Continuing the series of articles on Remote-Access VPN, I cannot help sharing my interesting experience of deploying a highly secure VPN configuration. A non-trivial task was set by one customer (there are still inventors in Russian villages), but the challenge was accepted and implemented creatively. The result is an interesting concept with the following characteristics:
- Several layers of protection against substitution of the terminal device (with strict binding of the device to the user);
- Verification that the user's PC matches the UDID of the permitted PC assigned to that user in the authentication database;
- MFA that uses the PC's UDID taken from the certificate as the secondary authentication identity via Cisco DUO (any SAML/RADIUS-compatible MFA can be attached instead);
- Multi-factor authentication:
  - User certificate with verification of its fields and secondary authentication against one of them;
  - Login (immutable, taken from the certificate) and password;
- Evaluation of the state of the connecting host (Posture).
Solution components used:
- Cisco ASA (VPN gateway);
- Cisco ISE (Authentication / Authorization / Accounting, posture evaluation, CA);
- Cisco DUO (multi-factor authentication; any SAML/RADIUS-compatible MFA can be attached instead);
- Cisco AnyConnect (multi-purpose agent for workstations and mobile OS).
Let's start with the customer's requirements:
- The user must be able, after login/password authentication, to download the AnyConnect client from the VPN gateway; all required AnyConnect modules must be installed automatically according to the user's policy;
- The user must be able to obtain a certificate automatically (for one of the scenarios; in the main scenario the certificate is issued and installed on the PC manually). I implemented automatic issuance for the demonstration (it is never too late to remove it);
- Authentication must proceed in several stages: first certificate authentication with verification of the required fields and their values, then login/password. At this stage only the username taken from the certificate's Subject Name (CN) field may be substituted into the login window, with no possibility of editing it;
- It must be guaranteed that the device the user connects from is the corporate laptop issued to that user for remote access and nothing else (several measures were taken to satisfy this requirement);
- The state of the connecting device (at this stage, a PC) must be checked against a full, hefty table of customer requirements (in summary):
  - Files and their properties;
  - Registry entries;
  - OS patches from a given list (SCCM integration later);
  - Presence of an antivirus from a specific vendor and freshness of its signatures;
  - Activity of certain services;
  - Presence of certain installed programs.
First, I strongly recommend watching the video demonstration of the resulting setup on YouTube (5 minutes).
Now I propose to go through the implementation details that were not covered in the video clip.
Ngatigadzirirei iyo AnyConnect mbiri:
Ini ndakambopa muenzaniso wekugadzira chimiro (maererano nechinhu chemenu muASDM) muchinyorwa changu chekumisikidza
Mune iyo mbiri, isu ticharatidza iyo VPN gedhi uye zita rezita rekubatanidza kune yekupedzisira mutengi:
Ngatigadzirise iyo otomatiki kuburitswa kwechitupa kubva kudivi reprofile, zvichiratidza, kunyanya, zvitupa paramita uye, zvine hunhu, teerera kumunda. Mavambo (I), uko kukosha chaiko kunopinzwa nemaoko UID bvunzo muchina (Yakasarudzika mudziyo identifier iyo inogadzirwa neCisco AnyConnect mutengi).
Pano ini ndinoda kuita digression yerwiyo, sezvo chinyorwa ichi chinotsanangura pfungwa; nezvinangwa zvekuratidzira, iyo UDID yekuburitsa chitupa inopinzwa muInitials ndima yeAnyConnect profile. Ehe, muhupenyu chaihwo, kana ukaita izvi, ipapo vatengi vese vanogashira chitupa chine UDID imwechete mumunda uyu uye hapana chinovashandira, sezvo vachida UDID yePC yavo chaiyo. AnyConnect, zvinosuruvarisa, haisati yashandisa kutsiva yeUDID munda mune yechikumbiro chechitupa kuburikidza neyakasiyana siyana, sezvainoita, semuenzaniso, ine shanduko. %USER%.
Zvakakosha kucherechedza kuti mutengi (wechiitiko ichi) pakutanga anoronga kuzvimiririra kuburitsa zvitupa neUDID yakapihwa mune yemanyorero mode kune akadaro Akadzivirirwa PC, iro risiri dambudziko kwaari. Nekudaro, kune vazhinji vedu isu tinoda otomatiki (zvakanaka, kwandiri ichokwadi =)).
Uye izvi ndizvo zvandinogona kupa maererano ne automation. Kana AnyConnect isati yave kukwanisa kuburitsa chitupa otomatiki nekushandura zvine simba iyo UDID, saka pane imwe nzira inoda kapfungwa kekusika uye nemaoko ane hunyanzvi - ini ndichakuudza iyo pfungwa. Kutanga, ngatitarisei kuti UDID inogadzirwa sei pane akasiyana masisitimu anoshanda neAnyConnect mumiriri:
- Windows: SHA-256 hash of the combination of the DigitalProductID and Machine SID registry values;
- OSX: SHA-256 hash of the PlatformUUID;
- Linux: SHA-256 hash of the UUID of the root partition;
- Apple iOS: SHA-256 hash of the PlatformUUID;
- Android: see the documentation at
link
Accordingly, we write a script for our corporate Windows OS: the script computes the UDID locally from the known parameters and generates a certificate request with this UDID entered in the required field. Incidentally, you can also use the machine certificate issued by AD (adding a second certificate-based authentication via the Multiple Certificate scheme).
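As an added illustration of that idea (not the author's script and not part of the original article), the following Python sketch derives the UDID the way the list above describes and renders the subject for the certificate request. The page does not state the byte order in which AnyConnect concatenates DigitalProductId and the Machine SID, nor the hex case it emits, so both are assumptions here; the sample inputs are constructed, and the subject string uses the `certreq` INF syntax, where `I` is the Initials attribute that the ASA later reads with `secondary-username-from-certificate I`.

```python
"""Derive the AnyConnect-style UDID locally and build the certificate request
subject the ASA expects (CN for the login, OU for the certificate map,
I for the device binding). Added example; not the article's own script."""
import hashlib
import re

# OU value matched by the ASA certificate map (subject-name attr ou eq securebank-ra).
ENROLLMENT_OU = "SECUREBANK-RA"


def _udid(material: bytes) -> str:
    # The article states that every platform's UDID is a SHA-256 hash.
    # Uppercase hex is an assumption about AnyConnect's output format.
    return hashlib.sha256(material).hexdigest().upper()


def udid_windows(digital_product_id: bytes, machine_sid: str) -> str:
    """Windows: SHA-256 over DigitalProductId + Machine SID.
    Assumption: the raw REG_BINARY blob is followed by the SID as ASCII text."""
    return _udid(digital_product_id + machine_sid.encode("ascii"))


def udid_platform_uuid(platform_uuid: str) -> str:
    """macOS / iOS: SHA-256 over the PlatformUUID string (assumed as printed)."""
    return _udid(platform_uuid.encode("ascii"))


def udid_linux(root_partition_uuid: str) -> str:
    """Linux: SHA-256 over the root partition UUID string (assumed as printed by blkid)."""
    return _udid(root_partition_uuid.encode("ascii"))


def enrollment_subject(username: str, udid: str, ou: str = ENROLLMENT_OU) -> str:
    """Subject line for a certreq .inf file. CN feeds username-from-certificate CN,
    OU drives the ASA certificate map, I feeds secondary-username-from-certificate I."""
    if not re.fullmatch(r"[0-9A-Fa-f]{64}", udid):
        raise ValueError("UDID must be a 64-character hex SHA-256 digest")
    if "," in username or "=" in username:
        raise ValueError("username must not contain DN separators")
    return f"CN={username}, OU={ou}, I={udid}"


def parse_subject(subject: str) -> dict:
    """Split 'CN=..., OU=..., I=...' back into attributes, roughly as the ASA
    reads them when applying username-from-certificate."""
    pairs = (part.split("=", 1) for part in subject.split(","))
    return {k.strip(): v.strip() for k, v in pairs}


def certreq_inf(username: str, udid: str) -> str:
    """Minimal certreq.exe request file; the key parameters are constructed for
    the example and would be adjusted to the customer's CA template."""
    return "\n".join([
        "[NewRequest]",
        f'Subject = "{enrollment_subject(username, udid)}"',
        "KeyLength = 2048",
        "KeySpec = 1",
        "Exportable = FALSE",
        "MachineKeySet = FALSE",
        'ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"',
        "RequestType = PKCS10",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample inputs; on a real host they come from
    # HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId and the machine SID.
    sample_dpid = bytes(range(0xA4))
    sample_sid = "S-1-5-21-1004336348-1177238915-682003330"
    print(certreq_inf("alice", udid_windows(sample_dpid, sample_sid)))
```

The value this script writes into `I` is what the ASA hands to DUO as the secondary username, so it must match the device-uid that the AnyConnect agent itself reports; before rolling such a script out, compare its output against the UDID shown in the AnyConnect client details on ISE for the same PC and adjust the concatenation assumption if they differ.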
Let's prepare the settings on the Cisco ASA side:
Let's create a trustpoint for the ISE CA server, which will issue certificates to the clients. I will not cover the key-chain import procedure; an example is described in my article on the setup
crypto ca trustpoint ISE-CA
enrollment terminal
crl configure
We configure the assignment to a tunnel group by rules based on the fields of the certificate used for authentication. The AnyConnect profile created in the previous step is also referenced here. Note that I use the value SECUREBANK-RA to send users holding the issued certificate to the tunnel group SECURE-BANK-VPN; this is the same value I put in the OU field of the certificate request section of the AnyConnect profile.
tunnel-group-map enable rules
!
crypto ca certificate map OU-Map 6
subject-name attr ou eq securebank-ra
!
webvpn
anyconnect profiles SECUREBANK disk0:/securebank.xml
certificate-group-map OU-Map 6 SECURE-BANK-VPN
!
Configure the authentication servers. In my case, this is ISE for the first authentication stage and DUO (RADIUS Proxy) as MFA.
! CISCO ISE
aaa-server ISE protocol radius
authorize-only
interim-accounting-update periodic 24
dynamic-authorization
aaa-server ISE (inside) host 192.168.99.134
key *****
!
! DUO RADIUS PROXY
aaa-server DUO protocol radius
aaa-server DUO (inside) host 192.168.99.136
timeout 60
key *****
authentication-port 1812
accounting-port 1813
no mschapv2-capable
!
We create the group policies and tunnel groups together with their auxiliary components. Note that the VPN-Filter ACL below is `permit ip any any` for the demonstration; in production it should be narrowed to the resources the remote users actually need:
The tunnel group DefaultWEBVPNGroup is used mainly for downloading the AnyConnect VPN client and issuing the user certificate through the ASA's SCEP-Proxy function; for this the corresponding options are enabled both on the tunnel group itself and on the associated group policy AC-DOWNLOAD, as well as in the uploaded AnyConnect profile (certificate issuance fields, etc.). In this group policy we also specify that the ISE Posture module must be downloaded.
The tunnel group SECURE-BANK-VPN is selected automatically by the client when it authenticates with the certificate issued in the previous step, since according to the certificate map the connection lands directly in this tunnel group. The interesting options here:
- secondary-authentication-server-group DUO # secondary authentication against the DUO server (RADIUS Proxy)
- username-from-certificate CN # for primary authentication, the user's login is taken from the certificate's CN field
- secondary-username-from-certificate I # for secondary authentication on the DUO server, the username is taken from the certificate's Initials (I) field
- pre-fill-username client # the username is pre-filled in the authentication window and cannot be changed
- secondary-pre-fill-username client hide use-common-password push # hide the login/password window of the secondary DUO authentication and use a notification method (sms/push/phone) instead of the password field: push sends an authentication request
The configuration:
!
access-list posture-redirect extended permit tcp any host 72.163.1.80
access-list posture-redirect extended deny ip any any
!
access-list VPN-Filter extended permit ip any any
!
ip local pool vpn-pool 192.168.100.33-192.168.100.63 mask 255.255.255.224
!
group-policy SECURE-BANK-VPN internal
group-policy SECURE-BANK-VPN attributes
dns-server value 192.168.99.155 192.168.99.130
vpn-filter value VPN-Filter
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
default-domain value ashes.cc
address-pools value vpn-pool
webvpn
anyconnect ssl dtls enable
anyconnect mtu 1300
anyconnect keep-installer installed
anyconnect ssl keepalive 20
anyconnect ssl rekey time none
anyconnect ssl rekey method ssl
anyconnect dpd-interval client 30
anyconnect dpd-interval gateway 30
anyconnect ssl compression lzs
anyconnect dtls compression lzs
anyconnect modules value iseposture
anyconnect profiles value SECUREBANK type user
!
group-policy AC-DOWNLOAD internal
group-policy AC-DOWNLOAD attributes
dns-server value 192.168.99.155 192.168.99.130
vpn-filter value VPN-Filter
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
default-domain value ashes.cc
address-pools value vpn-pool
scep-forwarding-url value http://ise.ashes.cc:9090/auth/caservice/pkiclient.exe
webvpn
anyconnect ssl dtls enable
anyconnect mtu 1300
anyconnect keep-installer installed
anyconnect ssl keepalive 20
anyconnect ssl rekey time none
anyconnect ssl rekey method ssl
anyconnect dpd-interval client 30
anyconnect dpd-interval gateway 30
anyconnect ssl compression lzs
anyconnect dtls compression lzs
anyconnect modules value iseposture
anyconnect profiles value SECUREBANK type user
!
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool vpn-pool
authentication-server-group ISE
accounting-server-group ISE
default-group-policy AC-DOWNLOAD
scep-enrollment enable
tunnel-group DefaultWEBVPNGroup webvpn-attributes
authentication aaa certificate
!
tunnel-group SECURE-BANK-VPN type remote-access
tunnel-group SECURE-BANK-VPN general-attributes
address-pool vpn-pool
authentication-server-group ISE
secondary-authentication-server-group DUO
accounting-server-group ISE
default-group-policy SECURE-BANK-VPN
username-from-certificate CN
secondary-username-from-certificate I
tunnel-group SECURE-BANK-VPN webvpn-attributes
authentication aaa certificate
pre-fill-username client
secondary-pre-fill-username client hide use-common-password push
group-alias SECURE-BANK-VPN enable
dns-group ASHES-DNS
!
Next we move on to ISE:
We configure a local user (AD/LDAP/ODBC, etc. can be used instead); for simplicity I created a local user in ISE itself and put into its description field the UDID of the PC from which the user is allowed to connect over VPN. With local authentication on ISE I am limited to a single device, since there are not many free fields, but with a third-party authentication database there is no such restriction.
Let's look at the authorization policy, divided into four connection stages:
- Stage 1: policy for downloading the AnyConnect agent and issuing the certificate;
- Stage 2: primary authentication policy, login (from the certificate)/password + certificate with UDID validation;
- Stage 3: secondary authentication via Cisco DUO (MFA) using the UDID as the username + posture evaluation;
- Stage 4: final authorization in the state:
  - Compliant;
  - UDID validated (certificate + login binding);
  - Cisco DUO MFA;
  - Authentication by login;
  - Certificate authentication.
Let's look at the interesting condition UUID_VALIDATED; it checks that the authenticating user really connects from a PC whose permitted UDID is bound in the description field of the account. The condition looks like this:
The authorization profile applied at stages 1, 2 and 3 is the following:
You can check exactly how the UDID from the AnyConnect client reaches us by looking at the client details in ISE. In the details we see that AnyConnect, through the ACIDEX mechanism, sends not only information about the platform but also the device UDID as a Cisco-AV-PAIR:
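To make the chain of checks concrete, here is an added Python model (not the author's configuration and not ASA or ISE code) of the decisions described by the ASA certificate map and tunnel-group options above and by the four ISE stages, including the UUID_VALIDATED comparison of the ACIDEX-reported device-uid against the UDID bound to the account and the DUO lookup keyed by the certificate's Initials field. The account store, the DUO alias table, the password and the session values are constructed for the example; ISE evaluates these as policy conditions, not as Python.

```python
"""Model of the authorization chain: ASA certificate map -> tunnel group,
username / secondary username from the certificate, ISE UUID_VALIDATED,
DUO MFA keyed by the certificate's Initials field, posture. Added example."""
from dataclasses import dataclass
from typing import Optional

# ASA: crypto ca certificate map OU-Map / certificate-group-map OU-Map SECURE-BANK-VPN
CERT_MAP_OU = "securebank-ra"
SECURE_TUNNEL_GROUP = "SECURE-BANK-VPN"
DEFAULT_TUNNEL_GROUP = "DefaultWEBVPNGroup"  # AC-DOWNLOAD policy: client download + SCEP enrollment

# ISE account store (constructed): username -> UDID written into the account description field.
ISE_ACCOUNTS = {"alice": "A" * 64}
ISE_PASSWORDS = {"alice": "correct-horse"}
# DUO (constructed): alias -> DUO user. The alias is the permitted PC's UDID, as in the article.
DUO_ALIASES = {"A" * 64: "alice"}


@dataclass(frozen=True)
class Certificate:
    cn: str        # username-from-certificate CN
    ou: str        # matched by the certificate map
    initials: str  # secondary-username-from-certificate I


@dataclass(frozen=True)
class Session:
    cert: Optional[Certificate]
    acidex_device_uid: str   # Cisco-AV-PAIR device-uid reported by AnyConnect via ACIDEX
    password: str
    duo_push_approved: bool  # the user approved the DUO push
    posture_compliant: bool


def tunnel_group_for(cert: Optional[Certificate]) -> str:
    """tunnel-group-map enable rules: OU match -> SECURE-BANK-VPN, anything else -> default.
    Compared case-insensitively: the map says securebank-ra, the profile writes SECUREBANK-RA."""
    if cert is not None and cert.ou.lower() == CERT_MAP_OU:
        return SECURE_TUNNEL_GROUP
    return DEFAULT_TUNNEL_GROUP


def authorize(s: Session) -> tuple:
    """Walk the four stages from the article; returns (result, reason)."""
    if tunnel_group_for(s.cert) == DEFAULT_TUNNEL_GROUP:
        # Stage 1: no usable certificate yet -> client download and enrollment only.
        return ("AC-DOWNLOAD", "stage 1: client download and certificate enrollment only")

    # Stage 2: the login is pre-filled from CN and cannot be edited; ISE checks the password.
    user = s.cert.cn
    if ISE_PASSWORDS.get(user) != s.password:
        return ("DENY", "stage 2: primary login/password failed")

    # UUID_VALIDATED: the UDID the agent reports must equal the UDID bound to the account.
    if ISE_ACCOUNTS.get(user) != s.acidex_device_uid:
        return ("DENY", "stage 2: UUID_VALIDATED false, device-uid not bound to this account")

    # Stage 3: the DUO username is the certificate's Initials field, i.e. the UDID in the cert.
    if DUO_ALIASES.get(s.cert.initials) != user:
        return ("DENY", "stage 3: DUO has no alias matching the certificate Initials value")
    if not s.duo_push_approved:
        return ("DENY", "stage 3: DUO push not approved")

    # Stage 3: posture; a non-compliant host stays behind the posture-redirect ACL.
    if not s.posture_compliant:
        return ("POSTURE-REDIRECT", "stage 3: host not compliant, posture-redirect ACL applied")

    return ("PERMIT", "stage 4: compliant + UDID validated + DUO + login + certificate")


# Constructed scenarios. The second one is what the design is built to stop: a valid
# certificate and password copied to another laptop whose agent reports a different UDID.
GOOD_CERT = Certificate(cn="alice", ou="SECUREBANK-RA", initials="A" * 64)
SCENARIOS = {
    "corporate laptop": Session(GOOD_CERT, "A" * 64, "correct-horse", True, True),
    "cert copied to other PC": Session(GOOD_CERT, "B" * 64, "correct-horse", True, True),
    "first connect, no cert": Session(None, "A" * 64, "correct-horse", False, False),
    "laptop missing patches": Session(GOOD_CERT, "A" * 64, "correct-horse", True, False),
}


def run_scenarios() -> dict:
    return {name: authorize(s)[0] for name, s in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:26s} -> {result}")
```

The model shows why the UDID has to appear in three places at once: in the certificate's Initials field (so DUO receives it as the username), in the account's description field on ISE (so UUID_VALIDATED has something to compare against) and in the live ACIDEX attribute from the agent (which the attacker who copied the certificate cannot forge without also being on the bound PC).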
Let's look at the certificate issued to the user and its Initials (I) field, which is used as the login for the secondary MFA authentication on Cisco DUO:
In the log of the DUO RADIUS Proxy we can clearly see how the authentication request is made: it arrives with the UDID as the username:
In the DUO portal we see a successful authentication event:
And in the user's properties I set an ALIAS, which I used for login; in turn, this is the UDID of the PC permitted to connect:
As a result we got:
- Multi-factor authentication of both the user and the device;
- Protection against spoofing of the user's device;
- Posture evaluation of the endpoint;
- Optional additional control with a domain machine certificate, etc.;
- A fully protected remote workplace with automatically installed security modules.
Links to the Cisco VPN article series:
- Deploying an ASA VPN Load-Balancing Cluster
- Configuring cloud services in the AnyConnect VPN tunnel on Cisco ASA
Source: www.habr.com