α
αΌαααΎααα·α
αΆαααΆαααα»αααΆαα’αα»ααααααΆαααααΎααααΆαα Windows Active Directory + NPS (αααΆαααΈααα 2 ααΎααααΈααΆααΆααΆαα’ααα±αααα α»α) + αααααααΆα 802.1x αααααΆααααΆααααααααααααΆαα
αΌαααααΎ αα·αααΆααααααααααΆααα’αααααααΎααααΆαα - domain computers - devices. α’αααβα’αΆα
βααααΆααβααααΉααααΈβαααβααΆαβαααααααΆαβαα
βααΎ Wikipedia ααΆαβαααααααΆααα
αααααΆα "αααααΈααα·ααααα" αααααααα»αααΆαααααα·ααααα»αααααΆα αα½ααΆααΈαααα NPS αα·αα§ααααααααααΆαααααΊααααΌαααααΆ ααα»αααααααα»αααΌαααααΆαα±ααα’ααααα αααααααααααΆααααααααΆαααααααααα
αααα»ααα·αααΉααα·ααΈαααααααΆαααΎααααΈααααΎααααΆαααααααΆαααααααα ααΆαααααααα Windows NPS (αααααΆααα) ααΌα ααααααΎαααΉαααααΎααααααΈα PowerShell αααααΆααα±ααααααΎαααΆαααααααααα·ααΈααααααααααΆααα·α αα (α’ααααα·ααααααΊααΆα’ααΈααα ααΆααΈαααααααα»α)α αααααΆααααΆααααααααααΆααααΆαααααΉαααααΌααααα»αααααΌαααααα αα·ααααααΆααα§αααααααααα·αα’αΆα 802.1x (ααΌαααααα αααΆαααΈαααααα»αααααα) αααααΆααααααα»αααΉαααααΌαααΆαααααα α αΎααααα»ααα»ααααα·ααΆαααΉαααααΌαααΆααααααΎαα
αα
α
α»ααααα
ααααα’ααααα αααα»αααΉαααααΆααα’αααα’αααΈααΆααααα»αααααααΆααα½αα
ααα½αααααΆαααααΎααΆαααΆαα½α 802.1x - αααααααα’αααα’αΆα
ααααΎαα»αααΆααααααα·αα’αΆα
αααααααααααΆα ααΆααααα ACLs ααΆααΎαα αααα»αααΉαα
αααααααααααααΆαα’αααΈ "ααΆααα·αααααααααΈ" αααααααΌαααΆαα
αΆααα. .
α
αΌαα
αΆααααααΎαααΆαα½αααΉαααΆαααα‘αΎα αα·αααααααα
ααΆααααααααααΆααααΆααα NPS αα
ααΎ Windows Server 2012R2 (α’αααΈααααααααΆαααΊααΌα
ααααΆαααα»αααααΆα 2016): ααΆαααα Server Manager -> Add Roles and Features Wizard ααααΎαααΎααα Network Policy Serverα
α¬ααααΎ PowerShellα
Install-WindowsFeature NPAS -IncludeManagementTools
ααΆααααααΆααααΌα αα½α - α αΆααααΆααααΈαααααΆαα ααΆαααΆα EAP (PEAP) α’αααααααΆααααΆααααΌαααΆααα·ααααΆαααααααααααΆααααΈααΆαααααΉαααααΌααααααΆαααΈααα (ααΆαα½αααΉααα·αααα·ααααΎααααΆαααααααα) αααααΉαααααΌαααΆαααΏαα»αα α·αααααΎαα»αααααΌαααα’αα·αα·αα αααααΆααααα’αααααααααΆααααΌαααα‘αΎααα½ααΆααΈ α’αΆααααΆααααααααα·ααααΆαααααα. ααα»ααααααΎαααΉαααααααααΆ CA α’αααααΆαααα‘αΎααα½α α αΎα...
α αΌαααααΎααΌα ααααΆαα ααΎαααΆαααΈαααααΈααΈαα ααααααααΎααααααααΆααααααααΈα C:Scripts αα ααΎ servers αα·α network folder αα ααΎ server ααΈααΈα SRV2NPS-config $
ααααααααΎαααααααΈα PowerShell αα ααΎαααΆαααΈαααααααΌα C:ScriptsExport-NPS-config.ps1 ααΆαα½αααΉαααααΉαααΆαααΌα ααΆααααααα
Export-NpsConfiguration -Path "SRV2NPS-config$NPS.xml"
αααααΆααααΈααα α αΌαααΎαααααααα ααΆααααααααααΆααα·α αα αα αααα»α Task Shedulerα "ααΆαααΆαα αα-NpsConfiguration"
powershell -executionpolicy unrestricted -f "C:ScriptsExport-NPS-config.ps1"
ααααΎαααΆααααααΆααα’αααααααΎααααΆααααΆααα’αα - ααααΎαααΆαααααα·αααα·ααααααααα»α
αααα
αΆααααα - ααααΎαα·α
αα
ααΆαααααααααααααΆαα 10 ααΆααΈααααα αααα»ααααααα 8 ααααα
αα
ααΎ NPS ααααα»ααα»α ααααααα
ααΆααααααααααΆαααΆαα
αΌαααΆαααααα (αααααΆααα)α
ααααααααΎαααααααΈα PowerShellα
echo Import-NpsConfiguration -Path "c:NPS-configNPS.xml" >> C:ScriptsImport-NPS-config.ps1
αα·αβααΆααα·α αα βααΎααααΈβα’αα»ααααβααΆβααΆβαααβααΆαα 10 ααΆααΈβ:
powershell -executionpolicy unrestricted -f "C:ScriptsImport-NPS-config.ps1"
ααααΎαααΆααααααΆααα’αααααααΎααααΆααααΆααα’αα - ααααΎαααΆαααααα·αααα·ααααααααα»α
αααα
αΆααααα - ααααΎαα·α
αα
ααΆαααααααααααααΆαα 10 ααΆααΈααααα αααα»ααααααα 8 ααααα
α₯α‘αΌαααα ααΎααααΈαα·αα·αααααΎα ααΌααααααααα NPS αα ααΎαααΆαααΈααααα½α (!) αα»αααΆααααΈαααΈαα αααα»ααααΆαααΈαααααα RADIUS (IP αα·α Shared Secret) αααααΆαααααααΎαα»αααΆααααααΆααααΈαα WIRED-ααααΆαα (ααααααααα βααααααα ααα NAS ααΊ Ethernetβ) αα·α αααΆαα αααΆα - αα ααααΆα (ααααααααα βααααααα ααα NAS ααΊ IEEE 802.11β) ααααΌα ααΆαααααΆααααααααΆα α αΌαααααΎα§ααααααααααΆααααΈααααΌ (α’αααααααααααααααααΆα)α
Π£ΡΠ»ΠΎΠ²ΠΈΡ:
ΠΡΡΠΏΠΏΡ Windows - domainsg-network-admins
ΠΠ³ΡΠ°Π½ΠΈΡΠ΅Π½ΠΈΡ:
ΠΠ΅ΡΠΎΠ΄Ρ ΠΏΡΠΎΠ²Π΅ΡΠΊΠΈ ΠΏΠΎΠ΄Π»ΠΈΠ½Π½ΠΎΡΡΠΈ - ΠΡΠΎΠ²Π΅ΡΠΊΠ° ΠΎΡΠΊΡΡΡΡΠΌ ΡΠ΅ΠΊΡΡΠΎΠΌ (PAP, SPAP)
ΠΠ°ΡΠ°ΠΌΠ΅ΡΡΡ:
ΠΡΡΠΈΠ±ΡΡΡ RADIUS: Π‘ΡΠ°Π½Π΄Π°ΡΡ - Service-Type - Login
ΠΠ°Π²ΠΈΡΡΡΠΈΠ΅ ΠΎΡ ΠΏΠΎΡΡΠ°Π²ΡΠΈΠΊΠ° - Cisco-AV-Pair - Cisco - shell:priv-lvl=15
αα αααααααααΌα ααΆααααααααΌα ααΆααααααα
aaa new-model
aaa local authentication attempts max-fail 5
!
!
aaa group server radius NPS
server-private 192.168.38.151 auth-port 1812 acct-port 1813 key %shared_secret%
server-private 192.168.10.151 auth-port 1812 acct-port 1813 key %shared_secret%
!
aaa authentication login default group NPS local
aaa authentication dot1x default group NPS
aaa authorization console
aaa authorization exec default group NPS local if-authenticated
aaa authorization network default group NPS
!
aaa session-id common
!
identity profile default
!
dot1x system-auth-control
!
!
line vty 0 4
exec-timeout 5 0
transport input ssh
escape-character 99
line vty 5 15
exec-timeout 5 0
logging synchronous
transport input ssh
escape-character 99
αααααΆααααΈααΆαααααααα ααΆαααααααα αααααΆααααΈ 10 ααΆααΈ ααΆαααααΆαααΆαααααα clientspolicy αα½αααααα α‘αΎααα ααΎ NPS ααααα»ααα»α α αΎαααΎαααΉαα’αΆα α αΌααα αααα»ααα»αααΆαααααααααΎααααΈ ActiveDirectory αααααΆαααΆαα·ααααααα»α domainsg-network-admins (αααααΎαααΆααααααΎαααΆαα»α) α
α αΌααααααα ααΆαααα‘αΎα Active Directory - αααααΎααααααΆααααααα»α αα·αααΆααααααααΆαα αααααΎααααα»αα αΆαααΆα αα
αααααΆααααααα»α αα»αααααΌααα-8021x-ααΆαααααα:
Computer Configuration (Enabled)
Policies
Windows Settings
Security Settings
System Services
Wired AutoConfig (Startup Mode: Automatic)
Wired Network (802.3) Policies
NPS-802-1x
Name NPS-802-1x
Description 802.1x
Global Settings
SETTING VALUE
Use Windows wired LAN network services for clients Enabled
Shared user credentials for network authentication Enabled
Network Profile
Security Settings
Enable use of IEEE 802.1X authentication for network access Enabled
Enforce use of IEEE 802.1X authentication for network access Disabled
IEEE 802.1X Settings
Computer Authentication Computer only
Maximum Authentication Failures 10
Maximum EAPOL-Start Messages Sent
Held Period (seconds)
Start Period (seconds)
Authentication Period (seconds)
Network Authentication Method Properties
Authentication method Protected EAP (PEAP)
Validate server certificate Enabled
Connect to these servers
Do not prompt user to authorize new servers or trusted certification authorities Disabled
Enable fast reconnect Enabled
Disconnect if server does not present cryptobinding TLV Disabled
Enforce network access protection Disabled
Authentication Method Configuration
Authentication method Secured password (EAP-MSCHAP v2)
Automatically use my Windows logon name and password(and domain if any) Enabled
ααααααααΎααααα»αααααα·αα»α sg-αα»αααααΌααα-8021x-vl100αααααΆαααααααααααΎαααΉααααααααα»αααααΌααααααααΎαα
ααα
ααα
αΆααα
vlan 100 αα·αααααααα
ααΆααααααααααααααααααΆαααααααΆααααααα»ααααααΆααααααΎαααΈαα»ααααααΆαααααα»ααααα
α’αααα’αΆα
αααααααααΆααααΆαααααΆαααααΆαααααΎαααΆαααααααααααααααΎα "αααααΆα αα·ααααααααααα
ααααααα (αααααΆα αα·αααΆααααααα’ααΈαααΊαα·α) - ααΆαααααΆααααααΌαααΆααααααα’αΆααΆααααα (ααΆαααααααα
ααΆααααααααα’αΆααΆααααα) - αααααααααααααα·α’αΆααΆααααα" αααααΎαα’αΆα
ααΎαααααΆαα "ααΆααααααααααΆααααΆαααααΉαααααΌα"α
αα
αααα’αααααΏααΆααααΆαααααΆααααααααααΌαααΆαα’αα»ααααααααααααα α’αααα’αΆα
αααααα
ααΆααααα
ααααααΆααααααααΆααα
ααΎ NPS αα·αα
αααααααΌαααααα·αα
αΌαααααΎα
ααααααααΎααααααΆααααααααΆα neag-αα»αααααΌααα-8021x-vl100:
Conditions:
Windows Groups - sg-computers-8021x-vl100
NAS Port Type - Ethernet
Constraints:
Authentication Methods - Microsoft: Protected EAP (PEAP) - Unencrypted authentication (PAP, SPAP)
NAS Port Type - Ethernet
Settings:
Standard:
Framed-MTU 1344
TunnelMediumType 802 (includes all 802 media plus Ethernet canonical format)
TunnelPrivateGroupId 100
TunnelType Virtual LANs (VLAN)
ααΆααααααααααααΆαααααΆααα
αααααααΌα (ααΌαα
αααΆαααΆααααααααΆααααααααααΆαα "αα α»ααα" ααααΌαααΆαααααΎ - αα·αααααα & ααα‘αα α αΎαααΆααααΆαααααααΆαααααΆααααααααααΆαααααα’αΆααααααΆα mac αααααα αααα»αα’αα‘α»αααα "ααΆαααααΆααααααΌα" ααΆααα ααα»αααααα»αααΆαααααΎαα
αααα»α αααΆαααΆααααααα
authentication event fail action authorize vlan 100
authentication event no-response action authorize vlan 100
vlan id αα·αβαααβααΆ "quarantine" αα ααα»ααααβααΆβαααβααααβαααβαα»αααααΌαααβααααβα’αααβααααΎβαα½αβαα βαααααβαααβα αΌαβαααβαααααα - αα αΌααααβααΎαβααααΆααβααΆβα’αααΈαβααααΎαααΆαβααΌα βαααβααΆβαα½αα αααΆαααΆααααααααΌα ααααΆααΆαααααα’αΆα ααααΌαααΆαααααΎαα αααα»αααααΆααΈαααΌαααααααα α§ααΆα ααα αα αααααααα»αααΆααααααα·αα’αΆα αααααααααααΆαααααΌαααΆααααα αΌααα αααα»αα αααααα α αΎαα’αααα ααα±ααα§αααααααΆααα’αααααααΆαααααΆαααα ααΆααααα·αααΆαααααααΆααααΆααααααααααΆααααΎααααΈααααΆααα αΌααα αααα»α vlan ααΆααααΆαααα½α ("ααΆαααΆα αααΈαα")α
ααααΌαααΆααααααα ααααααα»α 802.1x host-mode multi-domain mode
default int range Gi1/0/39-41
int range Gi1/0/39-41
shu
des PC-IPhone_802.1x
switchport mode access
switchport nonegotiate
switchport voice vlan 55
switchport port-security maximum 2
authentication event fail action authorize vlan 100
authentication event no-response action authorize vlan 100
authentication host-mode multi-domain
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout quiet-period 15
dot1x timeout tx-period 3
storm-control broadcast level pps 100
storm-control multicast level pps 110
no vtp
lldp receive
lldp transmit
spanning-tree portfast
no shu
exit
α’αααα’αΆα ααααΆααααΆαα»αααααΌααα αα·αααΌαααααααααα’αααααΆαααααααΆααααΆααααααααααΆααααααααααααααααααΎααΆααααααααΆα
sh authentication sessions int Gi1/0/39 det
α₯α‘αΌαβααΎαβαααααΎαβαααα»α (α§ααΆα ααα sg-fgpp-mab ) αα αααα»α Active Directory αααααΆααααΌααααα α αΎαααααααα§ααααααα½ααα ααΆαααααΆααααΆααααα (αααα»αααααΈαααααααα»αααΆααΆ α ααααααααααααΈαααΈα’ααααΈ α’α‘α£α ααΆαα½αααΉαα’αΆααααααΆα Mas 000b.82ba.a7b1 αα·αααααΎααα ααααΈ ααα 00b82baa7b1).
αααααΆαααααα»ααααααΆααααααΎα ααΎαααΉαααααααααααΌαααΆααααααΆαααααΆααααααααΆαα (αααααααΎ
ααΌα
αααα ααΎαααΉαα’αα»ααααΆαα±ααααααΎα’αΆααααααΆαα§αααααααααΆααΆααααααααΆααα αααααΆααααΈααα ααΎαα’αΆα
αααααΎααααααΆααααααααΆααααααΆααααΆααααααααααΆααααΆαααααΉαααααΌααααα·ααΈααΆααααα 802.1x ααΌαα α
ααΆααΆ neag-devices-8021x-voiceα αααΆαααΆααααααααΆαααΌα
ααΆααααααα
- ααααααα ααα NAS - α’ααΈααΊααα·α
- αααα»αααΈαααΌ - sg-fgpp-mab
- αααααα EAPα ααΆααααααααααΆααααααα·αααΆαα’αα·αααααΈα (PAP, SPAP)
- αα»ααααααα RADIUS β α’ααααααααΆααααΆααα αααΈααααΌ β αααΈααααΌ-α’αα-ααΌ β ααααααα»αααααααα α§ααααα-α ααΆα ααα-ααααΆαα=ααα‘αα
αααααΆααααΈααΆααααααααααΆααααααααααα (αα»αααααα ααααααα ααΆααααααααα αααααααΌα) αααααΎαααααααΆαααΈα αααα
sh authentication se int Gi1/0/34
----------------------------------------
Interface: GigabitEthernet1/0/34
MAC Address: 000b.82ba.a7b1
IP Address: 172.29.31.89
User-Name: 000b82baa7b1
Status: Authz Success
Domain: VOICE
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0000000000000EB2000B8C5E
Acct Session ID: 0x00000134
Handle: 0xCE000EB3
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
α₯α‘αΌαααα ααΌα αααααΆααααααΆ ααΌααααα‘ααααΎαααααΆαααΆααα½αα ααα½αααααα·αα αααΆααααΆαααααα»αα α§ααΆα ααα ααΎαααααΌαααααΆαααα»αααααΌααα αα·αα§αααααααααα’αααααααΎααααΆααααΆαααααα»αααΆααααααα·αα’αΆα αααααααααααΆα (ααααΌα)α αααα»αααααΈααα ααΆααααααα ααααααααΆααααΆααΉαααΎααα ααΌα αααα
ααααΌαααΆααααααα ααααααα»α 802.1x host-mode multi-auth mode
interface GigabitEthernet1/0/1
description *SW β 802.1x β 8 mac*
shu
switchport mode access
switchport nonegotiate
switchport voice vlan 55
switchport port-security maximum 8 ! ΡΠ²Π΅Π»ΠΈΡΠΈΠ²Π°Π΅ΠΌ ΠΊΠΎΠ»-Π²ΠΎ Π΄ΠΎΠΏΡΡΡΠΈΠΌΡΡ
ΠΌΠ°Ρ-Π°Π΄ΡΠ΅ΡΠΎΠ²
authentication event fail action authorize vlan 100
authentication event no-response action authorize vlan 100
authentication host-mode multi-auth ! β ΡΠ΅ΠΆΠΈΠΌ Π°ΡΡΠ΅Π½ΡΠΈΡΠΈΠΊΠ°ΡΠΈΠΈ
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout quiet-period 15
dot1x timeout tx-period 3
storm-control broadcast level pps 100
storm-control multicast level pps 110
no vtp
spanning-tree portfast
no shu
PS ααΎαααΆαααααααααΆααααΎααααα αΆα ααααααα½α - ααααα·αααΎα§αααααααααΌαααΆαααααΆααααΆαααααα»αααΆαααααααα α αΎααααααΆααααααΆααααΌαααΆααααα αΌααα αααα»ααα»αααΆαααααααΆαααααααααα αααααΆααΉααα·αααααΎαααΆααααα αΌααααααΎααα·αααΎα (!) αα»αααΆααα‘αΎααα·αα αααα»ααα·αααΆαααααΎααα·ααΈαααααααααα ααΎααααΈαααααααΆααααα αΆααααα α‘αΎαα
α ααα»α αα½ααααααΆααααααΉα DHCP (ααααα·αααΎ ip dhcp snooping ααααΌαααΆαααααΎ) - αααααααΆααααααΎαααααααα
ip dhcp snooping vlan 1-100
no ip dhcp snooping information option
αααααΆααα ααα»αααα½αα ααα½αααααααα»ααα·αα’αΆα ααα½αααΆαα’αΆααααααΆα IP ααΆαααααΉαααααΌα... αααααΈααΆααΆα’αΆα ααΆαααααααα·ααααααααααΆαααΈααα DHCP ααααααΎααααααα
α αΎα Mac OS & Linux (αααααΆαααΆαααΆαααα 802.1x ααΎα) ααααΆααΆααααααααααΆααα’αααααααΎααααΆαα αααααΈααΆααΆααααααααααΆαααααα’αΆααααααΆα Mac ααααΌαααΆαααααααα ααΆαααααααααααααα
αα αααα»αααααααααααΆααααα’ααααα ααΎαααΉααα·αα·αααααΎαααΆαααααΎααααΆαα 802.1x αααααΆαα Wireless (α’αΆαααααααΎαααα»ααααααααΈα’αααααααΎααααΆααααΆαααααα·αααα· ααΎαααΉα "ααα" ααΆαα αααα»ααααααΆααααααααΌαααααΆ (vlan) αααααΈααΆαα½αααααΉαααααΆαααα SSID ααΌα ααααΆ) α
ααααα: www.habr.com