Ayo nimbang ing laku nggunakake Windows Active Directory + NPS (2 server kanggo mesthekake toleransi fault) + 802.1x standar kanggo akses kontrol lan otentikasi pangguna - komputer domain - piranti. Sampeyan bisa kenalan karo teori miturut standar ing Wikipedia, ing link:
Wiwit "laboratorium" saya winates ing sumber daya, peran NPS lan pengontrol domain kompatibel, nanging aku nyaranake sampeyan isih misahake layanan kritis kasebut.
Aku ora ngerti cara standar kanggo nyinkronake konfigurasi Windows NPS (kabijakan), mula kita bakal nggunakake skrip PowerShell sing diluncurake dening panjadwal tugas (penulis minangka mantan kolega). Kanggo otentikasi komputer domain lan kanggo piranti sing ora bisa 802.1x (telpon, printer, etc.), kabijakan grup bakal dikonfigurasi lan grup keamanan bakal digawe.
Ing pungkasan artikel, aku bakal menehi pitutur marang kowe babagan sawetara kerumitan nggarap 802.1x - carane sampeyan bisa nggunakake saklar sing ora dikelola, ACL dinamis, lan sapiturute. Aku bakal nuduhake informasi babagan "glitches" sing kejiret. .
Ayo dadi miwiti karo nginstal lan konfigurasi failover NPS ing Windows Server 2012R2 (kabeh padha ing 2016): liwat Server Manager -> Tambah Peran lan Fitur Wisaya, pilih mung Network Policy Server.
utawa nggunakake PowerShell:
Install-WindowsFeature NPAS -IncludeManagementTools
A klarifikasi cilik - wiwit kanggo EAP sing Dilindungi (PEAP) sampeyan mesthi mbutuhake sertifikat sing ngonfirmasi keaslian server (kanthi hak sing cocog kanggo digunakake), sing bakal dipercaya ing komputer klien, mula sampeyan kudu nginstal peran kasebut. Otoritas Sertifikasi. Nanging kita bakal nganggep CA sampeyan wis nginstal ...
Ayo padha nindakake ing server kapindho. Ayo nggawe folder kanggo skrip C: Scripts ing loro server lan folder jaringan ing server kapindho SRV2NPS-config$
Ayo nggawe skrip PowerShell ing server pisanan C:ScriptsExport-NPS-config.ps1 kanthi isi ing ngisor iki:
Export-NpsConfiguration -Path "SRV2NPS-config$NPS.xml"
Sawise iki, ayo ngatur tugas ing Task Sheduler: "Ekspor-NpsConfiguration"
powershell -executionpolicy unrestricted -f "C:ScriptsExport-NPS-config.ps1"
Mbukak kanggo kabeh pangguna - Mbukak kanthi hak paling dhuwur
Saben dina - Baleni tugas saben 10 menit. ing 8 jam
Ing NPS serep, konfigurasi impor konfigurasi (kabijakan):
Ayo nggawe skrip PowerShell:
echo Import-NpsConfiguration -Path "c:NPS-configNPS.xml" >> C:ScriptsImport-NPS-config.ps1
lan tugas kanggo nindakake saben 10 menit:
powershell -executionpolicy unrestricted -f "C:ScriptsImport-NPS-config.ps1"
Mbukak kanggo kabeh pangguna - Mbukak kanthi hak paling dhuwur
Saben dina - Baleni tugas saben 10 menit. ing 8 jam
Saiki, kanggo mriksa, ayo nambah NPS ing salah sawijining server (!) sawetara switch ing klien RADIUS (IP lan Rahasia Bersama), rong kabijakan panjaluk sambungan: WIRED-Sambungake (Kahanan: "jinis port NAS punika Ethernet") lan WiFi-Perusahaan (Kahanan: "jinis port NAS yaiku IEEE 802.11"), uga kabijakan jaringan Ngakses Piranti Jaringan Cisco (Admin Jaringan):
Π£ΡΠ»ΠΎΠ²ΠΈΡ:
ΠΡΡΠΏΠΏΡ Windows - domainsg-network-admins
ΠΠ³ΡΠ°Π½ΠΈΡΠ΅Π½ΠΈΡ:
ΠΠ΅ΡΠΎΠ΄Ρ ΠΏΡΠΎΠ²Π΅ΡΠΊΠΈ ΠΏΠΎΠ΄Π»ΠΈΠ½Π½ΠΎΡΡΠΈ - ΠΡΠΎΠ²Π΅ΡΠΊΠ° ΠΎΡΠΊΡΡΡΡΠΌ ΡΠ΅ΠΊΡΡΠΎΠΌ (PAP, SPAP)
ΠΠ°ΡΠ°ΠΌΠ΅ΡΡΡ:
ΠΡΡΠΈΠ±ΡΡΡ RADIUS: Π‘ΡΠ°Π½Π΄Π°ΡΡ - Service-Type - Login
ΠΠ°Π²ΠΈΡΡΡΠΈΠ΅ ΠΎΡ ΠΏΠΎΡΡΠ°Π²ΡΠΈΠΊΠ° - Cisco-AV-Pair - Cisco - shell:priv-lvl=15
Ing sisih ngalih, setelan ing ngisor iki:
aaa new-model
aaa local authentication attempts max-fail 5
!
!
aaa group server radius NPS
server-private 192.168.38.151 auth-port 1812 acct-port 1813 key %shared_secret%
server-private 192.168.10.151 auth-port 1812 acct-port 1813 key %shared_secret%
!
aaa authentication login default group NPS local
aaa authentication dot1x default group NPS
aaa authorization console
aaa authorization exec default group NPS local if-authenticated
aaa authorization network default group NPS
!
aaa session-id common
!
identity profile default
!
dot1x system-auth-control
!
!
line vty 0 4
exec-timeout 5 0
transport input ssh
escape-character 99
line vty 5 15
exec-timeout 5 0
logging synchronous
transport input ssh
escape-character 99
Sawise konfigurasi, sawise 10 menit, kabeh clientspolicyparameters kudu katon ing NPS serep lan kita bakal bisa kanggo mlebu menyang ngalih nggunakake akun ActiveDirectory, anggota saka domainsg-jaringan-admins grup (sing digawe ing advance).
Ayo pindhah menyang nyetel Active Directory - nggawe grup lan kawicaksanan sandi, nggawe grup perlu.
Kebijakan Grup Komputer-8021x-Setelan:
Computer Configuration (Enabled)
Policies
Windows Settings
Security Settings
System Services
Wired AutoConfig (Startup Mode: Automatic)
Wired Network (802.3) Policies
NPS-802-1x
Name NPS-802-1x
Description 802.1x
Global Settings
SETTING VALUE
Use Windows wired LAN network services for clients Enabled
Shared user credentials for network authentication Enabled
Network Profile
Security Settings
Enable use of IEEE 802.1X authentication for network access Enabled
Enforce use of IEEE 802.1X authentication for network access Disabled
IEEE 802.1X Settings
Computer Authentication Computer only
Maximum Authentication Failures 10
Maximum EAPOL-Start Messages Sent
Held Period (seconds)
Start Period (seconds)
Authentication Period (seconds)
Network Authentication Method Properties
Authentication method Protected EAP (PEAP)
Validate server certificate Enabled
Connect to these servers
Do not prompt user to authorize new servers or trusted certification authorities Disabled
Enable fast reconnect Enabled
Disconnect if server does not present cryptobinding TLV Disabled
Enforce network access protection Disabled
Authentication Method Configuration
Authentication method Secured password (EAP-MSCHAP v2)
Automatically use my Windows logon name and password(and domain if any) Enabled
Ayo nggawe grup keamanan sg-komputer-8021x-vl100, ing ngendi kita bakal nambah komputer sing arep disebarake menyang vlan 100 lan ngatur nyaring kanggo kabijakan grup sing wis digawe sadurunge kanggo grup iki:
Sampeyan bisa verifikasi manawa kabijakan kasebut wis sukses kanthi mbukak "Pusat Jaringan lan Nuduhake (Setelan Jaringan lan Internet) - Ngganti setelan adaptor (Konfigurasi setelan adaptor) - Properti Adaptor", ing ngendi kita bisa ndeleng tab "Otentikasi":
Yen sampeyan yakin yen kabijakan kasebut kasil ditrapake, sampeyan bisa nerusake nyetel kabijakan jaringan ing NPS lan port switch level akses.
Ayo nggawe kabijakan jaringan neag-komputer-8021x-vl100:
Conditions:
Windows Groups - sg-computers-8021x-vl100
NAS Port Type - Ethernet
Constraints:
Authentication Methods - Microsoft: Protected EAP (PEAP) - Unencrypted authentication (PAP, SPAP)
NAS Port Type - Ethernet
Settings:
Standard:
Framed-MTU 1344
TunnelMediumType 802 (includes all 802 media plus Ethernet canonical format)
TunnelPrivateGroupId 100
TunnelType Virtual LANs (VLAN)
Setelan khas kanggo port switch (mangga dicathet yen jinis otentikasi "multi-domain" digunakake - Data & Voice, lan ana uga kemungkinan otentikasi kanthi alamat mac. Sajrone "periode transisi" iku ndadekake pangertèn kanggo nggunakake ing paramèter:
authentication event fail action authorize vlan 100
authentication event no-response action authorize vlan 100
ID vlan dudu "karantina", nanging sing padha karo komputer pangguna sawise kasil mlebu - nganti kita yakin manawa kabeh bisa digunakake. Parameter sing padha iki bisa digunakake ing skenario liyane, contone, nalika saklar sing ora dikelola disambungake menyang port iki lan sampeyan pengin kabeh piranti sing disambungake menyang sing durung lulus otentikasi tiba ing vlan tartamtu ("karantina").
ngalih setelan port ing 802.1x host-mode multi-domain mode
default int range Gi1/0/39-41
int range Gi1/0/39-41
shu
des PC-IPhone_802.1x
switchport mode access
switchport nonegotiate
switchport voice vlan 55
switchport port-security maximum 2
authentication event fail action authorize vlan 100
authentication event no-response action authorize vlan 100
authentication host-mode multi-domain
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout quiet-period 15
dot1x timeout tx-period 3
storm-control broadcast level pps 100
storm-control multicast level pps 110
no vtp
lldp receive
lldp transmit
spanning-tree portfast
no shu
exit
Sampeyan bisa mesthekake yen komputer lan telpon wis kasil ngliwati otentikasi kanthi prentah:
sh authentication sessions int Gi1/0/39 det
Saiki ayo gawe grup (contone, sg-fgpp-mab ) ing Direktori Aktif kanggo telpon lan tambahake siji piranti kanggo dites (ing kasusku GXP2160 Grandstream karo alamate mas 000b.82ba.a7b1 lan resp. akun domain 00b82baa7b1).
Kanggo grup sing digawe, kita bakal nyuda syarat kabijakan sandhi (nggunakake
Mangkono, kita bakal ngidini nggunakake alamat mas piranti minangka sandhi. Sawise iki, kita bisa nggawe kabijakan jaringan kanggo otentikasi mab metode 802.1x, ayo nyebataken neag-devices-8021x-voice. Paramèter kasebut kaya ing ngisor iki:
- Tipe Port NAS β Ethernet
- Windows Groups β sg-fgpp-mab
- Jenis EAP: Otentikasi sing ora dienkripsi (PAP, SPAP)
- Atribut RADIUS β Spesifik Vendor: Cisco β Cisco-AV-Pair β Nilai atribut: device-traffic-class=voice
Sawise otentikasi sukses (aja lali ngatur port switch), ayo goleki informasi saka port kasebut:
sh otentikasi se int Gi1/0/34
----------------------------------------
Interface: GigabitEthernet1/0/34
MAC Address: 000b.82ba.a7b1
IP Address: 172.29.31.89
User-Name: 000b82baa7b1
Status: Authz Success
Domain: VOICE
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0000000000000EB2000B8C5E
Acct Session ID: 0x00000134
Handle: 0xCE000EB3
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
Saiki, kaya sing dijanjekake, ayo goleki sawetara kahanan sing ora jelas. Contone, kita kudu nyambungake komputer pangguna lan piranti liwat saklar (switch) sing ora dikelola. Ing kasus iki, setelan port bakal katon kaya iki:
ngalih setelan port ing 802.1x host-mode multi-auth mode
interface GigabitEthernet1/0/1
description *SW β 802.1x β 8 mac*
shu
switchport mode access
switchport nonegotiate
switchport voice vlan 55
switchport port-security maximum 8 ! ΡΠ²Π΅Π»ΠΈΡΠΈΠ²Π°Π΅ΠΌ ΠΊΠΎΠ»-Π²ΠΎ Π΄ΠΎΠΏΡΡΡΠΈΠΌΡΡ
ΠΌΠ°Ρ-Π°Π΄ΡΠ΅ΡΠΎΠ²
authentication event fail action authorize vlan 100
authentication event no-response action authorize vlan 100
authentication host-mode multi-auth ! β ΡΠ΅ΠΆΠΈΠΌ Π°ΡΡΠ΅Π½ΡΠΈΡΠΈΠΊΠ°ΡΠΈΠΈ
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout quiet-period 15
dot1x timeout tx-period 3
storm-control broadcast level pps 100
storm-control multicast level pps 110
no vtp
spanning-tree portfast
no shu
PS kita ngeweruhi glitch banget aneh - yen piranti disambungake liwat ngalih kuwi, lan banjur kepasang menyang ngalih ngatur, banjur ora bakal bisa nganti kita urip maneh (!) Ngalih. Aku wis ora nemu cara liyane. kanggo ngatasi masalah iki durung.
Titik liyane sing ana gandhengane karo DHCP (yen ip dhcp snooping digunakake) - tanpa opsi kasebut:
ip dhcp snooping vlan 1-100
no ip dhcp snooping information option
Kanggo sawetara alasan aku ora bisa njaluk alamat IP kanthi bener ... sanajan iki bisa dadi fitur saka server DHCP kita
Lan Mac OS & Linux (sing duwe dhukungan 802.1x asli) nyoba kanggo otentikasi pangguna, sanajan otentikasi dening alamat Mac dikonfigurasi.
Ing bagean sabanjure artikel, kita bakal ndeleng panggunaan 802.1x kanggo Nirkabel (gumantung saka klompok sing dadi akun pangguna, kita bakal "mbuwang" menyang jaringan sing cocog (vlan), sanajan bakal nyambung menyang SSID sing padha).
Source: www.habr.com