Implementing a concept of highly secure remote access

Continuing the series of articles on organizing Remote Access VPN, I cannot help sharing my experience of an interesting deployment of a highly secure VPN configuration. A non-trivial task was set by one customer (there are inventors in Russian villages), but the challenge was accepted and implemented creatively. The result is an interesting concept with the following features:

  1. Several layers of protection against substitution of the terminal device (with strict binding to the user);
    • A check that the user's PC matches the UDID assigned to the permitted PC in the authentication database;
    • MFA that uses the PC UDID from the certificate as the second factor via Cisco DUO (any SAML/Radius-compatible provider can be attached);
  2. Multi-factor authentication:
    • A user certificate validated against the domain, with analysis of one of its fields;
    • Login (immutable, taken from the certificate) and password;
  3. Assessment of the state of the connecting host (Posture)

Solution components used:

  • Cisco ASA (VPN Gateway);
  • Cisco ISE (Authentication / Authorization / Accounting, Posture assessment, CA);
  • Cisco DUO (Multi-factor authentication) (any SAML/Radius-compatible provider can be attached);
  • Cisco AnyConnect (multi-purpose agent for workstations and mobile OS);

Let's start with the customer's requirements:

  1. After login/password authentication, the user must be able to download the AnyConnect client from the VPN gateway; all required AnyConnect modules must be installed automatically according to the user's policy;
  2. The user must be able to obtain a certificate automatically (in one of the scenarios; the main scenario is manual issuance and loading onto the PC), but I implemented automatic issuance for demonstration (it is never too late to remove it).
  3. Primary authentication must take place in several stages: first certificate authentication with analysis of the required fields and their values, then login/password, where only the username specified in the certificate's Common Name (CN) field may be entered in the login window, without the ability to edit it.
  4. It must be verified that the device the user logs in from is the corporate laptop issued to that user for remote access, and not something else. (Several options were made to satisfy this requirement)
  5. The state of the connecting device (at this stage a PC) must be checked against a hefty table of customer requirements (summary):
    • Files and their properties;
    • Registry entries;
    • OS patches from a given list (later SCCM integration);
    • Presence of an Anti-Virus from a specific vendor and freshness of its signatures;
    • Activity of certain services;
    • Presence of certain installed programs;

To begin with, I strongly suggest watching the video demonstration of the implementation result on YouTube (5 minutes).

Now I propose to look at the implementation details that are not covered in the video clip.

Let's prepare the AnyConnect profile:

Earlier I gave an example of creating a profile (in terms of the menu items in ASDM) in my article on configuring a VPN Load Balancing Cluster. Now I would like to separately note the options we will need:

In the profile we specify the VPN gateway and the name of the connection profile for the end client:


Let's configure automatic certificate issuance from the profile side, specifying in particular the certificate parameters; characteristically, pay attention to the Initials (I) field, where a specific value is entered manually: the UDID of the test machine (a unique device identifier generated by the Cisco AnyConnect client).


Here I want to make a lyrical digression, because this article describes a concept; for demonstration purposes, the UDID used for certificate issuance is entered in the Initials field of the AnyConnect profile. Naturally, if you do this in real life, all clients will receive a certificate with the same UDID in this field and nothing will work for them, because each needs the UDID of its own specific PC. Unfortunately, AnyConnect does not yet substitute the UDID into the certificate request profile through an environment variable, as it does, for example, with the %USER% variable.

It is worth noting that the customer (in this scenario) initially planned to issue certificates with the required UDID themselves, in manual mode, on such Protected PCs, which is not a problem for them. However, most of us want automation (well, for me that is true =)).

And this is what I can offer regarding automation. If AnyConnect cannot yet issue a certificate with the UDID substituted automatically, there is another way that requires a little creative thought and skilled hands; I will describe the idea. First, let's look at how the AnyConnect agent generates the UDID on different operating systems:

  • Windows: SHA-256 hash of the combination of the DigitalProductID and the Machine SID registry key
  • OSX: SHA-256 hash of the PlatformUUID
  • Linux: SHA-256 hash of the UUID of the root partition
  • Apple iOS: SHA-256 hash of the PlatformUUID
  • Android: see the document at the link

Accordingly, we write a script for our corporate Windows OS; this script computes the UDID locally from the known inputs and forms a certificate request with this UDID placed in the required field. By the way, you can also use a machine certificate issued by AD (adding a second certificate-based authentication with the Multiple Certificate scheme).
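As an added illustration of the script idea above (this is not the author's script or Cisco code), the following Python computes a UDID from the two Windows inputs and builds the request subject whose CN, OU and Initials fields match the ASA settings used later in the article (username-from-certificate CN, the OU-Map on SECUREBANK-RA, secondary-username-from-certificate I). The article states only that AnyConnect hashes a "combination" of DigitalProductID and Machine SID; the concatenation order here is an assumption, and the sample inputs are constructed.

```python
import hashlib
import re

# Constructed sample inputs, not a real DigitalProductId blob or SID.
# On a real PC DigitalProductId is a REG_BINARY value under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion.
SAMPLE_DIGITAL_PRODUCT_ID = bytes(range(0xA4))
SAMPLE_MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"


def compute_udid(digital_product_id: bytes, machine_sid: str) -> str:
    """SHA-256 over DigitalProductId bytes followed by the machine SID.
    ASSUMPTION: the order of the two inputs is not documented in the article;
    verify the result against the UDID AnyConnect reports (Cisco-AV-PAIR in
    the ISE session details) before relying on it for enrollment."""
    material = digital_product_id + machine_sid.encode("ascii")
    return hashlib.sha256(material).hexdigest().upper()


def build_csr_subject(cn: str, udid: str, ou: str = "SECUREBANK-RA") -> str:
    """OpenSSL-style subject for the enrollment request.
    CN  -> login the ASA takes via username-from-certificate CN
    OU  -> must match the ASA certificate map (ou eq securebank-ra)
    initials -> the UDID read via secondary-username-from-certificate I"""
    if not re.fullmatch(r"[0-9A-F]{64}", udid):
        raise ValueError("UDID must be a 64-hex-digit SHA-256 value")
    if any(ch in cn for ch in "/=,"):
        raise ValueError("CN must not contain subject separators")
    return f"/CN={cn}/OU={ou}/initials={udid}"


def openssl_req_args(cn: str, udid: str, key_out: str, csr_out: str) -> list:
    """Argument list for generating the key and CSR with the OpenSSL CLI;
    the CSR is then submitted to the ISE CA (SCEP or manual import)."""
    return ["openssl", "req", "-new", "-newkey", "rsa:2048", "-nodes",
            "-keyout", key_out, "-out", csr_out,
            "-subj", build_csr_subject(cn, udid)]


if __name__ == "__main__":
    udid = compute_udid(SAMPLE_DIGITAL_PRODUCT_ID, SAMPLE_MACHINE_SID)
    print(" ".join(openssl_req_args("ivanov", udid, "user.key", "user.csr")))
```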

Let's prepare the settings on the Cisco ASA side:

Create a TrustPoint for the ISE CA server; it is the one that will issue certificates to clients. I won't cover the Key-Chain import process; an example is described in my article on setting up the VPN Load Balancing Cluster.

crypto ca trustpoint ISE-CA
 enrollment terminal
 crl configure

Configure rule-based Tunnel-Group mapping according to the fields of the certificate used for authentication. The AnyConnect profile we created in the previous step is also configured here. Note that I use the value SECUREBANK-RA to route users holding the issued certificate into the tunnel group SECURE-BANK-VPN; note also that I put this field in the certificate request section of the AnyConnect profile.

tunnel-group-map enable rules
!
crypto ca certificate map OU-Map 6
 subject-name attr ou eq securebank-ra
!
webvpn
 anyconnect profiles SECUREBANK disk0:/securebank.xml
 certificate-group-map OU-Map 6 SECURE-BANK-VPN
!

Configure the authentication servers. In my case this is ISE for the first stage of authentication and DUO (Radius Proxy) as MFA.

! CISCO ISE
aaa-server ISE protocol radius
 authorize-only
 interim-accounting-update periodic 24
 dynamic-authorization
aaa-server ISE (inside) host 192.168.99.134
 key *****
!
! DUO RADIUS PROXY
aaa-server DUO protocol radius
aaa-server DUO (inside) host 192.168.99.136
 timeout 60
 key *****
 authentication-port 1812
 accounting-port 1813
 no mschapv2-capable
!

Create the group policies and tunnel groups together with their auxiliary components:

The tunnel group DefaultWEBVPNGroup will be used mainly to download the AnyConnect VPN client and to issue the user certificate through the SCEP-Proxy function of the ASA; for this we have the corresponding options enabled both in the tunnel group itself and in the associated group policy AC-DOWNLOAD, together with the loaded AnyConnect profile (certificate issuance fields, etc.). In this group policy we also require the ISE posture module to be downloaded.

The tunnel group SECURE-BANK-VPN will be selected automatically by the client when it authenticates with the certificate issued in the previous step, since, according to the Certificate Map, the connection lands specifically in this tunnel group. The interesting options here:

  • secondary-authentication-server-group DUO # Set secondary authentication on the DUO server (Radius Proxy)
  • username-from-certificate CN # For primary authentication we take the user's login from the CN field of the certificate
  • secondary-username-from-certificate I # For secondary authentication on the DUO server we use the username taken from the Initials (I) field of the certificate
  • pre-fill-username client # Pre-fill the username in the authentication window without the ability to change it
  • secondary-pre-fill-username client hide use-common-password push # Hide the login/password prompt for the DUO secondary authentication and use the notification method (sms/push/phone) to request confirmation instead of a password field (see the docs here)

!
access-list posture-redirect extended permit tcp any host 72.163.1.80 
access-list posture-redirect extended deny ip any any
!
access-list VPN-Filter extended permit ip any any
!
ip local pool vpn-pool 192.168.100.33-192.168.100.63 mask 255.255.255.224
!
group-policy SECURE-BANK-VPN internal
group-policy SECURE-BANK-VPN attributes
 dns-server value 192.168.99.155 192.168.99.130
 vpn-filter value VPN-Filter
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelall
 default-domain value ashes.cc
 address-pools value vpn-pool
 webvpn
  anyconnect ssl dtls enable
  anyconnect mtu 1300
  anyconnect keep-installer installed
  anyconnect ssl keepalive 20
  anyconnect ssl rekey time none
  anyconnect ssl rekey method ssl
  anyconnect dpd-interval client 30
  anyconnect dpd-interval gateway 30
  anyconnect ssl compression lzs
  anyconnect dtls compression lzs
  anyconnect modules value iseposture
  anyconnect profiles value SECUREBANK type user
!
group-policy AC-DOWNLOAD internal
group-policy AC-DOWNLOAD attributes
 dns-server value 192.168.99.155 192.168.99.130
 vpn-filter value VPN-Filter
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelall
 default-domain value ashes.cc
 address-pools value vpn-pool
 scep-forwarding-url value http://ise.ashes.cc:9090/auth/caservice/pkiclient.exe
 webvpn
  anyconnect ssl dtls enable
  anyconnect mtu 1300
  anyconnect keep-installer installed
  anyconnect ssl keepalive 20
  anyconnect ssl rekey time none
  anyconnect ssl rekey method ssl
  anyconnect dpd-interval client 30
  anyconnect dpd-interval gateway 30
  anyconnect ssl compression lzs
  anyconnect dtls compression lzs
  anyconnect modules value iseposture
  anyconnect profiles value SECUREBANK type user
!
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool vpn-pool
 authentication-server-group ISE
 accounting-server-group ISE
 default-group-policy AC-DOWNLOAD
 scep-enrollment enable
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication aaa certificate
!
tunnel-group SECURE-BANK-VPN type remote-access
tunnel-group SECURE-BANK-VPN general-attributes
 address-pool vpn-pool
 authentication-server-group ISE
 secondary-authentication-server-group DUO
 accounting-server-group ISE
 default-group-policy SECURE-BANK-VPN
 username-from-certificate CN
 secondary-username-from-certificate I
tunnel-group SECURE-BANK-VPN webvpn-attributes
 authentication aaa certificate
 pre-fill-username client
 secondary-pre-fill-username client hide use-common-password push
 group-alias SECURE-BANK-VPN enable
 dns-group ASHES-DNS
!

Next we move on to ISE:

Configure a local user (you can use AD/LDAP/ODBC, etc.); for simplicity I created a local user in ISE itself and put into the Description field the UDID of the PC from which this user is allowed to log in via VPN. Using local authentication in ISE limits me to a single device, since there are not many spare fields, but with a third-party user store I would not have such restrictions.


Let's look at the authorization policy, divided into the four stages of a connection:

  • Stage 1: Policy for downloading the AnyConnect agent and issuing the certificate
  • Stage 2: Primary authentication policy: Login (from certificate)/Password + Certificate with UDID validation
  • Stage 3: Secondary authentication via Cisco DUO (MFA) using the UDID as the username + posture assessment
  • Stage 4: Final authorization in the state:
    • Compliant;
    • UDID validated (from the certificate + binding to the login),
    • Cisco DUO MFA passed;
    • Authenticated by login;
    • Authenticated by certificate;


Let's look at the interesting condition UUID_VALIDATED: it checks that the authenticating user came from a PC whose UDID matches the permitted UDID bound in the Description field of the account; the conditions look like this:


The authorization profile used in stages 1, 2 and 3 is as follows:


You can see directly how the UDID from the AnyConnect client reaches us by looking at the client's session details in ISE. In the details we see that AnyConnect, through the ACIDEX mechanism, sends not only information about the platform but also the device UDID as a Cisco-AV-PAIR:
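The UUID_VALIDATED condition described above and the Cisco-AV-PAIR data in the session details, as an added Python example that is not part of the article or of ISE: it parses the device UDID out of constructed AV-pair strings and requires that it agree with the certificate's Initials field and with the UDID stored in the account's Description. The mdm-tlv=device-uid=... rendering of the ACIDEX attribute is an assumption, and all sample records are constructed.

```python
import re

# Constructed sample of the Cisco-AV-PAIR values shown in an ISE session;
# the exact mdm-tlv formatting is an assumption, not output from the article.
SAMPLE_AVPAIRS = [
    "mdm-tlv=device-platform=win",
    "mdm-tlv=device-platform-version=10.0.19045",
    "mdm-tlv=device-type=Constructed Laptop Model",
    "mdm-tlv=device-uid=" + "A1" * 32,
]
# Constructed identity-store record: the UDID the admin put in Description.
SAMPLE_ACCOUNT = {"username": "ivanov", "description": "A1" * 32}
# Constructed subject of the certificate presented to the ASA.
SAMPLE_CERT_SUBJECT = {"CN": "ivanov", "OU": "SECUREBANK-RA",
                       "initials": "A1" * 32}


def device_uid_from_avpairs(avpairs):
    """Return the UDID AnyConnect reported via Cisco-AV-PAIR, or None."""
    for pair in avpairs:
        m = re.fullmatch(r"mdm-tlv=device-uid=([0-9A-Fa-f]{64})", pair.strip())
        if m:
            return m.group(1).upper()
    return None


def udid_validated(avpairs, cert_subject, account):
    """Emulates the UUID_VALIDATED condition: accept only when the certificate's
    Initials, the live device UDID and the UDID bound to the account all agree,
    and the certificate CN is the account that is logging in."""
    reported = device_uid_from_avpairs(avpairs)
    if reported is None:
        return False  # no ACIDEX data: the session cannot be tied to a device
    bound = account.get("description", "").strip().upper()
    in_cert = cert_subject.get("initials", "").strip().upper()
    if not bound or not in_cert:
        return False  # an empty binding must never match an empty field
    return cert_subject.get("CN") == account.get("username") \
        and reported == in_cert == bound


if __name__ == "__main__":
    print("UUID_VALIDATED:", udid_validated(SAMPLE_AVPAIRS,
                                            SAMPLE_CERT_SUBJECT, SAMPLE_ACCOUNT))
```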


Let's pay attention to the certificate issued to the user and its Initials (I) field, which is used as the login for the secondary MFA authentication in Cisco DUO:


In the log on the DUO Radius Proxy side we can clearly see how the authentication request is made, with the UDID used as the username:


From the DUO portal we see the successful authentication event:


And in the user properties I set the ALIAS that I used for the login; accordingly, this is the UDID of the PC permitted to log in:


As a result we got:

  • Multi-factor authentication of both the user and the device;
  • Protection against substitution of the user's device;
  • Assessment of the device's state;
  • The possibility of strengthening control with a domain machine certificate, etc.;
  • Comprehensive protection of the remote workplace with automatically deployed security modules;


source: www.habr.com
