Kupitiliza mndandanda wa zolemba pamutu wa bungwe VPN yakutali kupeza sindingachitire mwina koma kugawana zomwe ndakumana nazo zosangalatsa za kutumiza kasinthidwe ka VPN kotetezedwa kwambiri. Ntchito yosakhala yaing'ono idaperekedwa ndi kasitomala m'modzi (pali oyambitsa m'midzi yaku Russia), koma Vutoli lidavomerezedwa ndikukhazikitsidwa mwaluso. Zotsatira zake ndi lingaliro losangalatsa lomwe lili ndi izi:
- Zinthu zingapo zodzitchinjiriza pakulowa m'malo mwa cholumikizira (chomangirira kwambiri kwa wogwiritsa);
- Kuwunika kutsata kwa PC ya wogwiritsa ntchito ndi UDID yopatsidwa ya PC yololedwa mu nkhokwe yotsimikizika;
- Ndi MFA pogwiritsa ntchito PC UDID kuchokera ku satifiketi yotsimikizira yachiwiri kudzera pa Cisco DUO (Mutha kuphatikizira iliyonse yogwirizana ndi SAML/Radius);
- Kutsimikizika kwazinthu zambiri:
- Satifiketi ya wogwiritsa ntchito yotsimikizira kumunda ndi kutsimikizika kwachiwiri motsutsana ndi mmodzi wa iwo;
- Lowani (osasinthika, otengedwa ku satifiketi) ndi mawu achinsinsi;
- Kuyerekeza momwe wolumikizirayo alili (Posture)
Zomwe zimagwiritsidwa ntchito poyankha:
- Cisco ASA (VPN Gateway);
- Cisco ISE (Kutsimikizika / Kuvomerezeka / Kuwerengera, Kuwunika kwa State, CA);
- Cisco DUO (Multi-Factor Authentication) (Mutha kuphatikizira iliyonse yogwirizana ndi SAML/Radius);
- Cisco AnyConnect (Multi-purpose agent for workstations and mobile OS);
Tiyeni tiyambe ndi zomwe kasitomala amafuna:
- Wogwiritsa ntchito ayenera, kudzera mu kutsimikizika kwake kwa Login/Password, athe kutsitsa kasitomala wa AnyConnect kuchokera pachipata cha VPN; ma module onse ofunikira a AnyConnect ayenera kukhazikitsidwa okha malinga ndi mfundo za wogwiritsa ntchito;
- Wogwiritsa ntchitoyo azitha kutulutsa satifiketi (pachimodzi mwazinthuzi, chochitika chachikulu ndikutulutsa pamanja ndikuyika pa PC), koma ndidakhazikitsa zongowonetsera (sindinachedwe kuyichotsa).
- Kutsimikizika koyambira kuyenera kuchitika m'magawo angapo, choyamba pamakhala chitsimikiziro cha satifiketi ndikuwunika magawo ofunikira ndi zikhalidwe zawo, kenako kulowa / mawu achinsinsi, nthawi ino yokha dzina la ogwiritsa lomwe latchulidwa m'gawo la satifiketi liyenera kuyikidwa pawindo lolowera. Dzina la Mutu (CN) wopanda luso lotha kusintha.
- Muyenera kuwonetsetsa kuti chipangizo chomwe mukulowera ndi laputopu yamakampani yomwe imaperekedwa kwa wogwiritsa ntchito kuti mupeze mwayi wakutali, osati china. (Zosankha zingapo zapangidwa kuti zikwaniritse izi)
- Mkhalidwe wa chipangizo cholumikizira (panthawiyi PC) uyenera kuyesedwa ndi cheke cha tebulo lonse lazofunikira za kasitomala (mwachidule):
- Mafayilo ndi katundu wawo;
- Zolemba za registry;
- Zigamba za OS kuchokera pamndandanda woperekedwa (pambuyo pake SCCM kuphatikiza);
- Kupezeka kwa Anti-Virus kuchokera kwa wopanga mwapadera ndi kufunikira kwa siginecha;
- Ntchito za mautumiki ena;
- Kupezeka kwa mapulogalamu ena omwe adayikidwa;
Poyamba, ndikupangira kuti muyang'ane vidiyo yomwe ikuwonetsa zotsatira zake Youtube (5 mphindi).
Tsopano ndikulingalira kuti tiganizire zambiri za kukhazikitsa zomwe sizinafotokozedwe muvidiyoyi.
Tiyeni tikonzekere mbiri ya AnyConnect:
M'mbuyomu ndidapereka chitsanzo chopanga mbiri (molingana ndi chinthu cha menyu mu ASDM) m'nkhani yanga yokhazikitsa . Tsopano ndikufuna kuzindikira padera zosankha zomwe tidzafunikira:
Pambiri, tiwonetsa chipata cha VPN ndi dzina la mbiri yolumikizira kasitomala womaliza:
Tiyeni tikonze kuperekedwa kwa chiphaso chodziwikiratu kuchokera kumbali ya mbiri, kuwonetsa, makamaka, magawo a satifiketi ndipo, makamaka, tcherani khutu kumunda. Zoyamba (I), pomwe mtengo wake umalowetsedwa pamanja UDID makina oyesera (Chizindikiritso cha chipangizo chapadera chomwe chimapangidwa ndi kasitomala wa Cisco AnyConnect).
Apa ndikufuna kuti ndisinthe mawu, popeza nkhaniyi ikufotokoza lingaliro; pazolinga zowonetsera, UDID yopereka satifiketi imalowetsedwa m'gawo loyambira la mbiri ya AnyConnect. Inde, m'moyo weniweni, ngati muchita izi, ndiye kuti makasitomala onse adzalandira chiphaso chokhala ndi UDID yomweyo m'munda uno ndipo palibe chomwe chidzawathandize, chifukwa amafunikira UDID ya PC yawo yeniyeni. AnyConnect, mwatsoka, sichikuyikabe m'malo mwa gawo la UDID m'malo ofunsira satifiketi kudzera pakusintha kwachilengedwe, monga momwe zimakhalira, mwachitsanzo, ndikusintha. %USER%.
Ndizofunikira kudziwa kuti kasitomala (mwachiwonetserochi) poyambirira akukonzekera kutulutsa ziphaso zodziyimira pawokha ndi UDID yoperekedwa mumayendedwe apamanja ku Ma PC Otetezedwa, omwe sivuto kwa iye. Komabe, kwa ambiri aife tikufuna zokha (chabwino, kwa ine ndizowona =)).
Ndipo izi ndi zomwe ndingathe kupereka pankhani ya automation. Ngati AnyConnect sanathebe kutulutsa satifiketi yokha mwa kulowetsa UDID mwachangu, pali njira ina yomwe ingafune kulingalira pang'ono ndi manja aluso - ndikuwuzani lingalirolo. Choyamba, tiyeni tiwone momwe UDID imapangidwira pamakina osiyanasiyana ogwiritsira ntchito ndi AnyConnect wothandizira:
- Windows - SHA-256 hash ya kuphatikiza kwa DigitalProductID ndi kiyi yolembetsa ya Machine SID
- OSX - SHA-256 hash PlatformUUID
- Linux - SHA-256 hash ya UUID ya magawo a mizu.
- apulo iOS - SHA-256 hash PlatformUUID
- Android - Onani chikalata pa
Chifukwa chake, timapanga script ya Windows OS yathu yamakampani, ndi script iyi timawerengera UDID m'dera lanu pogwiritsa ntchito zolowa zodziwika ndikupanga pempho lopereka satifiketi polowetsa UDID iyi pagawo lofunikira, mwa njira, mutha kugwiritsanso ntchito makina. satifiketi yoperekedwa ndi AD (powonjezera kutsimikizika kawiri pogwiritsa ntchito satifiketi ku chiwembu Satifiketi Yambiri).
Tiyeni tikonzekere makonda kumbali ya Cisco ASA:
Tiyeni tipange TrustPoint ya seva ya ISE CA, ndi yomwe idzapereke ziphaso kwa makasitomala. Sindingaganizire njira yolowetsa Key-Chain; chitsanzo chikufotokozedwa m'nkhani yanga yokhazikitsira .
crypto ca trustpoint ISE-CA
enrollment terminal
crl configureTimakonza zogawa ndi Tunnel-Group kutengera malamulo malinga ndi magawo omwe ali pa satifiketi yomwe imagwiritsidwa ntchito kutsimikizira. Mbiri ya AnyConnect yomwe tidapanga kale idakonzedwanso pano. Chonde dziwani kuti ndikugwiritsa ntchito mtengo wake Chithunzi cha SECUREBANK-RA, kusamutsa ogwiritsa ntchito satifiketi yoperekedwa ku gulu la ngalande SECURE-BANK-VPN, chonde dziwani kuti ndili ndi gawo ili pamndandanda wofunsira satifiketi ya mbiri ya AnyConnect.
tunnel-group-map enable rules
!
crypto ca certificate map OU-Map 6
subject-name attr ou eq securebank-ra
!
webvpn
anyconnect profiles SECUREBANK disk0:/securebank.xml
certificate-group-map OU-Map 6 SECURE-BANK-VPN
!Kukhazikitsa ma seva otsimikizira. Kwa ine, iyi ndi ISE pagawo loyamba la kutsimikizika ndi DUO (Radius Proxy) monga MFA.
! CISCO ISE
aaa-server ISE protocol radius
authorize-only
interim-accounting-update periodic 24
dynamic-authorization
aaa-server ISE (inside) host 192.168.99.134
key *****
!
! DUO RADIUS PROXY
aaa-server DUO protocol radius
aaa-server DUO (inside) host 192.168.99.136
timeout 60
key *****
authentication-port 1812
accounting-port 1813
no mschapv2-capable
!Timapanga ndondomeko zamagulu ndi magulu a tunnel ndi zigawo zake zothandizira:
Gulu la tunnel ZokhazikikaWEBVPNGulu idzagwiritsidwa ntchito makamaka kutsitsa kasitomala wa AnyConnect VPN ndikupereka satifiketi yogwiritsa ntchito SCEP-Proxy function ya ASA; chifukwa cha ichi tili ndi zosankha zomwe zakhazikitsidwa pagulu lokha komanso pagulu lomwe likugwirizana nawo. AC-kutsitsa, ndi mbiri yodzaza ya AnyConnect (magawo operekera satifiketi, ndi zina). Komanso mu ndondomeko ya gululi tikuwonetsa kufunika kotsitsa ISE Posture Module.
Gulu la tunnel SECURE-BANK-VPN idzagwiritsidwa ntchito ndi kasitomala potsimikizira ndi satifiketi yomwe idaperekedwa kale, chifukwa, molingana ndi Mapu a Satifiketi, kulumikizanaku kudzagwera makamaka pagulu ili. Ndikuuzani zosankha zosangalatsa apa:
- secondary-authentication-server-group DUO # Khazikitsani kutsimikizika kwachiwiri pa seva ya DUO (Radius Proxy)
- username-from-certificateCN # Pakutsimikizira koyambirira, timagwiritsa ntchito gawo la CN la satifiketi kuti tilandire kulowa kwa wosuta
- wachiwiri-wogwiritsa-kuchokera-satifiketi I # Pakutsimikizika kwachiwiri pa seva ya DUO, timagwiritsa ntchito dzina lolowera ndi magawo oyambira (I) a satifiketi.
- tsitsanitu-username kasitomala # pangani dzina lolowera lidadzaza pawindo lotsimikizira popanda kusintha
- kasitomala wachiwiri-asanadzaze-dzina-wogwiritsa ntchito amabisa kankhani-wamba-achinsinsi # Timabisa zenera lolowera / mawu achinsinsi kuti mutsimikizire DUO yachiwiri ndikugwiritsa ntchito njira yodziwitsa (sms/push/foni) - dock kuti mupemphe kutsimikizika m'malo mwa mawu achinsinsi
!
access-list posture-redirect extended permit tcp any host 72.163.1.80
access-list posture-redirect extended deny ip any any
!
access-list VPN-Filter extended permit ip any any
!
ip local pool vpn-pool 192.168.100.33-192.168.100.63 mask 255.255.255.224
!
group-policy SECURE-BANK-VPN internal
group-policy SECURE-BANK-VPN attributes
dns-server value 192.168.99.155 192.168.99.130
vpn-filter value VPN-Filter
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
default-domain value ashes.cc
address-pools value vpn-pool
webvpn
anyconnect ssl dtls enable
anyconnect mtu 1300
anyconnect keep-installer installed
anyconnect ssl keepalive 20
anyconnect ssl rekey time none
anyconnect ssl rekey method ssl
anyconnect dpd-interval client 30
anyconnect dpd-interval gateway 30
anyconnect ssl compression lzs
anyconnect dtls compression lzs
anyconnect modules value iseposture
anyconnect profiles value SECUREBANK type user
!
group-policy AC-DOWNLOAD internal
group-policy AC-DOWNLOAD attributes
dns-server value 192.168.99.155 192.168.99.130
vpn-filter value VPN-Filter
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
default-domain value ashes.cc
address-pools value vpn-pool
scep-forwarding-url value http://ise.ashes.cc:9090/auth/caservice/pkiclient.exe
webvpn
anyconnect ssl dtls enable
anyconnect mtu 1300
anyconnect keep-installer installed
anyconnect ssl keepalive 20
anyconnect ssl rekey time none
anyconnect ssl rekey method ssl
anyconnect dpd-interval client 30
anyconnect dpd-interval gateway 30
anyconnect ssl compression lzs
anyconnect dtls compression lzs
anyconnect modules value iseposture
anyconnect profiles value SECUREBANK type user
!
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool vpn-pool
authentication-server-group ISE
accounting-server-group ISE
default-group-policy AC-DOWNLOAD
scep-enrollment enable
tunnel-group DefaultWEBVPNGroup webvpn-attributes
authentication aaa certificate
!
tunnel-group SECURE-BANK-VPN type remote-access
tunnel-group SECURE-BANK-VPN general-attributes
address-pool vpn-pool
authentication-server-group ISE
secondary-authentication-server-group DUO
accounting-server-group ISE
default-group-policy SECURE-BANK-VPN
username-from-certificate CN
secondary-username-from-certificate I
tunnel-group SECURE-BANK-VPN webvpn-attributes
authentication aaa certificate
pre-fill-username client
secondary-pre-fill-username client hide use-common-password push
group-alias SECURE-BANK-VPN enable
dns-group ASHES-DNS
!Kenako timapita ku ISE:
Timakonza wogwiritsa ntchito wamba (mutha kugwiritsa ntchito AD/LDAP/ODBC, ndi zina zotero), kuti zikhale zosavuta, ndidapanga wogwiritsa ntchito wamba mu ISE yomwe ndikuipereka m'munda. Kufotokoza UDID PC komwe amaloledwa kulowa kudzera pa VPN. Ngati ndigwiritsa ntchito kutsimikizika kwanuko pa ISE, ndikhala ndi chida chimodzi chokha, popeza palibe magawo ambiri, koma m'malo ovomerezeka a chipani chachitatu sindikhala ndi zoletsa zotere.
Tiyeni tiwone ndondomeko yovomerezeka, yagawidwa m'magawo anayi ogwirizanitsa:
- Gawo 1 - Ndondomeko yotsitsa wothandizira wa AnyConnect ndikupereka satifiketi
- Gawo 2 - Ndondomeko yotsimikizika yoyambira Lowani (kuchokera pa satifiketi)/Password + Sitifiketi yokhala ndi UDID yovomerezeka
- Gawo 3 - Kutsimikizika kwachiwiri kudzera pa Cisco DUO (MFA) pogwiritsa ntchito UDID monga dzina lolowera + State assessment
- Gawo 4 - Chilolezo chomaliza chili m'boma:
- Wogwirizana;
- Chitsimikizo cha UDID (kuchokera ku satifiketi + yomangiriza kulowa),
- Cisco DUO MFA;
- Kutsimikizira ndi kulowa;
- Chitsimikizo cha satifiketi;
Tiyeni tiwone mkhalidwe wosangalatsa UUID_VALIDATED, zikuwoneka ngati wogwiritsa ntchitoyo adachokera pa PC yokhala ndi UDID yololedwa yolumikizidwa m'mundamo. Kufotokozera akaunti, zinthu zikuwoneka motere:
Mbiri yovomerezeka yomwe imagwiritsidwa ntchito pamagawo 1,2,3 ndi motere:
Mutha kuyang'ana ndendende momwe UDID yochokera kwa kasitomala wa AnyConnect imafikira kwa ife poyang'ana tsatanetsatane wamakasitomala mu ISE. Mwatsatanetsatane tiwona kuti AnyConnect kudzera pamakina ACIDEX imatumiza osati zambiri zokhudza nsanja, komanso UDID ya chipangizo monga Cisco-AV-PAIR:
Tiyeni tiyang'ane pa satifiketi yoperekedwa kwa wogwiritsa ntchito komanso gawo Zoyamba (I), yomwe imagwiritsidwa ntchito kuitenga ngati malowedwe ovomerezeka a MFA yachiwiri pa Cisco DUO:
Pa mbali ya DUO Radius Proxy mu chipikacho titha kuona bwino momwe pempho lovomerezeka limapangidwira, limabwera pogwiritsa ntchito UDID monga dzina lolowera:
Kuchokera pa doko la DUO tikuwona chochitika chotsimikizika chopambana:
Ndipo muzogwiritsa ntchito zomwe ndakhazikitsa ALIAS, yomwe ndidagwiritsa ntchito polowera, iyi ndiye UDID ya PC yololedwa kulowa:
Chifukwa chake tapeza:
- Multi-factor wosuta ndi chipangizo kutsimikizika;
- Chitetezo ku kuwonongeka kwa chipangizo cha wosuta;
- Kuwunika momwe chipangizocho chilili;
- Kuthekera kwa kuwongolera kowonjezereka ndi satifiketi yamakina amtundu, ndi zina;
- Chitetezo chokwanira chakutali ndi ma module otetezedwa;
Maulalo azolemba za Cisco VPN:
Source: www.habr.com