Cisco ISE: Configuring Guest Access on FortiAP. Part 3


Welcome to the third post in the Cisco ISE series. Links to all articles in the series are given below:

  1. Cisco ISE: Introduction, requirements, installation. Part 1

  2. Cisco ISE: Creating users, adding LDAP servers, integrating with AD. Part 2

  3. Cisco ISE: Configuring Guest Access on FortiAP. Part 3

In this post, you will dive into guest access, along with a step-by-step guide to integrating Cisco ISE with FortiGate in order to configure FortiAP, an access point from Fortinet (in general, any device that supports RADIUS CoA - Change of Authorization - will do).

Our related articles are attached: Fortinet - a selection of useful materials.

Note: Check Point SMB devices do not support RADIUS CoA.

An excellent guide describes in English how to set up guest access using Cisco ISE on a Cisco WLC (Wireless Controller). Let's get into it!

1. Introduction

Guest access (portal) lets you provide access to the Internet or to internal resources for guests and users you do not want to admit into your local network. There are three predefined types of guest portal:

  1. Hotspot Guest portal - network access is given to guests without login data. Users are usually required to accept the company's "Use and Privacy Policy" before they reach the network.

  2. Sponsored-Guest portal - network access and login data must be issued by a sponsor, a user responsible for creating guest accounts on Cisco ISE.

  3. Self-Registered Guest portal - in this case, guests use existing login details or create an account with login details for themselves, but sponsor approval is required to gain access to the network.

Multiple portals can be deployed on Cisco ISE at the same time. By default, the user will see the Cisco logo and standard phrases in the guest portal. All of this can be customized, and the portal can even be set to show mandatory ads before access is granted.

Guest access setup can be divided into 4 main steps: FortiAP setup, Cisco ISE and FortiAP integration, guest portal creation, and access policy configuration.

2. Configuring FortiAP on FortiGate

FortiGate is the access point controller, and all settings are made on it. FortiAP access points support PoE, so once you have connected one to the network over Ethernet, you can start configuring.

1) On FortiGate, go to the tab WiFi & Switch Controller > Managed FortiAPs > Create New > Managed AP. Using the access point's unique serial number, which is printed on the access point itself, add it as an object. Alternatively, it may show up by itself, in which case you click Authorize using the right mouse button.


2) The FortiAP settings can be left at their defaults; for example, leave them as in the screenshot. I strongly recommend turning on the 5 GHz mode, because some devices do not support 2.4 GHz.

3) Then, in the tab WiFi & Switch Controller > FortiAP Profiles > Create New, we create a settings profile for the access point (802.11 protocol version, SSID mode, channel frequency and their number).

FortiAP settings example

4) The next step is to create an SSID. Go to the tab WiFi & Switch Controller > SSIDs > Create New > SSID. The important items to configure here are:

  • address space for the guest WLAN - IP/Netmask

  • RADIUS Accounting and Security Fabric Connection in the Administrative Access field

  • Device Detection option

  • SSID and Broadcast SSID options

  • Security Mode Settings > Captive Portal

  • Authentication Portal - External, and insert the link to the guest portal created on Cisco ISE from step 20.

  • User Group - Guest Group - External - add RADIUS to Cisco ISE (step 6 onward)

SSID settings example

5) Then you need to create rules in the access policy on FortiGate. Go to the tab Policy & Objects > Firewall Policy and create a rule like this:


3. RADIUS configuration

6) Go to the Cisco ISE web interface, to the tab Policy > Policy Elements > Dictionaries > System > Radius > RADIUS Vendors > Add. In this tab we will add Fortinet RADIUS to the list of supported protocols, since almost every vendor has its own specific attributes - VSA (Vendor-Specific Attributes).

The list of Fortinet RADIUS attributes can be found here. VSAs are distinguished by their unique Vendor ID number. For Fortinet this ID = 12356. The full list of VSAs is published by IANA.

7) Enter the dictionary name, specify the Vendor ID (12356) and click Submit.

8) After that, go to Administration > Network Device Profiles > Add and create a new device profile. In the RADIUS Dictionaries field, select the previously created Fortinet RADIUS dictionary and select the CoA methods to use later in the ISE policy. I selected RFC 5176 and Port Bounce (shutdown / no shutdown of the network interface) and the corresponding VSAs:

Fortinet-Access-Profile=read-write

Fortinet-Group-Name = fmg_faz_admins

9) Next, add FortiGate for integration with ISE. To do this, go to the tab Administration > Network Resources > Network Device Profiles > Add. The fields to change are Name, Vendor, RADIUS Dictionaries (the IP address is the one used by FortiGate, not FortiAP).

Example of RADIUS configuration on the ISE side

10) After that, you need to configure RADIUS on the FortiGate side. In the FortiGate web interface, go to User & Authentication > RADIUS Servers > Create New. Specify the name, IP address and Shared secret (password) from the previous step. Next, click Test User Credentials and enter any credentials that can be pulled up via RADIUS (for example, a local user on Cisco ISE).


11) Add the RADIUS server to the Guest-Group (if it is not there) along with the external user source.


12) Do not forget to add the Guest-Group to the SSID we created earlier in step 4.
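
How the two VSAs from step 8 look on the wire, as an added example that is not part of the original article: a RADIUS Vendor-Specific attribute (type 26) carries the Vendor ID 12356 followed by vendor sub-attributes, and the decoder rejects malformed lengths instead of reading past them. The sub-attribute numbers 1 and 6 come from the FreeRADIUS Fortinet dictionary and are an assumption here, as is the constructed sample packet body.

```python
import struct

FORTINET_VENDOR_ID = 12356   # Vendor ID given in steps 6-7
VENDOR_SPECIFIC = 26         # RADIUS attribute type for VSAs (RFC 2865)
# Assumption: sub-attribute numbers as listed in the FreeRADIUS Fortinet dictionary
FORTINET_TYPES = {1: "Fortinet-Group-Name", 6: "Fortinet-Access-Profile"}

def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific attribute holding a single string sub-attribute."""
    data = value.encode()
    sub = struct.pack("!BB", vendor_type, len(data) + 2) + data
    body = struct.pack("!I", vendor_id) + sub
    if len(body) + 2 > 255:
        raise ValueError("attribute too long for one RADIUS AVP")
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body

def decode_fortinet_vsas(attrs):
    """Walk the attribute section of a RADIUS packet and return Fortinet VSAs."""
    found, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("bad attribute length")
        a_type, a_len = attrs[i], attrs[i + 1]
        value = attrs[i + 2:i + a_len]
        i += a_len
        if a_type != VENDOR_SPECIFIC or len(value) < 4:
            continue                      # not a VSA: skip it
        (vendor_id,) = struct.unpack("!I", value[:4])
        if vendor_id != FORTINET_VENDOR_ID:
            continue                      # another vendor's dictionary
        j = 4
        while j < len(value):
            if j + 2 > len(value) or value[j + 1] < 2 or j + value[j + 1] > len(value):
                raise ValueError("bad sub-attribute length")
            v_type, v_len = value[j], value[j + 1]
            name = FORTINET_TYPES.get(v_type, f"Fortinet-{v_type}")
            found.append((name, value[j + 2:j + v_len].decode("utf-8", "replace")))
            j += v_len
    return found

# Constructed sample: a User-Name attribute followed by the two VSAs from step 8
SAMPLE = (b"\x01\x07guest"
          + encode_vsa(FORTINET_VENDOR_ID, 6, "read-write")
          + encode_vsa(FORTINET_VENDOR_ID, 1, "fmg_faz_admins"))

if __name__ == "__main__":
    for name, val in decode_fortinet_vsas(SAMPLE):
        print(f"{name} = {val}")
```

If ISE's Fortinet dictionary is missing or uses a different Vendor ID, these attributes arrive as unknown vendor data and the policy conditions built on them will not match.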

4. User Authentication Setting

13) Optionally, you can import a certificate for the ISE guest portal or create a self-signed certificate in the tab Work Centers > Guest Access > Administration > Certification > System Certificates.


14) Next, in the tab Work Centers > Guest Access > Identity Groups > User Identity Groups > Add, create a new user group for guest access, or use the existing ones.


15) Further, in the tab Administration > Identities, create guest users and add them to the groups from the previous step. If you want to use third-party accounts, skip this step.


16) After that, go to the settings Work Centers > Guest Access > Identities > Identity Source Sequence > Guest Portal Sequence - this is the authentication sequence for guest users. In the Authentication Search List field, select the user authentication order.


17) To notify guests with a one-time password, you can configure SMS providers or an SMTP server for this purpose. Go to the tab Work Centers > Guest Access > Administration > SMTP Server or SMS Gateway Providers for these settings. In the case of an SMTP server, you need to create an account for ISE and specify its data in this tab.

18) For SMS notifications, use the appropriate tab. ISE has pre-installed profiles for popular SMS providers, but it is better to create your own. Use these profiles as an example for setting up an SMS Email Gateway or SMS HTTP API.

Example of setting up an SMTP server and an SMS gateway for a one-time password

5. Creating the guest portal

19) As mentioned at the beginning, there are 3 types of pre-installed guest portals: Hotspot, Sponsored, Self-Registered. I recommend choosing the third option, as it is the most common. Either way, the settings are largely the same. So let's go to the tab Work Centers > Guest Access > Portals & Components > Guest Portals > Self-Registered Guest Portal (default).

20) Next, in the Portal Page Customization tab, select "View in Russian - Russian" so that the portal is displayed in Russian. You can change the text of any tab, add your logo, and so on. In the right-hand corner there is a preview of the guest portal for a better view.

Example of configuring a guest portal with self-registration

21) Click the Portal test URL link and copy the portal URL into the SSID on FortiGate from step 4. Sample URL https://10.10.30.38:8433/portal/PortalSetup.action?portal=deaaa863-1df0-4198-baf1-8d5b690d4361

To display your own domain, you need to upload a certificate to the guest portal; see step 13.


22) Go to the tab Work Centers > Guest Access > Policy Elements > Results > Authorization Profiles > Add to create an authorization profile under the previously created Network Device Profile.


23) In the tab Work Centers > Guest Access > Policy Sets, edit the access policy for WiFi users.


24) Let's try connecting to the guest SSID. It immediately redirects me to the login page. Here you can log in with a guest account created locally on ISE, or register as a guest user.


25) If you chose the self-registration option, the one-time login data can be sent by email, via SMS, or printed.


26) In the RADIUS > Live Logs tab on Cisco ISE, you will see the corresponding login logs.


6. Conclusion

In this long article, we successfully configured guest access on Cisco ISE, where FortiGate acts as the access point controller and FortiAP acts as the access point. It turned out to be a kind of non-trivial integration, which once again shows how widely ISE can be used.

To test Cisco ISE, get in touch via the link, and also stay tuned to our channels (Telegram, Facebook, VK, TS Solution Blog, Yandex Zen).

Source: www.habr.com
