Takulandilani ku positi yachiwiri pamndandanda wa Cisco ISE. Poyamba ubwino ndi kusiyana kwa njira zothetsera Network Access Control (NAC) kuchokera ku AAA wamba, kusiyanitsa kwa Cisco ISE, kamangidwe kake ndi kakhazikitsidwe kazinthuzo zidawonetsedwa.
M'nkhaniyi, tikambirana za kupanga maakaunti, kuwonjezera ma seva a LDAP, ndikuphatikiza ndi Microsoft Active Directory, komanso ma nuances ogwirira ntchito ndi PassiveID. Musanawerenge, ndikupangira kuti muwerenge .
1. Matchulidwe ena
Chidziwitso cha Wogwiritsa - akaunti ya ogwiritsa ntchito yomwe ili ndi zambiri za wogwiritsa ntchitoyo ndikupanga zidziwitso zake kuti athe kupeza netiweki. Magawo otsatirawa amatchulidwa mu Identity: dzina lolowera, imelo adilesi, mawu achinsinsi, kufotokozera akaunti, gulu la ogwiritsa ntchito, ndi udindo.
Magulu Ogwiritsa Ntchito - magulu ogwiritsa ntchito ndi gulu la ogwiritsa ntchito omwe ali ndi mwayi wofanana womwe umawalola kuti azitha kupeza ntchito ndi ntchito za Cisco ISE.
Magulu Ozindikiritsa Ogwiritsa - Magulu a ogwiritsa ntchito omwe ali kale ndi chidziwitso ndi maudindo ena. Magulu Otsatira Otsatirawa alipo mwachisawawa, mutha kuwonjezera ogwiritsa ntchito ndi magulu ogwiritsa ntchito kwa iwo: Wogwira Ntchito (wogwira ntchito), SponsorAllAccount, SponsorGroupAccounts, SponsorOwnAccounts (maakaunti othandizira kuyang'anira malo ochezera alendo), Mlendo (mlendo), ActivatedGuest (mlendo wotsegulidwa).
ntchito- Udindo wa wogwiritsa ntchito ndi mndandanda wa zilolezo zomwe zimatsimikizira ntchito zomwe wogwiritsa ntchito angachite komanso ntchito zomwe angapeze. Nthawi zambiri ntchito yogwiritsira ntchito imagwirizanitsidwa ndi gulu la ogwiritsa ntchito.
Komanso, aliyense wogwiritsa ntchito ndi gulu la ogwiritsa ali ndi zina zowonjezera zomwe zimakulolani kuti musankhe ndikutanthauzira mwachindunji wogwiritsa ntchito (gulu la ogwiritsa ntchito). Zambiri mu .
2. Pangani ogwiritsa ntchito kwanuko
1) Cisco ISE ili ndi kuthekera kopanga ogwiritsa ntchito akumaloko ndikuwagwiritsa ntchito mundondomeko yofikira kapenanso kupereka gawo loyang'anira malonda. Sankhani Administration → Identity Management → Identity → Ogwiritsa → Onjezani.
Chithunzi 1 Kuwonjezera Wogwiritsa Ntchito Wam'deralo ku Cisco ISE
2) Pazenera lomwe likuwoneka, pangani wosuta wamba, ikani mawu achinsinsi ndi magawo ena omveka.
Chithunzi 2. Kupanga Wogwiritsa Ntchito M'deralo ku Cisco ISE
3) Ogwiritsanso akhoza kutumizidwa kunja. Mu tabu yemweyo Administration → Identity Management → Identity → Ogwiritsa sankhani njira Lowani ndikukweza fayilo ya csv kapena txt ndi ogwiritsa ntchito. Kuti mupeze template sankhani Pangani template, ndiye iyenera kudzazidwa ndi zambiri za ogwiritsa ntchito mu fomu yoyenera.
Chithunzi 3 Kulowetsa Ogwiritsa Ntchito mu Cisco ISE
3. Kuwonjezera ma seva a LDAP
Ndiroleni ndikukumbutseni kuti LDAP ndi njira yodziwika bwino yogwiritsira ntchito yomwe imakupatsani mwayi wolandila zidziwitso, kutsimikizira, kusaka maakaunti muzolemba zamaseva a LDAP, imagwira ntchito padoko 389 kapena 636 (SS). Zitsanzo zodziwika bwino za maseva a LDAP ndi Active Directory, Sun Directory, Novell eDirectory, ndi OpenLDAP. Kulowa kulikonse mu bukhu la LDAP kumatanthauzidwa ndi DN (Dzina Lolemekezeka) ndipo ntchito yopeza ma akaunti, magulu a ogwiritsa ntchito ndi zizindikiro zimakwezedwa kuti apange ndondomeko yofikira.
Mu Cisco ISE, ndizotheka kukonza mwayi wofikira ma seva ambiri a LDAP, potero ndikukhazikitsanso kubweza. Ngati seva yoyamba (yoyambirira) ya LDAP sichipezeka, ndiye ISE idzayesa kupeza yachiwiri (yachiwiri) ndi zina zotero. Kuonjezera apo, ngati pali 2 PANs, ndiye kuti LDAP imodzi ikhoza kuikidwa patsogolo pa PAN yoyamba ndi LDAP ina ya PAN yachiwiri.
ISE imathandizira mitundu iwiri ya kuyang'ana (kuyang'ana) mukamagwira ntchito ndi maseva a LDAP: Kufufuza kwa Ogwiritsa ndi Kufufuza Adilesi ya MAC. Kufufuza kwa Ogwiritsa kumakupatsani mwayi wofufuza wogwiritsa ntchito mu nkhokwe ya LDAP ndikupeza mfundo zotsatirazi popanda kutsimikizika: ogwiritsa ntchito ndi mawonekedwe awo, magulu ogwiritsa ntchito. Kuyang'ana Adilesi ya MAC kumakupatsaninso mwayi wofufuza ndi adilesi ya MAC muakalozera a LDAP popanda kutsimikizika ndikupeza zambiri za chipangizocho, gulu la zida zokhala ndi ma adilesi a MAC, ndi zina zake.
Monga chitsanzo chophatikizira, tiyeni tiwonjezere Active Directory ku Cisco ISE ngati seva ya LDAP.
1) Pitani ku tabu Ulamuliro → Kasamalidwe ka Identity → Zochokera Kuzidziwitso Zakunja → LDAP → Onjezani.
Chithunzi 4. Kuwonjezera seva ya LDAP
2) Mu gulu General tchulani dzina la seva ya LDAP ndi dongosolo (kwa ife, Active Directory).
Chithunzi 5. Kuwonjezera seva ya LDAP ndi Active Directory schema
3) Kenako pitani ku Kulumikizana tabu ndikusankha Dzina la alendo/IP adilesi Seva AD, doko (389 - LDAP, 636 - SSL LDAP), zidziwitso za administrator domain (Admin DN - DN yonse), magawo ena akhoza kusiyidwa ngati osakhazikika.
ndemanga: gwiritsani ntchito zambiri za admin domain kuti mupewe zovuta zomwe zingachitike.
Chithunzi 6 Kulowetsa LDAP Server Data
4) Mu tabu Directory Organisation muyenera kufotokozera dera lachikwatu kudzera mu DN komwe mungakokere ogwiritsa ntchito ndi magulu ogwiritsa ntchito.
Chithunzi 7. Kutsimikiza kwa maupangiri komwe magulu a ogwiritsa ntchito angathe kukokera
5) Pitani kuwindo Magulu → Onjezani → Sankhani Magulu Kuchokera pa Kalozera kusankha kukoka magulu kuchokera pa seva ya LDAP.
Chithunzi 8. Kuwonjezera magulu kuchokera pa seva ya LDAP
6) Pazenera lomwe likuwoneka, dinani Pezani Magulu. Ngati magulu adakoka, ndiye kuti zoyambira zatsirizidwa bwino. Kupanda kutero, yesani woyang'anira wina ndikuwona kupezeka kwa ISE ndi seva ya LDAP kudzera pa protocol ya LDAP.
Chithunzi 9. Mndandanda wamagulu ogwiritsira ntchito kukoka
7) Mu tabu zikhumbo mungathe kufotokoza zomwe zili pa seva ya LDAP zomwe ziyenera kukokedwa, komanso pawindo Zaka Zapamwamba yambitsani njira Yambitsani kusintha mawu achinsinsi, zomwe zidzakakamiza ogwiritsa ntchito kusintha mawu achinsinsi ngati atha ntchito kapena kukonzanso. Komabe dinani kugonjera kupitiriza.
8) Seva ya LDAP idawonekera mu tabu yofananira ndipo ingagwiritsidwe ntchito kupanga mfundo zopezera mtsogolo.
Chithunzi 10. Mndandanda wa ma seva owonjezera a LDAP
4. Kuphatikiza ndi Active Directory
1) Powonjezera seva ya Microsoft Active Directory ngati seva ya LDAP, tili ndi ogwiritsa ntchito, magulu a ogwiritsa ntchito, koma palibe zipika. Kenako, ndikupangira kukhazikitsa kuphatikiza kwathunthu kwa AD ndi Cisco ISE. Pitani ku tabu Ulamuliro → Kasamalidwe ka Identity → Zochokera Kuzidziwitso Zakunja → Kalozera Wogwiritsa → Onjezani.
Taonani: Kuti muphatikizidwe bwino ndi AD, ISE iyenera kukhala mu domain ndikukhala ndi kulumikizana kwathunthu ndi ma seva a DNS, NTP ndi AD, apo ayi palibe chomwe chidzachitike.
Chithunzi 11. Kuonjezera seva ya Active Directory
2) Pazenera lomwe likuwoneka, lowetsani zambiri za administrator domain ndikuwunika bokosilo Zikalata Zosungira. Kuphatikiza apo, mutha kutchula OU (Organizational Unit) ngati ISE ili mu OU inayake. Kenako, muyenera kusankha ma Cisco ISE node omwe mukufuna kulumikiza ku domain.
Chithunzi 12. Kulowetsa zidziwitso
3) Musanawonjezere olamulira ankalamulira, onetsetsani kuti pa PSN pa tabu Administration → System → Kutumiza njira yathandizidwa Passive Identity Service. Passive ID - njira yomwe imakupatsani mwayi womasulira Wogwiritsa ntchito ku IP ndi mosemphanitsa. PassiveID imapeza zambiri kuchokera ku AD kudzera pa WMI, othandizira apadera a AD kapena doko la SPAN pa switch (osati njira yabwino kwambiri).
Taonani: kuti muwone momwe Passive ID ilili, lembani ISE console onetsani mawonekedwe a application ise | zikuphatikizapo PassiveID.
Chithunzi 13. Kuthandizira njira ya PassiveID
4) Pitani ku tabu Ulamuliro → Kasamalidwe ka Identity → Malo Odziwika Akunja → Kalozera Wogwira → PassiveID ndi kusankha njira Onjezani ma DC. Kenako, sankhani olamulira ofunikira omwe ali ndi mabokosi ndikudina CHABWINO.
Chithunzi 14. Kuonjezera olamulira a domain
5) Sankhani ma DC owonjezera ndikudina batani Sinthani. Chonde sonyezani Mtengo wa FQDN DC yanu, malowedwe amtundu ndi mawu achinsinsi, ndi njira yolumikizira WMI kapena wothandizila. Sankhani WMI ndikudina CHABWINO.
Chithunzi 15 Lowetsani zambiri za owongolera domain
6) Ngati WMI si njira yabwino yolankhulirana ndi Active Directory, ndiye kuti ma ISE angagwiritsidwe ntchito. Njira yothandizira ndikuti mutha kukhazikitsa othandizira apadera pa maseva omwe amatulutsa zochitika zolowera. Pali 2 unsembe options: automatic ndi manual. Kuti muyike wothandizira pa tabu yomweyo Passive ID sankhani Onjezani Wothandizira → Ikani Wothandizira Watsopano (DC iyenera kukhala ndi intaneti). Kenako lembani magawo ofunikira (dzina la wothandizira, seva FQDN, lolowera / mawu achinsinsi) ndikudina CHABWINO.
Chithunzi 16. Kuyika kwachangu kwa ISE wothandizira
7) Kuti muyike pamanja wothandizira wa Cisco ISE, sankhani chinthucho Lembani Wothandizira Amene Alipo. Mwa njira, mukhoza kukopera wothandizira mu tabu Malo Ogwirira Ntchito → PassiveID → Othandizira → Othandizira → Wothandizira Wotsitsa.
Chithunzi 17. Kutsitsa wothandizira wa ISE
Nkofunika: PassiveID samawerenga zochitika Tulukani! Parameter yomwe imayambitsa kutha kwa nthawi imatchedwa wosuta gawo kukalamba nthawi ndipo zikufanana ndi maola 24 mwachisawawa. Chifukwa chake, muyenera kudzisiya nokha kumapeto kwa tsiku logwira ntchito, kapena kulemba mtundu wina wa script womwe umangochotsa onse ogwiritsa ntchito.
Kuti mudziwe zambiri Tulukani "Endpoint probes" amagwiritsidwa ntchito - ma terminal probes. Pali zofufuza zingapo zomaliza mu Cisco ISE: RADIUS, SNMP Trap, SNMP Query, DHCP, DNS, HTTP, Netflow, NMAP Scan. UTALIZO kufufuza pogwiritsa ntchito CoA (Change of Authorization) phukusi limapereka chidziwitso chokhudza kusintha maufulu a ogwiritsa ntchito (izi zimafunikira ophatikizidwa 802.1X), ndi kusinthidwa pa ma switches SNMP, ipereka chidziwitso chokhudza zida zolumikizidwa ndi zolumikizidwa.
Chitsanzo chotsatirachi ndi chofunikira pakusintha kwa Cisco ISE + AD popanda 802.1X ndi RADIUS: wogwiritsa ntchito alowetsedwa pamakina a Windows, osapanga logoff, lowani kuchokera pa PC ina kudzera pa WiFi. Pachifukwa ichi, gawo pa PC yoyamba lidzakhala likugwirabe ntchito mpaka nthawi yopuma ichitike kapena kutsekedwa mokakamiza kumachitika. Ndiye ngati zipangizozo zili ndi ufulu wosiyana, ndiye kuti womaliza adalowa mu chipangizocho adzagwiritsa ntchito ufulu wake.
8) Zosankha pa tabu Ulamuliro → Kasamalidwe ka Identity → Zochokera Kuzidziwitso Zakunja → Kalozera Wogwiritsa → Magulu → Onjezani → Sankhani Magulu Kuchokera Pakalozera mutha kusankha magulu kuchokera ku AD omwe mukufuna kukoka pa ISE (kwa ife, izi zidachitika mu gawo 3 "Kuwonjezera seva ya LDAP"). Sankhani njira Bweretsani Magulu → Chabwino.
Chithunzi 18 a). Kukoka magulu ogwiritsa ntchito kuchokera ku Active Directory
9) Mu tabu Malo Ogwirira Ntchito → PassiveID → Mwachidule → Dashboard mutha kuwona kuchuluka kwa magawo omwe akugwira ntchito, kuchuluka kwa magwero a data, othandizira, ndi zina zambiri.
Chithunzi 19. Kuyang'anira ntchito za ogwiritsa ntchito madambwe
10) Mu tabu Magawo Okhala Nawo magawo atsopano akuwonetsedwa. Kuphatikizana ndi AD kumakonzedwa.
Chithunzi 20. Magawo achangu a ogwiritsa ntchito madambwe
5. Kutsiliza
Nkhaniyi idafotokoza zamitu yopanga ogwiritsa ntchito aku Cisco ISE, ndikuwonjezera ma seva a LDAP, ndikuphatikiza ndi Microsoft Active Directory. Nkhani yotsatira iwonetsa mwayi wofikira alendo ngati kalozera wosafunikira.
Ngati muli ndi mafunso okhudza mutuwu kapena mukufuna thandizo poyesa malonda, lemberani .
Khalani tcheru kuti mumve zosintha zamakanema athu (, , , , ).
Source: www.habr.com