Let's take a serious look at using Windows Active Directory + NPS (two servers for fault tolerance) + the 802.1x standard for access control and authentication of users, domain computers and devices. You can read up on the theory in the corresponding Wikipedia article, link:
Since my "lab" is limited in resources, the NPS and domain controller roles can be combined, but I still recommend keeping critical services separate.
I don't know of a standard way to synchronize Windows NPS configuration (policies), so we will use PowerShell scripts launched by the Task Scheduler (the author of the scripts is a former colleague of mine). To authenticate domain computers and devices that are not capable of 802.1x (phones, printers, etc.), a group policy will be configured and security groups will be created.
At the end of the article I will describe some of the subtleties of working with 802.1x: how you can use unmanaged switches, dynamic ACLs, etc., and I will share information about the "glitches" we ran into.
Let's start with installing and configuring NPS failover on Windows Server 2012R2 (everything is the same on 2016): via Server Manager -> Add Roles and Features Wizard, select only Network Policy Server,
or use PowerShell:
Install-WindowsFeature NPAS -IncludeManagementTools
A small clarification: since Protected EAP (PEAP) definitely requires a certificate confirming the identity of the server (with the appropriate key usage) that the client computers trust, you will most likely also need to install the Certification Authority role. Here we assume that a CA has already been installed...
Let's do the same on the second server. Create a folder C:\Scripts for the scripts on both servers and a network share \\SRV2\NPS-config$ on the second server.
On the first server, create the PowerShell script C:\Scripts\Export-NPS-config.ps1 with the following content:
Export-NpsConfiguration -Path "\\SRV2\NPS-config$\NPS.xml"
After that, set up a task in Task Scheduler: "Export-NpsConfiguration"
powershell -executionpolicy unrestricted -f "C:ScriptsExport-NPS-config.ps1"
Run for all users - Run with highest privileges
Daily - Repeat task every 10 minutes for a duration of 8 hours
On the backup NPS, configure the import of the configuration (policies):
Create the PowerShell script:
echo Import-NpsConfiguration -Path "c:\NPS-config\NPS.xml" >> C:\Scripts\Import-NPS-config.ps1
and a task that runs it every 10 minutes:
powershell -executionpolicy unrestricted -f "C:ScriptsImport-NPS-config.ps1"
Run for all users - Run with highest privileges
Daily - Repeat task every 10 minutes for a duration of 8 hours
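The export/import sync above, as one added PowerShell script that is not from the original article: run it on either server and it writes the script file and registers the matching scheduled task. It assumes the paths and names from the text (C:\Scripts, \\SRV2\NPS-config$, c:\NPS-config) and runs the task as SYSTEM, which is my choice for "run for all users".

```powershell
# Added example: registers the NPS configuration sync task described in the article.
# Run with -Role Primary on the first NPS and -Role Backup on the second one.
# Paths follow the article; task names and the SYSTEM principal are assumptions.
param(
    [Parameter(Mandatory)][ValidateSet('Primary', 'Backup')][string]$Role
)

$scriptDir = 'C:\Scripts'
New-Item -ItemType Directory -Path $scriptDir -Force | Out-Null

if ($Role -eq 'Primary') {
    # The export contains RADIUS client shared secrets in clear text, so the
    # hidden share must be writable only by the primary's computer account
    # (SYSTEM accesses the share as SRV1$) and readable only by the backup.
    $scriptPath = Join-Path $scriptDir 'Export-NPS-config.ps1'
    Set-Content -Path $scriptPath -Value 'Export-NpsConfiguration -Path "\\SRV2\NPS-config$\NPS.xml"'
    $taskName = 'Export-NpsConfiguration'
} else {
    # The backup reads the file through the local path behind the share.
    $scriptPath = Join-Path $scriptDir 'Import-NPS-config.ps1'
    Set-Content -Path $scriptPath -Value 'Import-NpsConfiguration -Path "c:\NPS-config\NPS.xml"'
    $taskName = 'Import-NpsConfiguration'
}

# Same command line as the article's task: powershell -executionpolicy unrestricted -f <script>
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-executionpolicy unrestricted -f `"$scriptPath`""

# Daily at 00:00, repeated every 10 minutes for 8 hours (the article's trigger settings).
$trigger = New-ScheduledTaskTrigger -Daily -At '00:00'
$trigger.Repetition = (New-ScheduledTaskTrigger -Once -At '00:00' `
    -RepetitionInterval (New-TimeSpan -Minutes 10) `
    -RepetitionDuration (New-TimeSpan -Hours 8)).Repetition

# "Run with highest privileges" as SYSTEM, so no stored user password is needed.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Force | Out-Null
```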
Now, to test this, let's add to NPS on one of the servers (!) several switches as RADIUS clients (IP and Shared Secret), two connection request policies: WIRED-Connect (Condition: "NAS Port Type is Ethernet") and WiFi-Enterprise (Condition: "NAS Port Type is IEEE 802.11"), and also the network policy Access Cisco Network Devices (Network Admins):
Conditions:
Windows Groups - domain\sg-network-admins
Constraints:
Authentication Methods - Unencrypted authentication (PAP, SPAP)
Settings:
RADIUS Attributes: Standard - Service-Type - Login
Vendor Specific - Cisco-AV-Pair - Cisco - shell:priv-lvl=15
On the switch side, the following settings:
aaa new-model
aaa local authentication attempts max-fail 5
!
!
aaa group server radius NPS
server-private 192.168.38.151 auth-port 1812 acct-port 1813 key %shared_secret%
server-private 192.168.10.151 auth-port 1812 acct-port 1813 key %shared_secret%
!
aaa authentication login default group NPS local
aaa authentication dot1x default group NPS
aaa authorization console
aaa authorization exec default group NPS local if-authenticated
aaa authorization network default group NPS
!
aaa session-id common
!
identity profile default
!
dot1x system-auth-control
!
!
line vty 0 4
exec-timeout 5 0
transport input ssh
escape-character 99
line vty 5 15
exec-timeout 5 0
logging synchronous
transport input ssh
escape-character 99
Ten minutes after the configuration, all the clients should appear on the backup NPS, and we will be able to log in to the switches with an Active Directory account that is a member of the domain\sg-network-admins group (which we created earlier).
Let's move on to configuring Active Directory: create a group and a password policy, and create the required groups.
Group Policy Computers-8021x-Settings:
Computer Configuration (Enabled)
Policies
Windows Settings
Security Settings
System Services
Wired AutoConfig (Startup Mode: Automatic)
Wired Network (802.3) Policies
NPS-802-1x
Name NPS-802-1x
Description 802.1x
Global Settings
SETTING VALUE
Use Windows wired LAN network services for clients Enabled
Shared user credentials for network authentication Enabled
Network Profile
Security Settings
Enable use of IEEE 802.1X authentication for network access Enabled
Enforce use of IEEE 802.1X authentication for network access Disabled
IEEE 802.1X Settings
Computer Authentication Computer only
Maximum Authentication Failures 10
Maximum EAPOL-Start Messages Sent
Held Period (seconds)
Start Period (seconds)
Authentication Period (seconds)
Network Authentication Method Properties
Authentication method Protected EAP (PEAP)
Validate server certificate Enabled
Connect to these servers
Do not prompt user to authorize new servers or trusted certification authorities Disabled
Enable fast reconnect Enabled
Disconnect if server does not present cryptobinding TLV Disabled
Enforce network access protection Disabled
Authentication Method Configuration
Authentication method Secured password (EAP-MSCHAP v2)
Automatically use my Windows logon name and password(and domain if any) Enabled
Let's create a security group sg-computer-8021x-vl100, to which we will add the computers we want to place into vlan 100, and configure security filtering of the previously created group policy for this group:
You can verify that the policy applied successfully by opening "Network and Sharing Center (Network and Internet Settings) - Change adapter settings - Adapter Properties", where the "Authentication" tab is now visible:
Once you have made sure that the policy applied successfully, you can proceed to configuring the network policy on NPS and the switch ports.
Let's create a network policy neag-computer-8021x-vl100:
Conditions:
Windows Groups - sg-computers-8021x-vl100
NAS Port Type - Ethernet
Constraints:
Authentication Methods - Microsoft: Protected EAP (PEAP) - Unencrypted authentication (PAP, SPAP)
NAS Port Type - Ethernet
Settings:
Standard:
Framed-MTU 1344
TunnelMediumType 802 (includes all 802 media plus Ethernet canonical format)
TunnelPrivateGroupId 100
TunnelType Virtual LANs (VLAN)
Standard settings for the switch port (note that the "multi-domain" host mode is used - Data & Voice; authentication by MAC address is also possible). During the "transition period" it makes sense to use the parameters:
authentication event fail action authorize vlan 100
authentication event no-response action authorize vlan 100
Here the vlan id is not a "quarantine" vlan, but the very vlan the user's computer should land in after successful authentication, until we are sure that everything works as intended. The same parameters can be used in other scenarios, for example when an unmanaged switch is plugged into this port and you want every device behind it that fails authentication to end up in a specific ("quarantine") vlan.
Switch port settings in 802.1x host-mode multi-domain:
default int range Gi1/0/39-41
int range Gi1/0/39-41
shu
des PC-IPhone_802.1x
switchport mode access
switchport nonegotiate
switchport voice vlan 55
switchport port-security maximum 2
authentication event fail action authorize vlan 100
authentication event no-response action authorize vlan 100
authentication host-mode multi-domain
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout quiet-period 15
dot1x timeout tx-period 3
storm-control broadcast level pps 100
storm-control multicast level pps 110
no vtp
lldp receive
lldp transmit
spanning-tree portfast
no shu
exit
You can verify that your computer and phone passed authentication successfully with the command:
sh authentication sessions int Gi1/0/39 det
Now let's create a group in Active Directory for the phones (for example, sg-fgpp-mab) and add one device to it for testing (in my case a Grandstream GXP2160 with MAC address 000b.82ba.a7b1 and the corresponding domain account 000b82baa7b1).
For the created group we will lower the password policy requirements (using
This way we allow device MAC addresses to be used as passwords. After that we can create a network policy for the 802.1x mab authentication method; let's call it neag-devices-8021x-voice. The parameters are as follows:
- NAS Port Type - Ethernet
- Windows Groups - sg-fgpp-mab
- EAP Types: Unencrypted authentication (PAP, SPAP)
- RADIUS Attributes - Vendor Specific: Cisco - Cisco-AV-Pair - Attribute value: device-traffic-class=voice
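The three Active Directory steps above (group, relaxed password policy, device account whose password is its MAC), as an added PowerShell example that is not part of the original article; it takes the group name and the phone's MAC from the text, while the PSO name PSO-mab-devices and its precedence are assumptions.

```powershell
# Added example: Active Directory objects for MAB as described in the article.
# Requires the ActiveDirectory module (RSAT). Group name and MAC come from the
# text; the PSO name and precedence are assumptions.
Import-Module ActiveDirectory

$group = 'sg-fgpp-mab'
$mac   = '000b.82ba.a7b1'        # Grandstream GXP2160 from the article
# The switch sends the MAB username as the MAC without separators, lower case.
$account = ($mac -replace '[.:-]', '').ToLower()   # 000b82baa7b1

# 1. Group that the NPS network policy neag-devices-8021x-voice matches on.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security `
        -Description 'MAB devices: the MAC address is the password'
}

# 2. Fine-grained password policy scoped to this group only, so the default
#    domain policy for real users is not weakened. A MAC is 12 hex digits,
#    which fails complexity rules, hence complexity off and length 12.
$pso = 'PSO-mab-devices'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$pso'")) {
    New-ADFineGrainedPasswordPolicy -Name $pso -Precedence 10 `
        -ComplexityEnabled $false -MinPasswordLength 12 -PasswordHistoryCount 0
    Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $group
}

# 3. Device account: username = password = MAC. NPS validates it with PAP, so
#    no reversible encryption is needed. The account exists only for the RADIUS
#    check; the NPS policy limits it to NAS Port Type Ethernet and the voice domain.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$account'")) {
    $pw = ConvertTo-SecureString $account -AsPlainText -Force
    New-ADUser -Name $account -SamAccountName $account -AccountPassword $pw `
        -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description "MAB: Grandstream GXP2160 $mac"
}
Add-ADGroupMember -Identity $group -Members $account
```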
After successful authentication (don't forget to configure the switch port), let's look at the port information:
sh authentication sessions int Gi1/0/34 det
----------------------------------------
Interface: GigabitEthernet1/0/34
MAC Address: 000b.82ba.a7b1
IP Address: 172.29.31.89
User-Name: 000b82baa7b1
Status: Authz Success
Domain: VOICE
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0000000000000EB2000B8C5E
Acct Session ID: 0x00000134
Handle: 0xCE000EB3
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
Now, as promised, let's look at a couple of situations that are not entirely obvious. For example, we need to connect user computers and devices through an unmanaged switch. In that case the port settings will look like this:
Switch port settings in 802.1x host-mode multi-auth:
interface GigabitEthernet1/0/1
description *SW - 802.1x - 8 mac*
shu
switchport mode access
switchport nonegotiate
switchport voice vlan 55
switchport port-security maximum 8 ! increase the number of allowed MAC addresses
authentication event fail action authorize vlan 100
authentication event no-response action authorize vlan 100
authentication host-mode multi-auth ! <- authentication host mode
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout quiet-period 15
dot1x timeout tx-period 3
storm-control broadcast level pps 100
storm-control multicast level pps 110
no vtp
spanning-tree portfast
no shu
PS: we ran into a very strange glitch: if a device was connected through such a switch and then plugged into a managed switch, it will not work until we reboot (!) the switch; I have not found any other way to solve this problem yet.
Another point related to DHCP (if ip dhcp snooping is used): without these options
ip dhcp snooping vlan 1-100
no ip dhcp snooping information option
for some reason the IP address is not obtained correctly... although this may be a peculiarity of our DHCP server.
Also, Mac OS & Linux (which have native 802.1x support) try to authenticate the user even if authentication by MAC address is configured.
In the next part of the article we will look at using 802.1x for Wireless: depending on the group the user account belongs to, we will "throw" it into the corresponding network (vlan), even though the clients connect to the same SSID.
Source: www.habr.com