Cisco ISE: Introduction, requirements, installation. Part 1

1. Introduction

Any company, even the smallest, needs authentication, authorization and accounting of its users (the AAA family of protocols). At the first stage, AAA is implemented well enough with protocols such as RADIUS, TACACS+ and DIAMETER. However, as the number of users and the company itself grow, so does the number of tasks: maximum visibility of guests and BYOD devices, multi-factor authentication, building a multi-level access policy and much more.

For such tasks, the NAC (Network Access Control) class of solutions is an excellent fit. In a series of articles dedicated to Cisco ISE (Identity Services Engine), a NAC solution that provides controlled network access to users on the internal network, we will look in detail at the architecture, deployment, configuration and licensing of the product.

Let me briefly remind you that Cisco ISE allows you to:

  • Quickly and easily create guest access in a dedicated WLAN;

  • Detect BYOD devices (for example, employees' home PCs that they brought to work);

  • Centralize and enforce security policies for domain and non-domain users using security group tags (SGT, TrustSec);

  • Check computers for the presence of certain installed software and compliance with standards (posturing);

  • Classify and profile endpoint and network devices;

  • Provide endpoint visibility;

  • Send user logon/logoff events and their accounts (identity) to the NGFW to build user-based policy;

  • Integrate with Cisco StealthWatch and quarantine suspicious hosts involved in security incidents (more details);

  • And other standard functions of AAA servers.

Colleagues in the industry have already written about Cisco ISE, so I recommend reading: Cisco ISE implementation practices, How to prepare for a Cisco ISE implementation.

2. Architecture

The Identity Services Engine architecture consists of 4 entities (nodes): the administration node (Policy Administration Node), the policy service node (Policy Service Node), the monitoring node (Monitoring Node) and the PxGrid node (PxGrid Node). Cisco ISE can run in a standalone or a distributed deployment. In the Standalone version, all entities are located on a single virtual machine or dedicated appliance (Secure Network Server, SNS), while in the Distributed version the nodes are spread across different devices.

The Policy Administration Node (PAN) is a mandatory node that lets you perform all administrative operations on Cisco ISE. It manages all system configuration related to AAA. In a distributed deployment (the nodes can be installed as separate virtual machines), you can have a maximum of two PANs for fault tolerance, in Active/Standby mode.

The Policy Service Node (PSN) is a mandatory node that provides network access, posture, guest access, client provisioning services and profiling. The PSN evaluates policy and enforces it. Typically several PSNs are installed, especially in a distributed deployment, for greater redundancy and load distribution. Naturally, these nodes are placed in different segments so that the ability to provide authenticated and authorized access is not lost even for a second.

The Monitoring Node (MnT) is a mandatory node that stores event logs, the logs of the other nodes and policies on the network. The MnT node provides advanced monitoring and troubleshooting tools, collects and sorts various data, and also generates meaningful reports. Cisco ISE allows a maximum of two MnT nodes, which form a fault-tolerant Active/Standby pair. However, logs are collected by both nodes, the active and the passive one.

The PxGrid Node (PXG) is a node that uses the PxGrid protocol and allows communication between other devices that support PxGrid.

PxGrid is a protocol that enables the integration of IT and information security products from different vendors: monitoring systems, intrusion detection and prevention systems, security policy management platforms and many other solutions. Cisco PxGrid lets you share context unidirectionally or bidirectionally with many platforms without the need for an API, which makes it possible to use TrustSec technology (SGT tags), change and apply ANC (Adaptive Network Control) policies, and also perform profiling: determining the device model, OS, location and so on.

In a high-availability configuration, PxGrid nodes replicate information between nodes through the PAN. If the PAN fails, the PxGrid node stops authentication, authorization and profiling of users.

Below is an illustrative example of how the different Cisco ISE entities are used within a corporate network.

Figure 1. Cisco ISE Architecture

3. Requirements

Cisco ISE can be deployed, like most modern solutions, either virtually or physically as a separate server.

The physical devices running the Cisco ISE software are called SNS (Secure Network Server). They come in three models: SNS-3615, SNS-3655 and SNS-3695 for small, medium and large businesses. Table 1 shows information from the SNS datasheet.

Table 1. Comparison of SNS appliances for different scales

| Parameter | SNS 3615 (Small) | SNS 3655 (Medium) | SNS 3695 (Large) |
|---|---|---|---|
| Endpoints supported in a Standalone deployment | 10000 | 25000 | 50000 |
| Endpoints supported per PSN | 10000 | 25000 | 100000 |
| CPU (Intel Xeon 2.10 GHz) | 8 cores | 12 cores | 12 cores |
| RAM | 32 GB (2 x 16 GB) | 96 GB (6 x 16 GB) | 256 GB (16 x 16 GB) |
| HDD | 1 x 600 GB | 4 x 600 GB | 8 x 600 GB |
| Hardware RAID | none | RAID 10, with RAID controller | RAID 10, with RAID controller |
| Network interfaces | 2 x 10GBASE-T, 4 x 1GBASE-T | 2 x 10GBASE-T, 4 x 1GBASE-T | 2 x 10GBASE-T, 4 x 1GBASE-T |

As for virtual deployments, the supported hypervisors are VMware ESXi (a minimum of VMware version 11 for ESXi 6.0 is recommended), Microsoft Hyper-V and Linux KVM (RHEL 7.0). The resources should match the table above or exceed it. That said, the minimum requirements for a small-business virtual machine are: 2 CPUs with a clock speed of 2.0 GHz or higher, 16 GB of RAM and a 200 GB HDD.

For other Cisco ISE deployment details, please contact us or see source #1, source #2.

4. Installation

Like most other Cisco products, ISE can be tried out in several ways:

  • dcloud - a cloud service with pre-configured lab scenarios (a Cisco account is required);

  • GVE request - a request for specific software from the Cisco site (the route for partners). You open a case with the following typical details: Product type [ISE], ISE Software [ise-2.7.0.356.SPA.x8664], ISE Patch [ise-patchbundle-2.7.0.356-Patch2-20071516.SPA.x8664];

  • pilot project - contact any authorized partner to run a free pilot project.

1) After creating the virtual machine, if you requested an ISO file rather than an OVA template, a window appears in which ISE asks you to choose an installation. To do this, instead of a login and password, you must type "setup"!

Note: if you deployed ISE from the OVA template, the login credentials are admin/MyIseYPass2 (this and more is given in the official guide).

Figure 2. Installing Cisco ISE

2) Then you need to fill in the required fields such as the IP address, DNS, NTP and others.

Figure 3. Initializing Cisco ISE

3) After that, the device reboots, and you will be able to connect through the web interface using the IP address specified earlier.

Figure 4. Cisco ISE Web Interface

4) In the Administration > System > Deployment tab you can choose which nodes (personas) are enabled on a given device. The PxGrid node is enabled here.

Figure 5. Cisco ISE Node Management

5) Then, in the Administration > System > Admin Access > Authentication tab, I recommend setting a password policy, the authentication method (certificate or password), the account expiration date and other settings.

Figure 6. Configuring the authentication type
Figure 7. Configuring the password policy
Figure 8. Configuring account disabling after a period of inactivity
Figure 9. Configuring account lockout

6) In the Administration > System > Admin Access > Administrators > Admin Users > Add tab you can create a new administrator.

Figure 10. Creating a Cisco ISE Administrator

7) The new administrator can be a member of a new group or of an already configured group. Administrator groups are managed in the same table on the Admin Groups tab. Table 2 summarizes the ISE administrator groups, their rights and roles.

Table 2. Cisco ISE Administrator Groups, Access Levels, Permissions and Restrictions

| Admin group name | Permissions | Restrictions |
|---|---|---|
| Customization Admin | Configuring guest and sponsor portals, their management and customization | Cannot change policies or view reports |
| Helpdesk Admin | Can view the main dashboard, all reports, alarms and troubleshooting flows | Cannot change, create or delete reports, alarms and authentication records |
| Identity Admin | Managing users, privileges and roles; can view logs, reports and alarms | Cannot change policies or perform operations at the OS level |
| MnT Admin | Full monitoring: reports, alarms, logs and their management | Cannot change any policies |
| Network Device Admin | Rights to create and modify ISE objects, view logs, reports and the main dashboard | Cannot change policies or perform operations at the OS level |
| Policy Admin | Full control of all policies, changing profiles and settings, viewing reports | Cannot perform deployment and identity configuration, or manage ISE objects |
| RBAC Admin | All operations in the Operations tab, configuring ANC policies, identity management | Cannot change policies other than ANC or perform operations at the OS level |
| Super Admin | Rights to all settings, reports and management; can delete and modify administrator credentials | Cannot modify or delete another account in the Super Admin group |
| System Admin | All operations in the Operations tab, management of system settings, ANC policies, viewing reports | Cannot change policies other than ANC or perform operations at the OS level |
| External RESTful Services (ERS) Admin | Full access to the Cisco ISE REST API | Only for authorization, management of local users, hosts and security groups (SG) |
| External RESTful Services (ERS) Operator | Read permissions on the Cisco ISE REST API | Only for authorization, management of local users, hosts and security groups (SG) |

Figure 11. Cisco ISE Administrator Groups
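The last two rows of Table 2 are the groups you hand to automation, and the difference between them is visible on the wire: an ERS Operator account gets HTTP 200 on GET and HTTP 403 on any write, while an ERS Admin account gets both. The following Python client is an added example, not code from the article or from Cisco. It assumes that ERS is enabled on the node (Administration > System > Settings > ERS Settings) and listens on TCP 9060, that the account is a member of one of the two ERS groups, and that `ise.example.invalid`, the `fake_ise` transport and the sample endpoint JSON are constructed stand-ins so the script runs offline; pass `urllib_transport` instead to talk to a real node.

```python
"""Small Cisco ISE ERS client that makes the admin-group limits from Table 2 observable.

Added example, not code from the article or from Cisco. Assumptions: ERS is enabled on the
node and listens on TCP 9060; the account is in the ERS Operator (read-only) or ERS Admin
(read/write) group; fake_ise() and its JSON are constructed stand-ins for offline use.
"""
import base64
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

ERS_PORT = 9060
# A transport sends a prepared Request and returns (HTTP status, response body).
Transport = Callable[[urllib.request.Request], Tuple[int, bytes]]


def urllib_transport(req: urllib.request.Request) -> Tuple[int, bytes]:
    """Real transport: HTTP errors are returned as (status, body) instead of raised."""
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class ErsPermissionError(Exception):
    """ISE refused the call because of the account's ERS group (HTTP 401 or 403)."""


class ErsClient:
    def __init__(self, host: str, username: str, password: str,
                 transport: Transport = urllib_transport) -> None:
        self.base = f"https://{host}:{ERS_PORT}/ers/config"
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.headers = {"Accept": "application/json",
                        "Content-Type": "application/json",
                        "Authorization": f"Basic {token}"}
        self.transport = transport

    def _call(self, method: str, url: str, payload: Optional[dict] = None) -> dict:
        data = json.dumps(payload).encode() if payload is not None else None
        req = urllib.request.Request(url, data=data, headers=self.headers, method=method)
        status, body = self.transport(req)
        if status == 401:
            raise ErsPermissionError("bad credentials or account not in an ERS admin group")
        if status == 403:
            raise ErsPermissionError(f"{method} denied: account has read-only ERS rights")
        if status >= 400:
            raise RuntimeError(f"ERS returned HTTP {status}: {body[:200]!r}")
        return json.loads(body) if body else {}

    def list_all(self, resource: str, page_size: int = 100) -> List[Dict[str, str]]:
        """Follow SearchResult.nextPage links until a collection (e.g. 'endpoint') is exhausted."""
        url = f"{self.base}/{resource}?size={page_size}&page=1"
        items: List[Dict[str, str]] = []
        while url:
            result = self._call("GET", url)["SearchResult"]
            items.extend({"id": r["id"], "name": r["name"]} for r in result.get("resources", []))
            url = (result.get("nextPage") or {}).get("href")
        return items

    def create_internal_user(self, name: str, password: str) -> bool:
        """Write call: allowed for ERS Admin, rejected with 403 for ERS Operator."""
        body = {"InternalUser": {"name": name, "password": password, "enabled": True}}
        self._call("POST", f"{self.base}/internaluser", body)
        return True


def fake_ise(role: str) -> Transport:
    """Constructed stand-in for an ISE node: 'operator' accepts reads only, 'admin' also writes."""
    next_href = f"https://ise.example.invalid:{ERS_PORT}/ers/config/endpoint?size=2&page=2"
    pages = {
        1: {"SearchResult": {"total": 3, "nextPage": {"href": next_href}, "resources": [
            {"id": "e1", "name": "00:11:22:33:44:55"}, {"id": "e2", "name": "00:11:22:33:44:56"}]}},
        2: {"SearchResult": {"total": 3, "resources": [{"id": "e3", "name": "00:11:22:33:44:57"}]}},
    }

    def transport(req: urllib.request.Request) -> Tuple[int, bytes]:
        if req.get_method() == "GET":
            return 200, json.dumps(pages[2 if "page=2" in req.full_url else 1]).encode()
        if role == "admin":
            return 201, b""
        return 403, b'{"ERSResponse": {"message": "Forbidden"}}'

    return transport


def probe_rights(client: ErsClient) -> Dict[str, object]:
    """List endpoints, then try one write. Against a live node the write creates a user
    if the account is ERS Admin, so run this only with an account expected to be read-only."""
    names = [e["name"] for e in client.list_all("endpoint", page_size=2)]
    try:
        client.create_internal_user("probe-user", "Probe-Passw0rd!")
        write_allowed = True
    except ErsPermissionError:
        write_allowed = False
    return {"endpoints": names, "write_allowed": write_allowed}


if __name__ == "__main__":
    for role in ("operator", "admin"):
        client = ErsClient("ise.example.invalid", f"ers-{role}", "secret", fake_ise(role))
        print(role, probe_rights(client))
```

The point of `probe_rights` is a least-privilege check for integration accounts: a monitoring or SIEM connector that only needs inventory should report `write_allowed: False`, which is exactly what membership in ERS Operator rather than ERS Admin gives you.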

8) By selecting Authorization > Permissions > RBAC Policy from the list you can adjust the rights of the preset administrator profiles.

Figure 12. Cisco ISE Administrator Preset Profile Rights Management

9) In the Administration > System > Settings tab all system settings are available (DNS, NTP, SMTP and others). You can fill them in here if you skipped them during the initial setup of the device.

5. Conclusion

This concludes the first article. We discussed the usefulness of the Cisco ISE NAC solution, its architecture, minimum requirements and deployment options, and the initial installation.

In the next article we will look at creating accounts, integration with Microsoft Active Directory, and creating guest access.

If you have questions on this topic or need help testing the product, please contact us at the link.

Stay tuned for updates on our channels (Telegram, Facebook, VK, TS Solution Blog, Yandex Zen).

Source: www.habr.com