Configuring 802.1X on Cisco Switches Using NPS Failover (Windows RADIUS with AD)

Let's look in practice at using Windows Active Directory + NPS (two servers, for fault tolerance) + the 802.1X standard for access control and authentication of users, domain computers and devices. The theory behind the standard is described on Wikipedia: IEEE 802.1X

Since my "lab" is limited in resources, the NPS and domain controller roles are combined on the same servers, but I recommend that you still keep such critical services separate.

I am not aware of a built-in way to synchronize Windows NPS configurations (policies) between servers, so we will use PowerShell scripts launched by Task Scheduler (the author of the scripts is a former colleague of mine). For authentication of domain computers, and for devices that cannot do 802.1X (phones, printers, etc.), a group policy will be configured and security groups will be created.

At the end of the article I will describe some intricacies of working with 802.1X: how to deal with unmanaged switches, dynamic ACLs, and so on, and I will share the "glitches" we ran into.

Let's start with installing and configuring NPS failover on Windows Server 2012 R2 (everything is the same on 2016): in Server Manager -> Add Roles and Features Wizard, select only Network Policy Server.


or, using PowerShell:

Install-WindowsFeature NPAS -IncludeManagementTools

A small clarification: for Protected EAP (PEAP) you will certainly need a certificate that proves the identity of the NPS server (issued for the Server Authentication usage) and that is trusted on the client computers, so most likely you will also have to install the Certification Authority role. Here we assume that a CA is already installed...

Do the same on the second server. Create a folder for scripts, C:\Scripts, on both servers, and a network share on the second server, \\SRV2\NPS-config$. Keep in mind that the exported XML contains the RADIUS shared secrets in clear text, so the share should be writable only by the first NPS server and readable only by the second.

On the first server, create a PowerShell script C:\Scripts\Export-NPS-config.ps1 with the following content:

Export-NpsConfiguration -Path "\\SRV2\NPS-config$\NPS.xml"

Then create a task in Task Scheduler named "Export-NpsConfiguration" that runs:

powershell -executionpolicy unrestricted -f "C:\Scripts\Export-NPS-config.ps1"

Run whether user is logged on or not - Run with highest privileges
Daily - Repeat task every 10 minutes for a duration of 8 hours

On the backup NPS, configure the import of the configuration (policies).
Create the PowerShell script (the one-liner below, typed at a cmd.exe prompt, produces a script containing just the Import-NpsConfiguration command; the share \\SRV2\NPS-config$ is the local folder C:\NPS-config on the second server):

echo Import-NpsConfiguration -Path "c:\NPS-config\NPS.xml" >> C:\Scripts\Import-NPS-config.ps1

and a task that runs every 10 minutes:

powershell -executionpolicy unrestricted -f "C:\Scripts\Import-NPS-config.ps1"

Run whether user is logged on or not - Run with highest privileges
Daily - Repeat task every 10 minutes for a duration of 8 hours
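The two one-liners above re-import the whole NPS configuration every ten minutes whether or not anything changed, and a backup server that reads the share while the primary is still writing it will import a truncated file. The following script is an added example, not part of the original article or its author's scripts: one file that does the export on the primary and the import on the backup, writes the export atomically, skips the import when the file is unchanged, and registers its own scheduled task. The paths \\SRV2\NPS-config$ and C:\NPS-config are the article's; the state file, log file and task name are assumptions.

```powershell
# Added example (not from the original article). Run with -Role Export on the
# primary NPS and -Role Import on the backup; add -Register once on each server
# to create the 10-minute scheduled task for that role (the task runs as SYSTEM,
# so the primary's computer account needs Modify rights on the share).
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('Export', 'Import')][string]$Role,
    [switch]$Register,
    [string]$ExportPath = '\\SRV2\NPS-config$\NPS.xml',      # written by the primary
    [string]$ImportPath = 'C:\NPS-config\NPS.xml',           # same file, local path on the backup
    [string]$StateFile  = 'C:\Scripts\nps-last-import.sha256', # assumption
    [string]$LogFile    = 'C:\Scripts\nps-sync.log'            # assumption
)

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) [$Role] $Message" | Out-File -FilePath $LogFile -Append -Encoding utf8
}

if ($Register) {
    # Same 10-minute cadence as the article's tasks, but repeating indefinitely
    # instead of for 8 hours, and without storing a domain password in the task.
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`" -Role $Role"
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Date `
        -RepetitionInterval (New-TimeSpan -Minutes 10) -RepetitionDuration ([TimeSpan]::MaxValue)
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName "NPS-$Role-Config" -Action $action -Trigger $trigger `
        -Principal $principal -Force | Out-Null
    Write-Log "registered task NPS-$Role-Config"
    return
}

Import-Module NPS -ErrorAction Stop
try {
    if ($Role -eq 'Export') {
        # Export to a temporary name and rename, so the backup never sees a
        # half-written XML. The file holds RADIUS shared secrets in clear text:
        # keep the share ACL limited to the two NPS computer accounts.
        $tmp = "$ExportPath.tmp"
        Export-NpsConfiguration -Path $tmp
        Move-Item -Path $tmp -Destination $ExportPath -Force
        Write-Log "exported $((Get-Item $ExportPath).Length) bytes"
    }
    else {
        if (-not (Test-Path $ImportPath)) { Write-Log 'no export file yet'; return }
        $hash = (Get-FileHash -Path $ImportPath -Algorithm SHA256).Hash
        $last = if (Test-Path $StateFile) { (Get-Content -Path $StateFile -Raw).Trim() } else { '' }
        if ($hash -eq $last) { return }                 # unchanged since the last import
        $null = [xml](Get-Content -Path $ImportPath -Raw)   # refuse a truncated or corrupt file
        Import-NpsConfiguration -Path $ImportPath       # replaces the whole NPS configuration
        Set-Content -Path $StateFile -Value $hash
        Write-Log "imported configuration $hash"
    }
}
catch {
    Write-Log "FAILED: $($_.Exception.Message)"
    exit 1
}
```

Import-NpsConfiguration replaces the complete configuration of the backup server, including its RADIUS clients, so the hash check also protects you from a failed export on the primary being pushed over a good configuration on the backup every ten minutes.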

Now, to check the replication, add to NPS on one of the servers (!) two switches as RADIUS clients (IP address and Shared Secret), two connection request policies: WIRED-Connect (Condition: "NAS Port Type is Ethernet") and WiFi-Enterprise (Condition: "NAS Port Type is IEEE 802.11"), and a network policy Access to Cisco Network Devices (network administrators):

Conditions:
  Windows Groups - domain\sg-network-admins
Constraints:
  Authentication Methods - Unencrypted authentication (PAP, SPAP)
Settings:
  RADIUS Attributes: Standard - Service-Type - Login
  Vendor Specific - Cisco-AV-Pair - Cisco - shell:priv-lvl=15

Because switch logins use PAP, the administrator's password travels from the switch to NPS protected only by the RADIUS shared secret, so use a long random secret, restrict each RADIUS client entry to the switch's management address, and keep RADIUS traffic on the management network.

On the switch side, the following settings:

aaa new-model
aaa local authentication attempts max-fail 5
!
!
aaa group server radius NPS
 server-private 192.168.38.151 auth-port 1812 acct-port 1813 key %shared_secret%
 server-private 192.168.10.151 auth-port 1812 acct-port 1813 key %shared_secret%
!
aaa authentication login default group NPS local
aaa authentication dot1x default group NPS
aaa authorization console
aaa authorization exec default group NPS local if-authenticated
aaa authorization network default group NPS
!
aaa session-id common
!
identity profile default
!
dot1x system-auth-control
!
!
line vty 0 4
 exec-timeout 5 0
 transport input ssh
 escape-character 99
line vty 5 15
 exec-timeout 5 0
 logging synchronous
 transport input ssh
 escape-character 99

After configuration, within 10 minutes all clients, policies and parameters should appear on the backup NPS, and we should be able to log in to the switches with an Active Directory account that is a member of the domain\sg-network-admins group (created in advance).

Let's move on to the Active Directory side: create the group policy and the password policy, and create the required groups.

Group Policy Computers-8021x-Settings:

Computer Configuration (Enabled)
  Policies
    Windows Settings
      Security Settings
        System Services
          Wired AutoConfig (Startup Mode: Automatic)
        Wired Network (IEEE 802.3) Policies
          NPS-802-1x

Wired Network (IEEE 802.3) Policy NPS-802-1x

Name	NPS-802-1x
Description	802.1x
Global Settings
SETTING	VALUE
Use Windows wired LAN network services for clients	Enabled
Shared user credentials for network authentication	Enabled
Network Profile
Security Settings
Enable use of IEEE 802.1X authentication for network access	Enabled
Enforce use of IEEE 802.1X authentication for network access	Disabled
IEEE 802.1X Settings
Computer Authentication	Computer only
Maximum Authentication Failures	10
Maximum EAPOL-Start Messages Sent
Held Period (seconds)
Start Period (seconds)
Authentication Period (seconds)
Network Authentication Method Properties
Authentication method	Protected EAP (PEAP)
Validate server certificate	Enabled
Connect to these servers
Do not prompt user to authorize new servers or trusted certification authorities	Disabled
Enable fast reconnect	Enabled
Disconnect if server does not present cryptobinding TLV	Disabled
Enforce network access protection	Disabled
Authentication Method Configuration
Authentication method	Secured password (EAP-MSCHAP v2)
Automatically use my Windows logon name and password (and domain if any)	Enabled

Note that with "Validate server certificate" enabled but "Connect to these servers" left empty, the supplicant accepts any server certificate that chains to any trusted root CA. Once the NPS certificates are issued, enter the NPS server names there and tick only your own CA in the trusted root list; otherwise a rogue RADIUS server with a certificate from any public CA can collect the EAP-MSCHAPv2 exchange.


Create a security group sg-computers-8021x-vl100, add to it the computers we want to place in VLAN 100, and set security filtering on the group policy created above to this group:


You can verify that the policy has been applied by opening "Network and Sharing Center (Network and Internet settings) - Change adapter settings - adapter Properties", where the "Authentication" tab should now be present:


Once you are sure the policy has been applied, you can proceed to the network policy on NPS and the switch port configuration.

Create a network policy neag-computers-8021x-vl100:

Conditions:
  Windows Groups - sg-computers-8021x-vl100
  NAS Port Type - Ethernet
Constraints:
  Authentication Methods - Microsoft: Protected EAP (PEAP); Unencrypted authentication (PAP, SPAP)
  NAS Port Type - Ethernet
Settings:
  RADIUS Attributes, Standard:
    Framed-MTU - 1344
    Tunnel-Medium-Type - 802 (includes all 802 media plus Ethernet canonical format)
    Tunnel-Pvt-Group-ID - 100
    Tunnel-Type - Virtual LANs (VLAN)


Typical settings for a switch port (note that the "multi-domain" host mode is used, i.e. one data device and one voice device per port, and that authentication by MAC address (MAB) is enabled as well). During the "transition period" it makes sense to use these parameters:


authentication event fail action authorize vlan 100
authentication event no-response action authorize vlan 100

where the VLAN id is not a "quarantine" VLAN but the same VLAN the user's computer should land in after successful authentication, until we are sure everything works as it should. Bear in mind that with these two lines a host that fails, or never answers, authentication still ends up in the production VLAN, so 802.1X is effectively in monitor mode until they are removed. The same parameters can be used in other scenarios, for example when an unmanaged switch is plugged into the port and you want every device behind it that did not pass authentication to land in a separate ("quarantine") VLAN.

Switch port configuration in 802.1X host-mode multi-domain:

default interface range Gi1/0/39-41
interface range Gi1/0/39-41
 shutdown
 description PC-IPhone_802.1x
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 55
 switchport port-security maximum 2
 authentication event fail action authorize vlan 100
 authentication event no-response action authorize vlan 100
 authentication host-mode multi-domain
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 15
 dot1x timeout tx-period 3
 storm-control broadcast level pps 100
 storm-control multicast level pps 110
 no vtp
 lldp receive
 lldp transmit
 spanning-tree portfast
 no shutdown
 exit

You can verify that the computer and the phone have authenticated successfully with:

show authentication sessions interface Gi1/0/39 details

Now create a group in Active Directory for phones (for example sg-fgpp-mab) and add a device for testing (in my case a Grandstream GXP2160 with MAC address 000b.82ba.a7b1 and, accordingly, the domain account 000b82baa7b1: the switch sends the MAC as 12 lower-case hex digits without separators, and the account name has to match that exactly).

For this group we lower the password policy requirements with a Fine-Grained Password Policy (Active Directory Administrative Center -> domain -> System -> Password Settings Container) named Password-Settings-for-MAB; the exact values were shown in a screenshot in the original, the point being to disable complexity and allow a 12-character hexadecimal password:


This lets us use the device's MAC address as its password. After that we can create a network policy for the MAB authentication method; let's call it neag-devices-8021x-voice. Its parameters are:

  • NAS Port Type - Ethernet
  • Windows Groups - sg-fgpp-mab
  • Authentication Methods - Unencrypted authentication (PAP, SPAP)
  • RADIUS Attributes - Vendor Specific: Cisco - Cisco-AV-Pair - Attribute value: device-traffic-class=voice
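The MAB setup above has two details that are easy to get wrong by hand: the account name must be exactly the 12 lower-case hex digits the switch sends (the article's own 000b82baa7b1), and the relaxed PSO only applies to an account that is already a member of the group when its password is set, so creating the user with a password in one step fails against the default domain policy. The script below is an added example, not code from the original article: it creates the group, the PSO and a MAB account from a MAC address in any common notation, in an order that works. The group and policy names are the article's; the OU path, the PSO values and the description are assumptions.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory
# module and rights to create users, groups and PSOs.
Import-Module ActiveDirectory -ErrorAction Stop

$GroupName = 'sg-fgpp-mab'                       # Windows Groups condition of neag-devices-8021x-voice
$PsoName   = 'Password-Settings-for-MAB'
$DeviceOU  = 'OU=MAB-Devices,DC=domain,DC=local'  # assumption: existing OU for device accounts

function ConvertTo-MabName {
    # Accepts 000b.82ba.a7b1, 00:0b:82:ba:a7:b1, 00-0B-82-BA-A7-B1 or 000b82baa7b1 and
    # returns the form the switch sends as User-Name/Password: 12 lower-case hex digits.
    param([Parameter(Mandatory)][string]$Mac)
    $norm = ($Mac -replace '[^0-9a-fA-F]', '').ToLower()
    if ($norm -notmatch '^[0-9a-f]{12}$') { throw "not a MAC address: '$Mac'" }
    return $norm
}

function New-MabAccount {
    param(
        [Parameter(Mandatory)][string]$Mac,
        [string]$Description = 'MAB device'
    )
    $name = ConvertTo-MabName $Mac
    if (Get-ADUser -Filter "sAMAccountName -eq '$name'") {
        Write-Warning "$name already exists"
        return $name
    }
    # Create disabled and without a password, join the group, and only then set the
    # password: the PSO is resolved from group membership at the moment the password
    # is set, so doing it in one New-ADUser call hits the default domain complexity rules.
    New-ADUser -Name $name -SamAccountName $name -Path $DeviceOU -Description $Description -Enabled $false
    Add-ADGroupMember -Identity $GroupName -Members $name
    Set-ADAccountPassword -Identity $name -Reset `
        -NewPassword (ConvertTo-SecureString $name -AsPlainText -Force)
    # The password is public (it is the MAC on the wire), so the account gets only what MAB needs.
    Set-ADUser -Identity $name -PasswordNeverExpires $true -CannotChangePassword $true
    Enable-ADAccount -Identity $name
    return $name
}

# 1. Group for MAB devices
if (-not (Get-ADGroup -Filter "name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $DeviceOU
}

# 2. PSO that allows a 12-character hex string as a password (values are assumptions;
#    any PSO overrides the Default Domain Policy, precedence only orders PSOs among themselves)
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 100 `
        -ComplexityEnabled $false -MinPasswordLength 12 -PasswordHistoryCount 0 `
        -MinPasswordAge '0.00:00:00' -MaxPasswordAge '3650.00:00:00' `
        -LockoutThreshold 0 -LockoutObservationWindow '0.00:30:00' -LockoutDuration '0.00:30:00' `
        -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $GroupName
}

# 3. The test phone from the article
New-MabAccount -Mac '000b.82ba.a7b1' -Description 'Grandstream GXP2160, voice VLAN 55'
```

Treat every MAB account as a credential that anyone on the wire already knows: keep these accounts in their own OU, give them no group memberships beyond sg-fgpp-mab, and let the network policy's Cisco-AV-Pair (device-traffic-class=voice) and the voice VLAN, not the account, decide what the device can reach.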

After successful authentication (don't forget to configure the switch port first), let's look at the session information on the port:

show authentication sessions interface Gi1/0/34

----------------------------------------
            Interface:  GigabitEthernet1/0/34
          MAC Address:  000b.82ba.a7b1
           IP Address:  172.29.31.89
            User-Name:  000b82baa7b1
               Status:  Authz Success
               Domain:  VOICE
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0000000000000EB2000B8C5E
      Acct Session ID:  0x00000134
               Handle:  0xCE000EB3

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
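The "show authentication sessions" output above is the switch's view; the NPS server keeps its own record of every request in the Security log as audit events 6272 (access granted) and 6273 (access denied), which is where you look when the switch only reports "Authc Failed". The function below is an added example, not part of the original article: it reads those events, parses the named event-data fields instead of relying on positional property indexes (which differ between 6272 and 6273), and optionally filters on a MAC address in any notation. The field names (CallingStationID, NASIPv4Address, NASPort, NetworkPolicyName, AuthenticationType, EAPType, ReasonCode, Reason, FullyQualifiedSubjectUserName) are those of the NPS audit events; the lookback window and the MAC used in the usage line are the article's phone and an assumption respectively.

```powershell
# Added example (not from the original article). Run on the NPS server as an
# administrator (reading the Security log needs it). NPS auditing must be on:
#   auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
function Get-NpsAuthEvent {
    [CmdletBinding()]
    param(
        [int]$Hours = 1,
        [string]$Mac        # optional filter; 000b.82ba.a7b1, 00:0b:82:ba:a7:b1 or 000b82baa7b1
    )
    $filter = @{ LogName = 'Security'; Id = 6272, 6273; StartTime = (Get-Date).AddHours(-$Hours) }
    $macNorm = if ($Mac) { ($Mac -replace '[^0-9a-fA-F]', '').ToLower() } else { $null }

    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # <EventData><Data Name="...">value</Data>...</EventData> -> hashtable keyed by Name
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.'#text' }

        # NPS logs Calling-Station-Id as 00-0B-82-BA-A7-B1; normalize before comparing
        if ($macNorm) {
            $seen = ("$($d['CallingStationID'])" -replace '[^0-9a-fA-F]', '').ToLower()
            if ($seen -ne $macNorm) { continue }
        }

        [pscustomobject]@{
            Time   = $e.TimeCreated
            Result = if ($e.Id -eq 6272) { 'GRANTED' } else { 'DENIED' }
            User   = $d['FullyQualifiedSubjectUserName']
            Mac    = $d['CallingStationID']
            NAS    = $d['NASIPv4Address']
            Port   = $d['NASPort']
            Policy = $d['NetworkPolicyName']
            Method = "$($d['AuthenticationType']) $($d['EAPType'])".Trim()
            Reason = if ($e.Id -eq 6273) { "$($d['ReasonCode']): $($d['Reason'])" } else { '' }
        }
    }
}

# Usage: the article's phone, last 24 hours, newest first
Get-NpsAuthEvent -Hours 24 -Mac '000b.82ba.a7b1' | Sort-Object Time -Descending | Format-Table -AutoSize
```

A phone that is correctly served by MAB shows one 6273 for the dot1x attempt that timed out (if the supplicant never answered there is no NPS event at all for it) followed by a 6272 whose Policy column is neag-devices-8021x-voice; a Windows computer should show a single 6272 with Method "EAP Microsoft: Secured password (EAP-MSCHAP v2)" and the computer policy. Anything hitting the administrators' PAP policy from a user port is worth an alert.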

Now, as promised, let's look at a couple of not entirely obvious situations. For example, we need to connect user computers and devices through an unmanaged switch. In that case the port configuration looks like this:

Switch port configuration in 802.1X host-mode multi-auth:

interface GigabitEthernet1/0/1
 description *SW – 802.1x – 8 mac*
 shutdown
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 55
 switchport port-security maximum 8    ! raise the number of allowed MAC addresses
 authentication event fail action authorize vlan 100
 authentication event no-response action authorize vlan 100
 authentication host-mode multi-auth   ! each MAC behind the port is authenticated separately
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 15
 dot1x timeout tx-period 3
 storm-control broadcast level pps 100
 storm-control multicast level pps 110
 no vtp
 spanning-tree portfast
 no shutdown

PS: we noticed a very strange glitch: if a device was connected through such an unmanaged switch and is then plugged directly into the managed switch, it will not work until the switch is rebooted (!). I have not found any other way to solve this problem yet.

Another point concerns DHCP (if ip dhcp snooping is in use). DHCP snooping inserts the relay-agent information option (option 82) into client requests while leaving giaddr at 0.0.0.0, and many DHCP servers discard such packets; the second line below stops the insertion. Without these options:

ip dhcp snooping vlan 1-100
no ip dhcp snooping information option

for some reason I could not obtain an IP address correctly... although this may be a peculiarity of our DHCP server.

Also, macOS and Linux (which have native 802.1X supplicants) answer the EAPOL requests and try to authenticate the user, even on ports intended for MAC-address authentication: with both methods enabled as above, MAB is only tried after the dot1x attempt fails or times out.

In the next part of the article we will look at using 802.1X for wireless: depending on the group the user account belongs to, the user will be "thrown" into the corresponding network (VLAN), even though everyone connects to the same SSID.

Source: www.habr.com
