Te haere tonu i te raupapa o nga tuhinga mo te kaupapa whakahaere VPN Uru Mamao uru Kaore e taea e au te awhina engari te tiri i taku wheako whakaurunga whakamere whirihoranga VPN tino haumaru. He mahi iti noa i tukuna e tetahi kaihoko (he kaihopu kei roto i nga kainga o Ruhia), engari i whakaaetia te Wero me te whakatinana auaha. Ko te hua he ariā whakamere me nga ahuatanga e whai ake nei:
- He maha nga mea hei whakamarumaru i te whakakapinga o te taputapu kapeka (me te tino here ki te kaiwhakamahi);
- Te aromatawai i te tautukunga o te PC a te kaiwhakamahi me te UDID kua tohua o te PC kua whakaaetia i roto i te papaunga raraunga motuhēhēnga;
- Ma te MFA e whakamahi ana i te PC UDID mai i te tiwhikete mo te whakamotuhēhēnga tuarua mā Cisco DUO (Ka taea e koe te taapiri i tetahi SAML/Radius hototahi);
- Motuhēhēnga-maha:
- Tiwhikete Kaiwhakamahi me te manatoko mara me te motuhēhēnga tuarua ki tetahi o ratou;
- Takiuru (kaore e taea te whakarereke, tangohia mai i te tiwhikete) me te kupuhipa;
- Te whakatau tata i te ahua o te kaihautu hono (Posture)
Nga waahanga otinga e whakamahia ana:
- Cisco ASA (VPN Gateway);
- Cisco ISE (Motuhēhēnga / Whakamanatanga / Kaute, Aromatawai State, CA);
- Cisco DUO (Motuhēhēnga Taumaha-maha) (Ka taea e koe te taapiri i tetahi SAML/Radius hototahi);
- Cisco AnyConnect (Kaiwhakahaere maha mo nga teihana mahi me te OS pūkoro);
Me timata me nga whakaritenga a te kaihoko:
- Me taea e te kaiwhakamahi, na roto i tana whakamotuhēhēnga Takiuru/Kupuhipa, te tango i te kiritaki AnyConnect mai i te kuaha VPN; me whakauru aunoa nga waahanga AnyConnect katoa e tika ana kia rite ki te kaupapa here a te kaiwhakamahi;
- Ka taea e te kaiwhakamahi te whakaputa aunoa i tetahi tiwhikete (mo tetahi o nga ahuatanga, ko te ahuatanga matua ko te tuku a-ringa me te tuku i runga i te PC), engari i whakatinanahia e au te take aunoa mo te whakaaturanga (kaore i roa te roa ki te tango).
- Ko te whakamotuhēhēnga taketake me mahi i roto i nga waahanga maha, i te tuatahi ko te tiwhikete tiwhikete me te tātaritanga o nga mara e tika ana me o raatau uara, katahi ka takiuru/kupuhipa, ko tenei wa ko te ingoa kaiwhakamahi kua tohua ki te mara tiwhikete me whakauru ki te matapihi takiuru Ingoa Kaupapa (CN) kahore he kaha ki te whakatika.
- Me mohio koe ko te taputapu kei te takiuru koe ko te pona umanga ka tukuna ki te kaiwhakamahi mo te uru mamao, kaua ko tetahi atu mea. (He maha nga whiringa kua mahia hei whakatutuki i tenei whakaritenga)
- Ko te ahua o te taputapu hono (i tenei waahanga PC) me aromatawaihia ma te tirotiro i te tepu nui o nga whakaritenga a nga kaihoko (whakapoto):
- Ko nga konae me o raatau taonga;
- Nga urunga rehita;
- Ko nga papaa OS mai i te rarangi kua whakaratohia (i muri mai ko te whakauru SCCM);
- Te waatea o te Anti-Virus mai i tetahi kaihanga motuhake me te whaitake o nga waitohu;
- Nga mahi o etahi ratonga;
- Te waatea o etahi papatono kua whakauruhia;
Hei tiimata, ka kii ahau kia tino titiro koe ki te whakaaturanga ataata o te whakatinanatanga ka puta Youtube (5 meneti).
Inaianei ka whakaaro ahau ki nga korero mo te whakatinanatanga kaore i hipokina ki te riipene ataata.
Me whakarite te kōtaha AnyConnect:
I hoatu e ahau i mua he tauira mo te hanga i tetahi korero (i runga i te ahua o te tahua i roto i te ASDM) i roto i taku tuhinga mo te tautuhinga . Inaianei e hiahia ana ahau ki te tuhi wehe i nga whiringa ka hiahiatia e matou:
I roto i te kōtaha, ka tohu matou i te kuaha VPN me te ingoa kōtaha mo te hono ki te kiritaki mutunga:
Me whirihora i te tuku aunoa o te tiwhikete mai i te taha o te whaarangi, e tohu ana, ina koa, nga tawhā tiwhikete, me te tino aro ki te mara. Kupu tuatahi (I), i te mea ka whakauruhia he uara motuhake UDID miihini whakamatautau (Tautuhi taputapu ahurei i hangaia e te kiritaki Cisco AnyConnect).
I konei kei te pirangi au ki te hanga i tetahi rerenga korero, na te mea kei te whakaahua tenei tuhinga i te ariā; mo nga kaupapa whakaatu, ko te UDID mo te tuku tiwhikete ka whakauruhia ki te mara Tuatahi o te AnyConnect profile. Ae ra, i roto i te ora tonu, ki te mahi koe i tenei, ka whiwhi nga kaihoko katoa i tetahi tiwhikete me te UDID kotahi i tenei mara kaore he mea e mahi mo ratou, na te mea e hiahia ana ratou ki te UDID o to raatau PC. Heoi, kaore ano a AnyConnect ki te whakauru i te whakakapinga o te mara UDID ki roto i te whaarangi tono tiwhikete ma te taurangi taiao, penei, hei tauira, me te taurangi. %USER%.
He mea tika kia mahara ko te kaihoko (o tenei ahuatanga) i te tuatahi ka whakaaro ki te whakaputa i nga tiwhikete motuhake me te UDID kua hoatu i roto i te aratau a-ringa ki nga PC kua Tiakihia, ehara i te mea he raru ki a ia. Engari, mo te nuinga o tatou e hiahia ana matou ki te automation (he pai, mo au he pono =)).
A koinei te mea ka taea e au te tuku mo te mahi aunoa. Mena kaore ano a AnyConnect e kaha ki te whakaputa aunoa i tetahi tiwhikete ma te whakakapi i te UDID, tera ano tetahi atu huarahi e hiahia ana ki te whakaaro auaha me nga ringaringa mohio - ka korerotia e ahau ki a koe te kaupapa. Tuatahi, me titiro me pehea te hanga o te UDID i runga i nga punaha whakahaere rereke e te kaihoko AnyConnect:
- Windows — SHA-256 hash o te huinga o te DigitalProductID me te taviri rehita Miihini SID
- OSX — SHA-256 hash PlatformUUID
- Linux — SHA-256 hash o te UUID o te wehenga pakiaka.
- Apple iOS — SHA-256 hash PlatformUUID
- Android – Tirohia te tuhinga kei runga
Na reira, ka hangaia e matou he tuhinga mo a maatau Windows OS, ma tenei tuhinga ka tatau taatau i te UDID ma te whakamahi i nga whakaurunga mohio me te tono tono mo te tuku tiwhikete ma te whakauru i tenei UDID ki te waahi e hiahiatia ana, na te mea ka taea e koe te whakamahi miihini. tiwhikete i tukuna e AD (ma te taapiri i te whakamotuhēhēnga takirua ma te whakamahi i tetahi tiwhikete ki te kaupapa Tiwhikete Maha).
Me whakarite nga tautuhinga i te taha Cisco ASA:
Me hanga he TrustPoint mo te tūmau ISE CA, ko ia te mea ka tukuna he tiwhikete ki nga kaihoko. E kore ahau e whakaaro ki te tikanga kawemai Key-Chain; he tauira kei roto i taku tuhinga tatūnga .
crypto ca trustpoint ISE-CA
enrollment terminal
crl configureKa whirihorahia e matou te tohatoha ma te Tunnel-Group i runga i nga ture i runga i nga mara o te tiwhikete e whakamahia ana mo te motuhēhēnga. Ko te tohu AnyConnect i mahia e matou i te waahanga o mua kua whirihorahia ki konei. Kia mahara kei te whakamahi ahau i te uara SECUREBANK-RA, ki te whakawhiti i nga kaiwhakamahi me te tiwhikete kua tukuna ki tetahi roopu kauhanga HAURUA-PEEKE-VPN, kia mohio koe kei a au tenei mara i roto i te AnyConnect tono tohu tohu tohu.
tunnel-group-map enable rules
!
crypto ca certificate map OU-Map 6
subject-name attr ou eq securebank-ra
!
webvpn
anyconnect profiles SECUREBANK disk0:/securebank.xml
certificate-group-map OU-Map 6 SECURE-BANK-VPN
!Te whakarite tūmau motuhēhēnga. I roto i taku keehi, ko te ISE tenei mo te waahi tuatahi o te motuhēhēnga me te DUO (Radius Proxy) hei MFA.
! CISCO ISE
aaa-server ISE protocol radius
authorize-only
interim-accounting-update periodic 24
dynamic-authorization
aaa-server ISE (inside) host 192.168.99.134
key *****
!
! DUO RADIUS PROXY
aaa-server DUO protocol radius
aaa-server DUO (inside) host 192.168.99.136
timeout 60
key *****
authentication-port 1812
accounting-port 1813
no mschapv2-capable
!Ka hangaia e matou nga kaupapa here a te roopu me nga roopu kauhanga me o raatau waahanga awhina:
Rōpū kauhanga TaunoaWEBVPNGroup ka whakamahia tuatahi ki te tango i te AnyConnect VPN kiritaki me te tuku i tetahi tiwhikete kaiwhakamahi ma te whakamahi i te mahi SCEP-Proxy o te ASA; mo tenei kei a maatau nga waahanga e rite ana ki te whakahohe i runga i te roopu kohanga me te kaupapa here a te roopu. AC-Tikiake, me te kōtaha AnyConnect kua utaina (nga mara mo te tuku tiwhikete, me etahi atu). I roto ano i tenei kaupapa here roopu e tohu ana matou me tango ISE Posture Module.
Rōpū kauhanga HAURUA-PEEKE-VPN ka whakamahia aunoatia e te kiritaki ina whakamotuhēhēhia me te tiwhikete i tukuna i te wahanga o mua, na te mea, i runga i te Mahere Tiwhikete, ka taka te hononga ki runga i tenei roopu kauhanga. Ka korero ahau ki a koe mo nga whiringa pai i konei:
- DUO-whakamotuhēhē-rua-tūmau-rōpū # Tautuhia te motuhēhēnga tuarua ki te tūmau DUO (Radius Proxy)
- ingoa kaiwhakamahi-mai-tiwhiketeCN # Mo te motuhēhēnga tuatahi, ka whakamahia e matou te mara CN o te tiwhikete ki te tango i te takiuru kaiwhakamahi
- ingoa-kaiwhakamahi tuarua-mai-tiwhikete I # Mo te whakamotuhēhēnga tuarua i runga i te tūmau DUO, ka whakamahia e matou te ingoa kaiwhakamahi i tangohia me nga mara (I) o te tiwhikete.
- i mua i te whakakī-kaiwhakamahi kiritaki # kia whakakiia te ingoa kaiwhakamahi ki te matapihi whakamotuhēhēnga me te kore e taea te huri
- tuarua-mua-whakakī-ingoa-kaiwhakamahi huna huna whakamahi-noa-kupuhipa pana # Ka huna e matou te matapihi whakaurunga / kupuhipa mo te whakamotuhēhēnga tuarua DUO me te whakamahi i te tikanga whakamohio (sms / pana / waea) - tauranga ki te tono motuhēhēnga hei utu mo te mara kupuhipa.
!
access-list posture-redirect extended permit tcp any host 72.163.1.80
access-list posture-redirect extended deny ip any any
!
access-list VPN-Filter extended permit ip any any
!
ip local pool vpn-pool 192.168.100.33-192.168.100.63 mask 255.255.255.224
!
group-policy SECURE-BANK-VPN internal
group-policy SECURE-BANK-VPN attributes
dns-server value 192.168.99.155 192.168.99.130
vpn-filter value VPN-Filter
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
default-domain value ashes.cc
address-pools value vpn-pool
webvpn
anyconnect ssl dtls enable
anyconnect mtu 1300
anyconnect keep-installer installed
anyconnect ssl keepalive 20
anyconnect ssl rekey time none
anyconnect ssl rekey method ssl
anyconnect dpd-interval client 30
anyconnect dpd-interval gateway 30
anyconnect ssl compression lzs
anyconnect dtls compression lzs
anyconnect modules value iseposture
anyconnect profiles value SECUREBANK type user
!
group-policy AC-DOWNLOAD internal
group-policy AC-DOWNLOAD attributes
dns-server value 192.168.99.155 192.168.99.130
vpn-filter value VPN-Filter
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
default-domain value ashes.cc
address-pools value vpn-pool
scep-forwarding-url value http://ise.ashes.cc:9090/auth/caservice/pkiclient.exe
webvpn
anyconnect ssl dtls enable
anyconnect mtu 1300
anyconnect keep-installer installed
anyconnect ssl keepalive 20
anyconnect ssl rekey time none
anyconnect ssl rekey method ssl
anyconnect dpd-interval client 30
anyconnect dpd-interval gateway 30
anyconnect ssl compression lzs
anyconnect dtls compression lzs
anyconnect modules value iseposture
anyconnect profiles value SECUREBANK type user
!
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool vpn-pool
authentication-server-group ISE
accounting-server-group ISE
default-group-policy AC-DOWNLOAD
scep-enrollment enable
tunnel-group DefaultWEBVPNGroup webvpn-attributes
authentication aaa certificate
!
tunnel-group SECURE-BANK-VPN type remote-access
tunnel-group SECURE-BANK-VPN general-attributes
address-pool vpn-pool
authentication-server-group ISE
secondary-authentication-server-group DUO
accounting-server-group ISE
default-group-policy SECURE-BANK-VPN
username-from-certificate CN
secondary-username-from-certificate I
tunnel-group SECURE-BANK-VPN webvpn-attributes
authentication aaa certificate
pre-fill-username client
secondary-pre-fill-username client hide use-common-password push
group-alias SECURE-BANK-VPN enable
dns-group ASHES-DNS
!I muri ka haere tatou ki te ISE:
Ka whirihorahia e matou he kaiwhakamahi rohe (ka taea e koe te whakamahi i te AD / LDAP / ODBC, me etahi atu), mo te ngawari, i hangaia e ahau he kaiwhakamahi rohe i roto i te ISE ake ka tohua ki te mara whakaahuatanga UDID PC mai i reira ka whakaaetia ia ki te takiuru ma te VPN. Mena ka whakamahi ahau i te whakamotuhēhēnga ā-rohe i runga i te ISE, ka whakawhäitihia ahau ki te taputapu kotahi, na te mea kaore i te maha nga waahi, engari i roto i nga papaarangi motuhēhēnga tuatoru kare au e herea.
Kia titiro tatou ki te kaupapa here whakamana, kua wehea kia wha nga waahanga hononga:
- Mahinga 1 — Kaupapa here mo te tango i te kaihoko AnyConnect me te tuku tiwhikete
- Mahinga 2 — Kaupapa here motuhēhēnga tuatahi Takiuru (mai i te tiwhikete)/Kupuhipa + Tiwhikete me te whakamanatanga UDID
- Mahinga 3 — Motuhēhēnga tuarua mā Cisco DUO (MFA) mā te whakamahi i te UDID hei ingoa kaiwhakamahi + Aromatawai State
- Mahinga 4 — Ko te whakamanatanga whakamutunga kei te kawanatanga:
- E tika ana;
- Te whakamanatanga UDID (mai i te tiwhikete + herenga takiuru),
- Cisco DUO MFA;
- Motuhēhēnga mā te takiuru;
- Tiwhikete motuhēhēnga;
Kia titiro tatou ki tetahi ahuatanga whakamere UUID_VALIDATE, ko te ahua o te kaiwhakamahi motuhēhē i ahu mai i te PC me te UDID whakaaetia e hono ana ki te mara Whakaahuatanga kaute, he penei nga tikanga:
Ko te tohu whakamana i whakamahia i nga waahanga 1,2,3 e whai ake nei:
Ka taea e koe te tirotiro me pehea te taenga mai o te UDID mai i te AnyConnect kiritaki ki a matou ma te titiro ki nga korero mo te huihuinga a te kiritaki i ISE. I roto i nga korero ka kite tatou ko AnyConnect ma te miihini ACIDEX ka tukuna e kore anake nga korero mo te turanga, engari ano hoki te UDID o te taputapu hei Cisco-AV-PAIR:
Kia whai whakaaro tatou ki te tiwhikete i tukuna ki te kaiwhakamahi me te mara Kupu tuatahi (I), e whakamahia ana ki te tango hei takiuru mo te motuhēhēnga MFA tuarua ki Cisco DUO:
I te taha o te DUO Radius Proxy i roto i te raarangi ka tino kitea te ahua o te tono motuhēhēnga, ka puta mai ma te whakamahi i te UDID hei ingoa ingoa:
Mai i te tomokanga o DUO ka kite matou i tetahi huihuinga motuhēhēnga angitu:
Na i roto i nga taonga kaiwhakamahi kua whakaritea e ahau Ko te ALIAS, i whakamahia e au mo te takiuru, ko te UDID tenei o te PC kua whakaaetia mo te takiuru:
Ko te mutunga i whiwhi matou:
- Te whakamotuhēhēnga kaiwhakamahi me te taputapu maha;
- Parenga ki te tinihanga i te taputapu a te kaiwhakamahi;
- Te aromatawai i te ahua o te taputapu;
- Ka taea te whakanui ake i te mana me te tiwhikete miihini rohe, me etahi atu;
- Te whakamarumaru whanui i nga waahi mahi mamao me nga waahanga haumaru kua tukuna aunoa;
Hononga ki nga tuhinga raupapa Cisco VPN:
Source: will.com