Tikugashirei kune yechipiri kudhindwa kweakatevedzana ezvinyorwa zvakatsaurirwa kuCisco ISE. Mukutanga mabhenefiti uye mutsauko weNetwork Access Control (NAC) mhinduro kubva kune yakajairwa AAA, iyo yakasarudzika yeCisco ISE, iyo yekuvaka uye yekuisa maitiro echigadzirwa zvakasimbiswa.
Muchinyorwa chino tichaongorora kugadzira maakaunti, tichiwedzera LDAP maseva uye kubatanidzwa neMicrosoft Active Directory, pamwe nemanuances kana uchishanda nePassiveID. Ndisati ndaverenga, ndinokurudzira zvakasimba kuti uverenge .
1. Mamwe mazwi
User Identity - account yemushandisi ine ruzivo nezve mushandisi uye inoumba magwaro ake ekuwana network. Aya maparamendi anotevera anowanzo kutsanangurwa muMushandisi Identity: zita rekushandisa, email kero, password, tsananguro yeakaundi, boka revashandisi, uye basa.
Vashandisi Mapoka - Mapoka evashandisi muunganidzwa wevashandisi vega vane yakajairwa seti yeropafadzo inovabvumira kuwana chaiyo seti yeCisco ISE masevhisi uye mabasa.
User Identity Groups - Mapoka evashandisi akafanotsanangurwa atova neruzivo nemabasa. Aya anotevera Mushandisi Identity Mapoka aripo nekusarudzika uye iwe unogona kuwedzera vashandisi nemapoka evashandisi kwavari: Mushandi, SponsorAllAccount, SponsorGroupAccounts, SponsorOwnAccounts (sponsor accounts ekutonga portal yevaenzi), Muenzi, ActivatedGuest.
Basa remushandisi - Basa remushandisi seti yemvumo inotaridza kuti ndeapi mabasa anogona kuitwa nemushandisi uye kuti ndeapi masevhisi anogona kuwanikwa nemushandisi. Kazhinji basa remushandisi rinosanganiswa neboka revashandisi.
Uyezve, mushandisi wega wega uye boka revashandisi rine humwe hunhu hunokutendera kuti utarise uye zvakanyanya kutsanangura akapihwa mushandisi (boka remushandisi). Ruzivo rwakawanda mu .
2. Gadzira vashandisi vemo
1) MuCisco ISE zvinokwanisika kugadzira vashandisi venzvimbo uye kuvashandisa mumatongerwo ekuwana kana kutovapa basa rekutonga chigadzirwa. Sarudza Kutonga → Identity Management → Kuzivikanwa → Vashandisi → Wedzera.
Mufananidzo 1: Kuwedzera Mushandisi Wemunharaunda kuCisco ISE
2) Muhwindo rinoonekwa, gadzira mushandisi wepanzvimbo, mupe password uye mamwe ma parameter akajeka.
Mufananidzo 2. Kugadzira mushandisi wepanzvimbo muCisco ISE
3) Vashandisi vanogonawo kutengwa kunze kwenyika. Mune imwe tab Kutonga → Identity Management → Kuzivikanwa → Vashandisi sarudza imwe sarudzo Tumira uye rodha csv kana txt faira nevashandisi. Kuti uwane template, sarudza Gadzira Template, ipapo iwe unofanirwa kuizadza neruzivo nezve vashandisi mune fomu yakakodzera.
Mufananidzo 3. Kupinza Vashandisi muCisco ISE
3. Kuwedzera maseva eLDAP
Rega ndikuyeuchidze kuti LDAP ipuroti yakakurumbira yekushandisa-level inobvumidza iwe kugamuchira ruzivo, kuita chokwadi, kutsvaga maakaundi muLDAP server directories, uye inoshanda pachiteshi 389 kana 636 (SS). Mienzaniso yakakurumbira yemaseva eLDAP ndeye Active Directory, Sun Directory, Novell eDirectory uye OpenLDAP. Imwe neimwe inopinda muLDAP dhairekitori inotsanangurwa neDN (Zita Rinosiyanisa) uye kugadzira mutemo wekuwana, basa rekudzoreredza maakaundi, mapoka evashandisi uye hunhu hunomuka.
MuCisco ISE zvinogoneka kugadzirisa kuwana kune akawanda LDAP maseva, nekudaro uchiona redundancy. Kana iyo yekutanga LDAP server isipo, ISE inoedza kubata yechipiri, zvichingodaro. Pamusoro pezvo, kana paine maPAN maviri, ipapo LDAP imwe inogona kukosheswa kune yekutanga PAN, uye imwe LDAP inogona kukosheswa kune yechipiri PAN.
ISE inotsigira mhando mbiri dzekutarisa paunenge uchishanda nemaseva eLDAP: Kutarisa Kwemushandisi uye MAC Kero Kutarisa. Kutsvaga Kwemushandisi kunobvumidza iwe kutsvaga mushandisi muLDAP dhatabhesi uye wotora zvinotevera ruzivo pasina humbowo: vashandisi nehunhu hwavo, mapoka evashandisi. MAC Kero Kutarisa zvakare inobvumidza iwe kutsvaga neMAC kero mumadhairekitori eLDAP pasina humbowo uye uwane ruzivo nezve mudziyo, boka remidziyo nemakero eMAC uye humwe hunhu.
Semuenzaniso wekubatanidza, ngatiwedzerei Active Directory kuCisco ISE seLDAP server.
1) Enda kune tab Kutonga → Identity Management → Zvekuzivikanwa Zvekunze → LDAP → Wedzera.
Mufananidzo 4. Kuwedzera sevha yeLDAP
2) Muchikamu General tsanangura iyo LDAP sevha zita uye chirongwa (munyaya yedu Active Directory).
Mufananidzo 5. Kuwedzera sevha yeLDAP ine Active Directory schema
3) Tevere enda ku Connection tab uye tsanangura Zita remugamuchiri/IP kero Server AD, port (389 - LDAP, 636 - SSL LDAP), domain administrator credentials (Admin DN - yakazara DN), mamwe maparameter anogona kusiiwa seagara aripo.
taura pfungwa: Shandisa iyo admin domain data kudzivirira zvinogona kuitika.
Mufananidzo 6. Kupinza LDAP server data
4) Mune tab Directory Organisation iwe unofanirwa kutsanangura nzvimbo yedhairekitori kuburikidza neDN kubva kwaunodhonza vashandisi nemapoka evashandisi.
Mufananidzo 7. Kusarudza dhairekitori kubva kwairi kudhonza mapoka evashandisi
5) Enda kuhwindo Zvikwata → Wedzera → Sarudza Mapoka Kubva Dhairekitori kusarudza mapoka ekudhonza kubva paLDAP server.
Mufananidzo 8. Kuwedzera mapoka kubva kuLDAP server
6) Muhwindo rinoonekwa, tinya Dzora Mapoka. Kana mapoka akabatana, zvino matanho ekutanga apera kubudirira. Zvikasadaro, edza mumwe maneja uye tarisa kuwanikwa kweISE neLDAP server uchishandisa iyo LDAP protocol.
Mufananidzo 9. Rondedzero yemapoka evashandisi akagoneswa
7) Mune tab unhu iwe unogona kusarudza kusarudza kuti ndeupi hunhu kubva kuLDAP sevha inofanirwa kudhonzwa kumusoro, uye nepahwindo Purogiramu yakasimudzwa gonesa sarudzo Gonesa Password Shanduko, izvo zvinomanikidza vashandisi kuti vachinje password yavo kana yapera kana kugadziridzwa. Chero nzira, tinya bvuma kuenderera mberi.
8) Sevha yeLDAP inoonekwa mune inoenderana tebhu uye inogona kushandiswa gare gare kugadzira marongero ekuwana.
Mufananidzo 10. Rondedzero yemaseva eLDAP akawedzerwa
4. Kubatanidzwa neActive Directory
1) Nekuwedzera Microsoft Active Directory server seLDAP server, takagamuchira vashandisi, mapoka evashandisi, asi kwete matanda. Tevere, ini ndinokurudzira kumisikidza yakazara AD kubatanidzwa neCisco ISE. Enda kune tab Kutonga → Identity Management → Zvekuzivikanwa Kwekunze → Active Directory → Wedzera.
Cherechedza: Kuti ubudirire kubatanidzwa neAD, ISE inofanirwa kunge iri mudura uye iine kubatana kwakazara neDNS, NTP uye AD maseva, zvikasadaro hapana chinozoshanda.
Mufananidzo 11. Kuwedzera Active Directory server
2) Muhwindo rinoonekwa, pinda iyo domain administrator ruzivo uye tarisa bhokisi Chengeta Zvinyorwa. Pamusoro pezvo, unogona kutsanangura iyo OU (Yesangano Yesangano) kana iyo ISE iri mune chaiyo OU. Tevere, iwe uchafanirwa kusarudza iyo Cisco ISE node yaunoda kubatanidza kune iyo domain.
Mufananidzo 12. Kuisa zvinyorwa
3) Usati wawedzera domain controllers, ita shuwa kuti paPSN mune iyo tab Kutonga → Sisitimu → Kuendesa sarudzo yakagoneswa Passive Identity Service. PassiveID - sarudzo inokubvumira kushandura Mushandisi kuenda kuIP uye zvichipesana. PassiveID inogamuchira ruzivo kubva kuAD kuburikidza neWMI, yakakosha AD vamiririri, kana SPAN port pane switch (kwete yakanakisa sarudzo).
Cherechedza: kutarisa iyo Passive ID mamiriro, pinda muISE console ratidza chimiro chekushandisa | inosanganisira PassiveID.
Mufananidzo 13. Kugonesa PassiveID sarudzo
4) Enda kune tab Kutonga → Identity Management → External Identity Sources → Active Directory → PassiveID uye sarudza sarudzo Wedzera DCs. Tevere, sarudza inodiwa domain controller nemabhokisi ekutarisa uye tinya OK.
Mufananidzo 14. Kuwedzera domain controllers
5) Sarudza maDC akawedzerwa uye tinya bhatani Gadzirisa. Ndapota ratidza FQDN yako DC, domain login uye password, pamwe nesarudzo yekutaurirana WMI kana muiti. Sarudza WMI uye tinya OK.
Mufananidzo 15. Kupinda domain controller ruzivo
6) Kana WMI isiri iyo nzira inosarudzika yekutaura neActive Directory, saka ISE vamiririri vanogona kushandiswa. Iyo mumiririri nzira ndeyokuti iwe unogona kuisa yakakosha vamiririri pane server iyo inoburitsa zviitiko zvekupinda. Pane 2 yekuisa sarudzo: otomatiki uye manyore. Kuisa otomatiki mumiririri mune imwechete tab PassiveID sarudza Wedzera Mumiririri → Shandisa Mumiriri Mutsva (DC inofanira kuva neInternet access). Wobva wazadza minda inodiwa (zita remumiririri, server FQDN, domain administrator login/password) wobva wadzvanya. OK.
Mufananidzo 16. Kuiswa otomatiki kweISE agent
7) Kuti uise nemaoko Cisco ISE mumiriri, unofanirwa kusarudza Bhalisa Aripo Agent. Nenzira, iwe unogona kudhawunirodha mumiririri mune iyo tab Nzvimbo dzebasa → PassiveID → Vanopa → Vamiririri → Dhawunirodha Agent.
Mufananidzo 17. Kurodha mumiririri weISE
Zvakakosha kuti: PassiveID haiverenge zviitiko log off! Iyo parameter inokonzeresa nguva yekupera inonzi mushandisi musangano kukwegura nguva uye yakaenzana nemaawa makumi maviri nemana nekusarudzika. Naizvozvo, iwe unofanirwa kuzvibvisa wega pakupera kwezuva rekushanda, kana kunyora imwe mhando yezvinyorwa zvinozozvivharira zvese zvakapinda vashandisi.
Kuti uwane ruzivo log off "Endpoint probes" inoshandiswa. Kune akati wandei endpoint probes muCisco ISE: RADIUS, SNMP Trap, SNMP Query, DHCP, DNS, HTTP, Netflow, NMAP Scan. nharaunda probe kushandisa CoA (Shanduko yeMvumo) mapakeji anopa ruzivo nezve kushandura kodzero dzevashandisi (izvi zvinoda yakamisikidzwa 802.1X), uye SNMP yakagadziridzwa pane yekuwana switch ichapa ruzivo nezve yakabatana uye yakabviswa michina.
Pazasi pane muenzaniso unoenderana neCisco ISE + AD kumisikidzwa isina 802.1X uye RADIUS: mushandisi anopindirwa pamushini weWindows, pasina kuita logoff, pinda kubva kune imwe PC kuburikidza neWiFi. Muchiitiko ichi, chikamu paPC yekutanga chicharamba chichishanda kusvika nguva yekubuda pakaitika kana kumanikidzwa kurogwa. Zvino, kana zvishandiso zvine kodzero dzakasiyana, iyo yekupedzisira yakapinda mumudziyo ichashandisa kodzero dzayo.
8) Zvimwe mune tab Administration → Identity Management → External Identity Sources → Active Directory → Zvikwata → Wedzera → Sarudza Zvikwata Kubva Mudhairekitori unogona kusarudza mapoka kubva kuAD aunoda kuwedzera kuISE (munyaya yedu, izvi zvakaitwa mudanho rechitatu "Kuwedzera sevha yeLDAP"). Sarudza imwe sarudzo Dzora Mapoka → OK.
Mufananidzo 18 a). Kudhonza mapoka evashandisi kubva kuActive Directory
9) Mune tab Nzvimbo dzebasa → PassiveID → Overview → Dashboard unogona kutarisa nhamba yezvikamu zvinoshanda, nhamba yezvinyorwa zve data, vamiririri, nezvimwe.
Mufananidzo 19. Monitoring domain user basa
10) Mune tab Rarama Zvikamu zvirongwa zvazvino zvinoratidzwa. Kubatanidzwa neAD kunogadziriswa.
Mufananidzo 20. Zvirongwa zvinoshanda zvevashandisi vedomasi
5. Mhedziso
Ichi chinyorwa chakafukidza misoro yekugadzira vashandisi vemunharaunda muCisco ISE, ichiwedzera LDAP maseva uye kubatanidza neMicrosoft Active Directory. Chinyorwa chinotevera chinobata mukana wevaenzi nenzira yedhairekitori risingaverengeki.
Kana iwe uine chero mibvunzo nezvenyaya iyi kana uchida rubatsiro mukuyedza chigadzirwa, ndapota taura .
Garai makamirirwa kuti muwane zvigadziriso mumachaneli edu (, , , , ).
Source: www.habr.com