Cisco ISE: Introduction, requirements, installation. Part 1


1. Introduction

Every company, even the smallest, needs user authentication, authorization and accounting (the AAA family of protocols). At the first stage, AAA is served perfectly well by protocols such as RADIUS, TACACS+ and DIAMETER. However, as the number of users and the company itself grow, so does the number of tasks: a large number of endpoints and BYOD devices, multi-factor authentication, building a multi-level access policy, and much more.

For such tasks, the NAC (Network Access Control) class of solutions is the right fit. In this series of articles devoted to Cisco ISE (Identity Services Engine), a NAC solution that provides context-aware access control for users of the internal network, we will look in detail at the solution's architecture, deployment, configuration and licensing.

Let me briefly remind you that Cisco ISE lets you:

  • Quickly and easily set up guest access on a dedicated WLAN;

  • Detect BYOD devices (for example, employees' home PCs that they brought to work);

  • Centrally apply and enforce security policies for domain and non-domain users using security group tags (SGT, TrustSec);

  • Check computers for specific installed software and for compliance with standards (posturing);

  • Classify and profile endpoints and network devices;

  • Provide endpoint visibility;

  • Send user logon/logoff events and their accounts (identity) to an NGFW to build user-based policy;

  • Integrate with Cisco StealthWatch and isolate (quarantine) suspicious users involved in security incidents;

  • And other functions typical of AAA servers.

Industry colleagues have already written about Cisco ISE, so I recommend reading: Cisco ISE implementation practice, How to prepare for a Cisco ISE implementation.

2. Architecture

The Identity Services Engine architecture consists of 4 entities (nodes): the Policy Administration Node, the Policy Service Node, the Monitoring Node and the PxGrid Node. Cisco ISE can be deployed in a Standalone or a Distributed configuration. In the Standalone variant, all entities reside on a single virtual machine or physical server (Secure Network Servers, SNS), whereas in the Distributed variant the nodes are spread across different devices.

The Policy Administration Node (PAN) is a mandatory node that lets you perform all administrative operations in Cisco ISE. It handles all system configuration related to AAA. In a distributed configuration (nodes can be installed as separate virtual machines), you can have a maximum of two PANs for fault tolerance, in Active/Standby mode.

The Policy Service Node (PSN) is a mandatory node that provides network access, posture, guest access, client provisioning and profiling. The PSN evaluates the policy and enforces it. Typically several PSNs are installed, especially in a distributed configuration, for redundancy and load distribution. Ideally, these nodes are placed in different segments so that the ability to provide authenticated and authorized access is never lost, even for a second.

The Monitoring Node (MnT) is a mandatory node that stores event logs, the logs of the other nodes, and network policies. The MnT node provides advanced monitoring and troubleshooting tools, collects and correlates various data, and produces meaningful reports. Cisco ISE lets you have two MnT nodes, thereby providing fault tolerance in Active/Standby mode. Note, however, that logs are collected by both nodes, active and standby.

The PxGrid Node (PXG) is a node that uses the PxGrid protocol and enables communication between other devices that support PxGrid.

PxGrid is a protocol that provides integration between IT and information-security products from different vendors: monitoring systems, intrusion detection and prevention systems, security policy management platforms and many other solutions. Cisco PxGrid lets you share context unidirectionally or bidirectionally with many platforms without the need for APIs, and thereby enables technologies such as TrustSec (SGT tags), changing and applying ANC (Adaptive Network Control) policy, and profiling, that is, identifying the device model, OS, location and more.

In a high-availability configuration, PxGrid nodes replicate information between the nodes through the PAN. If the PAN is down, the PxGrid node stops authenticating, authorizing and accounting for users.

Below is a diagram of how the different Cisco ISE entities operate in a corporate network.

Figure 1. Cisco ISE architecture
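The node rules in the architecture section above (PAN, PSN and MnT mandatory; at most two PANs and two MnT nodes as Active/Standby pairs; PSNs best spread across segments; PxGrid depending on the PAN) are easy to violate when a deployment plan is drawn up by hand. The following checker is an added example, not code from the article or from Cisco: it encodes only those stated rules, and the node names, the Node/Finding structures and the two-site sample plan are this example's own assumptions. It also shows, by marking nodes down, how a PAN outage affects PxGrid context sharing as the text describes.

```python
"""Check a planned Cisco ISE deployment against the node rules stated in
the architecture section (added example, not the article's or Cisco's code).

Encoded rules, all taken from the text:
  - PAN, PSN and MnT are mandatory roles.
  - At most two PANs and two MnT nodes (Active/Standby pairs).
  - Several PSNs are usual; spreading them across segments avoids losing
    authentication/authorization when one segment fails.
  - PxGrid nodes replicate through the PAN, so PxGrid needs a PAN that is up.
Node names, the Node/Finding structures and the sample plan are assumptions.
"""
from dataclasses import dataclass

ROLES = ("PAN", "PSN", "MNT", "PXG")


@dataclass
class Node:
    name: str
    roles: frozenset      # subset of ROLES; a standalone node carries all of them
    segment: str          # site or network segment hosting the node
    up: bool = True       # False models an outage in simulations


@dataclass
class Finding:
    severity: str         # "error" (plan is invalid) or "warning" (no HA)
    message: str


def nodes_with(nodes, role, only_up=False):
    """Nodes carrying a role, optionally restricted to nodes that are up."""
    return [n for n in nodes if role in n.roles and (n.up or not only_up)]


def validate(nodes):
    """Return findings for a plan; an empty list means every rule holds and
    every HA-capable role is redundant."""
    findings = []
    for role in ("PAN", "PSN", "MNT"):
        if not nodes_with(nodes, role):
            findings.append(Finding("error", f"no {role} node: this role is mandatory"))
    for role in ("PAN", "MNT"):
        count = len(nodes_with(nodes, role))
        if count > 2:
            findings.append(Finding("error", f"{count} {role} nodes: at most two (Active/Standby) are supported"))
        elif count == 1:
            findings.append(Finding("warning", f"single {role} node: no Active/Standby fault tolerance"))
    psns = nodes_with(nodes, "PSN")
    if len(psns) == 1:
        findings.append(Finding("warning", "single PSN: no redundancy or load distribution"))
    elif len(psns) > 1 and len({n.segment for n in psns}) == 1:
        findings.append(Finding("warning", "all PSNs share one segment: a segment outage removes all authentication"))
    return findings


def pxgrid_operational(nodes):
    """PxGrid context sharing works only while some PxGrid node and some PAN are up."""
    return bool(nodes_with(nodes, "PXG", only_up=True)) and bool(nodes_with(nodes, "PAN", only_up=True))


def with_outage(nodes, down_names):
    """Copy of the plan with the named nodes marked down (the original plan is untouched)."""
    return [Node(n.name, n.roles, n.segment, up=n.up and n.name not in down_names) for n in nodes]


# Constructed sample: a distributed deployment across two sites, PAN and MnT
# co-located on two appliances, a PSN per site and one PxGrid node.
SAMPLE_PLAN = [
    Node("ise-pan-1", frozenset({"PAN", "MNT"}), "dc-a"),
    Node("ise-pan-2", frozenset({"PAN", "MNT"}), "dc-b"),
    Node("ise-psn-1", frozenset({"PSN"}), "dc-a"),
    Node("ise-psn-2", frozenset({"PSN"}), "dc-b"),
    Node("ise-pxg-1", frozenset({"PXG"}), "dc-a"),
]

if __name__ == "__main__":
    for f in validate(SAMPLE_PLAN):
        print(f"{f.severity}: {f.message}")
    both_pans_down = with_outage(SAMPLE_PLAN, {"ise-pan-1", "ise-pan-2"})
    print("PxGrid usable with both PANs down:", pxgrid_operational(both_pans_down))
```

Running the script against the sample plan produces no findings, while a single Standalone node yields one warning per HA-capable role, which is the trade-off the Standalone variant makes.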

3. Requirements

Cisco ISE, like most modern solutions, can be deployed either virtually or physically as a separate server.

The physical appliances that run Cisco ISE software are called SNS (Secure Network Server). They come in three models: SNS-3615, SNS-3655 and SNS-3695, for small, medium and large businesses. Table 1 shows information from the SNS data sheet.

Table 1. SNS comparison table for different sizes

| Parameter | SNS 3615 (Small) | SNS 3655 (Medium) | SNS 3695 (Large) |
|---|---|---|---|
| Number of endpoints supported in a Standalone deployment | 10000 | 25000 | 50000 |
| Number of endpoints supported per PSN | 10000 | 25000 | 100000 |
| CPU (Intel Xeon 2.10 GHz) | 8 cores | 12 cores | 12 cores |
| RAM | 32 GB (2 x 16 GB) | 96 GB (6 x 16 GB) | 256 GB (16 x 16 GB) |
| HDD | 1 x 600 GB | 4 x 600 GB | 8 x 600 GB |
| Hardware RAID | No | RAID 10, RAID controller present | RAID 10, RAID controller present |
| Network interfaces | 2 x 10Gbase-T, 4 x 1Gbase-T | 2 x 10Gbase-T, 4 x 1Gbase-T | 2 x 10Gbase-T, 4 x 1Gbase-T |

As for virtual deployments, the supported hypervisors are VMware ESXi (VMware hardware version 11 or later is recommended for ESXi 6.0), Microsoft Hyper-V and Linux KVM (RHEL 7.0). The resources should match those in the table above, or exceed them. That said, the minimum virtual machine requirements for small businesses are: 2 CPUs at 2.0 GHz or faster, 16 GB of RAM and 200 GB of HDD.

For other details of Cisco ISE deployment, please contact us or see resource #1 and resource #2.

4. Installation

Like other Cisco products, ISE can be tried out in several ways:

  • dCloud, a cloud service with pre-built lab environments (a Cisco account is required);

  • GVE request, a request to Cisco for specific software (a partner option). You open a case with the following typical description: Product Type [ISE], ISE Software [ise-2.7.0.356.SPA.x8664], ISE Patch [ise-patchbundle-2.7.0.356-Patch2-20071516.SPA.x8664];

  • pilot project: contact any authorized partner to run a free pilot project.

1) After creating the virtual machine, if you requested an ISO file rather than an OVA template, a window will appear in which ISE asks you to start the installation. To do this, instead of a login and password, you should type "setup"!

Note: if you deployed ISE from the OVA template, the login credentials are admin/MyIseYPass2 (this and much more is listed in the official guide).

Figure 2. Installing Cisco ISE

2) Next, fill in the required fields such as IP address, DNS, NTP and so on.

Figure 3. Initializing Cisco ISE

3) After that, the appliance will reboot, and you will be able to connect to the web interface using the IP address specified earlier.

Figure 4. Cisco ISE web interface

4) In the Administration > System > Deployment tab you can choose which nodes (entities) are enabled on the given appliance. The PxGrid node is enabled here.

Figure 5. Cisco ISE entity management

5) Then, in the Administration > System > Admin Access > Authentication tab, I recommend setting up the password policy, the authentication method (certificate or password), the account expiration date and the other settings.

Figure 6. Authentication type configuration

Figure 7. Password policy settings

Figure 8. Setting account lockout after expiration

Figure 9. Setting account lockout

6) In the Administration > System > Admin Access > Administrators > Admin Users > Add tab you can create a new administrator.

Figure 10. Creating a local Cisco ISE administrator

7) The new administrator can be made a member of a new group or of the predefined groups. Administrator groups are managed in the same panel, on the Admin Groups tab. Table 2 summarizes the ISE administrators, their rights and roles.

Table 2. Cisco ISE admin groups, access levels, permissions and restrictions

| Admin group name | Permissions | Restrictions |
|---|---|---|
| Customization Admin | Create guest and sponsor portals, manage and customize them | Cannot change policies or view reports |
| Helpdesk Admin | Can view the main dashboard, all reports, alarms and troubleshooting flows | Cannot change, create or delete reports, alarms and authentication records |
| Identity Admin | Manage users, privileges and roles; can view reports and alarms | Cannot change policies or perform OS-level operations |
| MnT Admin | Full monitoring, reports, alarms, logs and their management | Cannot change any policies |
| Network Device Admin | Rights to create and edit ISE objects, view logs, reports and the main dashboard | Cannot change policies or perform OS-level operations |
| Policy Admin | Full management of all policies, editing of profiles, settings and monitoring reports | Cannot configure authentication credentials or ISE objects |
| RBAC Admin | All settings in the Operations tab, ANC policy settings, report management | Cannot change policies other than ANC or perform OS-level operations |
| Super Admin | Rights to all settings, reporting and management; can delete and change administrator credentials | Cannot change or delete another member of the Super Admin group |
| System Admin | All settings in the Operations tab, management of system settings, ANC policy, monitoring reports | Cannot change policies other than ANC or perform OS-level operations |
| External RESTful Services (ERS) Admin | Full access to the Cisco ISE REST API | Only for authorization, management of local users, endpoints and security groups (SG) |
| External RESTful Services (ERS) Operator | Cisco ISE REST API read permissions | Only for authorization, management of local users, endpoints and security groups (SG) |

Figure 11. Predefined Cisco ISE administrator groups

8) Optionally, in the Authorization > Permissions > RBAC Policy tab you can adjust the rights of the predefined administrators.

Figure 12. Managing the rights of the preset Cisco ISE administrator profiles

9) In the Administration > System > Settings tab all system settings are available (DNS, NTP, SMTP and so on). You can fill them in here if you skipped them during appliance initialization.
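Table 2 distinguishes an ERS Admin (full REST API access) from an ERS Operator (read permissions only). The practical consequence is that monitoring or inventory scripts should run under an Operator account, so that a leaked automation credential cannot change configuration. The client below is an added example, not code from the article or from Cisco; it assumes the standard ERS conventions (HTTPS on TCP port 9060, HTTP Basic authentication, JSON selected through the Accept header, and list responses wrapped in a "SearchResult" object with "total" and "resources"). The host name, the account name and the sample response are constructed for illustration.

```python
"""Read ISE configuration through the External RESTful Services (ERS) API
under a least-privilege (ERS Operator) account.

Added example, not the article's or Cisco's code. Assumed ERS conventions:
HTTPS on port 9060, HTTP Basic auth, JSON via the Accept header, and list
responses shaped as {"SearchResult": {"total": N, "resources": [...]}}.
Host, account and sample data are constructed.
"""
import json
import ssl
import urllib.request
from base64 import b64encode

ERS_PORT = 9060   # ERS listens separately from the admin GUI


def build_ers_request(host, resource, username, password):
    """Build a GET for one ERS collection, e.g. resource='internaluser'."""
    token = b64encode(f"{username}:{password}".encode()).decode()
    url = f"https://{host}:{ERS_PORT}/ers/config/{resource}"
    return urllib.request.Request(url, method="GET", headers={
        "Authorization": f"Basic {token}",
        "Accept": "application/json",
    })


def parse_search_result(body):
    """Return (total, [(id, name), ...]) from an ERS list response body."""
    result = json.loads(body)["SearchResult"]
    return result["total"], [(r["id"], r["name"]) for r in result["resources"]]


def list_resource(host, resource, username, password, cafile):
    """Fetch and parse one collection over a verified TLS session.

    The CA bundle is a required argument so that the ISE admin certificate is
    checked against a known CA instead of being trusted blindly.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    req = build_ers_request(host, resource, username, password)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return parse_search_result(resp.read())


# Constructed sample in the ERS SearchResult shape (ids and names made up).
SAMPLE_RESPONSE = json.dumps({
    "SearchResult": {
        "total": 2,
        "resources": [
            {"id": "00000000-0000-0000-0000-000000000001", "name": "alice"},
            {"id": "00000000-0000-0000-0000-000000000002", "name": "bob"},
        ],
    }
})

if __name__ == "__main__":
    # Offline demonstration: show the request that would be sent and parse the sample.
    req = build_ers_request("ise.example.invalid", "internaluser", "ers-reader", "secret")
    print(req.get_method(), req.full_url)
    total, users = parse_search_result(SAMPLE_RESPONSE)
    print(f"{total} internal users:", users)
```

The "ers-reader" account in the demonstration stands for a member of the ERS Operator group; a write operation attempted with it should be rejected by ISE, which is exactly the separation table 2 describes.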

5. Conclusion

This concludes the first article. We discussed the relevance of the Cisco ISE NAC solution, its architecture, minimum requirements and deployment options, and the initial installation.

In the next article we will look at creating accounts, integrating with Microsoft Active Directory, and setting up guest access.

If you have questions on this topic or need help testing the product, please contact us via the link.

Stay tuned for news on our channels (Telegram, Facebook, VK, TS Solution Blog, Yandex Zen).

Source: www.habr.com
