Implementing a highly secure remote access concept

Continuing the series of articles on organizing Remote-Access VPN access, I cannot help but share my interesting experience of deploying a highly secure VPN configuration. A non-trivial task was set by one customer (there are still inventors in Russian villages), but the challenge was accepted and implemented creatively. The result is an interesting concept with the following features:

  1. Several layers of protection against substitution of the remote connection device (with strict binding to the user);
    • Compliance check of the user's PC against the UDID of the permitted PC stored in the authentication database;
    • MFA using the PC UDID taken from the certificate for the second authentication on Cisco DUO (you can attach one SAML/Radius on top of another);
  2. Multi-factor authentication:
    • User certificate with verification of its fields and a second authentication against one of them;
    • Login (immutable, taken from the certificate) and password;
  3. Assessment of the state of the connecting host (Posture)

Components used:

  • Cisco ASA (VPN Gateway);
  • Cisco ISE (Authentication / Authorization / Accounting, Posture assessment, CA);
  • Cisco DUO (Multi-Factor Authentication) (you can attach one SAML/Radius on top of another);
  • Cisco AnyConnect (multi-purpose agent for workstations and mobile OS);

Let's start with the customer requirements:

  1. The user must, after login/password authentication, be able to download the AnyConnect client from the VPN gateway; all necessary AnyConnect modules must be installed automatically according to the user's policy;
  2. The user must be issued a certificate automatically (for one of the scenarios; the main scenario is manual issuance and placement on the PC), but I used automatic issuance for the demonstration (it is never too late to remove it).
  3. Basic authentication must take place in several stages: first certificate authentication with analysis of the required fields and their values, then login/password, only this time the username specified in a certificate field must be substituted automatically into the Login window. The username taken from the Common Name (CN) field cannot be edited.
  4. It must be verified that the device you are logging in from is the corporate laptop issued to the user for remote access, and not something else. (Several options were implemented to satisfy this requirement)
  5. The state of the connecting device (at this stage a PC) must be assessed against a whole hefty table of customer requirements (in summary):
    • Files and their properties;
    • Registry entries;
    • OS patches from the provided list (later, SCCM integration);
    • Presence of an Anti-Virus from a specific vendor and up-to-date signatures;
    • Running state of certain services;
    • Presence of certain installed programs;

To begin with, I suggest you watch the video demonstration of the resulting implementation on Youtube (5 minutes).

Now I propose to look at the implementation details not covered in the video clip.

Let's prepare the AnyConnect profile:

Earlier I gave an example of creating a profile (in terms of the menu items in ASDM) in my article on configuring a VPN Load-Balancing Cluster. Now I want to point out separately the options we will need:

In the profile, we specify the VPN gateway and the profile name for the end client's connection:

[screenshot]

Let's configure automatic certificate issuance from the profile side, specifying, in particular, the certificate parameters, and pay attention to the Initials (I) field, where a specific value is entered manually: the UDID of the test machine (a unique device identifier generated by the Cisco AnyConnect client).

[screenshot]

Here I want to make a small digression, since this article describes a concept: for demonstration purposes, the UDID for certificate issuance is entered in the Initials field of the AnyConnect profile. Of course, in real life, if you do this, every user will receive a certificate with the same UDID in this field and nothing will work for them, because each of them needs the UDID of their specific PC. AnyConnect, unfortunately, does not yet implement substitution of the UDID into the certificate request profile via an environment variable, as it does, for example, with the %USER% variable.

It is worth noting that the customer (in this scenario) initially planned to issue certificates with the given UDID for the protected PCs manually, which is not a problem for them. However, most of us want automation (well, for me that is definitely true =)).

And this is what I can offer in terms of automation. If AnyConnect still cannot issue a certificate by substituting the UDID automatically, there is another way that requires a little creative thinking and skilled hands; I'll show you the concept. First, let's look at how the UDID is generated by the AnyConnect agent on different operating systems:

  • Windows - SHA-256 hash of the concatenation of the DigitalProductID and Machine SID registry keys
  • OSX - SHA-256 hash of the PlatformUUID
  • Linux - SHA-256 hash of the UUID of the root partition.
  • Apple iOS - SHA-256 hash of the PlatformUUID
  • Android - see the document at the link

Accordingly, we write a script for our corporate Windows OS; with it we compute the UDID locally from the known input data and form a certificate request with this UDID entered in the required field. By the way, you can also use a machine certificate issued by AD (by adding a second certificate authentication to the scheme, the Multiple Certificate feature).
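The script the paragraph above calls for, as an added example of my own (not the author's or Cisco's code): it computes the Windows UDID from the DigitalProductId and machine SID and writes a certreq.exe request template with that value in the Initials (I) field. The byte order of the concatenation, the ASCII encoding of the SID and the request.inf layout are my assumptions; the resulting value should be compared with the UDID ISE reports for the client before it is trusted.

```python
import hashlib
import sys


def compute_udid(digital_product_id: bytes, machine_sid: str) -> str:
    """Local UDID: SHA-256 over the DigitalProductId bytes followed by the SID.
    Assumption: the article only says "concatenation"; product id first and an
    ASCII-encoded SID is my guess. Verify against the UDID shown in ISE client
    details (it arrives from ACIDEX as a Cisco-AV-PAIR) before relying on it."""
    return hashlib.sha256(digital_product_id + machine_sid.encode("ascii")).hexdigest()


def udid_matches(computed: str, reported: str) -> bool:
    """Compare with the value reported by ISE, ignoring case and stray whitespace."""
    return computed.lower() == reported.strip().lower()


def certreq_inf(common_name: str, org_unit: str, udid: str) -> str:
    """certreq.exe template: the Initials (I) RDN carries the UDID and the OU is
    the value the ASA certificate map keys on (securebank-ra in the article)."""
    return "\n".join([
        "[NewRequest]",
        f'Subject = "CN={common_name},OU={org_unit},I={udid}"',
        "KeyLength = 2048",
        "Exportable = FALSE",
        "RequestType = PKCS10",
        "",
    ])


def read_digital_product_id() -> bytes:
    """Windows only: raw REG_BINARY DigitalProductId from HKLM."""
    import winreg  # imported lazily so the pure functions above work anywhere
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion") as key:
        value, _ = winreg.QueryValueEx(key, "DigitalProductId")
    return bytes(value)


if __name__ == "__main__":
    # Usage on the corporate PC: python udid_request.py <machine-SID> <username>
    # The machine SID is the local account-domain SID, e.g. in PowerShell:
    #   (Get-LocalUser | Select-Object -First 1).SID.AccountDomainSid.Value
    machine_sid, username = sys.argv[1], sys.argv[2]
    udid = compute_udid(read_digital_product_id(), machine_sid)
    with open("request.inf", "w", encoding="ascii") as fh:
        fh.write(certreq_inf(username, "SECUREBANK-RA", udid))
    print(udid)  # then: certreq -new request.inf request.csr and submit to the ISE CA
```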

Let's prepare the settings on the Cisco ASA side:

Let's create a TrustPoint for the ISE CA server; it is the one that will issue certificates to clients. I will not go into the Key-Chain import procedure; an example is described in my article on configuring a VPN Load-Balancing Cluster.

crypto ca trustpoint ISE-CA
 enrollment terminal
 crl configure

We configure distribution into Tunnel-Groups by rules based on the fields of the certificate used for authentication. The AnyConnect profile we made at the previous stage is also configured here. Please note that I use the value SECUREBANK-RA to switch users with an issued certificate to the tunnel group SECURE-BANK-VPN; note that I have this field in the certificate request section of the AnyConnect profile.

tunnel-group-map enable rules
!
crypto ca certificate map OU-Map 6
 subject-name attr ou eq securebank-ra
!
webvpn
 anyconnect profiles SECUREBANK disk0:/securebank.xml
 certificate-group-map OU-Map 6 SECURE-BANK-VPN
!

Configure the authentication servers. In my case, this is ISE for the first stage of authentication and DUO (Radius Proxy) as MFA.

! CISCO ISE
aaa-server ISE protocol radius
 authorize-only
 interim-accounting-update periodic 24
 dynamic-authorization
aaa-server ISE (inside) host 192.168.99.134
 key *****
!
! DUO RADIUS PROXY
aaa-server DUO protocol radius
aaa-server DUO (inside) host 192.168.99.136
 timeout 60
 key *****
 authentication-port 1812
 accounting-port 1813
 no mschapv2-capable
!

We create the group policies and tunnel groups and their associated parameters:

The tunnel group DefaultWEBVPNGroup will be used mainly for downloading the AnyConnect VPN client and issuing a certificate using the SCEP-Proxy function of the ASA; for this we have the corresponding options enabled both on the tunnel group itself and on the group policy AC-Download, and in the loaded AnyConnect profile (the fields for certificate issuance, etc.). In this group policy we also specify that the ISE Posture module must be downloaded.

The tunnel group SECURE-BANK-VPN will be used by the client automatically when authenticating with the certificate issued at the previous stage, since, according to the certificate map, the connection will land specifically in this tunnel group. Here are the interesting options:

  • secondary-authentication-server-group DUO # Configure the secondary authentication on the DUO server (Radius Proxy)
  • username-from-certificate CN # For the primary authentication, we use the CN field of the certificate as the user login
  • secondary-username-from-certificate I # For the secondary authentication on the DUO server, we use the automatically extracted username from the Initials (I) field of the certificate
  • pre-fill-username client # Pre-fill the username in the authentication window without the ability to change it
  • secondary-pre-fill-username client hide use-common-password push # Hide the login/password window for the secondary DUO authentication and use a notification method (sms / push / phone); "push" requests authentication via a push notification instead of a password

!
access-list posture-redirect extended permit tcp any host 72.163.1.80 
access-list posture-redirect extended deny ip any any
!
access-list VPN-Filter extended permit ip any any
!
ip local pool vpn-pool 192.168.100.33-192.168.100.63 mask 255.255.255.224
!
group-policy SECURE-BANK-VPN internal
group-policy SECURE-BANK-VPN attributes
 dns-server value 192.168.99.155 192.168.99.130
 vpn-filter value VPN-Filter
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelall
 default-domain value ashes.cc
 address-pools value vpn-pool
 webvpn
  anyconnect ssl dtls enable
  anyconnect mtu 1300
  anyconnect keep-installer installed
  anyconnect ssl keepalive 20
  anyconnect ssl rekey time none
  anyconnect ssl rekey method ssl
  anyconnect dpd-interval client 30
  anyconnect dpd-interval gateway 30
  anyconnect ssl compression lzs
  anyconnect dtls compression lzs
  anyconnect modules value iseposture
  anyconnect profiles value SECUREBANK type user
!
group-policy AC-DOWNLOAD internal
group-policy AC-DOWNLOAD attributes
 dns-server value 192.168.99.155 192.168.99.130
 vpn-filter value VPN-Filter
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelall
 default-domain value ashes.cc
 address-pools value vpn-pool
 scep-forwarding-url value http://ise.ashes.cc:9090/auth/caservice/pkiclient.exe
 webvpn
  anyconnect ssl dtls enable
  anyconnect mtu 1300
  anyconnect keep-installer installed
  anyconnect ssl keepalive 20
  anyconnect ssl rekey time none
  anyconnect ssl rekey method ssl
  anyconnect dpd-interval client 30
  anyconnect dpd-interval gateway 30
  anyconnect ssl compression lzs
  anyconnect dtls compression lzs
  anyconnect modules value iseposture
  anyconnect profiles value SECUREBANK type user
!
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool vpn-pool
 authentication-server-group ISE
 accounting-server-group ISE
 default-group-policy AC-DOWNLOAD
 scep-enrollment enable
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication aaa certificate
!
tunnel-group SECURE-BANK-VPN type remote-access
tunnel-group SECURE-BANK-VPN general-attributes
 address-pool vpn-pool
 authentication-server-group ISE
 secondary-authentication-server-group DUO
 accounting-server-group ISE
 default-group-policy SECURE-BANK-VPN
 username-from-certificate CN
 secondary-username-from-certificate I
tunnel-group SECURE-BANK-VPN webvpn-attributes
 authentication aaa certificate
 pre-fill-username client
 secondary-pre-fill-username client hide use-common-password push
 group-alias SECURE-BANK-VPN enable
 dns-group ASHES-DNS
!

Next we move on to ISE:

We configure a local user (you can use AD / LDAP / ODBC, etc.); for simplicity I created a local user in ISE itself and put into its Description field the UDID of the PC from which it is permitted to connect via VPN. With local authentication on ISE I am limited to only one device, because there are not many fields, but with a third-party authentication database there is no such restriction.

[screenshot]

Let's look at the authorization policy; it is divided into four connection stages:

  • Stage 1 - Policy for downloading the AnyConnect agent and issuing the certificate
  • Stage 2 - Primary authentication policy: Login (from the certificate) / Password + Certificate with UDID validation
  • Stage 3 - Secondary authentication on Cisco DUO (MFA) using the UDID as the username + Posture assessment
  • Stage 4 - Final authorization in the state:
    • Compliant;
    • UDID validated (certificate + login binding),
    • Cisco DUO MFA;
    • Authentication by login;
    • Certificate authentication;

[screenshot]

Let's look at an interesting condition, UUID_VALIDATED; it simply checks that the authenticating user is really connecting from the PC whose permitted UDID is associated with the user account in the Description field. The conditions look like this:

[screenshot]

The authorization profiles used at stages 1, 2 and 3 are as follows:

[screenshot]

You can check exactly how the UDID from the AnyConnect client reaches us by looking at the client details in ISE. In the details we see that AnyConnect, through the ACIDEX mechanism, sends not only platform information but also the device UDID as a Cisco-AV-PAIR:

[screenshot]
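A model of the binding the ISE conditions above enforce, as an added example of mine and not an export of the ISE policy: it parses constructed Cisco-AV-PAIR values as ISE shows them, applies the UUID_VALIDATED check together with the certificate Initials binding, and evaluates the final stage 4 rule. The mdm-tlv=device-uid= attribute form, the user name and the UDID value are my assumptions and constructed sample data.

```python
import re

# Constructed sample of the client details ISE shows: AnyConnect's ACIDEX data
# arrives as several Cisco-AV-PAIR values. The "mdm-tlv=device-uid=" form is the
# one I assume from ISE live logs; adjust the prefix if your logs differ.
SAMPLE_UDID = "3f9c0a7e1b2d4c5e6f708192a3b4c5d6e7f8091a2b3c4d5e6f708192a3b4c5d6"
SAMPLE_AV_PAIRS = [
    "mdm-tlv=device-platform=win",
    "mdm-tlv=device-platform-version=10.0.19045",
    f"mdm-tlv=device-uid={SAMPLE_UDID}",
]
# Constructed user store: as in the article, the Description field holds the
# UDID of the single PC this user may connect from.
USERS = {"ivanov": {"description": SAMPLE_UDID.upper()}}

_UID_RE = re.compile(r"^mdm-tlv=device-uid=([0-9a-fA-F]{64})$")


def device_uid(av_pairs):
    """Extract the device UDID the agent reported, or None if it is absent."""
    for pair in av_pairs:
        m = _UID_RE.match(pair)
        if m:
            return m.group(1).lower()
    return None


def udid_validated(username, av_pairs, cert_initials):
    """Mirror of UUID_VALIDATED plus the certificate binding: the UDID the agent
    reports, the Initials (I) field of the client certificate and the user's
    Description must all name the same device, so a valid user certificate
    presented from a different PC fails here."""
    reported = device_uid(av_pairs)
    user = USERS.get(username)
    if reported is None or user is None:
        return False
    return reported == user["description"].lower() == cert_initials.lower()


def authorize(username, av_pairs, cert_initials, duo_ok, posture):
    """Stage 4 rule: device binding, DUO MFA and a Compliant posture are all required."""
    if not udid_validated(username, av_pairs, cert_initials):
        return "deny: device not bound to user"
    if not duo_ok:
        return "deny: DUO MFA failed"
    if posture != "Compliant":
        return "deny: posture " + posture
    return "permit: SECURE-BANK-VPN"
```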

Let's look at the certificate issued to the user and its Initials (I) field, which is taken as the login for the secondary MFA authentication on Cisco DUO:

[screenshot]

On the DUO Radius Proxy side, the log clearly shows how the authentication request is made: it arrives using the UDID as the username:

[screenshot]

In the DUO portal we see the successful authentication event:

[screenshot]

And in the user's properties I have set an ALIAS, which I used as the login; this is the UDID of the PC permitted for remote access:

[screenshot]

As a result we got:

  • Multi-factor user and device authentication;
  • Protection against spoofing of the user's device;
  • Assessment of the device state;
  • The possibility of tighter control with a domain machine certificate, etc.;
  • Protection of the remote workplace with automatically deployed security modules;

Links to the Cisco VPN series of articles:

Source: www.hab.com
