Let's consider using Windows Active Directory + NPS (two servers for fault tolerance) + the 802.1x standard for access control and authentication of users, domain computers and devices. You can get acquainted with the theory behind the standard on Wikipedia, at the link:
Since my "lab" is limited in resources, the NPS and domain controller roles are combined, but I recommend that you still keep such critical services separate.
I am not aware of any standard way to synchronize Windows NPS configurations (policies), so we will use PowerShell scripts launched by the Task Scheduler (the author is a former colleague of mine). For authenticating domain computers and devices that cannot do 802.1x (phones, printers, etc.), a group policy will be configured and security groups created.
At the end of the article I will tell you about some of the subtleties of working with 802.1x: how you can use unmanaged switches, dynamic ACLs, and so on.
Let's start with installing and configuring a failover pair of NPS servers on Windows Server 2012R2 (everything is the same in 2016): via Server Manager -> Add Roles and Features Wizard, select only Network Policy Server,
or using PowerShell:
Install-WindowsFeature NPAS -IncludeManagementTools
A small clarification: since Protected EAP (PEAP) requires a certificate that confirms the authenticity of the server (with the appropriate usage rights) and is trusted on the client computers, you will most likely need to install the Certification Authority role as well. But we will assume that you already have a CA installed...
Do the same on the second server. Create a folder for the scripts, C:\Scripts, on both servers and a network share on the second server, \\SRV2\NPS-config$
Create a PowerShell script on the first server, C:\Scripts\Export-NPS-config.ps1, with the following contents:
Export-NpsConfiguration -Path "\\SRV2\NPS-config$\NPS.xml"
After that, configure a task in Task Scheduler: "Export-NpsConfiguration"
powershell -executionpolicy unrestricted -f "C:\Scripts\Export-NPS-config.ps1"
Run whether user is logged on or not - Run with highest privileges
Daily - Repeat task every 10 minutes for a duration of 8 hours
On the backup NPS, configure the import of the configuration (policies):
Create a PowerShell script:
echo Import-NpsConfiguration -Path "c:\NPS-config\NPS.xml" >> C:\Scripts\Import-NPS-config.ps1
and a task to run it every 10 minutes:
powershell -executionpolicy unrestricted -f "C:\Scripts\Import-NPS-config.ps1"
Run whether user is logged on or not - Run with highest privileges
Daily - Repeat task every 10 minutes for a duration of 8 hours
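As an added example (not the article's script, nor its author's), the export and import steps above combined into one script, Sync-NpsConfig.ps1, with logging, an atomic write on the export side, a change check so the backup does not reload an unchanged policy set every 10 minutes, and registration of the scheduled task through the ScheduledTasks cmdlets instead of the `-executionpolicy unrestricted` one-liner. The task and log names are my own; the share \\SRV2\NPS-config$ is taken to map to C:\NPS-config on SRV2, as in the article. One thing to keep in mind: the XML that Export-NpsConfiguration writes contains the RADIUS clients' shared secrets in clear text, so the share should grant write access only to the primary NPS computer account (the SYSTEM task accesses the share as that account) and the folder on SRV2 should be readable only by local administrators.

```powershell
<#
  Sync-NpsConfig.ps1 (added example, not the article's script).
  Primary NPS:  .\Sync-NpsConfig.ps1 -Mode Export -Register   (once), then the task runs -Mode Export
  Backup NPS:   .\Sync-NpsConfig.ps1 -Mode Import -Register   (once), then the task runs -Mode Import
  Task names, the log path and the share mapping are assumptions, not from the article.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('Export', 'Import')][string]$Mode,
    [switch]$Register,
    [string]$ExportPath = '\\SRV2\NPS-config$\NPS.xml',   # share on the backup, as in the article
    [string]$ImportPath = 'C:\NPS-config\NPS.xml',         # same file, local path on the backup (assumed)
    [string]$LogPath    = 'C:\Scripts\Sync-NpsConfig.log'  # assumed
)

function Write-Log([string]$Message) {
    ('{0:s} [{1}] {2}' -f (Get-Date), $Mode, $Message) | Add-Content -Path $LogPath
}

function Export-Config {
    # The export holds RADIUS shared secrets in clear text and the importer polls
    # the file: write to a temp name and rename so a half-written XML is never read.
    $tmp = "$ExportPath.tmp"
    Export-NpsConfiguration -Path $tmp
    Move-Item -Path $tmp -Destination $ExportPath -Force
    Write-Log "exported to $ExportPath"
}

function Import-Config {
    if (-not (Test-Path -Path $ImportPath)) { throw "no export found at $ImportPath" }
    # Reload the policies only when the exported file actually changed.
    $stampFile = "$ImportPath.sha256"
    $hash = (Get-FileHash -Path $ImportPath -Algorithm SHA256).Hash
    if ((Test-Path -Path $stampFile) -and ((Get-Content -Path $stampFile) -eq $hash)) {
        Write-Log "unchanged ($hash), nothing to import"
        return
    }
    Import-NpsConfiguration -Path $ImportPath
    Set-Content -Path $stampFile -Value $hash
    Write-Log "imported $ImportPath ($hash)"
}

function Register-SyncTask {
    # Same schedule as the article: daily, repeated every 10 minutes for 8 hours,
    # highest privileges, running as SYSTEM whether or not anyone is logged on.
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$PSCommandPath`" -Mode $Mode"
    $trigger = New-ScheduledTaskTrigger -Daily -At '08:00'
    $trigger.Repetition = (New-ScheduledTaskTrigger -Once -At '08:00' `
        -RepetitionInterval (New-TimeSpan -Minutes 10) `
        -RepetitionDuration (New-TimeSpan -Hours 8)).Repetition
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName "NPS-$Mode-Config" -Action $action `
        -Trigger $trigger -Principal $principal -Force | Out-Null
    Write-Log "registered task NPS-$Mode-Config"
}

try {
    if ($Register)              { Register-SyncTask }
    elseif ($Mode -eq 'Export') { Export-Config }
    else                        { Import-Config }
}
catch {
    Write-Log "ERROR: $($_.Exception.Message)"
    exit 1
}
```

The hash check matters for more than efficiency: Import-NpsConfiguration replaces the whole NPS configuration, RADIUS clients included, so importing only on change keeps the log on the backup meaningful (one line per real policy change rather than one every 10 minutes) and makes an unexpected import easy to spot.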
Now, for verification, add to the NPS on one of the servers (!) a couple of switches as RADIUS clients (IP and Shared Secret), two connection request policies: WIRED-Connect (Condition: "NAS Port Type is Ethernet") and WiFi-Connect (Condition: "NAS Port Type is IEEE 802.11"), and a network policy Access to Cisco Network Devices (Network Admins):
Conditions:
  Windows Groups - domain\sg-network-admins
Constraints:
  Authentication Methods - Unencrypted authentication (PAP, SPAP)
Settings:
  RADIUS Attributes: Standard - Service-Type - Login
  Vendor Specific - Cisco-AV-Pair - Cisco - shell:priv-lvl=15
On the switch side, the settings are as follows:
aaa new-model
aaa local authentication attempts max-fail 5
!
!
aaa group server radius NPS
server-private 192.168.38.151 auth-port 1812 acct-port 1813 key %shared_secret%
server-private 192.168.10.151 auth-port 1812 acct-port 1813 key %shared_secret%
!
aaa authentication login default group NPS local
aaa authentication dot1x default group NPS
aaa authorization console
aaa authorization exec default group NPS local if-authenticated
aaa authorization network default group NPS
!
aaa session-id common
!
identity profile default
!
dot1x system-auth-control
!
!
line vty 0 4
exec-timeout 5 0
transport input ssh
escape-character 99
line vty 5 15
exec-timeout 5 0
logging synchronous
transport input ssh
escape-character 99
After configuration, within 10 minutes all the policy parameters should appear on the backup NPS, and we will be able to log in to the switches using an Active Directory account that is a member of the domain\sg-network-admins group (which we created in advance).
Let's move on to setting up Active Directory: create the group policy and the password policies, and create the necessary groups.
Group Policy Computers-8021x-Settings:
Computer Configuration (Enabled)
  Policies
    Windows Settings
      Security Settings
        System Services
          Wired AutoConfig (Startup Mode: Automatic)
        Wired Network (802.3) Policies
          NPS-802-1x
            Name: NPS-802-1x
            Description: 802.1x
            Global Settings
              SETTING: VALUE
              Use Windows wired LAN network services for clients: Enabled
              Shared user credentials for network authentication: Enabled
            Network Profile
              Security Settings
                Enable use of IEEE 802.1X authentication for network access: Enabled
                Enforce use of IEEE 802.1X authentication for network access: Disabled
              IEEE 802.1X Settings
                Computer Authentication: Computer only
                Maximum Authentication Failures: 10
                Maximum EAPOL-Start Messages Sent:
                Held Period (seconds):
                Start Period (seconds):
                Authentication Period (seconds):
              Network Authentication Method Properties
                Authentication method: Protected EAP (PEAP)
                Validate server certificate: Enabled
                Connect to these servers:
                Do not prompt user to authorize new servers or trusted certification authorities: Disabled
                Enable fast reconnect: Enabled
                Disconnect if server does not present cryptobinding TLV: Disabled
                Enforce network access protection: Disabled
              Authentication Method Configuration
                Authentication method: Secured password (EAP-MSCHAP v2)
                Automatically use my Windows logon name and password (and domain if any): Enabled
Create a security group sg-computers-8021x-vl100, to which we will add the computers we want to assign to VLAN 100, and configure security filtering of the group policy created earlier for this group:
You can check that the policy has been applied successfully by opening "Network and Sharing Center (Network and Internet Settings) - Change adapter settings - Adapter Properties", where we will see the "Authentication" tab:
Once you are sure the policy has been applied successfully, you can proceed to configuring the network policy on NPS and the access-level switch ports.
Create the network policy neag-computers-8021x-vl100:
Conditions:
  Windows Groups - sg-computers-8021x-vl100
  NAS Port Type - Ethernet
Constraints:
  Authentication Methods - Microsoft: Protected EAP (PEAP) - Unencrypted authentication (PAP, SPAP)
  NAS Port Type - Ethernet
Settings:
  Standard:
    Framed-MTU 1344
    Tunnel-Medium-Type 802 (includes all 802 media plus Ethernet canonical format)
    Tunnel-Pvt-Group-ID 100
    Tunnel-Type Virtual LANs (VLAN)
Typical settings for a switch port (note that the "multi-domain" authentication type is used: Data and Voice, and there is also an option to authenticate by MAC address). During the "transition period" it makes sense to use the parameters:
authentication event fail action authorize vlan 100
authentication event no-response action authorize vlan 100
where the VLAN id is not a "quarantine" one, but the same VLAN the user's computer should land in after a successful login, until we are sure everything works. These same parameters can also be used in other scenarios, for example when an unmanaged switch is plugged into this port and you want all devices connected to it that have not passed authentication to land in a particular ("quarantine") VLAN.
Switch port settings in 802.1x host-mode multi-domain mode:
default int range Gi1/0/39-41
int range Gi1/0/39-41
shu
des PC-IPhone_802.1x
switchport mode access
switchport nonegotiate
switchport voice vlan 55
switchport port-security maximum 2
authentication event fail action authorize vlan 100
authentication event no-response action authorize vlan 100
authentication host-mode multi-domain
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout quiet-period 15
dot1x timeout tx-period 3
storm-control broadcast level pps 100
storm-control multicast level pps 110
no vtp
lldp receive
lldp transmit
spanning-tree portfast
no shu
exit
You can make sure that your computer and phone have passed authentication successfully with the command:
sh authentication sessions int Gi1/0/39 det
Now create a group (e.g. sg-fgpp-mab) in Active Directory for phones and add one device to it for testing (in my case a Grandstream GXP2160 with MAC address 000b.82ba.a7b1 and the corresponding domain account 000b82baa7b1).
For the created group, we will lower the password policy requirements (using
So we will allow device MAC addresses to be used as passwords. After that we can create a network policy for the 802.1x mab authentication method; let's call it neag-devices-8021x-voice. The parameters are as follows:
- NAS Port Type - Ethernet
- Windows Groups - sg-fgpp-mab
- EAP Type: Unencrypted authentication (PAP, SPAP)
- RADIUS Attributes - Vendor Specific: Cisco - Cisco-AV-Pair - Attribute value: device-traffic-class=voice
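The MAB account creation described above, as an added example (not the article's code): the switch sends the MAC address as both User-Name and password, 12 lowercase hex digits with no separators (000b82baa7b1 for the test phone), so the script normalises any MAC notation to that form and creates the account accordingly. The OU path and the PSO name are my assumptions, and the lowered password requirements are modelled here as a Fine-Grained Password Policy applied to sg-fgpp-mab (the group must be a global security group for a PSO to apply to it). Note the ordering: the user is created disabled and added to the group first, and only then is the password set, because the resultant password policy is evaluated at the moment the password is set, and a MAC would fail the default domain complexity rules if the account were not yet a member of the group.

```powershell
<#
  New-MabDevice.ps1 (added example, not the article's code).
  Assumptions: OU path and PSO name are mine; the relaxed password policy is a
  Fine-Grained Password Policy applied to the sg-fgpp-mab group.
#>
Import-Module ActiveDirectory

function ConvertTo-MabAccountName {
    param([Parameter(Mandatory)][string]$Mac)
    # Accept Cisco (000b.82ba.a7b1), colon or dash notation; the switch sends
    # the MAC as 12 lowercase hex digits, which is what the AD user name must be.
    $hex = ($Mac -replace '[.:\-]', '').ToLowerInvariant()
    if ($hex -notmatch '^[0-9a-f]{12}$') { throw "not a MAC address: $Mac" }
    return $hex
}

function New-MabPasswordPolicy {
    param([string]$Group = 'sg-fgpp-mab', [string]$PsoName = 'PSO-MAB-Devices')   # PSO name assumed
    # A MAC contains only digits and a-f, so the default complexity rule
    # (3 of 4 character classes) would reject it. Relax only complexity, only for
    # this group, and keep the minimum length at 12 so nothing shorter than a
    # full MAC is ever accepted as a MAB password.
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
        New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
            -ComplexityEnabled $false -MinPasswordLength 12 `
            -PasswordHistoryCount 0 -ReversibleEncryptionEnabled $false
        Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $Group
    }
}

function New-MabDevice {
    param(
        [Parameter(Mandatory)][string]$Mac,
        [Parameter(Mandatory)][string]$Description,
        [string]$Group = 'sg-fgpp-mab',
        [string]$OU = 'OU=MAB-Devices,DC=example,DC=local'   # assumed OU
    )
    $name = ConvertTo-MabAccountName -Mac $Mac
    if (Get-ADUser -Filter "SamAccountName -eq '$name'") {
        throw "MAB account $name already exists"
    }
    # Create disabled and without a password, join the group, and only then set
    # the password: the PSO applies to the user only once it is a group member.
    New-ADUser -Name $name -SamAccountName $name -Description $Description `
        -Path $OU -Enabled $false
    Add-ADGroupMember -Identity $Group -Members $name
    $secret = ConvertTo-SecureString -String $name -AsPlainText -Force
    Set-ADAccountPassword -Identity $name -Reset -NewPassword $secret
    # The password is public by design (it is the MAC), so the account gets no
    # password changes and no expiry; it should carry no rights beyond group membership.
    Set-ADUser -Identity $name -PasswordNeverExpires $true -CannotChangePassword $true -Enabled $true
    return $name
}

# Usage with the article's test phone:
New-MabPasswordPolicy
New-MabDevice -Mac '000b.82ba.a7b1' -Description 'Grandstream GXP2160 (test phone)'
```

Because PAP is checked by NPS against AD directly, reversible encryption is not needed for these accounts and is left off; keeping the MAB accounts in their own OU also makes it easy to audit that none of them has picked up group memberships beyond sg-fgpp-mab.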
After successful authentication (don't forget to configure the switch port), let's look at the information from the port:
sh authentication se int Gi1/0/34
----------------------------------------
Interface: GigabitEthernet1/0/34
MAC Address: 000b.82ba.a7b1
IP Address: 172.29.31.89
User-Name: 000b82baa7b1
Status: Authz Success
Domain: VOICE
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0000000000000EB2000B8C5E
Acct Session ID: 0x00000134
Handle: 0xCE000EB3
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
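The session output above is what an administrator reads port by port; as an added example (not from the article), here is a PowerShell parser that turns saved "show authentication sessions ... details" text into objects and flags the sessions worth a second look: anything not authorized by the RADIUS server (the fail/no-response VLAN actions from the port configuration would show up here), and any DATA-domain host that ended up on MAB, meaning a computer that should have done PEAP did not. The first sample block is the article's phone session; the other two are constructed for the example.

```powershell
<#
  Added example, not from the article: parse "show authentication sessions
  interface ... details" output and flag sessions a defender would review.
#>
function ConvertFrom-AuthSession {
    param([Parameter(Mandatory)][string]$Text)
    $fields = 'MAC Address', 'IP Address', 'User-Name', 'Status', 'Domain',
              'Oper host mode', 'Authorized By'
    # Sessions are separated by a line of dashes in the switch output.
    foreach ($block in ($Text -split '(?m)^-{10,}\s*$')) {
        if ($block -notmatch 'Interface:\s*(\S+)') { continue }
        $s = [ordered]@{ Interface = $Matches[1] }
        foreach ($f in $fields) {
            $key = $f -replace '[\s-]', ''          # 'User-Name' -> 'UserName'
            $pattern = '(?m)^\s*' + [regex]::Escape($f) + ':\s*(.+?)\s*$'
            $s[$key] = if ($block -match $pattern) { $Matches[1] } else { $null }
        }
        # Method table lines look like "dot1x  Failed over" / "mab  Authc Success".
        $methods = @{}
        foreach ($m in [regex]::Matches($block, '(?m)^\s*(dot1x|mab)\s+(.+?)\s*$')) {
            $methods[$m.Groups[1].Value] = $m.Groups[2].Value
        }
        $s.Dot1xState = $methods['dot1x']
        $s.Method = ($methods.GetEnumerator() |
            Where-Object { $_.Value -eq 'Authc Success' } | Select-Object -First 1).Key

        $flags = @()
        if ($s.Status -ne 'Authz Success') { $flags += 'not authorized' }
        if ($s.AuthorizedBy -ne 'Authentication Server') {
            $flags += 'authorized by the switch, not RADIUS (fail/no-response VLAN?)'
        }
        if ($s.Domain -eq 'DATA' -and $s.Method -eq 'mab') {
            $flags += 'data device on MAB: 802.1x did not succeed'
        }
        $s.Flags = $flags -join '; '
        [pscustomobject]$s
    }
}

function Get-SuspectSession {
    param([Parameter(Mandatory)][string]$Text)
    ConvertFrom-AuthSession -Text $Text | Where-Object { $_.Flags }
}

# Constructed sample: block 1 is the article's phone, blocks 2 and 3 are made up
# (a PC that passed PEAP, and a DATA host that fell back to MAB).
$sample = @'
----------------------------------------
            Interface:  GigabitEthernet1/0/34
          MAC Address:  000b.82ba.a7b1
           IP Address:  172.29.31.89
            User-Name:  000b82baa7b1
               Status:  Authz Success
               Domain:  VOICE
       Oper host mode:  multi-domain
        Authorized By:  Authentication Server
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
----------------------------------------
            Interface:  GigabitEthernet1/0/39
          MAC Address:  0011.2233.4455
            User-Name:  host/pc01.example.local
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
        Authorized By:  Authentication Server
Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run
----------------------------------------
            Interface:  GigabitEthernet1/0/40
          MAC Address:  0011.2233.4466
            User-Name:  001122334466
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
        Authorized By:  Authentication Server
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
'@

ConvertFrom-AuthSession -Text $sample | Format-Table Interface, Domain, UserName, Method, Flags -AutoSize
Get-SuspectSession -Text $sample | Format-List Interface, UserName, Flags
```

On real data, feed it the saved output of the command for every access port (for example `Get-Content -Raw .\sessions.txt`); only GigabitEthernet1/0/40 is flagged in the sample, and that is exactly the case the multi-domain port configuration hides from a casual look, since the host is connected and working.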
Now, as promised, let's look at a couple of not-so-obvious situations. For example, we need to connect users' computers and devices through an unmanaged switch. In this case the port settings will look like this:
Switch port settings in 802.1x host-mode multi-auth mode:
interface GigabitEthernet1/0/1
description *SW – 802.1x – 8 mac*
shu
switchport mode access
switchport nonegotiate
switchport voice vlan 55
switchport port-security maximum 8 ! increase the number of allowed MAC addresses
authentication event fail action authorize vlan 100
authentication event no-response action authorize vlan 100
authentication host-mode multi-auth ! authentication mode
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout quiet-period 15
dot1x timeout tx-period 3
storm-control broadcast level pps 100
storm-control multicast level pps 110
no vtp
spanning-tree portfast
no shu
P.S. We noticed a very strange glitch: if a device was connected through such a switch and is then connected to a managed switch, it will not work until we reboot (!) the switch to clear this problem once again.
Another point concerns DHCP (if ip dhcp snooping is used): without options like these:
ip dhcp snooping vlan 1-100
no ip dhcp snooping information option
for some reason I could not get an IP address correctly... although this may be a peculiarity of our DHCP server.
And Mac OS & Linux (which have native 802.1x support) try to authenticate the user even when authentication by MAC address is configured.
In the next part of the article we will look at using 802.1x for Wireless (depending on the group the user account belongs to, it will be "thrown" into the appropriate network (VLAN), even though it connects to the same SSID).
Source: will.com