Implementing the concept of highly secure remote access

Continuing the series of articles on configuring Remote Access VPN, I cannot help but share my interesting experience of deploying a highly secure VPN configuration. A non-trivial task was set by one customer (every village has its inventors), but the challenge was accepted and implemented creatively. The result is an interesting concept with the following characteristics:

  1. Several layers of protection against spoofing of the terminal device (with hard binding to the user);
    • Checking that the user's PC matches the UDID assigned to the permitted PC in the authentication database;
    • MFA using the PC UDID taken from the certificate as the second-factor identity via Cisco DUO (any SAML/RADIUS-compatible provider can be plugged in);
  2. Multi-factor authentication:
    • A user certificate with validation of its fields, and secondary authentication against one of those fields;
    • Login (immutable, taken from the certificate) and password;
  3. Posture assessment of the connecting host

Solution components used:

  • Cisco ASA (VPN gateway);
  • Cisco ISE (Authentication / Authorization / Accounting, posture assessment, CA);
  • Cisco DUO (multi-factor authentication) (any SAML/RADIUS-compatible provider can be plugged in);
  • Cisco AnyConnect (multi-purpose agent for workstations and mobile OS);

Let's start with the customer's requirements:

  1. The user must, after Login/Password authentication, be able to download the AnyConnect client from the VPN gateway; all required AnyConnect modules must be installed automatically according to the user's policy;
  2. The user should be able to obtain a certificate automatically (for one of the scenarios; the main scenario is manual issuance and installation on the PC), but I implemented the automatic variant for the demo (it is never too late to remove it).
  3. Primary authentication must take place in several stages: first certificate authentication with a check of the required fields and their values, then login/password, and at this point only the username specified in the certificate's Subject Name (CN) field may be substituted into the login window, with no ability to change it.
  4. It must be verified that the device the user logs in from is the corporate laptop issued to that user for remote access, and not something else. (Several options were implemented to satisfy this requirement)
  5. The state of the connecting device (at this stage a PC) must be checked against a rather weighty table of customer requirements (summary):
    • Files and their properties;
    • Registry entries;
    • OS patches from a supplied list (later, SCCM integration);
    • Presence of an antivirus from a specific vendor and freshness of its signatures;
    • Specific services running;
    • Presence of specific installed programs;

To begin with, I suggest you actually watch the video demonstration of the implementation posted on YouTube (5 minutes).

Now I propose to go through the implementation details that did not make it into the video.

Let's prepare the AnyConnect profile:

I already gave an example of creating a profile (via the corresponding ASDM menu item) in my article on configuring VPN Load Balancing. Now I would like to look separately at the options we will need:

In the profile we specify the VPN gateway and the profile name for connecting to the end host:

(screenshot)

Let's set up automatic certificate issuance from the profile side, specifying the certificate parameters and, in particular, paying attention to the Initials (I) field, into which a specific value is entered by hand: the UDID of the test machine (the unique device identifier generated by the Cisco AnyConnect client).

(screenshot)

Here I want to digress, since this article describes a concept: for demonstration purposes the UDID for certificate issuance is entered into the Initials field of the AnyConnect profile. Of course, in real life, if you do this, all clients will receive a certificate with the same UDID in this field and nothing will work for them, since each needs the UDID of its own PC. Unfortunately, AnyConnect has not yet implemented substitution of the UDID into the certificate-request section of the profile via a variable, as it does, for example, with the %USER% variable.

It is worth noting that the customer (in this scenario) initially plans to issue certificates manually, with the UDID set by hand, to the protected PCs, which is not a problem for them. However, most of us want automation (well, I certainly do =)).

And here is what I can offer for automation. If AnyConnect cannot yet issue a certificate by substituting the UDID automatically, there is another way that requires a little creative thinking and skilled hands; I will give you the idea. First, let's look at how the AnyConnect agent generates the UDID on different operating systems:

  • Windows – SHA-256 hash of the combination of the DigitalProductID and the Machine SID registry values
  • OS X – SHA-256 hash of the PlatformUUID
  • Linux – SHA-256 hash of the root partition UUID
  • Apple iOS – SHA-256 hash of the PlatformUUID
  • Android – see the documentation at the link

Accordingly, we write a script for our corporate Windows OS: it computes the UDID locally from the known inputs and forms a certificate request with this UDID inserted into the required field. Incidentally, you can additionally use a machine certificate issued by AD (adding a second certificate-based authentication under the Multiple Certificate scheme).
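As an added example (not code from the original article), here is what such a Windows script could look like in PowerShell. It reads the two registry inputs named above, hashes them, and writes a certreq INF that places the result in the Initials (I) field with OU=SECUREBANK-RA, so that the ASA certificate map configured later sends the user into the SECURE-BANK-VPN tunnel group. The article only says "SHA-256 of the combination of DigitalProductID and Machine SID", so the exact byte layout used here is an assumption: run it on a test machine and compare the output with the device-uid that AnyConnect reports in the ISE session details before relying on it. The file names, the CN taken from %USERNAME% and leaving the CA submission step out are also my choices, not the author's.

```powershell
# Added example, not code from the original article. Derives a UDID candidate
# on a Windows endpoint and builds a certreq INF that puts it into the
# Initials (I) field, with OU=SECUREBANK-RA so the ASA certificate map sends
# the user to the SECURE-BANK-VPN tunnel group.
# ASSUMPTION: the byte layout below (DigitalProductId bytes followed by the
# UTF-8 machine SID string) is a guess at what AnyConnect hashes; validate it
# against the device-uid shown for this host in the ISE session details.

function Get-MachineSid {
    # The machine SID is stored in the SAM hive, which is not readable from a
    # normal session, but every local account SID is <machine SID>-<RID>, so
    # it can be derived from any local account.
    $account = Get-LocalUser | Select-Object -First 1
    return $account.SID.AccountDomainSid.Value
}

function Get-UdidCandidate {
    param(
        [byte[]]$DigitalProductId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').DigitalProductId,
        [string]$MachineSid = (Get-MachineSid)
    )
    $sidBytes = [System.Text.Encoding]::UTF8.GetBytes($MachineSid)
    $data = New-Object byte[] ($DigitalProductId.Length + $sidBytes.Length)   # ASSUMED order
    [Array]::Copy($DigitalProductId, 0, $data, 0, $DigitalProductId.Length)
    [Array]::Copy($sidBytes, 0, $data, $DigitalProductId.Length, $sidBytes.Length)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { $hash = $sha.ComputeHash($data) } finally { $sha.Dispose() }
    # 64 hex characters; compare case-insensitively with what ISE displays
    return ([System.BitConverter]::ToString($hash) -replace '-', '')
}

function New-UdidCertRequest {
    param(
        [Parameter(Mandatory)][string]$Udid,
        [string]$UserName = $env:USERNAME,      # becomes the CN, i.e. the VPN login
        [string]$Ou = 'SECUREBANK-RA',          # matched by: subject-name attr ou eq securebank-ra
        [string]$OutDir = $env:TEMP
    )
    $infPath = Join-Path $OutDir 'securebank-ra.inf'
    $csrPath = Join-Path $OutDir 'securebank-ra.req'
    # "I=" is the Initials RDN (OID 2.5.4.43); write "OID.2.5.4.43=" instead
    # if your certreq build rejects the short name.
    $inf = @"
[NewRequest]
Subject = "CN=$UserName,OU=$Ou,I=$Udid"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = FALSE
ProviderName = "Microsoft Software Key Storage Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2
"@
    Set-Content -Path $infPath -Value $inf -Encoding ASCII
    # Generates the key pair in the current user's store and writes a PKCS#10
    # request. Submission is CA-specific (certreq -submit for AD CS, a SCEP
    # client for the ISE CA) and is left out here; install the issued
    # certificate afterwards with certreq -accept.
    & certreq.exe -new $infPath $csrPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
    return $csrPath
}

$udid = Get-UdidCandidate
Write-Output "UDID candidate: $udid (record it in the ISE account Description and as the DUO alias)"
New-UdidCertRequest -Udid $udid
```

The private key never leaves the user's store, so a certificate issued from this request is bound to the machine in the same way the author's manual process is; the script only removes the step of typing the UDID into the request by hand.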

Let's prepare the configuration on the Cisco ASA side:

Let's create a trustpoint for the ISE CA server, which will issue certificates to the clients. I won't go over the key-chain import procedure; an example is described in my article on setting up VPN Load Balancing.

crypto ca trustpoint ISE-CA
 enrollment terminal
 crl configure

We configure tunnel-group assignment based on rules that match fields of the certificate used for authentication. The AnyConnect profile we created at the previous stage is also attached here. Note that I use the value SECUREBANK-RA to steer users holding an issued certificate into the tunnel group SECURE-BANK-VPN, and that this value is what I put into the OU field of the certificate-request section of the AnyConnect profile.

tunnel-group-map enable rules
!
crypto ca certificate map OU-Map 6
 subject-name attr ou eq securebank-ra
!
webvpn
 anyconnect profiles SECUREBANK disk0:/securebank.xml
 certificate-group-map OU-Map 6 SECURE-BANK-VPN
!

Let's set up the authentication servers. In my case this is ISE for the first authentication stage and DUO (RADIUS proxy) as MFA.

! CISCO ISE
aaa-server ISE protocol radius
 authorize-only
 interim-accounting-update periodic 24
 dynamic-authorization
aaa-server ISE (inside) host 192.168.99.134
 key *****
!
! DUO RADIUS PROXY
aaa-server DUO protocol radius
aaa-server DUO (inside) host 192.168.99.136
 timeout 60
 key *****
 authentication-port 1812
 accounting-port 1813
 no mschapv2-capable
!

Let's create the group policies and tunnel groups with their auxiliary components:

The DefaultWEBVPNGroup tunnel group will be used mainly for downloading the AnyConnect VPN client and issuing the user certificate via the ASA's SCEP proxy function; for this we have the corresponding options enabled in the tunnel group itself, in the associated group policy AC-DOWNLOAD, and in the installed AnyConnect profile (certificate issuance fields and so on). In this group policy we also require the ISE Posture module to be downloaded.

The SECURE-BANK-VPN tunnel group will be used by the client automatically when it authenticates with the certificate issued at the previous stage, since according to the certificate map the connection will land specifically in this tunnel group. The interesting options here are:

  • secondary-authentication-server-group DUO # sends the secondary authentication to the DUO server (RADIUS proxy)
  • username-from-certificate CN # for primary authentication, the user's login is taken from the certificate's CN field
  • secondary-username-from-certificate I # for secondary authentication against DUO, the username is taken from the certificate's Initials (I) field
  • pre-fill-username client # pre-fills the username in the authentication window, with no ability to change it
  • secondary-pre-fill-username client hide use-common-password push # hides the login/password window for the DUO secondary authentication and sends the word "push" as the password for everyone; the DUO RADIUS proxy interprets it as a request for the notification-based factor (push/sms/phone) instead of a passcode

!
access-list posture-redirect extended permit tcp any host 72.163.1.80 
access-list posture-redirect extended deny ip any any
!
access-list VPN-Filter extended permit ip any any
!
ip local pool vpn-pool 192.168.100.33-192.168.100.63 mask 255.255.255.224
!
group-policy SECURE-BANK-VPN internal
group-policy SECURE-BANK-VPN attributes
 dns-server value 192.168.99.155 192.168.99.130
 vpn-filter value VPN-Filter
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelall
 default-domain value ashes.cc
 address-pools value vpn-pool
 webvpn
  anyconnect ssl dtls enable
  anyconnect mtu 1300
  anyconnect keep-installer installed
  anyconnect ssl keepalive 20
  anyconnect ssl rekey time none
  anyconnect ssl rekey method ssl
  anyconnect dpd-interval client 30
  anyconnect dpd-interval gateway 30
  anyconnect ssl compression lzs
  anyconnect dtls compression lzs
  anyconnect modules value iseposture
  anyconnect profiles value SECUREBANK type user
!
group-policy AC-DOWNLOAD internal
group-policy AC-DOWNLOAD attributes
 dns-server value 192.168.99.155 192.168.99.130
 vpn-filter value VPN-Filter
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelall
 default-domain value ashes.cc
 address-pools value vpn-pool
 scep-forwarding-url value http://ise.ashes.cc:9090/auth/caservice/pkiclient.exe
 webvpn
  anyconnect ssl dtls enable
  anyconnect mtu 1300
  anyconnect keep-installer installed
  anyconnect ssl keepalive 20
  anyconnect ssl rekey time none
  anyconnect ssl rekey method ssl
  anyconnect dpd-interval client 30
  anyconnect dpd-interval gateway 30
  anyconnect ssl compression lzs
  anyconnect dtls compression lzs
  anyconnect modules value iseposture
  anyconnect profiles value SECUREBANK type user
!
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool vpn-pool
 authentication-server-group ISE
 accounting-server-group ISE
 default-group-policy AC-DOWNLOAD
 scep-enrollment enable
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication aaa certificate
!
tunnel-group SECURE-BANK-VPN type remote-access
tunnel-group SECURE-BANK-VPN general-attributes
 address-pool vpn-pool
 authentication-server-group ISE
 secondary-authentication-server-group DUO
 accounting-server-group ISE
 default-group-policy SECURE-BANK-VPN
 username-from-certificate CN
 secondary-username-from-certificate I
tunnel-group SECURE-BANK-VPN webvpn-attributes
 authentication aaa certificate
 pre-fill-username client
 secondary-pre-fill-username client hide use-common-password push
 group-alias SECURE-BANK-VPN enable
 dns-group ASHES-DNS
!
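For completeness, here is an added example (not from the original article) of the Duo Authentication Proxy configuration (authproxy.cfg) that matches the aaa-server DUO block and the use-common-password push option above. The [radius_server_duo_only] mode is the one in which the proxy performs no primary authentication and treats the RADIUS password as the factor name, which is exactly what the ASA sends. The ikey/skey/api_host values, the ASA address 192.168.99.1 and the shared secret are placeholders.

```ini
; Added example, not from the original article. Duo Authentication Proxy
; (authproxy.cfg) matching the ASA "aaa-server DUO" block.
; ikey/skey/api_host, the ASA address and the RADIUS secret are placeholders.

[duo_only_client]

[radius_server_duo_only]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
; the ASA is the RADIUS client; the secret is the "key" of "aaa-server DUO (inside) host"
radius_ip_1=192.168.99.1
radius_secret_1=*****
; the ASA block uses authentication-port 1812
port=1812
; secure: reject if the Duo cloud is unreachable; the alternative "safe" would
; let the second factor through during an outage
failmode=secure
```

Because the proxy does no primary authentication in this mode, the user it looks up in Duo is whatever the ASA sends as the secondary username, here the certificate's Initials value, so the UDID must be configured as an alias of the user in the Duo admin panel, as the article shows further down. This mode speaks PAP, which is why the ASA block has no mschapv2-capable, and the 60-second host timeout on the ASA gives the user time to approve the push.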

Next, let's move on to ISE:

Let's prepare a local user (you can use AD/LDAP/ODBC and so on; for simplicity I created a local user directly in ISE) and put the UDID of the PC from which this user is allowed to connect via VPN into the Description field. With local authentication in ISE I'm limited to one device per user, since there are not many fields to work with, but with external identity stores there is no such limitation.

(screenshot)

Let's look at the authorization policy, divided across the four stages of a connection:

  • Stage 1 – Policy for downloading the AnyConnect agent and issuing a certificate
  • Stage 2 – Primary authentication policy: Login (from the certificate) / Password + certificate with UDID validation
  • Stage 3 – Secondary authentication via Cisco DUO (MFA) using the UDID as the username + posture check
  • Stage 4 – Final authorization in the state:
    • Compliant;
    • UDID validated (from the certificate + bound to the login);
    • Cisco DUO MFA passed;
    • Authenticated by login;
    • Authenticated by certificate;

(screenshot)

Let's look at the interesting condition UUID_VALIDATED: it simply checks that the authenticating user is connecting from a PC whose UDID is the permitted one stored in the account's Description field. The conditions look like this:

(screenshot)

The authorization profile used at stages 1, 2 and 3 is as follows:

(screenshot)

You can verify exactly how the UDID from the AnyConnect client reaches us by looking at the client's session details in ISE. In the details we will see that AnyConnect, via the ACIDEX mechanism, sends not only information about the platform but also the device UDID, as a Cisco-AV-PAIR:

(screenshot)
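To make the binding concrete, here is an added example (not from the original article or from Cisco) in PowerShell that replays the three checks of the scheme offline against constructed data: the device-uid from the Cisco-AV-Pair attributes against the account's Description (the UUID_VALIDATED condition), the login against the certificate CN, and the certificate's Initials field against the DUO alias. The "mdm-tlv=device-uid=..." form is how ISE displays ACIDEX attributes; the UDID, user name, versions and other values are made up.

```powershell
# Added example, not code from the original article or from Cisco. Replays
# the three UDID checks of the scheme offline against constructed data:
#   1. device-uid reported by AnyConnect (Cisco-AV-Pair, ACIDEX) must equal the
#      UDID stored in the ISE account's Description (the UUID_VALIDATED condition);
#   2. the login is the certificate CN (username-from-certificate CN);
#   3. the certificate Initials field, sent to DUO as the username
#      (secondary-username-from-certificate I), must be an alias of that DUO user.
# Attribute syntax "mdm-tlv=<key>=<value>" is how ISE displays ACIDEX pairs;
# the UDID, user and other values below are made up.

function Get-AcidexAttributes {
    param([Parameter(Mandatory)][string[]]$CiscoAvPair)
    $attrs = @{}
    foreach ($pair in $CiscoAvPair) {
        if ($pair -match '^mdm-tlv=([^=]+)=(.*)$') { $attrs[$Matches[1]] = $Matches[2] }
    }
    return $attrs
}

function Test-UdidBinding {
    param(
        [Parameter(Mandatory)][string[]]$CiscoAvPair,   # attributes sent by AnyConnect
        [Parameter(Mandatory)][string]$CertCN,          # Subject CN of the user certificate
        [Parameter(Mandatory)][string]$CertInitials,    # Initials (I) field of the user certificate
        [Parameter(Mandatory)][hashtable]$IseUsers,     # login -> Description (permitted UDID)
        [Parameter(Mandatory)][hashtable]$DuoAliases    # alias (UDID) -> DUO username
    )
    $deviceUid = (Get-AcidexAttributes -CiscoAvPair $CiscoAvPair)['device-uid']
    if (-not $IseUsers.ContainsKey($CertCN)) {
        return [pscustomobject]@{ Result = 'REJECT'; Reason = "unknown login '$CertCN'" }
    }
    # UUID_VALIDATED; -ne is case-insensitive in PowerShell, so hex case does not matter
    if (-not $deviceUid -or $deviceUid -ne $IseUsers[$CertCN]) {
        return [pscustomobject]@{ Result = 'REJECT'; Reason = 'device-uid is not the UDID permitted for this account' }
    }
    if (-not $DuoAliases.ContainsKey($CertInitials) -or $DuoAliases[$CertInitials] -ne $CertCN) {
        return [pscustomobject]@{ Result = 'REJECT'; Reason = 'certificate Initials is not an alias of this DUO user' }
    }
    return [pscustomobject]@{ Result = 'PERMIT'; Reason = 'account, endpoint, certificate and MFA identity agree' }
}

# --- constructed sample data ---
$udid = '9F3A1C7E2B8D4F60A5E1C3B7D9F2A4C6E8B0D1F3A5C7E9B2D4F6A8C0E1B3D5F7'
$iseUsers   = @{ 'alice' = $udid }    # ISE internal user, Description = permitted UDID
$duoAliases = @{ $udid = 'alice' }    # DUO user alice with the UDID as an alias
$avPairs = @(
    'mdm-tlv=device-platform=win',
    'mdm-tlv=device-platform-version=10.0.19045',
    'mdm-tlv=ac-user-agent=AnyConnect Windows 4.10.05095',
    "mdm-tlv=device-uid=$udid"
)

# Legitimate laptop: PERMIT
Test-UdidBinding -CiscoAvPair $avPairs -CertCN 'alice' -CertInitials $udid -IseUsers $iseUsers -DuoAliases $duoAliases

# Same certificate copied to another machine: device-uid differs -> REJECT
$otherPc = $avPairs -replace $udid, ('F' * 64)
Test-UdidBinding -CiscoAvPair $otherPc -CertCN 'alice' -CertInitials $udid -IseUsers $iseUsers -DuoAliases $duoAliases
```

The device-uid attribute is asserted by the client, so on its own it is a signal of the same strength as a posture report; the checks that require something an attacker does not have are the certificate (a private key on the issued laptop) and the DUO push to the alias owner, which is why the article layers all three.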

Let's look at the certificate issued to the user and its Initials (I) field, which is used as the login for the secondary MFA authentication in Cisco DUO:

(screenshot)

On the DUO RADIUS proxy side, the log clearly shows how the authentication request is made, with the UDID used as the username:

(screenshot)

In the DUO portal we see a successful authentication event:

(screenshot)

And in the user's properties I set an alias, which I used as the login; again, this is the UDID of the PC permitted to connect:

(screenshot)

As a result, we obtained:

  • multi-factor authentication of users and devices;
  • protection against spoofing of the user's device;
  • device posture assessment;
  • the option of tightening control with a domain machine certificate and so on;
  • comprehensive workstation protection with automatically installed security modules;

Links to the Cisco VPN articles:

Source: www.habr.com
