Implementing a highly secured remote access concept

Continuing the series of articles on organizing Remote Access VPN, I can't help but share my interesting experience of deploying a highly secured VPN configuration. A non-trivial task was set by one customer (there are still inventive folk in Russian villages), but the challenge was accepted and implemented creatively. The result is an interesting concept with the following characteristics:

  1. Several factors of protection against substitution of the terminal device (with strict binding to the user):
    • Checking that the user's PC matches the UDID of the permitted PC assigned to the user in the authentication database;
    • MFA using the PC UDID taken from the certificate for secondary authentication via Cisco DUO (any SAML/Radius-compatible solution can be attached);
  2. Multi-factor authentication:
    • A user certificate with validation of its fields and secondary authentication against one of them;
    • Login (unchangeable, taken from the certificate) and password;
  3. Assessment of the state of the connecting host (Posture)

Solution components used:

  • Cisco ASA (VPN Gateway);
  • Cisco ISE (Authentication / Authorization / Accounting, Posture assessment, CA);
  • Cisco DUO (Multi-factor Authentication) (any SAML/Radius-compatible solution can be attached);
  • Cisco AnyConnect (multi-purpose agent for workstations and mobile OS);

Let's start with the customer's requirements:

  1. The user must be able, after Login/Password authentication, to download the AnyConnect client from the VPN gateway; all required AnyConnect modules must be installed automatically according to the user's policy;
  2. The user should be able to have a certificate issued automatically (for one of the scenarios; the main scenario is manual issuance and loading onto the PC), but I implemented automatic issuance for the demonstration (it is never too late to remove it).
  3. Primary authentication must take place in several stages: first certificate authentication with analysis of the required fields and their values, then login/password; in this case the username specified in the certificate's Subject Name (CN) field must be inserted into the login window without the ability to edit it.
  4. It must be verified that the device the user logs in from is the corporate laptop issued to the user for remote access, and not something else. (Several options were implemented to satisfy this requirement)
  5. The state of the connecting device (at this stage a PC) must be checked against the customer's whole hefty table of requirements (summarized):
    • Files and their properties;
    • Registry entries;
    • OS patches from a provided list (SCCM integration later);
    • Presence of anti-virus from a specific vendor and currency of its signatures;
    • Activity of certain services;
    • Presence of certain installed programs;

To begin with, I suggest you watch the video demonstration of the resulting implementation on YouTube (5 minutes).

Now I propose to look at the implementation details not covered in the video.

Let's prepare the AnyConnect profile:

I previously gave an example of creating a profile (in terms of the menu item in ASDM) in my article on setting up VPN Load-Balancing. Now I would like to separately note the options we will need:

In the profile we specify the VPN gateway and the profile name for connecting from the end client:

[Screenshot: AnyConnect profile, Server List with the VPN gateway and profile name]

Let's configure automatic certificate issuance from the profile side, specifying in particular the certificate parameters; characteristically, pay attention to the Initials (I) field, where a specific value is entered manually: the UDID of the test machine (a unique device identifier generated by the Cisco AnyConnect client).

[Screenshot: AnyConnect profile, Certificate Enrollment with the UDID in the Initials (I) field]

Here I want to make a lyrical digression, since this article describes a concept: for demonstration purposes, the UDID for certificate issuance is entered in the Initials field of the AnyConnect profile. Of course, if you do this in real life, all clients will receive a certificate with the same UDID in this field and nothing will work for them, since they need the UDID of their particular PC. Unfortunately, AnyConnect does not yet substitute the UDID into the certificate request profile via an environment variable, as it does, for example, with the %USER% variable.

It's worth noting that the customer (in this scenario) initially planned to issue certificates with the UDID themselves, in manual mode, to such protected PCs, which is not a problem for them. However, most of us want automation (well, it's certainly true for me =)).

And here is what I can offer in terms of automation. If AnyConnect cannot issue a certificate automatically with the UDID substituted dynamically, there is another way that requires a bit of creative thinking and skilled hands; I'll give you the idea. First, let's look at how the AnyConnect agent generates the UDID on different operating systems:

  • Windows - SHA-256 hash of the combination of the DigitalProductID and the Machine SID registry key
  • OSX - SHA-256 hash of the PlatformUUID
  • Linux - SHA-256 hash of the UUID of the root partition
  • Apple iOS - SHA-256 hash of the PlatformUUID
  • Android - see the documentation at the link

Accordingly, we create a script for our corporate Windows OS; with this script we compute the UDID locally from the known inputs and form a certificate request, entering this UDID in the required field. By the way, you can also use a machine certificate issued by AD (by adding a second certificate authentication to the scheme, i.e. Multiple-Certificate).
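As an added sketch of that script idea (my example, not the article's or Cisco's code), the following Python computes a UDID from the two Windows inputs the article names and builds the request subject with the UDID in the Initials field. The article does not document how AnyConnect concatenates DigitalProductId and the machine SID, so that concatenation, the OpenSSL `-subj` form of the subject, and the script name are assumptions; compare the result with the device-uid ISE shows in the session details before relying on it.

```python
import hashlib
import sys

def compute_udid(digital_product_id: bytes, machine_sid: str) -> str:
    """SHA-256 over the two Windows inputs the article names: the DigitalProductId
    registry value and the machine SID. How AnyConnect concatenates them is not
    documented here; hashing the raw DigitalProductId bytes followed by the SID as
    UTF-8 is an assumption, so compare the result with the device-uid that ISE shows
    in the session details before relying on it."""
    h = hashlib.sha256()
    h.update(digital_product_id)
    h.update(machine_sid.encode("utf-8"))
    return h.hexdigest()

def read_digital_product_id() -> bytes:
    """Read HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\DigitalProductId (Windows only)."""
    import winreg  # standard library, present only on Windows builds of Python
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion") as key:
        value, _ = winreg.QueryValueEx(key, "DigitalProductId")
    return bytes(value)

def request_subject(username: str, udid: str, ou: str = "SECUREBANK-RA") -> str:
    """Subject for the certificate request in OpenSSL -subj form: CN is the login the
    ASA takes with 'username-from-certificate CN', OU matches the ASA certificate
    map, and initials (OID 2.5.4.43, the 'I' field) carries the UDID that
    'secondary-username-from-certificate I' hands to DUO."""
    return f"/CN={username}/OU={ou}/initials={udid}"

if __name__ == "__main__":
    # Usage on the corporate PC: python udid_request.py <machine SID> <username>
    # The machine SID is supplied by the administrator (e.g. from PsGetSid).
    if sys.platform != "win32" or len(sys.argv) != 3:
        sys.exit("usage (Windows only): udid_request.py <machine-sid> <username>")
    udid = compute_udid(read_digital_product_id(), sys.argv[1])
    print(request_subject(sys.argv[2], udid))
```

The printed subject can be passed to `openssl req -new -subj ...` to produce the request that is then submitted to the ISE CA.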

Let's set up the Cisco ASA side:

Let's create a TrustPoint for the ISE CA server; it will be the one issuing certificates to clients. I won't go over the Certificate-Chain import procedure; an example is described in my article on setting up VPN Load-Balancing.

crypto ca trustpoint ISE-CA
 enrollment terminal
 crl configure

We configure distribution into Tunnel-Groups based on rules matching the fields of the certificate used for authentication. The AnyConnect profile created in the previous stage is also configured here. Note that I use the value SECUREBANK-RA to move users with an issued certificate into the tunnel group SECURE-BANK-VPN; note also that I have this field in the AnyConnect profile's certificate request.

tunnel-group-map enable rules
!
crypto ca certificate map OU-Map 6
 subject-name attr ou eq securebank-ra
!
webvpn
 anyconnect profiles SECUREBANK disk0:/securebank.xml
 certificate-group-map OU-Map 6 SECURE-BANK-VPN
!

Setting up the authentication servers. In my case, this is ISE for the first stage of authentication and DUO (Radius Proxy) as MFA.

! CISCO ISE
aaa-server ISE protocol radius
 authorize-only
 interim-accounting-update periodic 24
 dynamic-authorization
aaa-server ISE (inside) host 192.168.99.134
 key *****
!
! DUO RADIUS PROXY
aaa-server DUO protocol radius
aaa-server DUO (inside) host 192.168.99.136
 timeout 60
 key *****
 authentication-port 1812
 accounting-port 1813
 no mschapv2-capable
!

We create the group policies and tunnel groups and their auxiliary components:

The DefaultWEBVPNGroup tunnel group will primarily be used to download the AnyConnect VPN client and to issue a user certificate using the ASA's SCEP-Proxy function; for this the corresponding options are enabled both on the tunnel group itself and on the associated group policy AC-DOWNLOAD, and in the uploaded AnyConnect profile (fields for certificate issuance, etc.). Also in this group policy we specify that the ISE Posture Module must be downloaded.

The SECURE-BANK-VPN tunnel group will be used automatically by the client when it authenticates with the certificate issued in the previous stage, since, according to the Certificate Map, the connection will land specifically in this tunnel group. I'll tell you about the interesting options here:

  • secondary-authentication-server-group DUO # sets secondary authentication against the DUO server (Radius Proxy)
  • username-from-certificate CN # for primary authentication, the CN field of the certificate is used as the user login
  • secondary-username-from-certificate I # for secondary authentication against the DUO server, the username is taken from the Initials (I) field of the certificate
  • pre-fill-username client # the username is pre-filled in the authentication window without the ability to change it
  • secondary-pre-fill-username client hide use-common-password push # we hide the login/password entry window for the DUO secondary authentication and use the notification method (sms / push / phone) to request authentication instead of a password field

!
access-list posture-redirect extended permit tcp any host 72.163.1.80 
access-list posture-redirect extended deny ip any any
!
access-list VPN-Filter extended permit ip any any
!
ip local pool vpn-pool 192.168.100.33-192.168.100.63 mask 255.255.255.224
!
group-policy SECURE-BANK-VPN internal
group-policy SECURE-BANK-VPN attributes
 dns-server value 192.168.99.155 192.168.99.130
 vpn-filter value VPN-Filter
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelall
 default-domain value ashes.cc
 address-pools value vpn-pool
 webvpn
  anyconnect ssl dtls enable
  anyconnect mtu 1300
  anyconnect keep-installer installed
  anyconnect ssl keepalive 20
  anyconnect ssl rekey time none
  anyconnect ssl rekey method ssl
  anyconnect dpd-interval client 30
  anyconnect dpd-interval gateway 30
  anyconnect ssl compression lzs
  anyconnect dtls compression lzs
  anyconnect modules value iseposture
  anyconnect profiles value SECUREBANK type user
!
group-policy AC-DOWNLOAD internal
group-policy AC-DOWNLOAD attributes
 dns-server value 192.168.99.155 192.168.99.130
 vpn-filter value VPN-Filter
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelall
 default-domain value ashes.cc
 address-pools value vpn-pool
 scep-forwarding-url value http://ise.ashes.cc:9090/auth/caservice/pkiclient.exe
 webvpn
  anyconnect ssl dtls enable
  anyconnect mtu 1300
  anyconnect keep-installer installed
  anyconnect ssl keepalive 20
  anyconnect ssl rekey time none
  anyconnect ssl rekey method ssl
  anyconnect dpd-interval client 30
  anyconnect dpd-interval gateway 30
  anyconnect ssl compression lzs
  anyconnect dtls compression lzs
  anyconnect modules value iseposture
  anyconnect profiles value SECUREBANK type user
!
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool vpn-pool
 authentication-server-group ISE
 accounting-server-group ISE
 default-group-policy AC-DOWNLOAD
 scep-enrollment enable
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication aaa certificate
!
tunnel-group SECURE-BANK-VPN type remote-access
tunnel-group SECURE-BANK-VPN general-attributes
 address-pool vpn-pool
 authentication-server-group ISE
 secondary-authentication-server-group DUO
 accounting-server-group ISE
 default-group-policy SECURE-BANK-VPN
 username-from-certificate CN
 secondary-username-from-certificate I
tunnel-group SECURE-BANK-VPN webvpn-attributes
 authentication aaa certificate
 pre-fill-username client
 secondary-pre-fill-username client hide use-common-password push
 group-alias SECURE-BANK-VPN enable
 dns-group ASHES-DNS
!

Next, let's move to ISE:

We configure a local user (you can use AD/LDAP/ODBC, etc.); for simplicity I created a local user in ISE itself and put into its Description field the UDID of the PC from which it is allowed to log in via VPN. If I use local authentication on ISE, I'm limited to only one device, since there aren't many fields, but with third-party databases I wouldn't have such a restriction.

[Screenshot: ISE local user with the permitted PC's UDID in the Description field]

Let's look at the authorization policy; it is divided into four connection stages:

  • Stage 1 - policy for downloading the AnyConnect agent and issuing a certificate
  • Stage 2 - primary authentication policy: Login (from certificate) / Password + Certificate with UDID validation
  • Stage 3 - secondary authentication via Cisco DUO (MFA) using the UDID as the username + posture assessment
  • Stage 4 - final authorization in the state:
    • Compliant;
    • UDID validated (from the certificate + login binding);
    • Cisco DUO MFA;
    • Authentication by login;
    • Certificate authentication;

[Screenshot: ISE authorization policy with the four stages]

Let's look at the interesting condition UUID_VALIDATED; it simply checks that the authenticating user really connects from a PC with the permitted UDID associated in the account's Description field. The conditions look like this:

[Screenshot: UUID_VALIDATED condition in ISE]

The authorization profile used in stages 1, 2 and 3 is as follows:

[Screenshot: ISE authorization profile for stages 1-3]

You can check exactly how the UDID from the AnyConnect client reaches us by looking at the client session details in ISE. In the details we will see that AnyConnect, via the ACIDEX mechanism, sends not only information about the platform but also the UDID of the device as a Cisco-AV-pair:

[Screenshot: ISE session details with the Cisco-AV-pair carrying the UDID]
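To make the UUID_VALIDATED condition and the Stage 4 authorization concrete, here is an added Python model (my example, not the article's or Cisco ISE's code) that evaluates them over constructed session data. The Session fields, the `mdm-tlv=device-uid=` attribute name, the PERMIT/DENY result names and the sample UDID are assumptions of this example; the real attribute name should be checked against the session details in ISE.

```python
import re
from dataclasses import dataclass

# Constructed sample UDID (64 hex chars, the form AnyConnect reports); not from the article.
SAMPLE_UDID = "3f" * 32

@dataclass
class Session:
    """What ISE sees for one VPN request (field names are this example's own)."""
    cert_cn: str            # Subject CN, becomes the login (username-from-certificate CN)
    cert_initials: str      # Subject Initials (I), carries the UDID
    av_pairs: list          # Cisco-AV-pair values the AnyConnect agent sent via ACIDEX
    login_ok: bool = False  # login/password accepted by the identity store
    cert_ok: bool = False   # certificate validated against the ISE CA
    mfa_ok: bool = False    # Cisco DUO secondary authentication succeeded
    posture: str = "Unknown"  # Compliant / NonCompliant / Unknown

def parse_av_pairs(av_pairs):
    """Split 'mdm-tlv=<name>=<value>' pairs into a dict; the 'mdm-tlv=device-uid='
    attribute name is assumed, check it against the session details in ISE."""
    out = {}
    for pair in av_pairs:
        m = re.fullmatch(r"mdm-tlv=([a-z-]+)=(.+)", pair)
        if m:
            out[m.group(1)] = m.group(2)
    return out

def uuid_validated(session, account_description):
    """The UUID_VALIDATED idea: the UDID the certificate claims (Initials) must equal the
    UDID stored in the account's Description, and must also equal the device-uid the
    agent reported for this very session, so a copied certificate alone is not enough."""
    reported = parse_av_pairs(session.av_pairs).get("device-uid", "")
    claimed = session.cert_initials.strip().lower()
    return (claimed != "" and claimed == account_description.strip().lower()
            and claimed == reported.lower())

def final_authorization(session, account_description):
    """Stage 4: permit only when all five conditions from the article hold;
    otherwise return the names of the failed checks for the ISE live log."""
    checks = {
        "compliant": session.posture == "Compliant",
        "udid_validated": uuid_validated(session, account_description),
        "duo_mfa": session.mfa_ok,
        "login": session.login_ok,
        "certificate": session.cert_ok,
    }
    failed = [name for name, ok in checks.items() if not ok]
    return ("PERMIT", []) if not failed else ("DENY", failed)
```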

Let's pay attention to the certificate issued to the user and to the Initials (I) field, which is used as the login for the second, MFA, authentication on Cisco DUO:

[Screenshot: issued user certificate with the UDID in the Initials (I) field]

On the DUO Radius proxy side, in the log we can clearly see how the authentication request is made; it uses the UDID as the username:

[Screenshot: DUO Radius proxy log with the UDID as the username]

From the DUO portal we see a successful authentication event:

[Screenshot: DUO portal, successful authentication event]

And in the user properties I have an ALIAS set, which I use for login; in turn, it is the UDID of the PC permitted for login:

[Screenshot: DUO user properties with the UDID as the alias]

As a result, we have:

  • Multi-factor user and device authentication;
  • Protection against spoofing of the user's device;
  • Device posture assessment;
  • Potential for increased control with a domain machine certificate, etc.;
  • Comprehensive remote workplace protection with automatically deployed security modules;

Links to the articles in the Cisco VPN series:

Source: www.habr.com
