Cisco ISE: Creating users, adding LDAP servers, integrating with AD. Part 2

Welcome to the second post in the Cisco ISE series. The first article covered the advantages of Network Access Control (NAC) solutions and how they differ from classic AAA, the distinctive features of Cisco ISE, its architecture, and the product installation process.

In this article we will look at creating accounts, adding LDAP servers and integrating with Microsoft Active Directory, as well as the nuances of working with PassiveID. Before reading, I strongly recommend that you go through the first part.

1. Some terminology

User identity is a user account that contains information about the user and forms their credentials for network access. The following parameters are specified in a User Identity: username, e-mail address, password, account description, user group and role.

User groups are collections of individual users that share the same set of privileges, which allow them to access a specific set of Cisco ISE services and functions.

User identity groups are predefined user groups that already carry certain information and roles. The following User Identity Groups exist by default, and you can add users and user groups to them: Employee, SponsorAllAccount, SponsorGroupAccounts, SponsorOwnAccounts (sponsor accounts for managing the guest portal), Guest, ActivatedGuest.

User role is a set of permissions that defines which operations a user can perform and which services they can access. Most often a user role is associated with a user group.

In addition, each user and user group has additional attributes that let you single out and describe that user (or user group) more precisely. More information is available in the guide.

2. Creating local users

1) Cisco ISE can create local users and use them in access policies, or even give them a product administration role. Select Administration → Identity Management → Identities → Users → Add.

Figure 1. Adding a local user in Cisco ISE

2) In the window that opens, create a local user, set a password and fill in the other self-explanatory parameters.

Figure 2. Creating a local user in Cisco ISE

3) Users can also be imported. In the same tab, Administration → Identity Management → Identities → Users, select the Import option and upload a csv or txt file with users. To obtain a template, select Generate a Template; it must then be filled with user information in the proper format.

Figure 3. Importing users into Cisco ISE

3. Adding LDAP servers

Let me remind you that LDAP is a popular application-layer protocol that lets you retrieve information, perform authentication and search for accounts in a directory of LDAP servers; it works on port 389 or 636 (SSL). Prominent examples of LDAP servers are Active Directory, Sun Directory, Novell eDirectory and OpenLDAP. Each entry in an LDAP directory is identified by a DN (Distinguished Name), and the ability to retrieve accounts, user groups and attributes is used to build access policies.

In Cisco ISE, access to several LDAP servers can be configured, which provides redundancy. If the primary LDAP server is unavailable, ISE will try to reach the secondary one, and so on. In addition, if there are 2 PANs, one LDAP server can be prioritized for the first PAN and another for the second PAN.

ISE supports 2 types of lookups when working with LDAP servers: User lookup and MAC address lookup. User lookup allows you to search for a user in the LDAP database and obtain the following information without authentication: users and their attributes, and user groups. MAC address lookup likewise allows you to search by MAC address in LDAP directories without authentication and obtain information about the device, the device group by MAC address, and other specific attributes.

As an integration example, let's add Active Directory to Cisco ISE as an LDAP server.

1) Go to Administration → Identity Management → External Identity Sources → LDAP → Add.

Figure 4. Adding an LDAP server

2) In the General panel, specify the LDAP server name and schema (in our case, Active Directory).

Figure 5. Adding an LDAP server with the Active Directory schema

3) Next, go to the Connection tab and specify the Hostname/IP address of the AD server, the port (389 - LDAP, 636 - SSL LDAP) and the domain administrator credentials (Admin DN - the full DN); the other parameters can be left at their defaults.

Note: use domain administrator credentials to avoid possible problems.

Figure 6. Entering the LDAP server data

4) In the Directory Organization tab, specify by DN the directory subtree from which users and user groups are retrieved.

Figure 7. Setting the directories from which user groups can be retrieved

5) Go to the Groups window → Add → Select Groups From Directory to choose the groups to pull from the LDAP server.

Figure 8. Adding groups from the LDAP server

6) In the window that opens, click Retrieve Groups. If the groups were retrieved, the preliminary steps were completed successfully. Otherwise, try another administrator account and check that ISE can reach the LDAP server over the LDAP protocol.

Figure 9. List of retrieved user groups

7) In the Attributes tab you can optionally specify which attributes should be pulled from the LDAP server, and in the Advanced Settings window enable the Enable Password Change option, which forces users to change their password if it has expired or been reset. In any case, click Submit to continue.

8) The LDAP server appears in the corresponding tab and can be used to build access policies later on.

Figure 10. List of added LDAP servers
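A connectivity check for steps 3 and 6 above, as an added example (not code from the article or from Cisco): it sends a raw LDAPv3 simple bind with the same Admin DN and port that ISE will use, so a failed Retrieve Groups can be split into "ISE cannot reach the server" versus "the bind credentials are rejected". The hostname, DN and password passed to `ldap_bind_probe` are assumed placeholders; on port 636 the system trust store is used, so a certificate problem surfaces here too.

```python
# Added example, not from the article or Cisco: a pure-Python LDAPv3 simple-bind probe
# to check that an ISE node can reach the LDAP server and that the Admin DN/password
# ISE will use actually bind. Host, DN and password passed to ldap_bind_probe are placeholders.
import socket
import ssl

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload      # one BER element

def read_tlv(buf: bytes, pos: int):
    """Decode the BER element at pos; returns (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def build_bind_request(msg_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind_op = (tlv(0x02, b"\x03")                   # version INTEGER 3
               + tlv(0x04, bind_dn.encode())        # name LDAPDN
               + tlv(0x80, password.encode()))      # simple authentication [0]
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, bind_op))   # msg_id < 128

def parse_bind_result_code(resp: bytes) -> int:
    """resultCode of a BindResponse: 0 = success, 49 = invalidCredentials."""
    _, msg, _ = read_tlv(resp, 0)                   # LDAPMessage SEQUENCE
    _, _, pos = read_tlv(msg, 0)                    # skip messageID
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x61:                                 # BindResponse is [APPLICATION 1]
        raise ValueError("not a BindResponse")
    _, code, _ = read_tlv(op, 0)                    # resultCode ENUMERATED
    return int.from_bytes(code, "big")

def ldap_bind_probe(host: str, port: int, bind_dn: str, password: str) -> int:
    """Plain LDAP on 389, TLS on 636 (the ports the article lists); returns the bind resultCode."""
    sock = socket.create_connection((host, port), timeout=5)
    if port == 636:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_bind_request(1, bind_dn, password))
        return parse_bind_result_code(sock.recv(4096))
```

Run it from a host on the same network segment as the PSN, e.g. `ldap_bind_probe("dc1.corp.example", 389, "CN=ise-svc,OU=Service,DC=corp,DC=example", "<password>")` (placeholder values); a TCP error means reachability, a result code of 49 means the Admin DN or password.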

4. Integration with Active Directory

1) By integrating a Microsoft Active Directory server as an LDAP server we get users and user groups, but no logs. Next, I suggest setting up full integration of AD with Cisco ISE. Go to Administration → Identity Management → External Identity Sources → Active Directory → Add.

Note: for a successful integration with AD, ISE must be in the domain and have full connectivity to the DNS, NTP and AD servers; otherwise nothing will come of it.

Figure 11. Adding an Active Directory server

2) In the window that opens, enter the domain administrator credentials and tick the Store Credentials box. In addition, you can specify an OU (Organizational Unit) if ISE resides in a specific OU. Next, select the Cisco ISE nodes you want to join to the domain.

Figure 12. Entering credentials

3) Before adding domain controllers, make sure that on the PSN, under Administration → System → Deployment, the Passive Identity Service option is enabled. Passive Identity is an option that lets you map a user to an IP and vice versa. PassiveID obtains this information from AD via WMI, special AD agents, or a SPAN port on the switch (not the best way).

Note: to check the Passive ID status, type show application status ise | include PassiveID in the ISE console.

Figure 13. Enabling the PassiveID option

4) Go to Administration → Identity Management → External Identity Sources → Active Directory → PassiveID and select the Add DCs option. Then select the required domain controllers using the checkboxes and click OK.

Figure 14. Adding domain controllers

5) Select the added DCs and click the Edit button. Specify the FQDN of your DC, the login and password, and the connection option: WMI or agent. Select WMI and click OK.

Figure 15. Entering the domain controller details

6) If WMI is not the preferred way of communicating with Active Directory, ISE agents can be used instead. With the agent method you install special agents on the servers, and these agents send the logon events. There are 2 installation options: automatic and manual. For automatic agent installation, in the same PassiveID tab select Add Agent → Deploy New Agent (the DC must have Internet access). Then fill in the required fields (agent name, server FQDN, domain administrator username/password) and click OK.

Figure 16. Automatic installation of the ISE agent

7) To install the Cisco ISE agent manually, select Register Existing Agent. By the way, you can download the agent in the Work Centers → PassiveID → Providers → Agents → Download Agent tab.

Figure 17. Downloading the ISE agent

Important: PassiveID does not read Logout events! The parameter responsible for the timeout is called user session aging time and equals 24 hours by default. Therefore, you will either have to log out manually at the end of the working day, or write some kind of script that automatically logs off all logged-in users.

To obtain Logout information, endpoint probes are used. There are several endpoint probes in Cisco ISE: RADIUS, SNMP Trap, SNMP Query, DHCP, DNS, HTTP, Netflow, NMAP Scan. The RADIUS probe uses CoA (Change of Authorization) packets to provide information about changes in user privileges (this requires configured 802.1X), and a switch configured for the SNMP probes will provide information about connected and disconnected devices.

The following example is relevant for a Cisco ISE + AD setup without 802.1X and RADIUS: a user logged in to a Windows machine and, without logging off, logged in to another PC over Wi-Fi. In this case, the session on the first PC remains active until the timeout expires or a forced logoff occurs. If the devices have different privileges, the last login on a device is the one whose privileges apply.
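To make the consequences of the missing Logout events concrete, here is an added example (not from the article) that models the PassiveID session table for the scenario above: the login events are constructed sample data, 24 hours is the default user session aging time quoted in the article, and the 10-hour "working day" limit used to flag sessions for a forced logoff is my own assumption.

```python
# Added example, not from the article: a model of the PassiveID session table when
# no Logout events are ever received. The login events are constructed sample data;
# 24 h is the default user session aging time the article quotes, the 10 h "working
# day" limit is my own assumption.
from datetime import datetime, timedelta

AGING = timedelta(hours=24)     # user session aging time, ISE default per the article
WORKDAY = timedelta(hours=10)   # assumed limit after which a session should be ended

# (timestamp, user, device IP) as PassiveID would learn them from the DC; constructed
LOGIN_EVENTS = [
    (datetime(2020, 3, 2, 8, 0), "CORP\\ivanov", "10.0.1.15"),    # office PC
    (datetime(2020, 3, 2, 9, 30), "CORP\\ivanov", "10.0.5.77"),   # same user, Wi-Fi laptop
    (datetime(2020, 3, 2, 10, 0), "CORP\\admin", "10.0.1.15"),    # admin logs on to the office PC
]


def active_sessions(events, now, aging=AGING):
    """Rebuild the IP -> (user, login time) table: the last login on an IP wins,
    and a mapping only disappears once its login is older than the aging time."""
    table = {}
    for ts, user, ip in sorted(events):
        if ts <= now:
            table[ip] = (user, ts)
    return {ip: s for ip, s in table.items() if now - s[1] < aging}


def stale_sessions(sessions, now, limit=WORKDAY):
    """Mappings older than a working day: the ones a forced logoff should clear."""
    return {ip: s for ip, s in sessions.items() if now - s[1] >= limit}


def users_on_multiple_ips(sessions):
    """A user mapped to several IPs at once, i.e. the scenario described above."""
    by_user = {}
    for ip, (user, _) in sessions.items():
        by_user.setdefault(user, []).append(ip)
    return {u: ips for u, ips in by_user.items() if len(ips) > 1}
```

Evaluated the next morning, the admin's login on the office PC is still mapped (less than 24 hours old) while the user's Wi-Fi session has aged out, which is exactly the stale identity-to-IP state the aging timer leaves behind.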

8) The option Administration → Identity Management → External Identity Sources → Active Directory → Groups → Add → Select Groups From Directory lets you select the groups from AD that you want to pull into ISE (in our case this was done in step 3, "Adding LDAP servers"). Select Retrieve Groups → OK.

Figure 18a. Retrieving user groups from Active Directory

9) In the Work Centers → PassiveID → Overview → Dashboard tab you can view the number of active sessions, the number of data sources, agents, and more.

Figure 19. Monitoring domain user activity

10) The Live Sessions tab shows the current sessions. The integration with AD is configured.

Figure 20. Active sessions of domain users

5. Conclusion

This article covered creating local users in Cisco ISE, adding LDAP servers, and integrating with Microsoft Active Directory. The next article will be devoted to guest access, in the form of a guide.

If you have questions on this topic or need help testing the product, please contact us.

Source: www.habr.com