Cisco ISE: Introduction, Requirements, Installation. Part 1

1. Introduction

Every company, even the smallest, needs authentication, authorization and user accounting (the AAA family of protocols). At the initial stage, AAA is implemented well enough with protocols such as RADIUS, TACACS+ and DIAMETER. However, as the number of users and the company grow, so does the number of tasks: maximum visibility of hosts and BYOD devices, multi-factor authentication, the creation of many access policies, and much more.

For such tasks, the NAC (Network Access Control) class of solutions is a good fit. In this series of articles dedicated to Cisco ISE (Identity Services Engine), a NAC solution that provides context-aware access control for users on the internal network, we will take a detailed look at the architecture, deployment, configuration and licensing of the solution.

Let me briefly remind you that Cisco ISE allows you to:

  • Quickly and easily create guest access on a dedicated WLAN;

  • Detect BYOD devices (for example, employees' home PCs that they bring to work);

  • Centralize and enforce security policies for domain and non-domain users across the whole network using SGT security group tags (TrustSec);

  • Check computers for installed software and compliance with standards (posturing);

  • Classify and profile endpoints and network devices;

  • Provide endpoint visibility;

  • Send user logon/logoff event logs and their accounts (identities) to an NGFW so that user-based policies can be built there;

  • Integrate natively with Cisco StealthWatch and automatically quarantine suspicious hosts involved in security incidents (quarantine);

  • And other features standard for AAA servers.

Colleagues in the industry have already written about Cisco ISE, so I recommend reading: Cisco ISE implementation practice, How to prepare for a Cisco ISE implementation.

2. Architecture

The Identity Services Engine architecture consists of 4 entities (nodes): the management node (Policy Administration Node), the policy distribution node (Policy Service Node), the monitoring node (Monitoring Node) and the PxGrid node (PxGrid Node). Cisco ISE can run in a standalone or a distributed deployment. In the Standalone version, all entities sit on a single virtual machine or physical server (Secure Network Servers - SNS), whereas in the Distributed version the nodes are spread across different devices.

The Policy Administration Node (PAN) is a mandatory node that lets you perform all administrative operations on Cisco ISE. It handles all system configuration related to AAA. In a distributed configuration (nodes can be installed as separate virtual machines), you can have at most two PANs for fault tolerance, in Active/Standby mode.

The Policy Service Node (PSN) is a mandatory node that provides network access, posture, guest access, client provisioning services, and profiling. The PSN evaluates the policy and applies it. Typically several PSNs are installed, especially in a distributed configuration, for more redundant and distributed operation. Naturally, these nodes are placed in different segments so that the ability to provide authenticated and authorized access is not lost even for a second.

The Monitoring Node (MnT) is a mandatory node that stores event logs, the logs of the other nodes, and the settings on the network. The MnT node provides advanced tools for monitoring and troubleshooting, collects and correlates various data, and also produces meaningful reports. Cisco ISE allows you to have at most two MnT nodes, thereby providing fault tolerance in Active/Standby mode. Note that logs are collected by both nodes, the active and the passive one.

The PxGrid Node (PXG) is a node that uses the PxGrid protocol and allows communication between other devices that support PxGrid.

PxGrid is a protocol that enables the integration of IT and information security products from different vendors: monitoring systems, intrusion detection and prevention systems, security policy platforms and many other solutions. Cisco PxGrid lets you share context unidirectionally or bidirectionally with many platforms without the need for APIs, thereby enabling TrustSec technology (SGT tags), changing and applying ANC (Adaptive Network Control) policy, and performing profiling, that is, identifying the device model, OS, location, and so on.

In a high-availability configuration, PxGrid nodes replicate information between the nodes via the PAN. If the PAN fails, the PxGrid node stops performing authentication, authorization, and accounting for users.

Below is a diagram showing how the different Cisco ISE entities operate in a corporate network.

Figure 1. Cisco ISE Architecture

3. Requirements

Cisco ISE can be deployed, like most modern solutions, either virtually or as a separate physical server.

The physical appliances that run the Cisco ISE software are called SNS (Secure Network Server). They come in three models: SNS-3615, SNS-3655 and SNS-3695, for small, medium and large businesses. Table 1 shows information from the SNS datasheet.

Table 1. Comparison table of SNS appliances of different sizes

| Parameter | SNS 3615 (Small) | SNS 3655 (Medium) | SNS 3695 (Large) |
|---|---|---|---|
| Number of endpoints supported in a Standalone deployment | 10000 | 25000 | 50000 |
| Number of endpoints supported per PSN | 10000 | 25000 | 100000 |
| CPU (Intel Xeon 2.10 GHz) | 8 cores | 12 cores | 12 cores |
| RAM | 32 GB (2 x 16 GB) | 96 GB (6 x 16 GB) | 256 GB (16 x 16 GB) |
| HDD | 1 x 600 GB | 4 x 600 GB | 8 x 600 GB |
| Hardware RAID | no | RAID 10, RAID controller present | RAID 10, RAID controller present |
| Network interfaces | 2 x 10Gbase-T, 4 x 1Gbase-T | 2 x 10Gbase-T, 4 x 1Gbase-T | 2 x 10Gbase-T, 4 x 1Gbase-T |

As for virtual deployment, the supported hypervisors are VMware ESXi (at minimum VMware version 11 for ESXi 6.0 is recommended), Microsoft Hyper-V and Linux KVM (RHEL 7.0). The resources should be about the same as in the table above, or higher. That said, the minimum requirements for a small-business virtual machine are: 2 CPUs with a frequency of 2.0 GHz or higher, 16 GB RAM and 200 GB HDD.

For other Cisco ISE deployment data, please contact us or refer to article #1, article #2.

4. Installation

Like many other Cisco products, ISE can be tested in several ways:

  • dcloud - a cloud service with pre-installed lab configurations (a Cisco account is required);

  • GVE request - a request to the Cisco site for specific software (the partner route). You create a case with the following standard description: Product type [ISE], ISE Software [ise-2.7.0.356.SPA.x8664], ISE Patch [ise-patchbundle-2.7.0.356-Patch2-20071516.SPA.x8664];

  • pilot project - contact any authorized partner to carry out a free pilot project.

1) After creating the virtual machine, if you requested the ISO file rather than the OVA template, a window appears in which ISE asks you to choose the installation option. To do this, instead of a login and password, you must type "setup"!

Note: if you deployed ISE from the OVA template, the login credentials are admin/MyIseYPass2 (this and much more is stated in the official guide).

Figure 2. Installing Cisco ISE

2) Then you need to fill in the required fields such as IP address, DNS, NTP and others.

Figure 3. Initial setup of Cisco ISE

3) After that, the device reboots, and you will be able to connect via the web interface using the IP address specified earlier.

Figure 4. Cisco ISE Web Interface

4) In the Administration > System > Deployment tab you can choose which nodes (entities) are enabled on a given device. The PxGrid node is enabled here.

Figure 5. Cisco ISE Entity Management

5) Then, in the Administration > System > Admin Access > Authentication tab, I recommend configuring the password policy, the authentication method (certificate or password), the account expiration date, and the other settings.

Figure 6. Authentication type configuration

Figure 7. Password policy settings

Figure 8. Configuring account lockout after the expiration period

Figure 9. Configuring account lockout
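As an added illustration of the controls in step 5 (example code written for this edit, not Cisco's or the article author's code), the following Python model shows what a password policy, an account expiration date and a lockout threshold each enforce, so the effect of every knob can be reasoned about before it is changed in the GUI. The rule set, the thresholds, and the names `PasswordPolicy`, `AdminAccount`, `violations` and `record_login` are assumptions for illustration only; the real values are configured in the Admin Access tabs shown above.

```python
"""Model of the admin-access controls recommended in step 5.

Added example, not Cisco's code: it mimics the kinds of checks that a
password policy, an account expiry date and a lockout setting enforce.
Every threshold below is an assumed value for illustration, not an ISE default.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import List, Optional


@dataclass
class PasswordPolicy:
    min_length: int = 8            # assumed threshold
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True
    max_repeated: int = 3          # reject runs such as "aaaa" longer than this

    def violations(self, username: str, password: str) -> List[str]:
        """Return the rules the password breaks (an empty list means accepted)."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if self.require_upper and not any(c.isupper() for c in password):
            problems.append("no uppercase letter")
        if self.require_lower and not any(c.islower() for c in password):
            problems.append("no lowercase letter")
        if self.require_digit and not any(c.isdigit() for c in password):
            problems.append("no digit")
        if self.require_special and not any(not c.isalnum() for c in password):
            problems.append("no special character")
        low, user = password.lower(), username.lower()
        if user and (user in low or user[::-1] in low):
            problems.append("contains the username (or its reverse)")
        run, longest = 1, 1
        for prev, cur in zip(password, password[1:]):
            run = run + 1 if cur == prev else 1
            longest = max(longest, run)
        if longest > self.max_repeated:
            problems.append(f"a character repeats more than {self.max_repeated} times in a row")
        return problems


@dataclass
class AdminAccount:
    username: str
    expires_on: Optional[date]     # None = never expires (what step 5 advises against)
    lockout_threshold: int = 5     # assumed: failed logins before the account is locked
    lockout_minutes: int = 15      # assumed lockout duration
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None

    def state(self, now: datetime) -> str:
        """'expired', 'locked' or 'active' at the given point in time."""
        if self.expires_on is not None and now.date() > self.expires_on:
            return "expired"
        if self.locked_until is not None and now < self.locked_until:
            return "locked"
        return "active"

    def record_login(self, success: bool, now: datetime) -> str:
        """Apply one login outcome and return the resulting account state."""
        current = self.state(now)
        if current != "active":
            return current            # expired or locked accounts cannot log in at all
        if success:
            self.failed_attempts = 0
            return "active"
        self.failed_attempts += 1
        if self.failed_attempts >= self.lockout_threshold:
            self.locked_until = now + timedelta(minutes=self.lockout_minutes)
            self.failed_attempts = 0
            return "locked"
        return "active"


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(policy.violations("admin", "Admin2024!x"))
    acct = AdminAccount("ops", expires_on=date(2025, 12, 31), lockout_threshold=3)
    t0 = datetime(2024, 1, 1, 12, 0)
    for _ in range(3):
        print(acct.record_login(False, t0))
```

The point of modelling expiry and lockout together is that they fail differently: an expired account is rejected before any password is checked, while a locked account recovers on its own once the lockout window passes, which is why a temporary contractor account should carry an expiration date rather than rely on lockout alone.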

6) In the Administration > System > Admin Access > Administrators > Admin Users > Add tab you can create a new administrator.

Figure 10. Creating a Local Cisco ISE Administrator

7) The new administrator can be made a member of a new group or of the predefined groups. Administrator groups are managed in the same panel, in the Admin Groups tab. Table 2 summarizes the ISE administrator groups, their rights and their restrictions.

Table 2. Cisco ISE Administrator Groups, Access Levels, Permissions, and Restrictions

| Administrator group name | Permissions | Restrictions |
|---|---|---|
| Customization Admin | Configuration of the guest and sponsor portals, their management and customization | Cannot change settings or view reports |
| Helpdesk Admin | Can view the main dashboard, all reports, alarms and troubleshooting flows | Cannot change, create or delete reports, alarms and authentication logs |
| Identity Admin | Management of users, privileges and roles; can view logs, reports and alarms | Cannot change settings or perform OS-level operations |
| MnT Admin | Full monitoring, reports, alarms, logs and their management | Cannot change any policies |
| Network Device Admin | Rights to create and change ISE objects, view logs, reports and the main dashboard | Cannot change settings or perform OS-level operations |
| Policy Admin | Full control of all policies, changing profiles and settings, viewing reports | Cannot configure certificates or ISE objects |
| RBAC Admin | All settings in the Operations tab, ANC policy configuration, report management | Cannot change settings other than ANC or perform OS-level operations |
| Super Admin | Rights to all configuration, reporting and management; can delete and change administrator credentials | Cannot change or remove another profile from the Super Admin group |
| System Admin | All settings in the Operations tab, management of system settings, ANC policies, viewing reports | Cannot change settings other than ANC or perform OS-level operations |
| External RESTful Services (ERS) Admin | Full access to the Cisco ISE REST API | Only authorization, management of local users, hosts and security groups (SG) |
| External RESTful Services (ERS) Operator | Read-only access to the Cisco ISE REST API | Only authorization, management of local users, hosts and security groups (SG) |

Figure 11. Predefined Cisco ISE Administrator Groups

8) Additionally, in the Authorization > Permissions > RBAC Policy tab you can adjust the rights of the predefined administrator groups.

Figure 12. Cisco ISE Administrator Preset Profile Rights Management
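Table 2 gives the ERS Operator group read-only access to the Cisco ISE REST API. The following Python client, added here as an example and not taken from the article or from Cisco, shows how an audit script can list ERS collections under such a least-privilege account instead of an ERS Admin. It assumes that ERS is enabled on the node (Administration > System > Settings > ERS Settings), that the API listens on TCP port 9060 over HTTPS, and that the host name, user name and password are placeholders; the sample response is constructed in the ERS SearchResult shape so the parser can be exercised offline.

```python
"""Read-only query of the Cisco ISE ERS API with an ERS Operator account.

Added example, not Cisco's or the article's code.  Assumptions: ERS is
enabled, the API is reachable on TCP 9060 over HTTPS, and the host name
and credentials are placeholders to be replaced.
"""
import base64
import json
import ssl
import urllib.request
from typing import Dict, List

ISE_HOST = "ise.example.internal"   # placeholder: your PAN/PSN FQDN
ERS_PORT = 9060                     # port on which the ERS API listens


def build_ers_request(host: str, user: str, password: str, resource: str,
                      port: int = ERS_PORT) -> urllib.request.Request:
    """Build a GET for an ERS collection such as 'internaluser' or 'endpoint'."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    url = f"https://{host}:{port}/ers/config/{resource}"
    return urllib.request.Request(url, method="GET", headers={
        "Authorization": f"Basic {token}",   # ERS uses HTTP Basic authentication
        "Accept": "application/json",        # ERS also speaks XML; ask for JSON
        "Content-Type": "application/json",
    })


def parse_search_result(body: str) -> List[Dict[str, str]]:
    """Extract id and name from an ERS collection response (SearchResult envelope)."""
    data = json.loads(body)
    result = data.get("SearchResult", {})
    return [{"id": r["id"], "name": r["name"]} for r in result.get("resources", [])]


def fetch_collection(host: str, user: str, password: str, resource: str,
                     verify_tls: bool = True) -> List[Dict[str, str]]:
    """Perform the request against a live node and return the parsed resources.

    Keep verify_tls=True in production; a lab node still running its
    self-signed admin certificate is the only reason to turn it off."""
    req = build_ers_request(host, user, password, resource)
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return parse_search_result(resp.read().decode())


# Constructed sample response in the ERS SearchResult shape (not captured from
# a real node), so the parser can be run without network access.
SAMPLE_RESPONSE = json.dumps({
    "SearchResult": {
        "total": 2,
        "resources": [
            {"id": "11111111-0000-0000-0000-000000000001", "name": "guest-sponsor",
             "link": {"rel": "self", "type": "application/json",
                      "href": f"https://{ISE_HOST}:{ERS_PORT}/ers/config/internaluser/1"}},
            {"id": "11111111-0000-0000-0000-000000000002", "name": "svc-monitor",
             "link": {"rel": "self", "type": "application/json",
                      "href": f"https://{ISE_HOST}:{ERS_PORT}/ers/config/internaluser/2"}},
        ],
    }
})

if __name__ == "__main__":
    req = build_ers_request(ISE_HOST, "ers-operator", "<placeholder-password>", "internaluser")
    print(req.get_method(), req.full_url)
    for item in parse_search_result(SAMPLE_RESPONSE):
        print(item["name"], item["id"])
```

Running inventory or compliance scripts under an ERS Operator account means that a leaked script credential can read configuration but cannot create or modify users, endpoints or security groups; write operations stay with the ERS Admin or the GUI administrators from Table 2.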

9) In the Administration > System > Settings tab all system settings are available (DNS, NTP, SMTP and others). You can fill them in here if you skipped them during the initial device setup.

5. Conclusion

This concludes the first article. We discussed what the Cisco ISE NAC solution does, its architecture, the minimum requirements and deployment options, and the initial setup.

In the next article, we will look at creating accounts, integrating with Microsoft Active Directory, and setting up guest access.

If you have any questions on this topic or need help testing the product, please contact us.


Source: www.habr.com
