Implementing the concept of highly secure remote access

Continuing the series of articles on organising Remote Access VPN, I cannot help but share my experience of an interesting deployment of a highly secure VPN configuration. A non-trivial task was set by one customer (there are inventive people in Russian villages), but the challenge was accepted and implemented creatively. The result is an interesting concept with the following features:

  1. Several factors protecting against substitution of the terminal device (with strict binding to the user):
    • Checking that the user's computer matches the UDID of the permitted PC assigned to the user in the identity store;
    • MFA through Cisco DUO using the PC UDID taken from the issued certificate (any SAML/Radius-compatible provider can be attached);
  2. Multi-factor authentication:
    • User certificate with verification of its fields and secondary authentication against one of them;
    • Login (not editable, taken from the certificate) and password;
  3. Posture assessment of the connecting host (Posture)

Components of the solution used:

  • Cisco ASA (VPN Gateway);
  • Cisco ISE (Authentication / Authorization / Accounting, posture assessment, CA);
  • Cisco DUO (multi-factor authentication) (any SAML/Radius-compatible provider can be attached);
  • Cisco AnyConnect (multi-purpose agent for workstations and mobile operating systems);

Let's start with the customer's requirements:

  1. The user must be able, after Login/Password authentication, to download the AnyConnect client from the VPN gateway; all required AnyConnect components must be installed automatically in accordance with the user's policy;
  2. The user must be able to obtain a certificate automatically (for one of the scenarios; the main scenario is manual issuance and loading onto the PC), but I implemented automatic issuance for demonstration purposes (it is never too late to remove it).
  3. Primary authentication must take place in several stages: first, certificate authentication with analysis of the required fields and their values, then login/password, but this time the username specified in the certificate's Subject Name (CN) field must be placed into the login window without the ability to edit it.
  4. It must be verified that the device the user connects from is the corporate laptop issued to the user for remote access, and nothing else. (Several options were implemented to meet this requirement)
  5. The state of the connecting device (at this stage, a PC) must be assessed by checking a whole hefty table of customer requirements (in summary):
    • Files and their properties;
    • Registry entries;
    • OS patches from the provided list (SCCM integration later);
    • Presence of an antivirus from a specific vendor and up-to-date signatures;
    • Activity of certain services;
    • Presence of certain installed programs;

To begin with, I strongly suggest watching the video demonstration of the resulting implementation on YouTube (5 minutes).

Now I propose to go through the implementation details that are not covered in the video.

Let's prepare the AnyConnect profile:

I already gave an example of creating a profile (in terms of the menu item in ASDM) in my article on setting up a VPN Load Balancing Cluster. Now I would like to point out separately the options we will need:

In the profile we specify the VPN gateway and the profile name for binding to the endpoint client:

Let's configure automatic certificate issuance from the profile side, specifying, in particular, the certificate parameters, and pay special attention to the Initials (I) field, where a specific value is entered manually: the UDID of the test machine (the Unique Device Identifier generated by the Cisco AnyConnect client).

Here I want to make a lyrical digression, since this article describes a concept: for demonstration purposes, the UDID used for certificate issuance is entered in the Initials field of the AnyConnect profile. Of course, if you do this in real life, all clients will receive a certificate with the same UDID in this field and nothing will work for them, since each of them needs the UDID of their own specific PC. Unfortunately, AnyConnect does not support substituting the UDID into the certificate request fields of the profile through an environment variable, as it does, for example, with the %USER% variable.

It is worth noting that the customer (in this scenario) initially planned to issue the UDID certificates independently, in manual mode, to the protected PCs, which was not a problem for him. However, most of us want automation (well, for me it is true =)).

And this is what I can offer in terms of automation. Since AnyConnect is not yet able to issue a certificate automatically with the UDID substituted dynamically, there is another way that requires a little creative thinking and skilled hands; I will describe the idea. First, let's look at how the AnyConnect agent generates the UDID on different operating systems:

  • Windows - SHA-256 hash of the combination of the DigitalProductID and the Machine SID registry key
  • OSX - SHA-256 hash of the PlatformUUID
  • Linux - SHA-256 hash of the UUID of the root partition
  • Apple iOS - SHA-256 hash of the PlatformUUID
  • Android – see the documentation link

Accordingly, we write a script for our corporate Windows OS; in this script we compute the UDID from the known inputs and build a certificate request, inserting this UDID into the required field. By the way, you can also use a machine certificate issued by AD (adding a second certificate-based authentication to the scheme via the Multiple Certificate feature).

Let's prepare the settings on the Cisco ASA side:

Let's create a TrustPoint for the ISE CA server, which will issue certificates to clients. I will not cover the Key-Chain import procedure; an example is described in my article on setting up a VPN Load Balancing Cluster.

crypto ca trustpoint ISE-CA
 enrollment terminal
 crl configure

We configure Tunnel-Group assignment based on rules that match the certificate fields used for authentication. The AnyConnect profile we created in the previous step is also configured here. Please note that I use the value SECUREBANK-RA to route users holding an issued certificate into the tunnel group SECURE-BANK-VPN; this is the same value I set in the certificate request section of the AnyConnect profile.

tunnel-group-map enable rules
!
crypto ca certificate map OU-Map 6
 subject-name attr ou eq securebank-ra
!
webvpn
 anyconnect profiles SECUREBANK disk0:/securebank.xml
 certificate-group-map OU-Map 6 SECURE-BANK-VPN
!

Setting up the authentication servers. In my case, this is ISE for the first stage of authentication and DUO (Radius Proxy) as MFA.

! CISCO ISE
aaa-server ISE protocol radius
 authorize-only
 interim-accounting-update periodic 24
 dynamic-authorization
aaa-server ISE (inside) host 192.168.99.134
 key *****
!
! DUO RADIUS PROXY
aaa-server DUO protocol radius
aaa-server DUO (inside) host 192.168.99.136
 timeout 60
 key *****
 authentication-port 1812
 accounting-port 1813
 no mschapv2-capable
!

We create the group policies and tunnel groups together with their auxiliary components:

The tunnel group DefaultWEBVPNGroup will be used primarily to download the AnyConnect VPN client and to issue the user certificate via the ASA SCEP-Proxy feature; for this we enable the corresponding options both in the tunnel group itself and in the associated group policy AC-DOWNLOAD, and in the uploaded AnyConnect profile (certificate issuance fields, etc.). In this group policy we also specify that the ISE Posture Module must be downloaded.

The tunnel group SECURE-BANK-VPN will be used automatically by the client when authenticating with the certificate issued in the previous stage, since, according to the Certificate Map, the connection will land specifically in this tunnel group. The interesting options here are:

  • secondary-authentication-server-group DUO # Configure secondary authentication against the DUO server (Radius Proxy)
  • username-from-certificate CN # For primary authentication we take the user's login from the CN field of the certificate
  • secondary-username-from-certificate I # For secondary authentication on the DUO server we use the username extracted from the Initials (I) field of the certificate
  • pre-fill-username client # Pre-fill the username in the authentication window without the ability to change it
  • secondary-pre-fill-username client hide use-common-password push # We hide the login/password window for the DUO secondary authentication and use the notification method (sms/push/phone) to request confirmation instead of a password field here

!
access-list posture-redirect extended permit tcp any host 72.163.1.80 
access-list posture-redirect extended deny ip any any
!
access-list VPN-Filter extended permit ip any any
!
ip local pool vpn-pool 192.168.100.33-192.168.100.63 mask 255.255.255.224
!
group-policy SECURE-BANK-VPN internal
group-policy SECURE-BANK-VPN attributes
 dns-server value 192.168.99.155 192.168.99.130
 vpn-filter value VPN-Filter
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelall
 default-domain value ashes.cc
 address-pools value vpn-pool
 webvpn
  anyconnect ssl dtls enable
  anyconnect mtu 1300
  anyconnect keep-installer installed
  anyconnect ssl keepalive 20
  anyconnect ssl rekey time none
  anyconnect ssl rekey method ssl
  anyconnect dpd-interval client 30
  anyconnect dpd-interval gateway 30
  anyconnect ssl compression lzs
  anyconnect dtls compression lzs
  anyconnect modules value iseposture
  anyconnect profiles value SECUREBANK type user
!
group-policy AC-DOWNLOAD internal
group-policy AC-DOWNLOAD attributes
 dns-server value 192.168.99.155 192.168.99.130
 vpn-filter value VPN-Filter
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelall
 default-domain value ashes.cc
 address-pools value vpn-pool
 scep-forwarding-url value http://ise.ashes.cc:9090/auth/caservice/pkiclient.exe
 webvpn
  anyconnect ssl dtls enable
  anyconnect mtu 1300
  anyconnect keep-installer installed
  anyconnect ssl keepalive 20
  anyconnect ssl rekey time none
  anyconnect ssl rekey method ssl
  anyconnect dpd-interval client 30
  anyconnect dpd-interval gateway 30
  anyconnect ssl compression lzs
  anyconnect dtls compression lzs
  anyconnect modules value iseposture
  anyconnect profiles value SECUREBANK type user
!
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool vpn-pool
 authentication-server-group ISE
 accounting-server-group ISE
 default-group-policy AC-DOWNLOAD
 scep-enrollment enable
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication aaa certificate
!
tunnel-group SECURE-BANK-VPN type remote-access
tunnel-group SECURE-BANK-VPN general-attributes
 address-pool vpn-pool
 authentication-server-group ISE
 secondary-authentication-server-group DUO
 accounting-server-group ISE
 default-group-policy SECURE-BANK-VPN
 username-from-certificate CN
 secondary-username-from-certificate I
tunnel-group SECURE-BANK-VPN webvpn-attributes
 authentication aaa certificate
 pre-fill-username client
 secondary-pre-fill-username client hide use-common-password push
 group-alias SECURE-BANK-VPN enable
 dns-group ASHES-DNS
!

Next, we move on to ISE:

We set up a local user (you can use AD/LDAP/ODBC, etc.); for simplicity, I created a local user in ISE itself and put into its Description field the UDID of the PC that is allowed to log in via VPN. When using the local identity store in ISE I am limited to a single device, since there are no more fields, but a third-party identity store would not have such a limitation.

Let's look at the authorization policy; it is divided into four stages of the connection:

  • Stage 1 - Policy for downloading the AnyConnect agent and issuing the certificate
  • Stage 2 - Primary authentication policy: Login (from the certificate)/Password + certificate with a valid UDID
  • Stage 3 - Secondary authentication via Cisco DUO (MFA) using the UDID as the username + posture assessment
  • Stage 4 - Final authorization in the state:
    • Compliant;
    • UDID validated (from the certificate + login binding);
    • Cisco DUO MFA passed;
    • Login authenticated;
    • Certificate authenticated;

Let's look at the interesting condition UUID_VALIDATED; it checks whether the user really connected from a PC whose permitted UDID is bound in the Description field of the account. The conditions look like this:

The authorization profiles used in stages 1, 2 and 3 are as follows:

You can check exactly how the UDID from the AnyConnect client reaches us by looking at the client session details in ISE. In the details we will see that AnyConnect, through the ACIDEX mechanism, sends not only information about the platform but also the UDID of the device as a Cisco-AV-PAIR:
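
To make the UUID_VALIDATED condition and the certificate-to-tunnel-group mapping concrete, here is an added Python model of the checks ISE and the ASA perform for one session (this is illustrative code, not part of the original article or of any Cisco product). It assumes the AV-pair is named device-uid, that the identity store is a plain dict, and uses a constructed UDID.

```python
import re

# Constructed sample values (not from the article): the 64-hex UDID of the
# authorised laptop and the ISE account record with that UDID in Description.
AUTHORISED_UDID = "3f" * 32
IDENTITY_STORE = {"alice": {"description": AUTHORISED_UDID}}

HEX64 = re.compile(r"^[0-9a-f]{64}$")


def parse_subject(dn):
    """Split a Subject DN like 'CN=alice,OU=SECUREBANK-RA,I=<udid>' into a dict."""
    parts = (p.split("=", 1) for p in dn.split(","))
    return {k.strip().upper(): v.strip() for k, v in parts}


def tunnel_group_for(subject):
    """Mirror the ASA rule 'subject-name attr ou eq securebank-ra' -> SECURE-BANK-VPN."""
    if subject.get("OU", "").lower() == "securebank-ra":
        return "SECURE-BANK-VPN"
    return "DefaultWEBVPNGroup"


def reported_udid(av_pairs):
    """Extract the device UDID that AnyConnect sends via ACIDEX as a Cisco-AV-PAIR.
    The attribute name 'device-uid' is an assumption of this example."""
    for pair in av_pairs:
        name, _, value = pair.partition("=")
        if name == "device-uid":
            return value.lower()
    return None


def evaluate(subject_dn, av_pairs, login_user, posture_compliant):
    """Return the per-check results and the final decision for one session."""
    subject = parse_subject(subject_dn)
    cn, initials = subject.get("CN"), subject.get("I", "").lower()
    record = IDENTITY_STORE.get(cn, {})
    checks = {
        "CERT_OK": bool(cn) and HEX64.match(initials) is not None,
        "LOGIN_BOUND": login_user == cn,  # pre-fill-username: login is the CN, not editable
        # UUID_VALIDATED: certificate Initials, ACIDEX UDID and account Description agree
        "UDID_VALIDATED": initials == reported_udid(av_pairs) == record.get("description"),
        "COMPLIANT": posture_compliant,
    }
    return {
        "tunnel_group": tunnel_group_for(subject),
        "duo_username": initials,  # secondary-username-from-certificate I
        "checks": checks,
        "decision": "PERMIT" if all(checks.values()) else "DENY",
    }
```

The same certificate presented from a different machine fails UDID_VALIDATED because the ACIDEX-reported UDID no longer matches the Initials field and the account record.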

Let's pay attention to the certificate issued to the user and its Initials (I) field, which is used as the login for the secondary MFA authentication in Cisco DUO:

On the DUO Radius Proxy side, the log clearly shows how the authentication request is made: it arrives with the UDID as the username:

In the DUO portal we see a successful authentication event:

And in the user properties I set the alias that I used for the login, which in turn is the UDID of the PC allowed to log in:

As a result we got:

  • Multi-factor authentication of the user and the device;
  • Protection against substitution of the user's device;
  • Device posture assessment;
  • The possibility of tightening control with a domain machine certificate, etc.;
  • Comprehensive protection of the remote workstation with automatically deployed security components;

Links to the articles in the Cisco VPN series:

Source: www.habr.com
