Faʻaauau le faasologa o tala i le autu o le faʻalapotopotoga VPN Avanoa Mamao avanoa E le mafai ona ou fesoasoani ae faʻasoa atu laʻu poto masani faʻapipiʻiina fa'amautu VPN fa'amautu. O se galuega e le taua tele na tuʻuina atu e se tasi tagata faʻatau (o loʻo i ai tagata suʻesuʻe i nuʻu Rusia), ae na talia le Luʻitau ma faʻatinoina ma le faʻatinoina. O le taunuuga o se manatu manaia ma uiga nei:
- Le tele o mea taua o le puipuiga mai le suitulaga o le masini fa'amau (fa'atasi ai ma le fusifusia malosi i le tagata fa'aoga);
- Iloiloina o le tausisia o le PC a le tagata faʻaoga ma le UDID tofia o le PC faʻatagaina i totonu o faʻamaumauga faʻamaonia;
- Faatasi ai ma le MFA o loʻo faʻaogaina le PC UDID mai le tusi faamaonia mo faʻamaoniga lona lua e ala i Cisco DUO (E mafai ona e fa'apipi'i so'o se SAML/Radius e fetaui);
- Fa'amaoniaga fa'aopoopo:
- Tusipasi a le tagata faʻaoga faʻatasi ma faʻamaoniga fanua ma faʻamaoniga lona lua e faasaga i se tasi oi latou;
- Ulufale (e le suia, ave mai le tusi faamaonia) ma upu faataga;
- Fa'atatauina le tulaga o le 'au feso'ota'i (Posture)
Vaega fofo fa'aaogaina:
- Cisco ASA (VPN Gateway);
- Cisco ISE (Faʻamaoniga / Faʻatagaina / Tausitusi, Iloiloga a le Setete, CA);
- Cisco DUO (Fa'amautuga Fa'apitoa) (E mafai ona e fa'apipi'i so'o se SAML/Radius e fetaui);
- Cisco AnyConnect (Sui faʻapitoa mo fale faigaluega ma OS feaveaʻi);
Tatou amata i manaoga o le tagata faatau:
- E tatau i le tagata fa'aoga, e ala i lana fa'amaoniga o le Login/Password, ona mafai ona la'u maia le AnyConnect client mai le faitoto'a VPN; e tatau ona fa'apipi'i otometi uma fa'aoga AnyConnect e tusa ai ma faiga fa'avae a le tagata fa'aoga;
- E tatau i le tagata faʻaoga ona mafai ona otometi ona tuʻuina atu se tusi faamaonia (mo se tasi o faʻataʻitaʻiga, o le faʻaaliga autu o le tuʻuina atu o tusi lesona ma le faʻapipiʻiina i luga o se PC), ae na ou faʻatinoina le faʻamatalaga otometi mo faʻataʻitaʻiga (e leʻi tuai ona aveese).
- O le faʻamaoniga autu e tatau ona faia i le tele o laʻasaga, muamua o loʻo i ai le faʻamaoniga faʻamaonia ma le auʻiliʻiliga o fanua manaʻomia ma o latou tau, ona saini lea / password, naʻo le taimi lea o le igoa faʻaoga faʻamaonia i totonu o le tusi faʻamaonia e tatau ona tuʻuina i totonu o le faʻamalama saini. Igoa Mataupu (CN) e aunoa ma le tomai e fa'asa'o.
- E tatau ona e mautinoa o le masini o loʻo e saini i totonu o le komepiuta faʻapipiʻi tuʻuina atu i le tagata faʻaoga mo avanoa mamao, ae le o se isi mea. (E tele filifiliga ua faia e faʻamalieina ai lenei manaʻoga)
- Ole tulaga ole masini fa'afeso'ota'i (i lenei la'asaga PC) e tatau ona su'esu'eina ma se siaki o se laulau maualuga atoa o mana'oga o tagata fa'atau (aoteleina):
- Faila ma a latou meatotino;
- Tusitala fa'amaumauga;
- OS patches mai le lisi tuʻuina atu (mulimuli ane SCCM tuʻufaʻatasiga);
- Avanoa o Anti-Virus mai se tagata gaosi oloa ma le talafeagai o saini;
- Gaoioiga o nisi auaunaga;
- Avanoa o nisi polokalame faʻapipiʻi;
I le amataga, ou te fautua atu e te vaʻavaʻai i le faʻataʻitaʻiga vitio o le taunuuga o le faʻatinoga Youtube (5 minute).
O lea ou te fautua atu e mafaufau i faʻamatalaga faʻatinoga e le o aofia i le vitio.
Se'i o tatou saunia le fa'amatalaga so'o se AnyConnect:
Na ou tuʻuina atu muamua se faʻataʻitaʻiga o le fatuina o se faʻamatalaga (i tulaga o se lisi lisi i le ASDM) i laʻu tusiga i luga o le seti . O lenei ou te manaʻo e vaʻavaʻai eseʻese filifiliga o le a tatou manaʻomia:
I le talaaga, matou te faʻaalia le faitotoa VPN ma le igoa faʻamatalaga mo le faʻafesoʻotaʻi i le tagata faʻaiʻu:
Sei o tatou faʻatulagaina le tuʻuina atu otometi o se tusi faamaonia mai le itu faʻamatalaga, faʻaalia, aemaise lava, faʻailoga tusi pasi ma, faʻapitoa, faʻalogo i le fanua Mataimata (I), lea o lo'o tu'uina ma le lima se tau fa'apitoa UID masini su'esu'e (Fa'ailoaina masini tulaga ese e gaosia e le Cisco AnyConnect client).
O iinei ou te manaʻo e fai se faʻasalalauga faʻasalalau, talu ai o lenei tusiga o loʻo faʻamatalaina le manatu; mo faʻamoemoega faʻataʻitaʻiga, o le UDID mo le tuʻuina atu o se tusi faamaonia o loʻo ulufale i totonu o le Initials field o le AnyConnect profile. Ioe, i le olaga moni, afai e te faia lenei mea, o le a maua uma e tagata faʻatau se tusi faamaonia ma le UDID tutusa i lenei fanua ma e leai se mea e aoga mo i latou, talu ai latou te manaʻomia le UDID o latou PC patino. AnyConnect, o le mea e leaga ai, e leʻi faʻaaogaina le sui o le UDID fanua i totonu o le faʻamatalaga talosaga tusi pasi e ala i se fesuiaiga o le siosiomaga, e pei ona faia, mo se faʻataʻitaʻiga, ma se fesuiaiga. %USER%.
E taua le maitauina o le tagata faʻatau (o lenei faʻataʻitaʻiga) na muamua fuafua e tuʻu tutoʻatasi tusi pasi faʻatasi ma se UDID tuʻuina atu i le faʻaoga tusi i ia PC Puipuia, e le o se faʻafitauli mo ia. Ae ui i lea, mo le toʻatele o tatou matou te mananaʻo i le masini (ia, mo aʻu e moni =)).
Ma o le mea lea e mafai ona ou ofoina atu i tulaga o masini. Afai e le mafai e AnyConnect ona tuʻuina atu se tusi faamaonia e aunoa ma le suia o le UDID, o loʻo i ai se isi auala e manaʻomia ai sina mafaufauga fatufatuaʻi ma lima tomai - o le a ou taʻu atu ia te oe le manatu. Muamua, seʻi o tatou vaʻavaʻai pe faʻafefea ona faʻatupuina le UDID i luga o faiga faʻaoga eseese e le sui soʻo seConnect:
- pupuni - SHA-256 hash o le tuʻufaʻatasiga o le DigitalProductID ma le masini resitala SID ki
- OSX — SHA-256 hash PlatformUUID
- Linux - SHA-256 hash o le UUID o le vaeluaga o aʻa.
- Apple iOS — SHA-256 hash PlatformUUID
- Android - Va'ai pepa o lo'o i luga
E tusa ai ma lea, matou te fatuina se tusitusiga mo la matou kamupani Windows OS, faatasi ai ma lenei tusitusiga matou te fuafua i le lotoifale le UDID e faʻaaoga ai mea faʻapitoa ma fai se talosaga mo le tuʻuina atu o se tusi faamaonia e ala i le ulufale i lenei UDID i le fanua manaʻomia, i le ala, e mafai foi ona e faʻaogaina se masini. tusi faamaonia na tuʻuina atu e le AD (e ala i le faʻaopoopoina o faʻamaoniga faʻalua e faʻaaoga ai se tusi faamaonia i le polokalame Tele Tusi Faamaonia).
Sei o tatou saunia tulaga ile Cisco ASA itu:
Sei o tatou fatuina se TrustPoint mo le ISE CA server, o le a avea ma se tasi e tuʻuina atu tusi faamaonia i tagata faʻatau. O le a ou le mafaufau i le Key-Chain import process; o se faʻataʻitaʻiga o loʻo faʻamatalaina i laʻu seti tusiga .
crypto ca trustpoint ISE-CA
enrollment terminal
crl configureMatou te faʻatulagaina le tufatufaina atu e le Tunnel-Group e faʻavae i luga o tulafono e tusa ai ma fanua i totonu o le tusi faamaonia o loʻo faʻaaogaina mo le faʻamaonia. O le AnyConnect profile na matou faia i le laasaga muamua o loʻo faʻatulagaina foi iinei. Faamolemole ia matau o loo ou faaaogaina le tau SECUREBANK-RA, e fa'afeiloa'i ai tagata fa'aoga ma se tusi faamaonia na tu'uina atu i se vaega alavai SECURE-BANK-VPN, fa'amolemole maitau o lo'o ia te a'u le fanua lea i le koluma talosaga tusi fa'ailoga a AnyConnect.
tunnel-group-map enable rules
!
crypto ca certificate map OU-Map 6
subject-name attr ou eq securebank-ra
!
webvpn
anyconnect profiles SECUREBANK disk0:/securebank.xml
certificate-group-map OU-Map 6 SECURE-BANK-VPN
!Fa'atulaga 'au'aunaga fa'amaonia. I loʻu tulaga, o le ISE lea mo le laasaga muamua o le faʻamaonia ma le DUO (Radius Proxy) e pei o le MFA.
! CISCO ISE
aaa-server ISE protocol radius
authorize-only
interim-accounting-update periodic 24
dynamic-authorization
aaa-server ISE (inside) host 192.168.99.134
key *****
!
! DUO RADIUS PROXY
aaa-server DUO protocol radius
aaa-server DUO (inside) host 192.168.99.136
timeout 60
key *****
authentication-port 1812
accounting-port 1813
no mschapv2-capable
!Matou te faia faiga faʻavae faʻavae ma faʻalapotopotoga alavai ma a latou vaega fesoasoani:
Tunnel group DefaultWEBVPNGroup o le a faʻaaogaina muamua e sii mai ai le AnyConnect VPN client ma tuʻuina atu se tusi faʻaoga faʻaoga e faʻaaoga ai le SCEP-Proxy galuega a le ASA; mo lenei mea o loʻo i ai a matou filifiliga talafeagai e faʻagaoioia uma i luga o le tunnel group lava ia ma luga ole faiga faʻavae vaega. AC-Download, ma luga o le faʻailoga AnyConnect ua faʻapipiʻiina (fanua mo le tuʻuina atu o se tusi faamaonia, ma isi). E fa'apea fo'i i totonu o lenei vaega faiga fa'avae matou te fa'ailoa mai ai le mana'omia e la'u mai ai ISE Posture Module.
Tunnel group SECURE-BANK-VPN o le a otometi lava ona faʻaaogaina e le kalani pe a faʻamaonia ma le tusi faamaonia na tuʻuina atu i le laasaga muamua, talu ai, e tusa ai ma le Tusi Faʻailoga Faʻafanua, o le fesoʻotaʻiga o le a pa'ū faʻapitoa i luga o lenei vaega alalaupapa. O le a ou taʻu atu ia te oe e uiga i filifiliga manaia iinei:
- lona lua-fa'amaoni-server-vaega DUO # Seti faʻamaoniga lona lua i luga o le DUO server (Radius Proxy)
- username-mai-certificateCN # Mo le faʻamaoniga muamua, matou te faʻaogaina le fanua CN o le tusi faamaonia e fai ma tofi le faʻaoga tagata
- lona lua-igoa-igoa-mai-tusi faamaonia I # Mo le faʻamaoniga lona lua i luga o le DUO server, matou te faʻaogaina le igoa faʻaigoaina na maua mai ma le Initials (I) fanua o le tusi faamaonia.
- mua'i fa'atumu-igoa fa'aoga tagata o tausia # fai le igoa ole igoa e muai faatumu i le faʻamalama faʻamaonia e aunoa ma le mafai ona sui
- second-pre-fill-username client natia le fa'aoga-tele-password push # Matou te natia le faʻamalama faʻapipiʻi / password mo le faʻamaoniga lona lua DUO ma faʻaoga le auala faʻasilasilaga (sms / push / telefoni) - faʻamau e talosagaina le faʻamaoniga nai lo le faʻailoga upu.
!
access-list posture-redirect extended permit tcp any host 72.163.1.80
access-list posture-redirect extended deny ip any any
!
access-list VPN-Filter extended permit ip any any
!
ip local pool vpn-pool 192.168.100.33-192.168.100.63 mask 255.255.255.224
!
group-policy SECURE-BANK-VPN internal
group-policy SECURE-BANK-VPN attributes
dns-server value 192.168.99.155 192.168.99.130
vpn-filter value VPN-Filter
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
default-domain value ashes.cc
address-pools value vpn-pool
webvpn
anyconnect ssl dtls enable
anyconnect mtu 1300
anyconnect keep-installer installed
anyconnect ssl keepalive 20
anyconnect ssl rekey time none
anyconnect ssl rekey method ssl
anyconnect dpd-interval client 30
anyconnect dpd-interval gateway 30
anyconnect ssl compression lzs
anyconnect dtls compression lzs
anyconnect modules value iseposture
anyconnect profiles value SECUREBANK type user
!
group-policy AC-DOWNLOAD internal
group-policy AC-DOWNLOAD attributes
dns-server value 192.168.99.155 192.168.99.130
vpn-filter value VPN-Filter
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
default-domain value ashes.cc
address-pools value vpn-pool
scep-forwarding-url value http://ise.ashes.cc:9090/auth/caservice/pkiclient.exe
webvpn
anyconnect ssl dtls enable
anyconnect mtu 1300
anyconnect keep-installer installed
anyconnect ssl keepalive 20
anyconnect ssl rekey time none
anyconnect ssl rekey method ssl
anyconnect dpd-interval client 30
anyconnect dpd-interval gateway 30
anyconnect ssl compression lzs
anyconnect dtls compression lzs
anyconnect modules value iseposture
anyconnect profiles value SECUREBANK type user
!
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool vpn-pool
authentication-server-group ISE
accounting-server-group ISE
default-group-policy AC-DOWNLOAD
scep-enrollment enable
tunnel-group DefaultWEBVPNGroup webvpn-attributes
authentication aaa certificate
!
tunnel-group SECURE-BANK-VPN type remote-access
tunnel-group SECURE-BANK-VPN general-attributes
address-pool vpn-pool
authentication-server-group ISE
secondary-authentication-server-group DUO
accounting-server-group ISE
default-group-policy SECURE-BANK-VPN
username-from-certificate CN
secondary-username-from-certificate I
tunnel-group SECURE-BANK-VPN webvpn-attributes
authentication aaa certificate
pre-fill-username client
secondary-pre-fill-username client hide use-common-password push
group-alias SECURE-BANK-VPN enable
dns-group ASHES-DNS
!Ona tatou agai atu lea i le ISE:
Matou te faʻatulagaina se tagata faʻaoga i le lotoifale (e mafai ona e faʻaogaina AD / LDAP / ODBC, ma isi), mo le faigofie, na ou fatuina se tagata faʻaoga i le lotoifale i le ISE lava ia ma tofia i le fanua faʻamatalaga UDID PC lea e faatagaina ai o ia e saini e ala i VPN. Afai ou te faʻaogaina le faʻamaoniga faʻapitonuʻu i luga o le ISE, o le a faʻamapulaʻaina aʻu i le tasi le masini, talu ai e le tele ni fanua, ae i totonu o faʻamaumauga faʻamaumauga faʻamaonia-tolu o le a ou le i ai ni tapulaa.
Se'i o tatou va'ava'ai i le faiga fa'ataga, ua vaevaeina i vaega e fa o feso'ota'iga:
- Vaega 1 - Faiga faʻavae mo le laʻuina o le sui soʻo se AnyConnect ma tuʻuina atu se tusi faamaonia
- Vaega 2 - Faiga fa'amaonia muamua Ulufale (mai tusi pasi)/Password + Tusi Faamaonia ma le UDID fa'amaonia
- Vaega 3 - Faʻamaoniga lona lua e ala i Cisco DUO (MFA) faʻaaogaina UDID e fai ma igoa ole igoa + Iloiloga a le Setete
- Vaega 4 - O le faatagaga mulimuli o loʻo i le setete:
- Tausi;
- UDID faʻamaonia (mai tusi faamaonia + faʻamaufaʻailoga saini),
- Cisco DUO MFA;
- Fa'amaoni e ala ile saini;
- Fa'amaoniga fa'amaonia;
Sei o tatou vaavaai i se tulaga manaia UUID_VALIDATE, e foliga mai o le tagata faʻaoga faʻamaonia na sau moni mai se PC ma se UDID faʻatagaina e fesoʻotaʻi i le fanua faʻamatalaga tala, o tulaga e pei o lenei:
O le faʻamatalaga faʻatagaina o loʻo faʻaaogaina i laʻasaga 1,2,3 e faʻapea:
E mafai ona e siaki tonu pe faʻafefea ona oʻo mai le UDID mai le AnyConnect client ia i matou e ala i le vaʻavaʻai i faʻamatalaga o faʻasalalauga i le ISE. I auiliiliga o le a tatou vaʻai i lena AnyConnect e ala i le masini ACIDEX auina atu e le gata o faamatalaga e uiga i le tulaga, ae faapea foi le UDID o le masini e pei Cisco-AV-PAIR:
Sei o tatou gauai atu i le tusi faamaonia na tuuina atu i le tagata faaaoga ma le fanua Mataimata (I), lea e faʻaaogaina e avea o se saini mo le faʻamaoni MFA lona lua ile Cisco DUO:
I luga o le DUO Radius Proxy itu i totonu o le ogalaau e mafai ona tatou vaʻai manino pe faʻapefea ona faia le talosaga faʻamaonia, e sau e faʻaaoga le UDID e avea ma igoa ole igoa:
Mai le faitotoa o le DUO matou te vaʻai ai i se faʻamaoniga faʻamaonia manuia:
Ma i totonu o mea faʻaoga ua ou setiina ALIAS, lea na ou faʻaaogaina mo le saini, i le isi itu, o le UDID lenei o le PC faʻatagaina mo le saini:
O se taunuuga na matou maua:
- Fa'amatalaga fa'aoga fa'atele ma masini;
- Puipuiga mai le taufaasese o le masini a le tagata e faaaogāina;
- Iloiloina le tulaga o le masini;
- Avanoa mo le fa'atuputeleina o le fa'atonuga fa'atasi ai ma le tusi fa'ailoga masini, ma isi;
- Puipuiga mamao mamao i fale faigaluega ma faʻapipiʻi faʻapipiʻi faʻapipiʻi faʻapipiʻi puipuiga;
So'oga i tala fa'asologa Cisco VPN:
puna: www.habr.com