Uyemukelwa ekushicilelweni kwesithathu kochungechunge lwezihloko ezinikezelwe ku-Cisco ISE. Izixhumanisi zawo wonke ama-athikili ochungechungeni zinikezwe ngezansi:
Kulolu shicilelo, uzocwila ekufinyeleleni kwezivakashi, kanye nesiqondiso sesinyathelo nesinyathelo sokuhlanganisa i-Cisco ISE ne-FortiGate ukuze ulungiselele i-FortiAP - indawo yokufinyelela evela e-Fortinet (ngokujwayelekile, noma iyiphi idivayisi esekelayo. I-RADIUS CoA - Ukushintsha kokugunyazwa).
Ukwengeza, nginamathisela izihloko zethu .
Ukubhala: Amadivayisi we-Check Point SMB awasekeli i-RADIUS CoA.
Kuyamangalisa ichaza ngesiNgisi indlela yokudala ukufinyelela kwezivakashi kusetshenziswa i-Cisco ISE ku-Cisco WLC (Isilawuli Esingenantambo). Ake sithole!
1. Isingeniso
Ukufinyelela kwesivakashi (ingosi) kukuvumela ukuthi unikeze ukufinyelela ku-inthanethi noma izinsiza zangaphakathi zezivakashi nabasebenzisi ongafuni ukubavumela kunethiwekhi yangakini. Kunezinhlobo ezi-3 ezifakwe ngaphambili zephothali Yezihambeli:
-
Ingosi Yezihambeli ze-Hotspot—ukufinyelela kunethiwekhi kunikezwa izivakashi ngaphandle kolwazi lokungena. Ngokuvamile, abasebenzisi kudingeka bavumelane “Nenqubomgomo Yokusetshenziswa Nobumfihlo” yenkampani ngaphambi kokufinyelela inethiwekhi.
-
Ingosi Yesivakashi Esixhasiwe - ukufinyelela kunethiwekhi kanye nedatha yokungena ngemvume kufanele kunikezwe umxhasi - umsebenzisi onesibopho sokudala ama-akhawunti ezivakashi ku-Cisco ISE.
-
Ingosi Yezihambeli Ezibhalise Ngokwakho - kulokhu, izivakashi zisebenzisa idatha yokungena ekhona, noma zizenzele i-akhawunti ngedatha yokungena, kodwa ukuqinisekiswa komxhasi kuyadingeka ukuze zithole ukufinyelela kunethiwekhi.
Ungakwazi phaka inthanethi amaningi kanyekanye Cisco ISE. Ngokuzenzakalelayo, umsebenzisi uzobona ilogo ye-Cisco nemishwana evamile evamile kuphothali yesivakashi. Konke lokhu kungenziwa ngokwezifiso futhi ungasetha ngisho nokubukwa kokukhangisa okuphoqelekile ngaphambi kokufinyelela.
Ukusetha ukufinyelela kwezivakashi kungahlukaniswa kube izinyathelo ezi-4 eziyinhloko: ukusetha i-FortiAP, ukusungula ukuxhumana kwe-Cisco ISE ne-FortiAP, ukwakha ingosi yesivakashi, nokumisa inqubomgomo yokufinyelela.
2. Ukulungiselela i-FortiAP ku-FortiGate
I-FortiGate isilawuli sephoyinti lokufinyelela futhi zonke izilungiselelo zenziwa kuyo. Amaphoyinti okufinyelela e-FortiAP asekela i-PoE, ngakho-ke uma usuyixhume kunethiwekhi yakho nge-Ethernet, ungaqala ukumisa.
1) Ku-FortiGate, hamba kuthebhu I-WiFi & Isilawuli Sokushintsha > Ama-FortiAP Aphethwe > Dala Okusha > I-AP Ephethwe. Usebenzisa inombolo ye-serial eyingqayizivele yendawo yokufinyelela, etholakala endaweni yokufinyelela ngokwayo, yengeze njengento. Noma ingase izivele ngokwayo bese uchofoza Vumela usebenzisa inkinobho yegundane engakwesokudla.
2) Izilungiselelo ze-FortiAP zingase zibe okuzenzakalelayo; isibonelo, zishiye njengakusithombe-skrini. Ngincoma kakhulu ukuvula imodi ye-5 GHz, ngoba amanye amadivayisi awasekeli i-2.4 GHz.
3) Bese kuthebhu I-WiFi & Isilawuli Sokushintsha > Amaphrofayili e-FortiAP > Dala Okusha sakha iphrofayela yezilungiselelo zendawo yokufinyelela (inguqulo yephrothokholi engu-802.11, imodi ye-SSID, imvamisa yesiteshi kanye nenani lamashaneli).
Isibonelo sezilungiselelo ze-FortiAP
4) Isinyathelo esilandelayo ukwakha i-SSID. Iya kuthebhu I-WiFi & Isilawuli Sokushintsha > Ama-SSID > Dala Okusha > I-SSID. Nazi izinto ezibalulekile okufanele uzilungiselele:
-
indawo yekheli yesivakashi i-WLAN - IP/Netmask
-
I-RADIUS Accounting kanye Nokuxhumana Kwendwangu Okuvikelekile kunkambu yokufinyelela kokuphatha
-
Inketho Yokuthola Idivayisi
-
Inketho ye-SSID ne-Broadcast SSID
-
Izilungiselelo zemodi yokuphepha > Iphothali yabathunjiweyo
-
Iphothali Yokuqinisekisa - Yangaphandle bese unamathisele isixhumanisi kuphothali yesivakashi edaliwe evela kuCisco ISE ukusuka esinyathelweni sama-20
-
Iqembu lomsebenzisi - Iqembu Lezivakashi - Ezangaphandle - engeza i-RADIUS ku-Cisco ISE (isigaba 6 ff)
Isibonelo sokucushwa kwe-SSID
5) Okulandelayo, kufanele udale imithetho kunqubomgomo yokufinyelela ku-FortiGate. Iya kuthebhu Inqubomgomo Nezinto > Inqubomgomo Yohlelo Lokuvikela bese udala umthetho kanje:
3. Ukusethwa kwe-RADIUS
6) Iya kusixhumi esibonakalayo sewebhu se-Cisco ISE kuthebhu Inqubomgomo > Izinto Zenqubomgomo > Izichazamazwi > Uhlelo > Irediyasi > Abathengisi be-RADIUS > Engeza. Kule thebhu sizofaka i-RADIUS evela ku-Fortinet ohlwini lwezivumelwano ezisekelwayo, njengoba cishe wonke umthengisi unezimfanelo zakhe ezithile - i-VSA (Izimfanelo Ezicacisiwe Zomthengisi).
Uhlu lwezimfanelo ze-Fortinet RADIUS lungatholakala . Ama-VSA ahlukaniswa ngenombolo ye-ID yomthengisi ehlukile. I-Fortinet inale ID = 12356. Okugcwele I-VSA yashicilelwa yinhlangano ye-IANA.
7) Setha igama lesichazamazwi, khombisa I-ID yomthengisi (12356) bese ucindezela Thumela.
8) Ngemva kwalokho siya ku Ukuphatha > Amaphrofayili Edivayisi Yenethiwekhi > Engeza futhi udale iphrofayela entsha yedivayisi. Emkhakheni wezichazamazwi ze-RADIUS, kufanele ukhethe isichazamazwi esidalwe ngaphambilini se-Fortinet RADIUS bese ukhetha izindlela ze-CoA ukuze uzisebenzise kamuva kunqubomgomo ye-ISE. Ngikhethe i-RFC 5176 ne-Port Bounce (ukuvala shaqa/akukho ukuvalwa kwesixhumi esibonakalayo senethiwekhi) kanye ne-VSA ehambisanayo:
I-Fortinet-Access-Profile = funda-bhala
I-Fortinet-Group-Name = fmg_faz_admins
9) Okulandelayo kufanele wengeze i-FortiGate ukuze uxhumeke ne-ISE. Ukuze wenze lokhu, yiya kuthebhu Ukuphatha > Izinsiza Zenethiwekhi > Amaphrofayili Edivayisi Yenethiwekhi > Engeza. Izinkambu kufanele zishintshwe Igama, Umthengisi, RADIUS Izichazamazwi (Ikheli lasesizindeni se-inthanethi lisetshenziswa yi-FortiGate, hhayi i-FortiAP).
Isibonelo sokucushwa kwe-RADIUS ukusuka ohlangothini lwe-ISE
10) Okulandelayo, kufanele ulungiselele i-RADIUS ohlangothini lwe-FortiGate. Kusixhumi esibonakalayo sewebhu se-FortiGate, iya ku Umsebenzisi Nokuqinisekisa > Iziphakeli ze-RADIUS > Dala Okusha. Cacisa igama, ikheli le-IP kanye nemfihlo eyabiwe (iphasiwedi) kusukela endimeni edlule. Chofoza okulandelayo Hlola Ukuqinisekisa Umsebenzisi bese ufaka noma yiziphi iziqinisekiso ezingadonswa nge-RADIUS (isibonelo, umsebenzisi wendawo ku-Cisco ISE).
11) Engeza iseva ye-RADIUS ku-Guest-Group (uma ingekho, yakha), kanye nabasebenzisi bomthombo wangaphandle.
12) Ungakhohlwa ukungeza Iqembu Lezivakashi ku-SSID esiyidalile ekuqaleni esinyathelweni sesi-4.
4. Ukusetha abasebenzisi bokuqinisekisa
13) Ngokuzithandela, ungangenisa isitifiketi kuphothali yezivakashi ze-ISE noma udale isitifiketi esizisayinele kuthebhu Izikhungo Zokusebenza > Ukufinyelela Kwezivakashi > Ukuphatha > Isitifiketi > Izitifiketi Zesistimu.
14) Ngemva kuthebhu Izikhungo Zokusebenza > Ukufinyelela Izivakashi > Amaqembu Obunikazi > Amaqembu Obunikazi Bomsebenzisi > Engeza dala iqembu elisha labasebenzisi lokufinyelela isivakashi, noma sebenzisa ezimisiwe.
15) Okulandelayo kuthebhu Ukuphatha > Ubunikazi dala abasebenzisi abayizihambeli futhi ubangeze emaqenjini asuka endimeni yangaphambilini. Uma ufuna ukusebenzisa ama-akhawunti ezinkampani zangaphandle, bese weqa lesi sinyathelo.
16) Bese uya kuzilungiselelo Izikhungo Zokusebenza > Ukufinyelela Kwezivakashi > Ubunikazi > Ukulandelana Komthombo Wobunikazi > Ukulandelana Kwephothali Yezivakashi - Lokhu ukulandelana kokuqinisekisa okuchazwe ngaphambilini kwabasebenzisi abayizihambeli. Futhi ensimini Uhlu Lokusesha Lokuqinisekisa khetha i-oda lokuqinisekisa lomsebenzisi.
17) Ukuze wazise izivakashi ngephasiwedi yesikhathi esisodwa, ungamisa abahlinzeki be-SMS noma iseva ye-SMTP ngale njongo. Iya kuthebhu Izikhungo Zokusebenza > Ukufinyelela Kwezivakashi > Ukuphatha > Iseva ye-SMTP noma SMS Gateway Providers zalezi zilungiselelo. Esimeni seseva ye-SMTP, udinga ukudala i-akhawunti ye-ISE futhi ucacise idatha kule thebhu.
18) Ukuze uthole izaziso ze-SMS, sebenzisa ithebhu efanelekile. I-ISE inamaphrofayili afakwe ngaphambili abahlinzeki be-SMS abadumile, kodwa kungcono ukuzakhela awakho. Sebenzisa lawa maphrofayili njengesibonelo sezilungiselelo I-imeyili ye-SMS Gateway noma I-SMS HTTP API.
Isibonelo sokusetha iseva ye-SMTP kanye nesango le-SMS lephasiwedi yesikhathi esisodwa
5. Ukusetha ingosi yezivakashi
19) Njengoba kushiwo ekuqaleni, kunezinhlobo ezi-3 zamaphothali ezivakashi ezifakwe kuqala: I-Hotspot, Ixhasiwe, Ezibhalisiwe. Ngiphakamisa ukukhetha inketho yesithathu, ngoba ivame kakhulu. Kunoma yikuphi, izilungiselelo ziyefana kakhulu. Ngakho-ke asiye kuthebhu Izikhungo Zokusebenzela > Ukufinyelela Kwezivakashi > Amaphothali Nezingxenye > Iphothali Yezihambeli > Iphothali Yezihambeli Ezibhalise Ngokwakho (okuzenzakalelayo).
20) Okulandelayo, kuthebhu ethi Ukwenza Ngokwezifiso Ikhasi Lephothali, khetha "Buka ngesiRashiya - isiRashiya", ukuze ingosi iqale ukuvezwa ngesiRashiya. Ungashintsha umbhalo wanoma iyiphi ithebhu, wengeze ilogo yakho nokunye okuningi. Ekhoneni elingakwesokudla kukhona ukubuka kuqala kwengosi yesivakashi ukuze kube nephrezentheshini elula kakhudlwana.
Isibonelo sokusetha iphothali yesivakashi ngokuzibhalisa
21) Chofoza umusho "I-URL yokuhlola iphothali" futhi ukopishe i-URL yephothali ku-SSID ku-FortiGate esinyathelweni sesi-4. Isampula ye-URL
Ukuze isizinda sakho sibonakale, kufanele ulayishe isitifiketi kuphothali yesivakashi, bona isinyathelo 13.
22) Yiya kuthebhu Izikhungo Zokusebenza > Ukufinyelela Kwezivakashi > Izakhi Zenqubomgomo > Imiphumela > Amaphrofayili Wokugunyazwa > Engeza ukudala iphrofayili yokugunyaza eyakhiwe ngaphambilini Iphrofayela Yedivayisi Yenethiwekhi.
23) Kuthebhu Izikhungo Zomsebenzi > Ukufinyelela Izivakashi > Amasethi Enqubomgomo hlela inqubomgomo yokufinyelela yabasebenzisi be-WiFi.
24) Ake sizame ukuxhuma ku-SSID yesivakashi. Ngokushesha ngiqondiswa kabusha ekhasini lokungena. Lapha ungangena ngaphansi kwe-akhawunti yesivakashi eyakhiwe endaweni yangakini ku-ISE, noma ubhalise njengomsebenzisi oyisivakashi.
25) Uma ukhethe inketho yokuzibhalisela, idatha yokungena yesikhathi esisodwa ingathunyelwa nge-imeyili, nge-SMS, noma iphrintwe.
26) Ku-RADIUS> I-Live Logs ithebhu ku-Cisco ISE uzobona izingodo zokungena ezihambisanayo.
6. Isiphetho
Kulesi sihloko eside, silungiselele ngempumelelo ukufinyelela kwezivakashi ku-Cisco ISE, lapho i-FortiGate isebenza njengesilawuli sephoyinti lokufinyelela kanye ne-FortiAP njengendawo yokufinyelela. Umphumela uwuhlobo lokuhlanganisa okungelona okuncane, okuphinde kufakazele ukusetshenziswa okusabalele kwe-ISE.
Ukuze uhlole i-Cisco ISE, xhumana , futhi ulandele nezibuyekezo eziteshini zethu (, , , , ).
Source: www.habr.com