Implementing a Highly Secure Remote Access Concept

Continuing the series of articles on organizing Remote Access VPN, I cannot help sharing my interesting experience of deploying a highly secure VPN configuration. One customer set a non-trivial task (there are still inventors in Russian villages), but the challenge was accepted and implemented creatively. The result is an interesting concept with the following characteristics:

  1. Multiple factors of protection against substitution of the endpoint device (with strict binding to the user);
    • Checking that the user's PC matches the UDID assigned to the permitted PC in the authentication database;
    • MFA that uses the PC UDID taken from the certificate for secondary authentication via Cisco DUO (any SAML/Radius-compatible provider can be attached);
  2. Multi-factor authentication:
    • A user certificate with validation of its fields and secondary authentication against one of them;
    • Login (unchangeable, taken from the certificate) and password;
  3. Assessment of the connecting host's state (Posture)

Components of the solution:

  • Cisco ASA (VPN gateway);
  • Cisco ISE (Authentication / Authorization / Accounting, state assessment, CA);
  • Cisco DUO (Multi-factor authentication) (any SAML/Radius-compatible provider can be attached);
  • Cisco AnyConnect (multi-purpose agent for workstations and mobile OS);

Let's start with the customer's requirements:

  1. The user must, using their login/password credentials, be able to download the AnyConnect client from the VPN gateway; all required AnyConnect modules must be installed automatically according to the user's policy;
  2. The user must be able to enroll a certificate automatically (for one of the scenarios, the main one, certificates are issued manually and uploaded to the PC), but I implemented automatic issuance for the demonstration (it is never too late to remove it).
  3. Basic authentication must take place in several stages: first certificate authentication with a check of the required fields and their values, then login/password, with the username taken from the certificate field inserted into the login window. The username (CN) field must not be editable.
  4. It must be ensured that the device being used to log in is the corporate laptop issued to the user for remote access, and nothing else. (Several options were implemented to satisfy this requirement)
  5. The state of the connecting device (at this stage a PC) must be checked against a whole table of customer requirements (summarized):
    • Files and their properties;
    • Registry entries;
    • OS patches from a provided list (SCCM integration to follow);
    • Presence of antivirus from a specific vendor and freshness of its signatures;
    • Activity of certain services;
    • Presence of certain installed programs;

To begin with, I suggest watching the video demonstration of the resulting implementation on YouTube (five minutes).

Now I propose to look at the implementation details not covered in the video.

Let's prepare the AnyConnect profile:

I previously gave an example of creating a profile (in terms of the menu item in ASDM) in my article on configuring a VPN Load-Balancing Cluster. Now I would like to highlight separately the options we will need:

In the profile, we specify the VPN gateway and the profile name for connecting the end client:


Ka anyị hazie inye akwụkwọ ikike akpaaka site na profaịlụ profaịlụ, na-egosi, ọkachasị, paramita asambodo na, n'ụzọ mara mma, gee ntị n'ọhịa. Mmalite (I), ebe ejiri aka tinye otu uru UID igwe nyocha (ihe njirimara ngwaọrụ pụrụ iche nke onye ahịa Cisco AnyConnect mepụtara).


Here I want to make a lyrical digression, since this article describes the concept; for demonstration purposes, the UDID for certificate enrollment is entered into the Initials field of the AnyConnect profile. Of course, in real life, if you do this, all clients will receive a certificate with the same UDID in this field and nothing will work for them, since they need the UDID of their specific PC. AnyConnect, unfortunately, does not yet implement substitution of the UDID field in the certificate request profile via an environment variable, as it does, for example, with the %USER% variable.

It is worth noting that the customer (in this scenario) initially plans to issue certificates with the given UDID on the protected PCs themselves, manually, which is not a problem for them. However, most of us want automation (well, for me it is true =)).

And here is what I can offer in terms of automation. If AnyConnect cannot yet issue a certificate automatically by dynamically substituting the UDID, then there is another way that requires a little creative thinking and skilled hands; I will describe the idea. First, let's look at how the UDID is generated on different operating systems by the AnyConnect agent:

  • Windows - SHA-256 hash of the combination of the DigitalProductID and Machine SID registry keys
  • OSX - SHA-256 hash of PlatformUUID
  • Linux - SHA-256 hash of the UUID of the root partition.
  • Apple iOS - SHA-256 hash of PlatformUUID
  • Android – see the document at the link

Accordingly, we create a script for our corporate Windows OS; in this script we locally compute the UDID from the known inputs and build a certificate request, inserting this UDID into the required field. By the way, you can also use a machine certificate issued by AD (adding double authentication with certificates to the scheme: Multiple Certificate).

Let's prepare the settings on the Cisco ASA side:

Let's create a TrustPoint for the ISE CA server, which will issue certificates to clients. I will not cover the Key-Chain import procedure; an example is described in my article on configuring a VPN Load-Balancing Cluster.

crypto ca trustpoint ISE-CA
 enrollment terminal
 crl configure

We configure distribution across Tunnel-Groups based on rules matching the fields of the certificate used for authentication. The AnyConnect profile we created in the previous stage is also registered here. Note that I use the OU value SECUREBANK-RA to send users with an issued certificate to the tunnel group SECURE-BANK-VPN; note that this field is set in the certificate request section of the AnyConnect profile.

tunnel-group-map enable rules
!
crypto ca certificate map OU-Map 6
 subject-name attr ou eq securebank-ra
!
webvpn
 anyconnect profiles SECUREBANK disk0:/securebank.xml
 certificate-group-map OU-Map 6 SECURE-BANK-VPN
!

Setting up the authentication servers. In my case, this is ISE for the first stage of authentication and DUO (Radius Proxy) as MFA.

! CISCO ISE
aaa-server ISE protocol radius
 authorize-only
 interim-accounting-update periodic 24
 dynamic-authorization
aaa-server ISE (inside) host 192.168.99.134
 key *****
!
! DUO RADIUS PROXY
aaa-server DUO protocol radius
aaa-server DUO (inside) host 192.168.99.136
 timeout 60
 key *****
 authentication-port 1812
 accounting-port 1813
 no mschapv2-capable
!

We create the group policies and tunnel groups and their auxiliary components:

The tunnel group DefaultWEBVPNGroup will be used to download the AnyConnect VPN client and to issue the user certificate through the SCEP-Proxy function of the ASA; for this we have the corresponding options enabled both in the tunnel group itself and in the associated group policy AC-DOWNLOAD, as well as in the downloaded AnyConnect profile (fields for certificate issuance, etc.). In this group policy we also specify that the ISE Posture Module must be downloaded.

The tunnel group SECURE-BANK-VPN will be used automatically by the client when authenticating with the certificate issued in the previous stage, since, according to the Certificate Map, the connection will land exactly in this tunnel group. Here are the interesting options:

  • secondary-authentication-server-group DUO # Set secondary authentication on the DUO server (Radius Proxy)
  • username-from-certificate CN # For primary authentication, the user's login is inherited from the CN field of the certificate
  • secondary-username-from-certificate I # For secondary authentication on the DUO server, the username is extracted from the Initials (I) field of the certificate.
  • pre-fill-username client # the username is pre-filled in the authentication window and cannot be changed
  • secondary-pre-fill-username client hide use-common-password push # We hide the login/password window for DUO secondary authentication and use the notification method (sms/push/phone) to request authentication instead of the password field (see the DUO documentation)

!
access-list posture-redirect extended permit tcp any host 72.163.1.80 
access-list posture-redirect extended deny ip any any
!
access-list VPN-Filter extended permit ip any any
!
ip local pool vpn-pool 192.168.100.33-192.168.100.63 mask 255.255.255.224
!
group-policy SECURE-BANK-VPN internal
group-policy SECURE-BANK-VPN attributes
 dns-server value 192.168.99.155 192.168.99.130
 vpn-filter value VPN-Filter
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelall
 default-domain value ashes.cc
 address-pools value vpn-pool
 webvpn
  anyconnect ssl dtls enable
  anyconnect mtu 1300
  anyconnect keep-installer installed
  anyconnect ssl keepalive 20
  anyconnect ssl rekey time none
  anyconnect ssl rekey method ssl
  anyconnect dpd-interval client 30
  anyconnect dpd-interval gateway 30
  anyconnect ssl compression lzs
  anyconnect dtls compression lzs
  anyconnect modules value iseposture
  anyconnect profiles value SECUREBANK type user
!
group-policy AC-DOWNLOAD internal
group-policy AC-DOWNLOAD attributes
 dns-server value 192.168.99.155 192.168.99.130
 vpn-filter value VPN-Filter
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelall
 default-domain value ashes.cc
 address-pools value vpn-pool
 scep-forwarding-url value http://ise.ashes.cc:9090/auth/caservice/pkiclient.exe
 webvpn
  anyconnect ssl dtls enable
  anyconnect mtu 1300
  anyconnect keep-installer installed
  anyconnect ssl keepalive 20
  anyconnect ssl rekey time none
  anyconnect ssl rekey method ssl
  anyconnect dpd-interval client 30
  anyconnect dpd-interval gateway 30
  anyconnect ssl compression lzs
  anyconnect dtls compression lzs
  anyconnect modules value iseposture
  anyconnect profiles value SECUREBANK type user
!
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool vpn-pool
 authentication-server-group ISE
 accounting-server-group ISE
 default-group-policy AC-DOWNLOAD
 scep-enrollment enable
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication aaa certificate
!
tunnel-group SECURE-BANK-VPN type remote-access
tunnel-group SECURE-BANK-VPN general-attributes
 address-pool vpn-pool
 authentication-server-group ISE
 secondary-authentication-server-group DUO
 accounting-server-group ISE
 default-group-policy SECURE-BANK-VPN
 username-from-certificate CN
 secondary-username-from-certificate I
tunnel-group SECURE-BANK-VPN webvpn-attributes
 authentication aaa certificate
 pre-fill-username client
 secondary-pre-fill-username client hide use-common-password push
 group-alias SECURE-BANK-VPN enable
 dns-group ASHES-DNS
!

Next, let's move on to ISE:

We configure a local user (you can use AD/LDAP/ODBC, etc.); for simplicity, I created a local user directly in ISE and put into its Description field the UDID of the PC from which it is allowed to log in via VPN. If I use local authentication on ISE, I am limited to a single device, since there are not many fields, but in third-party authentication databases there would be no such restriction.


Let's look at the authorization policy, divided into four connection stages:

  • Stage 1 - Policy for downloading the AnyConnect agent and issuing a certificate
  • Stage 2 - Primary authentication policy: Login (from certificate)/Password + Certificate with UDID validation
  • Stage 3 - Secondary authentication via Cisco DUO (MFA) using the UDID as the username + state assessment
  • Stage 4 - Final authorization in the state:
    • Compliant;
    • UDID validated (from the certificate + login binding),
    • Cisco DUO MFA passed;
    • Authenticated by login;
    • Authenticated by certificate;


Let's look at the interesting condition UUID_VALIDATED; it simply checks that the authenticating user has connected from a PC whose UDID matches the one permitted in the account's Description field. The condition looks like this:
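To make the decision logic of stages 2 to 4 concrete, here is an added Python model (not code from the article or from Cisco) of what ISE checks for one AnyConnect session: the Cisco-AV-PAIR `mdm-tlv=device-uid` value against the account Description, the Initials (I) field that DUO will use as the username, and the posture result. The sample UDIDs, the user `ivanov` and the profile names are constructed for this example.

```python
import hashlib
import re
from dataclasses import dataclass


@dataclass
class Session:
    cert_ou: str        # OU of the user certificate, used by the ASA certificate map
    cert_cn: str        # CN -> primary username (username-from-certificate CN)
    cert_initials: str  # Initials (I) -> DUO username (secondary-username-from-certificate I)
    av_pairs: list      # Cisco-AV-PAIR values AnyConnect reports via ACIDEX
    posture: str        # "Compliant", "NonCompliant" or "Unknown"


# Constructed identities: AnyConnect UDIDs are SHA-256 hex digests, so the
# samples are built the same way from made-up inputs.
SAMPLE_UDID = hashlib.sha256(b"constructed: permitted corporate PC").hexdigest().upper()
OTHER_UDID = hashlib.sha256(b"constructed: some other machine").hexdigest().upper()
# Constructed ISE local account: Description holds the UDID of the one permitted PC.
DIRECTORY = {"ivanov": {"Description": SAMPLE_UDID}}


def device_uid(av_pairs):
    """Return the UDID from the 'mdm-tlv=device-uid=<64 hex>' AV pair, or None."""
    for pair in av_pairs:
        m = re.fullmatch(r"mdm-tlv=device-uid=([0-9A-Fa-f]{64})", pair)
        if m:
            return m.group(1).upper()
    return None


def select_tunnel_group(cert_ou):
    """Mirror the ASA certificate map: OU securebank-ra lands in SECURE-BANK-VPN."""
    return "SECURE-BANK-VPN" if cert_ou.lower() == "securebank-ra" else "DefaultWEBVPNGroup"


def authorize(session, directory):
    """UUID_VALIDATED plus posture: returns (authorization profile, reasons)."""
    account = directory.get(session.cert_cn)
    if account is None:
        return "DENY", ["unknown user"]
    udid = device_uid(session.av_pairs)
    reasons = []
    if udid is None:
        reasons.append("no device-uid in AV pairs")
    elif udid != account["Description"].upper():
        reasons.append("UDID does not match the account Description")
    if session.cert_initials.upper() != (udid or ""):
        reasons.append("Initials (I) does not carry the reporting device's UDID")
    if reasons:
        return "DENY", reasons
    if session.posture != "Compliant":
        return "POSTURE-REDIRECT", ["UUID_VALIDATED", "posture pending"]
    return "PERMIT-FULL", ["UUID_VALIDATED", "Compliant"]
```

A certificate copied to another machine fails because that machine reports its own UDID, which neither the Description nor the Initials field matches.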


The authorization profiles used in stages 1, 2 and 3 are as follows:


You can check exactly how the UDID arrives from the AnyConnect client by looking at the client session details in ISE. In the details we see that AnyConnect, via the ACIDEX mechanism, sends not only platform information but also the device UDID as a Cisco-AV-PAIR:


Note the Initials (I) field of the certificate issued to the user; it is from here that the value is taken to be used as the login for secondary MFA authentication on Cisco DUO:


On the DUO Radius Proxy side, the log clearly shows how the authentication request is made; it arrives using the UDID as the username:


In the DUO portal we see a successful authentication event:


And in the user's properties I have set the alias that I use for the login; in turn, this is the UDID of the PC permitted to log in:


As a result, we obtained:

  • Multi-factor authentication of the user and the device;
  • Protection against spoofing of the user's device;
  • Assessment of the device's state;
  • Possibility of tighter control with a domain machine certificate, etc.;
  • Comprehensive protection of the remote workplace with automatically installed security modules;

Links to the articles in the Cisco VPN series:

Source: www.habr.com
