Cisco ISE: Configuring Guest Access on FortiAP. Part 3

Welcome to the third post in the Cisco ISE series. Links to all articles in the series are given below:

  1. Cisco ISE: Introduction, requirements, installation. Part 1

  2. Cisco ISE: Creating users, adding LDAP servers, integrating with AD. Part 2

  3. Cisco ISE: Configuring Guest Access on FortiAP. Part 3

In this post, you will dive into guest access, with a step-by-step guide to integrating Cisco ISE and FortiGate in order to configure FortiAP, the Fortinet access point (in general, any device that supports RADIUS CoA, Change of Authorization, will do).

Our articles are also attached: Fortinet, a selection of useful materials.

Note: Check SMB devices do not support RADIUS CoA.

An excellent guide describes, in English, how to set up guest access using Cisco ISE on a Cisco WLC (Wireless Controller). Let's figure it out!

1. Introduction

Guest access (a portal) lets you provide access to the Internet or to internal resources for guests and for users you do not want to let into your local network. There are 3 predefined types of guest portal (Guest portal):

  1. Hotspot Guest portal - network access is granted to guests without login credentials. Users generally have to accept the company's "Use and Privacy Policy" before accessing the network.

  2. Sponsored-Guest portal - network access and login credentials must be issued by a sponsor, the user responsible for creating guest accounts on Cisco ISE.

  3. Self-Registered Guest portal - in this case, guests use existing login credentials or create an account with login credentials themselves, but sponsor confirmation is required to gain network access.

Several portals can be deployed on Cisco ISE at the same time. By default, the guest portal shows the user the Cisco logo and standard generic phrases. All of this can be customized, and the portal can even be set to show mandatory advertisements before access is granted.

Setting up guest access can be split into 4 main steps: configuring FortiAP, connecting Cisco ISE and FortiAP, creating the guest portal, and configuring the access policy.

2. Configuring FortiAP on FortiGate

FortiGate is the access point controller, and all settings are made on it. FortiAP access points support PoE, so once you have connected one to the network over Ethernet, you can start the configuration.

1) On FortiGate, go to the tab WiFi & Switch Controller > Managed FortiAPs > Create New > Managed AP. Using the access point's serial number, which is printed on the access point itself, add it as an object. Alternatively, it may show up by itself, after which you click Authorize using the right mouse button.

2) The FortiAP settings can be left at their defaults, for example as in the screenshot. I strongly recommend enabling 5 GHz mode, because some devices do not support 2.4 GHz.

3) Then, in the tab WiFi & Switch Controller > FortiAP Profiles > Create New, we create a settings profile for the access point (802.11 protocol version, SSID mode, channel frequency and their number).

Example FortiAP settings

4) The next step is to create an SSID. Go to the tab WiFi & Switch Controller > SSIDs > Create New > SSID. Here, the important things to configure are:

  • the address space for the guest WLAN - IP/Netmask

  • RADIUS Accounting and Secure Fabric Connection in the Administrative Access field

  • the Device Detection option

  • SSID and the Broadcast SSID option

  • Security Mode Settings > Captive Portal

  • Authentication Portal - External, and paste in the link to the guest portal created on Cisco ISE from step 20

  • User Group - Guest Group - External - add RADIUS to Cisco ISE (step 6 onwards)

Example SSID configuration

5) Next, you need to create rules in the access policy on FortiGate. Go to the tab Policy & Objects > Firewall Policy and create a rule like this:

3. Configuring RADIUS

6) Go to the Cisco ISE web interface, to the tab Policy > Policy Elements > Dictionaries > System > Radius > RADIUS Vendors > Add. On this tab, we add Fortinet RADIUS to the list of supported protocols, because almost every vendor has its own specific attributes: VSAs (Vendor-Specific Attributes).

A list of the Fortinet RADIUS attributes can be found here. VSAs are distinguished by a unique Vendor ID number. Fortinet's ID = 12356. The full list of VSA is published by IANA.

7) Set the dictionary name, specify the Vendor ID (12356) and click Submit.

8) After that, go to Administration > Network Device Profiles > Add and create a new device profile. In the RADIUS Dictionaries field, select the previously created Fortinet RADIUS dictionary and choose the CoA methods that will be used later in the ISE policy. I chose RFC 5176 and Port Bounce (shutdown / no shutdown of the network interface) and the corresponding VSAs:

Fortinet-Access-Profile=read-write

Fortinet-Group-Name=fmg_faz_admins
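
To show how these VSAs travel on the wire, here is an added example (not from the original article) that encodes and parses Fortinet sub-attributes inside RADIUS attribute 26 with Vendor ID 12356. The sub-attribute numbers 1 and 6 are an assumption taken from the commonly distributed Fortinet dictionary, and the sample values are constructed.

```python
import struct

FORTINET_VENDOR_ID = 12356   # vendor ID stated in the article
VENDOR_SPECIFIC = 26         # RADIUS attribute type for VSAs (RFC 2865)
# Assumption: sub-attribute numbers as in the widely distributed Fortinet
# dictionary; confirm against the dictionary you load into ISE.
FORTINET_ATTRS = {1: "Fortinet-Group-Name", 6: "Fortinet-Access-Profile"}


def encode_vsa(vendor_type, value, vendor_id=FORTINET_VENDOR_ID):
    """Wrap one string sub-attribute in a Vendor-Specific (26) attribute."""
    data = value.encode("utf-8")
    total = 2 + 4 + 2 + len(data)  # attr header + vendor ID + sub header + value
    if total > 255:
        raise ValueError("value too long for a single RADIUS attribute")
    sub = struct.pack("!BB", vendor_type, len(data) + 2) + data
    return struct.pack("!BBI", VENDOR_SPECIFIC, total, vendor_id) + sub


def decode_vsas(attrs):
    """Walk an attribute list; return (vendor_id, name, value) for each VSA."""
    found, pos = [], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            raise ValueError("bad attribute length")
        body, pos = attrs[pos + 2:pos + a_len], pos + a_len
        if a_type != VENDOR_SPECIFIC:
            continue
        if len(body) < 6:
            raise ValueError("VSA too short")
        vendor_id, sub = struct.unpack("!I", body[:4])[0], body[4:]
        names = FORTINET_ATTRS if vendor_id == FORTINET_VENDOR_ID else {}
        while sub:  # one VSA may carry several sub-attributes
            if len(sub) < 2 or sub[1] < 2 or sub[1] > len(sub):
                raise ValueError("bad sub-attribute length")
            name = names.get(sub[0], "unknown-%d" % sub[0])
            found.append((vendor_id, name, sub[2:sub[1]].decode("utf-8", "replace")))
            sub = sub[sub[1]:]
    return found


# Constructed sample: User-Name (type 1) followed by two Fortinet VSAs.
SAMPLE = (b"\x01\x07guest" + encode_vsa(1, "fmg_faz_admins")
          + encode_vsa(6, "read-write"))

if __name__ == "__main__":
    print(decode_vsas(SAMPLE))
```
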

9) Next, add the FortiGate so that it can communicate with ISE. To do this, go to the tab Administration > Network Resources > Network Device Profiles > Add. The fields to change are Name, Vendor and RADIUS Dictionaries (the IP address used is that of the FortiGate, not the FortiAP).

Example RADIUS configuration on the ISE side

10) After that, configure RADIUS on the FortiGate side. In the FortiGate web interface, go to User & Authentication > RADIUS Servers > Create New. Specify the name, IP address and shared secret (password) from the previous step. Then click Test User Credentials and enter any credentials that can be retrieved via RADIUS (for example, a local user on Cisco ISE).
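
The shared secret entered here is also what authenticates the RFC 5176 CoA messages chosen in step 8. The following added example (not from the original article) computes the Request Authenticator of a CoA or Disconnect-Request and shows the receiver-side check; the secret, user name and packet are constructed sample values.

```python
import hashlib
import hmac
import struct

COA_REQUEST, DISCONNECT_REQUEST = 43, 40  # RFC 5176 packet codes


def build_request(code, ident, attrs, secret):
    """Build a CoA/Disconnect-Request with the Request Authenticator filled in."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    # MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def verify_request(packet, secret):
    """Receiver-side check: recompute the authenticator and compare."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (COA_REQUEST, DISCONNECT_REQUEST):
        return False
    if length < 20 or length > len(packet):
        return False
    packet = packet[:length]  # octets past Length are padding
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


# Constructed sample values: not taken from the article.
SECRET = b"example-shared-secret"
ATTRS = b"\x01\x09guest01"  # User-Name = "guest01"
PACKET = build_request(DISCONNECT_REQUEST, 7, ATTRS, SECRET)
TAMPERED = PACKET[:-1] + b"2"  # same packet with the User-Name altered

if __name__ == "__main__":
    print(verify_request(PACKET, SECRET))
    print(verify_request(PACKET, b"wrong-secret"))
    print(verify_request(TAMPERED, SECRET))
```

Because this MD5 over the shared secret is the only thing that authenticates a CoA message, the secret set on ISE and FortiGate should be long and random.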

11) Add the RADIUS server to the Guest-Group (if it is not there), as well as the external source of users.

12) Do not forget to add the Guest-Group to the SSID we created earlier in step 4.

4. Configuring user authentication

13) Optionally, you can import a certificate for the ISE guest portal or create a self-signed certificate in the tab Work Centers > Guest Access > Administration > Certification > System Certificates.

14) Then, in the tab Work Centers > Guest Access > Identity Groups > User Identity Groups > Add, create a new user group for guest access, or use the default ones.

15) Next, in the tab Administration > Identities, create guest users and add them to the groups from the previous step. If you want to use third-party accounts, skip this step.

16) After that, go to the settings Work Centers > Guest Access > Identities > Identity Source Sequence > Guest Portal Sequence: this is the default authentication sequence for guest users. In the Authentication Search List field, select the order of user authentication.

17) To notify guests of a one-time password, you can configure SMS providers or an SMTP server for this purpose. Go to the tab Work Centers > Guest Access > Administration > SMTP Server or SMS Gateway Providers for these settings. In the case of an SMTP server, you need to create an account for ISE and specify its details on this tab.

18) For SMS notifications, use the corresponding tab. ISE has pre-installed profiles for popular SMS providers, but it is better to create your own. Use these profiles as an example for configuring SMS Email Gateway or SMS HTTP API.

Example of configuring an SMTP server and an SMS gateway for a one-time password

5. Configuring the guest portal

19) As mentioned at the beginning, there are 3 types of pre-installed guest portals: Hotspot, Sponsored, Self-Registered. I suggest choosing the third option, as it is the most common. In any case, the settings are largely the same. So let's go to the tab Work Centers > Guest Access > Portals & Components > Guest Portals > Self-Registered Guest Portal (default).

20) Next, in the Portal Page Customization tab, select "View in Russian - Russian" so that the portal is displayed in Russian. You can change the text on any tab, add your logo, and more. In the right-hand corner there is a preview of the guest portal for a better view.

Example of configuring a guest portal with self-registration

21) Click the phrase Portal test URL and copy the portal URL into the SSID on FortiGate from step 4. Sample URL: https://10.10.30.38:8433/portal/PortalSetup.action?portal=deaaa863-1df0-4198-baf1-8d5b690d4361

To display your domain, you need to upload a certificate to the guest portal, see step 13.

22) Go to the tab Work Centers > Guest Access > Policy Elements > Results > Authorization Profiles > Add to create an authorization profile under the previously created Network Device Profile.

23) In the tab Work Centers > Guest Access > Policy Sets, edit the access policy for WiFi users.

24) Let's try to connect to the guest SSID. It immediately redirects me to the login page. Here you can log in with a guest account created locally on ISE, or register as a guest user.

25) If you chose the self-registration option, the one-time login credentials can be sent by email, by SMS, or printed.

26) In the RADIUS > Live Logs tab on Cisco ISE, you will see the corresponding login logs.

6. Conclusion

In this long article, we successfully configured guest access on Cisco ISE, where FortiGate acts as the access point controller and FortiAP as the access point. The result is a kind of non-trivial integration, which once again demonstrates how widely ISE can be used.

To test Cisco ISE, follow the link, and stay tuned to our channels (Telegram, Facebook, VK, TS Solution Blog, Yandex.Zen).

Source: www.habr.com
