Cisco ISE: Introduction, requirements, installation. Part 1

1. Introduction

Every company, even the smallest, needs user authentication, authorization and accounting (the AAA family of protocols). At the first stage, AAA is implemented well enough with protocols such as RADIUS, TACACS+ and DIAMETER. However, as the number of users and the company grow, the number of tasks grows with them: maximum visibility of hosts and BYOD devices, multi-factor authentication, building a multi-level access policy, and much more.

For such tasks, the NAC (Network Access Control) class of solutions is ideal. In this series of articles devoted to Cisco ISE (Identity Services Engine), a NAC solution for controlling user access to the internal network, we will take a detailed look at the architecture, deployment, configuration and licensing of the solution.

Let me briefly remind you that Cisco ISE allows you to:

  • quickly and easily set up guest access on a dedicated WLAN;

  • detect BYOD devices (for example, employees' home PCs brought to work);

  • centrally define and enforce security policies for domain and non-domain users using security group tags (TrustSec SGT tags);

  • check computers for specific installed software and compliance with standards (posture);

  • classify and profile endpoints and network devices;

  • provide endpoint visibility;

  • send user login/logoff event logs and their accounts (identities) to an NGFW in order to build user-based policies;

  • integrate natively with Cisco StealthWatch and quarantine suspicious hosts involved in security incidents (and more);

  • and other standard features of AAA servers.

Colleagues in the industry have already written about Cisco ISE, so I recommend reading: Using Cisco ISE, How to prepare for a Cisco ISE deployment.

2. Architecture

The Identity Services Engine architecture consists of 4 components (nodes): the administration node (Policy Administration Node), the policy distribution node (Policy Service Node), the monitoring node (Monitoring Node) and the PxGrid node (PxGrid Node). Cisco ISE can be a standalone or a distributed installation. In the Standalone version, all entities reside on a single virtual machine or physical server (Secure Network Server, SNS), while in the Distributed version the nodes are spread across different devices.

The Policy Administration Node (PAN) is a mandatory node that allows you to perform all administrative operations on Cisco ISE. It holds all system configuration related to AAA. In a distributed configuration (nodes can be installed as separate machines), you can have at most two PANs for fault tolerance, in Active/Standby mode.

The Policy Service Node (PSN) is a mandatory node that provides network access, posture, guest access, client provisioning and profiling. The PSN evaluates the policy and applies it. Usually several PSNs are installed, especially in a distributed configuration, for better performance and load distribution. Ideally, these nodes are placed in different segments so that the ability to provide authenticated and authorized access is not lost even for a second.

The Monitoring Node (MnT) is a mandatory node that stores event logs, the logs of the other nodes and the policies on the network. The MnT node provides advanced monitoring and troubleshooting tools, collects and aggregates various data, and also produces meaningful reports. Cisco ISE allows you to have at most two MnT nodes, thereby creating fault tolerance in Active/Standby mode. Note, however, that logs are collected by both nodes, the active and the passive one.

The PxGrid Node (PXG) is a node that uses the PxGrid protocol and enables communication with other devices that support PxGrid.

PxGrid is a protocol that provides integration between IT and information security infrastructure products from different vendors: monitoring systems, intrusion detection and prevention systems, security policy management platforms and many other solutions. Cisco PxGrid lets you share context unidirectionally or bidirectionally with many platforms without the need for APIs, thereby enabling TrustSec technology (SGT tags), changing and applying ANC (Adaptive Network Control) policy, and profiling: determining the device model, OS, location and more.

In a high-availability configuration, PxGrid nodes replicate information between nodes via the PAN. If the PAN is down, the PxGrid node stops authenticating, authorizing and reporting for users.

Below is a diagram of how the Cisco ISE entities operate on an enterprise network.

Figure 1. Cisco ISE Architecture

3. Requirements

Cisco ISE, like most modern solutions, can be deployed virtually or physically as a separate server.

The physical appliances running the Cisco ISE software are called SNS (Secure Network Server). They come in three models: SNS-3615, SNS-3655 and SNS-3695, for small, medium and large businesses. Table 1 shows the information from the SNS data sheet.

Table 1. Comparison of SNS appliances of different sizes

| Parameter | SNS 3615 (Small) | SNS 3655 (Medium) | SNS 3695 (Large) |
|---|---|---|---|
| Number of endpoints supported in a standalone installation | 10000 | 25000 | 50000 |
| Number of endpoints supported per PSN | 10000 | 25000 | 100000 |
| CPU (Intel Xeon 2.10 GHz) | 8 cores | 12 cores | 12 cores |
| RAM | 32 GB (2 x 16 GB) | 96 GB (6 x 16 GB) | 256 GB (16 x 16 GB) |
| HDD | 1 x 600 GB | 4 x 600 GB | 8 x 600 GB |
| Hardware RAID | none | RAID 10, RAID controller present | RAID 10, RAID controller present |
| Network interfaces | 2 x 10Gbase-T, 4 x 1Gbase-T | 2 x 10Gbase-T, 4 x 1Gbase-T | 2 x 10Gbase-T, 4 x 1Gbase-T |

As for virtual deployment, the supported hypervisors are VMware ESXi (a minimum of VMware version 11 for ESXi 6.0 is recommended), Microsoft Hyper-V and Linux KVM (RHEL 7.0). The resources should match those in the table above, or exceed them. However, the minimum requirements for a virtual machine for a small business are: 2 CPUs with a frequency of 2.0 GHz or higher, 16 GB of RAM and a 200 GB HDD.

For more details on Cisco ISE deployment, please contact us or see source #1 and source #2.
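As an added example (not from the original article or Cisco), the following Python helper encodes the Table 1 endpoint limits and the VM minimums quoted above: it picks the smallest SNS model for a given endpoint count, distinguishing the standalone column from the per-PSN column of a distributed deployment, and flags an undersized VM. The even spread of endpoints across PSNs is our assumption; the page only gives the two limits.

```python
"""Sizing helper built from Table 1 and the VM minimums in the text.
Added example; this is not Cisco's own sizing tool."""

# Endpoint limits per model from Table 1: (standalone, per PSN).
SNS_LIMITS = {
    "SNS-3615": (10_000, 10_000),
    "SNS-3655": (25_000, 25_000),
    "SNS-3695": (50_000, 100_000),
}

# Minimum VM resources stated in the text for a small deployment.
VM_MIN = {"cpus": 2, "ghz": 2.0, "ram_gb": 16, "disk_gb": 200}


def smallest_model(endpoints, psn_count=1):
    """Return the smallest SNS model able to serve `endpoints`, or None.

    psn_count == 1 means a standalone box and uses the standalone column.
    More than one PSN means a distributed deployment: each PSN is sized
    against the per-PSN column, with endpoints assumed to be spread
    evenly across the PSNs (our assumption, not stated on the page).
    """
    if endpoints <= 0 or psn_count <= 0:
        raise ValueError("endpoints and psn_count must be positive")
    column = 0 if psn_count == 1 else 1
    per_node = -(-endpoints // psn_count)  # ceiling division
    for model, limits in SNS_LIMITS.items():  # dict keeps small-to-large order
        if per_node <= limits[column]:
            return model
    return None  # exceeds even SNS-3695: add PSNs or split the deployment


def vm_shortfalls(cpus, ghz, ram_gb, disk_gb):
    """List the VM resources that fall below the stated minimums."""
    have = {"cpus": cpus, "ghz": ghz, "ram_gb": ram_gb, "disk_gb": disk_gb}
    return [name for name, need in VM_MIN.items() if have[name] < need]


if __name__ == "__main__":
    # 60000 endpoints cannot be served standalone, but two PSNs can do it.
    print(smallest_model(60_000), smallest_model(60_000, psn_count=2))
    print(vm_shortfalls(cpus=1, ghz=2.4, ram_gb=8, disk_gb=300))
```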

4. Installation

Like all other Cisco products, ISE can be evaluated in several ways:

  • dCloud: a cloud service with pre-built lab designs (a Cisco account is required);

  • GVE request: a request to Cisco for a specific software image (the partner route). You create a case with the following description: Product Type [ISE], ISE Software [ise-2.7.0.356.SPA.x8664], ISE Patch [ise-patchbundle-2.7.0.356-Patch2-20071516.SPA.x8664];

  • pilot project: contact any authorized partner to run a free pilot project.

1) After creating the virtual machine, if you requested the ISO file rather than the OVA template, a window will appear in which ISE asks you to choose the installation. To do this, instead of a login and password, you need to type "setup"!

Note: if you deployed ISE from the OVA template, the login credentials are admin/MyIseYPass2 (this and much more is described in the official guide).

Figure 2. Installing Cisco ISE

2) Then you need to fill in the required fields such as IP address, DNS, NTP and others.

Figure 3. Initial setup of Cisco ISE

3) After that, the device will reboot, and you will be able to connect to the web interface using the IP address specified earlier.

Figure 4. Cisco ISE Web Interface

4) In the Administration > System > Deployment tab you can select which nodes (personas) are enabled on a given device. The PxGrid node is enabled here.

Figure 5. Cisco ISE Entity Management

5) Then, in the Administration > System > Admin Access > Authentication tab, I recommend setting a password policy, the authentication method (certificate or password), the account expiry date and other settings.

Figure 6. Setting the authentication type

Figure 7. Password policy settings

Figure 8. Configuring account disablement after expiry

Figure 9. Configuring account lockout

6) In the Administration > System > Admin Access > Administrators > Admin Users > Add tab you can create a new administrator.

Figure 10. Creating a local Cisco ISE administrator

7) The new administrator can be made a member of a new group or of the predefined groups. Administrator groups are managed in the Admin Groups tab of the same section. Table 2 summarizes the ISE administrator groups, their rights and roles.

Table 2. Cisco ISE admin groups, access levels, permissions and restrictions

| Admin group name | Permissions | Restrictions |
|---|---|---|
| Customization Admin | Configure guest and sponsor portals, manage and customize them | Cannot change policies or view reports |
| Helpdesk Admin | View the main dashboard, all reports, alarms and troubleshooting flows | Cannot change, create or delete reports, alarms and audit logs |
| Identity Admin | Manage users, privileges and roles; view logs, reports and alarms | Cannot change policies or perform OS-level tasks |
| MnT Admin | Full monitoring, reports, alarms, logs and their management | Cannot change any policies |
| Network Device Admin | Create and modify ISE objects, view logs, reports and the main dashboard | Cannot change policies or perform OS-level tasks |
| Policy Admin | Full control over all policies, modify profiles and settings, view reports | Cannot configure identities or ISE objects |
| RBAC Admin | All settings in the Operations tab, ANC policy settings, reporting management | Cannot change policies other than ANC or perform OS-level tasks |
| Super Admin | Rights to all settings, reporting and management; can delete and modify administrator credentials | Cannot modify or delete another profile in the Super Admin group |
| System Admin | All settings in the Operations tab, management of system settings, ANC policy, view reports | Cannot change policies other than ANC or perform OS-level tasks |
| External RESTful Services (ERS) Admin | Full access to the Cisco ISE REST API | Only for authorization, management of local users, guests and security groups (SG) |
| External RESTful Services (ERS) Operator | Read permissions on the Cisco ISE REST API | Only for authorization, management of local users, guests and security groups (SG) |

Figure 11. Predefined Cisco ISE admin groups

8) In the Authorization > Permissions > RBAC Policy tab you can edit the rights of the predefined administrator groups.

Figure 12. Cisco ISE administrator predefined profile rights management

9) In the Administration > System > Settings tab all system settings are available (DNS, NTP, SMTP and others). You can fill them in here if you missed them during the initial setup of the device.

5. Conclusion

This concludes the first article. We discussed the functionality of the Cisco ISE NAC solution, its architecture, minimum requirements and deployment options, as well as the initial installation.

In the next article, we will look at creating accounts, integrating with Microsoft Active Directory and setting up guest access.

If you have questions on this topic or need help evaluating the product, please get in touch.

Source: www.habr.com