Every company, even the smallest, needs authentication, authorization and accounting of its users (the AAA family of protocols). At first, AAA is handled perfectly well with protocols such as RADIUS, TACACS+ and DIAMETER. However, as the number of users and the company itself grow, so does the number of tasks: maximum visibility of hosts and BYOD devices, multi-factor authentication, multi-level access policies and much more.
For such tasks, the NAC (Network Access Control) class of solutions is a good fit: controlling who connects to the network. In this series of articles dedicated to Cisco ISE (Identity Services Engine), a NAC solution that provides context-aware access control for users on the internal network, we will look in detail at the architecture, deployment, configuration and licensing of the solution.
Let me briefly remind you that Cisco ISE allows you to:
Quickly and easily create guest access on a dedicated WLAN;
Detect BYOD devices (for example, employees' home PCs that they bring to work);
Centralize and enforce security policies for domain and non-domain users using SGT (TrustSec) security group tags;
Send logs of user logon/logoff events, together with their accounts (identity), to an NGFW to build user-based policies;
Integrate natively with Cisco StealthWatch and quarantine suspicious hosts involved in security incidents;
The Identity Services Engine architecture consists of 4 entities (nodes): the policy administration node (Policy Administration Node), the policy service node (Policy Service Node), the monitoring node (Monitoring Node) and the PxGrid node (PxGrid Node). Cisco ISE can be deployed standalone or distributed. In the Standalone version all entities run on a single virtual machine or physical server (Secure Network Server, SNS), while in the Distributed version the nodes are spread across different devices.
Policy Administration Node (PAN) is a mandatory node that lets you perform all administrative operations on Cisco ISE. It handles all configuration related to AAA. In a distributed configuration (the node can be deployed as a separate virtual machine) you can have at most two PANs for fault tolerance, in Active/Standby mode.
Policy Service Node (PSN) is a mandatory node that provides network access, posture, guest access, client provisioning and profiling. The PSN evaluates the policy and applies it. Typically several PSNs are installed, especially in a distributed configuration, for more redundant and distributed operation. Naturally, these nodes are placed in different segments so that the ability to provide authenticated and authorized access is not lost for even a second.
Monitoring Node (MnT) is a mandatory node that stores event logs, the logs of the other nodes and the policies on the network. The MnT node provides advanced monitoring and troubleshooting tools, collects and correlates diverse data, and produces meaningful reports. Cisco ISE allows at most two MnT nodes, which gives fault tolerance in Active/Standby mode. Note, however, that logs are collected by both nodes, the active one and the standby one.
PxGrid Node (PXG) is a node that uses the PxGrid protocol and enables communication between other devices that support PxGrid.
PxGrid is a technology that provides integration of IT and information security products from different vendors: monitoring systems, intrusion detection and prevention systems, security policy management platforms and many other solutions. Cisco PxGrid lets you share context unidirectionally or bidirectionally with many platforms without the need for APIs, obtain TrustSec tags (SGT tags), change and apply ANC (Adaptive Network Control) policies, and perform profiling, that is, determine the device type, OS, location and more.
In a high-availability configuration, PxGrid nodes replicate information between the nodes through the PAN. If the PAN is down, the PxGrid node stops authenticating, authorizing and accounting users.
Below is a diagram of how the different Cisco ISE entities operate in a corporate network.
Figure 1. Cisco ISE Architecture
3. Requirements
Like most modern solutions, Cisco ISE can be deployed virtually or physically as a separate server.
The physical appliances that run the Cisco ISE software are called SNS (Secure Network Server). They come in three models: SNS-3615, SNS-3655 and SNS-3695, for small, medium and large businesses respectively. Table 1 shows the information from the SNS data sheet.
Table 1. Comparison of SNS appliances for different scales

| Indicator | SNS 3615 (Small) | SNS 3655 (Medium) | SNS 3695 (Large) |
|---|---|---|---|
| Endpoints supported in a Standalone deployment | 10000 | 25000 | 50000 |
| Endpoints supported per PSN | 10000 | 25000 | 100000 |
| CPU (Intel Xeon 2.10 GHz) | 8 cores | 12 cores | 12 cores |
| RAM | 32 GB (2 x 16 GB) | 96 GB (6 x 16 GB) | 256 GB (16 x 16 GB) |
| HDD | 1 x 600 GB | 4 x 600 GB | 8 x 600 GB |
| Hardware RAID | No | RAID 10, RAID controller present | RAID 10, RAID controller present |
| Network interfaces | 2 x 10Gbase-T, 4 x 1Gbase-T | 2 x 10Gbase-T, 4 x 1Gbase-T | 2 x 10Gbase-T, 4 x 1Gbase-T |
As for virtual deployment, the supported hypervisors are VMware ESXi (at least VMware virtual hardware version 11 on ESXi 6.0 is recommended), Microsoft Hyper-V and Linux KVM (RHEL 7.0). Resources should match those listed above or exceed them. The minimum requirements for the smallest virtual machine, for a small business, are: 2 CPUs at 2.0 GHz or higher, 16 GB RAM and 200 GB HDD.
Like most other Cisco products, ISE can be tried out in several ways:
dCloud - a cloud service with pre-built lab configurations (a Cisco account is required);
GVE request - a request for specific software from the Cisco portal (the partner route). You create a case with the following description: Product Type [ISE], ISE Software [ise-2.7.0.356.SPA.x8664], ISE Patch [ise-patchbundle-2.7.0.356-Patch2-20071516.SPA.x8664];
1) When creating the virtual machine, if you requested an ISO file rather than an OVA template, a window will appear in which ISE asks you to choose the installation. To start it, instead of a login and password you need to type "setup"!
Note: if you deployed ISE from an OVA template, the login details are admin/MyIseYPass2 (this and much more is stated in the official guide).
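To tie the architecture rules above (mandatory PAN, PSN and MnT personas, at most two PAN and two MnT nodes, PxGrid depending on the PAN) to the sizing figures in Table 1, here is an added example of a deployment-plan validator. It is not Cisco code and not part of the original article; the plan format, the function name and the N-1 PSN headroom check are assumptions of this example.

```python
from collections import Counter

# Endpoint ceilings per SNS model, taken from Table 1 of the article.
STANDALONE_LIMIT = {"SNS-3615": 10_000, "SNS-3655": 25_000, "SNS-3695": 50_000}
PER_PSN_LIMIT = {"SNS-3615": 10_000, "SNS-3655": 25_000, "SNS-3695": 100_000}


def validate_plan(nodes, endpoints):
    """Return a list of problems with a deployment plan (empty list = OK).

    nodes: list of (model, personas) tuples, e.g. ("SNS-3655", {"PAN", "MnT"});
    endpoints: the planned number of endpoints. (Format is this example's own.)
    """
    problems = []
    unknown = [m for m, _ in nodes if m not in PER_PSN_LIMIT]
    if unknown:
        return [f"unknown SNS model(s): {sorted(set(unknown))}"]
    roles = Counter(r for _, personas in nodes for r in personas)

    # PAN, PSN and MnT are mandatory personas; PxGrid is optional.
    for role in ("PAN", "PSN", "MnT"):
        if roles[role] == 0:
            problems.append(f"no {role} node: persona is mandatory")
    # At most two PAN and two MnT nodes (Active/Standby pairs).
    for role in ("PAN", "MnT"):
        if roles[role] > 2:
            problems.append(f"{roles[role]} {role} nodes: maximum is 2")
    # PxGrid replicates via the PAN and stops AAA without it.
    if roles["PxGrid"] and roles["PAN"] == 0:
        problems.append("PxGrid node without a PAN to replicate from")

    if len(nodes) == 1:
        # Standalone: every persona on one box, so the standalone ceiling applies.
        model = nodes[0][0]
        if endpoints > STANDALONE_LIMIT[model]:
            problems.append(f"{endpoints} endpoints exceed the standalone limit "
                            f"of {STANDALONE_LIMIT[model]} for {model}")
    else:
        # Distributed: capacity is the sum of per-PSN ceilings. The N-1 headroom
        # check (survive losing the largest PSN) is this example's assumption.
        caps = sorted(PER_PSN_LIMIT[m] for m, p in nodes if "PSN" in p)
        if caps and endpoints > sum(caps):
            problems.append(f"{endpoints} endpoints exceed total PSN capacity {sum(caps)}")
        elif len(caps) >= 2 and endpoints > sum(caps) - caps[-1]:
            problems.append("no headroom: losing the largest PSN drops below load")
    return problems
```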
Figure 2. Installing Cisco ISE
2) Next you need to fill in the required parameters such as the IP address, DNS, NTP and others.
Figure 3. Cisco ISE Initialization
3) After that the appliance will reboot, and you will be able to connect to the web interface at the IP address specified earlier.
Figure 4. Cisco ISE Web Interface
4) In the Administration > System > Deployment tab you can select which nodes (entities) are enabled on a given appliance. The PxGrid node is enabled here.
Figure 5. Cisco ISE Entity Management
5) Next, in the Administration > System > Admin Access > Authentication tab, I recommend configuring the password policy, the authentication method (certificate or password), the account expiration date and so on.
| Administrator group | Permissions | Restrictions |
|---|---|---|
| (group name not given on the page) | Can view the main dashboard, all reports, alarms and troubleshooting flows | Cannot modify, create or delete reports, alarms and authentication logs |
| Identity Admin | Management of users, privileges and roles; can view logs, reports and alarms | Cannot change policies or perform OS-level tasks |
| MnT Admin | Full monitoring, reports, alarms, logs and their management | Cannot change any policy |
| Network Device Admin | Rights to create and modify ISE objects, view logs, reports and the main dashboard | Cannot change policies or perform OS-level tasks |
| Policy Admin | Full control of all policies, profile changes, settings, viewing reports | Cannot change settings and identities, or ISE objects |
| RBAC Admin | All settings in the Operations section, ANC settings, report management | Cannot change policies other than ANC or perform OS-level tasks |
| Super Admin | Rights to all settings, reports and management; can delete and modify administrator profiles | Cannot modify or delete another profile in the Super Admin group |
| System Admin | All settings in the Operations section, system settings monitoring, ANC policies, viewing reports | Cannot change policies other than ANC or perform OS-level tasks |
| External RESTful Services (ERS) Admin | Full access to the Cisco ISE REST API | Only authorization, management of local users, hosts and security groups (SG) |
| External RESTful Services (ERS) Operator | Read permissions on the Cisco ISE REST API | Only authorization, management of local users, hosts and security groups (SG) |

Figure 11. Predefined Cisco ISE Administrator Groups
8) In the Admin Access > Authorization > RBAC Policy tab you can modify the rights of the predefined administrator groups.
Figure 12. Managing the rights of the predefined Cisco ISE administrator profiles
9) In the Administration > System > Settings tab all system-wide settings are available (DNS, NTP, SMTP and others). You can fill them in here if you skipped them during the initialization of the appliance.
5. Conclusion
This concludes the first article. We covered the capabilities of the Cisco ISE NAC solution, its architecture, minimum requirements and deployment options, as well as the initial setup.
In the next article we will look at creating accounts, integration with Microsoft Active Directory, and creating guest access.