - Service-Type - Login
Зависящие от поставщика - Cisco-AV-Pair - Cisco - shell:priv-lvl=15Ntawm qhov hloov pauv, cov kev teeb tsa hauv qab no:
aaa new-model
aaa local authentication attempts max-fail 5
!
!
aaa group server radius NPS
server-private 192.168.38.151 auth-port 1812 acct-port 1813 key %shared_secret%
server-private 192.168.10.151 auth-port 1812 acct-port 1813 key %shared_secret%
!
aaa authentication login default group NPS local
aaa authentication dot1x default group NPS
aaa authorization console
aaa authorization exec default group NPS local if-authenticated
aaa authorization network default group NPS
!
aaa session-id common
!
identity profile default
!
dot1x system-auth-control
!
!
line vty 0 4
exec-timeout 5 0
transport input ssh
escape-character 99
line vty 5 15
exec-timeout 5 0
logging synchronous
transport input ssh
escape-character 99Tom qab kev teeb tsa, tom qab 10 feeb, tag nrho cov neeg siv kev cai tswjfwm yuav tsum tshwm sim ntawm NPS thaub qab thiab peb yuav tuaj yeem nkag mus rau hauv cov keyboards siv ActiveDirectory account, tus tswv cuab ntawm pawg domainsg-network-admins (uas peb tsim ua ntej).
Cia peb mus rau kev teeb tsa Active Directory - tsim pab pawg thiab password txoj cai, tsim cov pab pawg tsim nyog.
Pawg Txoj Cai Computers-8021x-Settings:
Computer Configuration (Enabled)
Policies
Windows Settings
Security Settings
System Services
Wired AutoConfig (Startup Mode: Automatic)
Wired Network (802.3) Policies
NPS-802-1x
Name NPS-802-1x
Description 802.1x
Global Settings
SETTING VALUE
Use Windows wired LAN network services for clients Enabled
Shared user credentials for network authentication Enabled
Network Profile
Security Settings
Enable use of IEEE 802.1X authentication for network access Enabled
Enforce use of IEEE 802.1X authentication for network access Disabled
IEEE 802.1X Settings
Computer Authentication Computer only
Maximum Authentication Failures 10
Maximum EAPOL-Start Messages Sent
Held Period (seconds)
Start Period (seconds)
Authentication Period (seconds)
Network Authentication Method Properties
Authentication method Protected EAP (PEAP)
Validate server certificate Enabled
Connect to these servers
Do not prompt user to authorize new servers or trusted certification authorities Disabled
Enable fast reconnect Enabled
Disconnect if server does not present cryptobinding TLV Disabled
Enforce network access protection Disabled
Authentication Method Configuration
Authentication method Secured password (EAP-MSCHAP v2)
Automatically use my Windows logon name and password(and domain if any) Enabled
Cia peb tsim ib pab pawg neeg ruaj ntseg txz | | |-- sg-computers-8021x-vl100, qhov twg peb yuav ntxiv cov khoos phis tawj uas peb xav muab faib rau vlan 100 thiab teeb tsa kev lim dej rau pawg tswj hwm yav dhau los rau pawg no:

Koj tuaj yeem txheeb xyuas tau tias txoj cai tau ua tiav los ntawm kev qhib "Network and Sharing Center (Network and Internet Settings) - Hloov kho adapter settings (Configuring adapter settings) - Adapter Properties", qhov twg peb tuaj yeem pom "Authentication" tab:

Thaum koj ntseeg tias txoj cai tau ua tiav, koj tuaj yeem mus teeb tsa txoj cai network ntawm NPS thiab nkag mus rau theem hloov chaw nres nkoj.
Cia peb tsim txoj cai network neag-computers-8021x-vl100:
Conditions:
Windows Groups - sg-computers-8021x-vl100
NAS Port Type - Ethernet
Constraints:
Authentication Methods - Microsoft: Protected EAP (PEAP) - Unencrypted authentication (PAP, SPAP)
NAS Port Type - Ethernet
Settings:
Standard:
Framed-MTU 1344
TunnelMediumType 802 (includes all 802 media plus Ethernet canonical format)
TunnelPrivateGroupId 100
TunnelType Virtual LANs (VLAN) 
Cov chaw teeb tsa rau qhov hloov chaw nres nkoj (thov nco ntsoov tias "ntau lub npe" authentication hom yog siv - Cov ntaub ntawv & Lub suab, thiab tseem muaj peev xwm ua pov thawj los ntawm mac chaw nyob. tsis muaj:
authentication event fail action authorize vlan 100
authentication event no-response action authorize vlan 100
Tus ID vlan tsis yog "quarantine" ib qho, tab sis tib qhov uas tus neeg siv lub khoos phis tawj yuav tsum mus tom qab nkag mus tau zoo - txog thaum peb paub tseeb tias txhua yam ua haujlwm raws li nws yuav tsum tau ua. Cov kev txwv tib yam no tuaj yeem siv tau rau lwm qhov xwm txheej, piv txwv li, thaum qhov hloov tsis tau tswj tau ntsaws rau hauv qhov chaw nres nkoj no thiab koj xav kom txhua yam khoom siv txuas nrog nws uas tsis dhau qhov kev lees paub kom poob rau hauv qee qhov vlan ("quarantine").
hloov chaw nres nkoj nqis hauv 802.1x host-hom multi-domain hom
default int range Gi1/0/39-41
int range Gi1/0/39-41
shu
des PC-IPhone_802.1x
switchport mode access
switchport nonegotiate
switchport voice vlan 55
switchport port-security maximum 2
authentication event fail action authorize vlan 100
authentication event no-response action authorize vlan 100
authentication host-mode multi-domain
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout quiet-period 15
dot1x timeout tx-period 3
storm-control broadcast level pps 100
storm-control multicast level pps 110
no vtp
lldp receive
lldp transmit
spanning-tree portfast
no shu
exitKoj tuaj yeem paub tseeb tias koj lub khoos phis tawj thiab lub xov tooj tau ua tiav dhau qhov kev lees paub nrog cov lus txib:
sh authentication sessions int Gi1/0/39 detTam sim no cia peb tsim ib pab pawg (piv txwv li, sg-fgpp-mab ) hauv Active Directory rau cov xov tooj thiab ntxiv ib lub cuab yeej rau nws rau kev sim (hauv kuv rooj plaub nws yog Grandstream GXP 2160 nrog mas address 000b.82b7b 1 thiab resp. tus account npe 00b82baa7b1).
Rau cov pab pawg tsim, peb yuav txo tus password txoj cai (siv ntawm Active Directory Administration Center -> domain -> System -> Password Settings Container) nrog rau cov kev txwv hauv qab no Password-Settings-for-MAB:

Yog li, peb yuav tso cai siv cov cuab yeej siv qhov chaw nyob ua tus password. Tom qab no peb tuaj yeem tsim txoj cai network rau 802.1x txoj kev mab authentication, cia peb hu nws neag-devices-8021x-lub suab. Cov parameter yog raws li nram no:
- NAS Port Type - Ethernet
- Windows Cov Pab Pawg - sg-fgpp-mab
- Hom EAP: Unencrypted authentication (PAP, SPAP)
- RADIUS Tus cwj pwm - Tus neeg muag khoom tshwj xeeb: Cisco - Cisco-AV-Pair - Tus nqi tus nqi: ntaus ntawv-tsheb-chav kawm = suab
Tom qab ua tiav authentication (tsis txhob hnov qab txhim kho qhov hloov chaw), cia saib cov ntaub ntawv los ntawm qhov chaw nres nkoj:
sh authentication se int Gi1/0/34
----------------------------------------
Interface: GigabitEthernet1/0/34
MAC Address: 000b.82ba.a7b1
IP Address: 172.29.31.89
User-Name: 000b82baa7b1
Status: Authz Success
Domain: VOICE
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0000000000000EB2000B8C5E
Acct Session ID: 0x00000134
Handle: 0xCE000EB3
Runnable methods list:
Method State
dot1x Failed over
mab Authc SuccessTam sim no, raws li tau cog lus tseg, cia saib ob peb yam tsis pom tseeb kiag li. Piv txwv li, peb yuav tsum txuas cov neeg siv cov khoos phis tawj thiab cov khoom siv los ntawm kev hloov pauv tsis tau tswj hwm (hloov). Hauv qhov no, qhov chaw nres nkoj rau nws yuav zoo li no:
hloov chaw nres nkoj nqis hauv 802.1x host-hom multi-auth hom
interface GigabitEthernet1/0/1
description *SW – 802.1x – 8 mac*
shu
switchport mode access
switchport nonegotiate
switchport voice vlan 55
switchport port-security maximum 8 ! увеличиваем кол-во допустимых мас-адресов
authentication event fail action authorize vlan 100
authentication event no-response action authorize vlan 100
authentication host-mode multi-auth ! – режим аутентификации
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout quiet-period 15
dot1x timeout tx-period 3
storm-control broadcast level pps 100
storm-control multicast level pps 110
no vtp
spanning-tree portfast
no shuPS peb pom ib qho txawv txawv heev - yog tias lub cuab yeej txuas nrog los ntawm kev hloov pauv, thiab tom qab ntawd nws tau ntsaws rau hauv qhov kev tswj hwm, ces nws yuav tsis ua haujlwm kom txog thaum peb rov pib dua (!) qhov hloov. Kuv tsis tau pom lwm txoj hauv kev. daws qhov teeb meem no tsis tau.
Lwm cov ntsiab lus ntsig txog DHCP (yog tias siv ip dhcp snooping) - tsis muaj cov kev xaiv zoo li no:
ip dhcp snooping vlan 1-100
no ip dhcp snooping information optionRau qee qhov laj thawj kuv tsis tuaj yeem tau txais qhov chaw nyob IP kom raug ... txawm hais tias qhov no yuav yog ib qho ntawm peb DHCP server
Thiab tseem Mac OS & Linux (uas txhawb nqa 802.1x natively) sim txheeb xyuas tus neeg siv, txawm tias kev txheeb xyuas los ntawm MAC chaw nyob tau teeb tsa.
Hauv seem tom ntej ntawm tsab xov xwm, peb yuav saib txog kev siv 802.1x rau Wireless (nyob ntawm cov pab pawg uas tus neeg siv nyiaj koom nrog, peb yuav "pov" nws mus rau hauv lub network sib txuas (vlan), txawm hais tias lawv yuav txuas rau. tib yam SSID).
Tau qhov twg los: www.hab.com
