Cisco ISE: Creating users, adding LDAP servers, integrating with AD. Part 2

Welcome to the second post in the Cisco ISE series. The first article covered the advantages of Network Access Control (NAC) solutions and how they differ from conventional AAA, the variants of Cisco ISE, its architecture, and the product installation process.

In this article we will look at creating accounts, adding LDAP servers, and integrating with Microsoft Active Directory, including the nuances of working with PassiveID. Before reading, I strongly recommend that you read the first part.

1. Some terms

User Identity - a user account that holds information about the user and forms their network access credentials. The following parameters are usually specified in a User Identity: username, email address, password, account description, user group, and role.

User Groups - a user group is a collection of individual users who share a common set of privileges that allow them to access a particular set of Cisco ISE services and functions.

User Identity Groups - predefined user groups that already carry certain information and functions. The following User Identity Groups exist by default, and you can add users and user groups to them: Employee, SponsorAllAccount, SponsorGroupAccounts, SponsorOwnAccounts (sponsor accounts for managing the guest portal), Guest, ActivatedGuest.

User Role - a user role is a set of permissions that determines which tasks a user can perform and which services they can reach. A user role is usually associated with a user group.

In addition, each user and user group has extra attributes that let you select and describe that user (or user group) more precisely. More details are in the guide.

2. Creating local users

1) Cisco ISE can create local users and use them in an access policy or give them a product administration role. Select Administration → Identity Management → Identities → Users → Add.

Figure 1. Adding a local user in Cisco ISE

2) In the window that opens, create the local user, set a password, and fill in the other self-explanatory parameters.

Figure 2. Creating a local user in Cisco ISE

3) Users can also be imported. On the same tab, Administration → Identity Management → Identities → Users, select the Import option and upload a csv or txt file with the users. To get a template, select Generate a Template; it must then be filled with the user information in the required format.

Figure 3. Importing users into Cisco ISE

3. Adding LDAP servers

Let me remind you that LDAP is a popular application-layer protocol that lets you retrieve information, perform authentication, and search for accounts in the directory of an LDAP server; it runs on port 389, or 636 over SSL. Well-known examples of LDAP servers are Active Directory, Sun Directory, Novell eDirectory, and OpenLDAP. Every entry in an LDAP directory is identified by a DN (Distinguished Name), and retrieving accounts, user groups and attributes from the directory is what lets us build an access policy.

In Cisco ISE you can configure access to several LDAP servers, which provides redundancy. If the primary LDAP server is unavailable, ISE will try the secondary one, and so on. In addition, if there are two PANs, one LDAP server can be set as primary for the primary PAN and another LDAP server for the secondary PAN.

ISE supports two types of lookup when working with LDAP servers: User Lookup and MAC Address Lookup. User Lookup lets you search for a user in the LDAP database and, without authentication, obtain the following information: users with their attributes, and user groups. MAC Address Lookup likewise lets you search the LDAP directory by MAC address without authentication and obtain information about the device, the device group by MAC address, and other specific attributes.

As an integration example, let's add an Active Directory to Cisco ISE as an LDAP server.

1) Go to Administration → Identity Management → External Identity Sources → LDAP → Add.

Figure 4. Adding an LDAP server

2) On the General panel, specify the name of the LDAP server and the schema (in our case, Active Directory).

Figure 5. Adding an LDAP server with the Active Directory schema

3) Next, go to the Connection tab and specify the Hostname/IP address of the AD server, the port (389 - LDAP, 636 - SSL LDAP), and the domain administrator credentials (Admin DN - the full DN); the other parameters can be left at their defaults.

Note: use domain administrator credentials to avoid possible problems.

Figure 6. Entering the LDAP server data

4) On the Directory Organization tab, specify, as a DN, the directory location from which users and user groups will be pulled.

Figure 7. Defining the directories from which user groups will be pulled

5) Go to Groups → Add → Select Groups From Directory to choose which groups to pull from the LDAP server.

Figure 8. Adding groups from the LDAP server

6) In the window that opens, click Retrieve Groups. If the groups are pulled, the initial steps have been completed successfully. If not, try a different administrator account and check reachability between ISE and the LDAP server over the LDAP protocol.

Figure 9. List of pulled user groups

7) On the Attributes tab you can optionally specify which attributes should be pulled from the LDAP server, and in the Advanced Settings window you can enable the option Enable Password Change, which forces users to change their password when it expires or is reset. Either way, click Submit to continue.

8) The LDAP server appears on the corresponding tab and can be used to build access policies later.

Figure 10. List of added LDAP servers
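A common reason step 6 returns no groups is that the DN entered on the Directory Organization tab does not actually contain the groups you expect. The following added example (not code from the article or from Cisco ISE) parses DNs and checks which retrieved group DNs sit under a configured Group Search Base; the field name and all DNs are assumptions and constructed sample data.

```python
# Added example, not from the article: check which group DNs fall under the
# configured search base. Field name and all DNs below are constructed.

def parse_dn(dn):
    """Split a DN into lower-cased (attribute, value) RDNs. Backslash escapes
    are honoured so a comma inside a value (e.g. 'Smith\\, John') does not split."""
    rdns, attr, buf, escaped = [], None, [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and attr is None:
            attr, buf = "".join(buf).strip().lower(), []
        elif ch == ",":
            rdns.append((attr, "".join(buf).strip().lower()))
            attr, buf = None, []
        else:
            buf.append(ch)
    if attr is not None:
        rdns.append((attr, "".join(buf).strip().lower()))
    return rdns

def is_under(dn, base):
    """True if dn is the base entry itself or any entry below it (RDN suffix match)."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def groups_in_scope(retrieved, group_search_base):
    """Partition DNs returned by Retrieve Groups into in-scope and out-of-scope."""
    result = {"in_scope": [], "out_of_scope": []}
    for g in retrieved:
        key = "in_scope" if is_under(g, group_search_base) else "out_of_scope"
        result[key].append(g)
    return result

# Constructed sample: the base points at one OU, but two groups live elsewhere.
GROUP_SEARCH_BASE = "OU=ISE Groups,DC=example,DC=local"   # assumed field name
RETRIEVED = [
    "CN=NetAdmins,OU=ISE Groups,DC=example,DC=local",
    "CN=VPN Users,OU=ISE Groups,DC=example,DC=local",
    "CN=Domain Users,CN=Users,DC=example,DC=local",
    "CN=Guests,OU=Other,DC=example,DC=local",
]

if __name__ == "__main__":
    for scope, groups in groups_in_scope(RETRIEVED, GROUP_SEARCH_BASE).items():
        print(scope, groups)
```

Groups reported as out of scope will never be pulled until the search base is widened (for example to DC=example,DC=local) or the groups are moved.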

4. Integration with Active Directory

1) By adding the Microsoft Active Directory server as an LDAP server we obtained users and user groups, but no logs. Next, I suggest setting up full AD integration with Cisco ISE. Go to Administration → Identity Management → External Identity Sources → Active Directory → Add.

Note: for the AD integration to succeed, ISE must be joined to the domain and have full connectivity to the DNS, NTP and AD servers; otherwise nothing will work.

Figure 11. Adding an Active Directory server

2) In the window that opens, enter the domain administrator credentials and tick the Store Credentials box. You can additionally specify an OU (Organizational Unit) if ISE is located in a specific OU. Next, you will need to select the Cisco ISE nodes that you want to join to the domain.

Figure 12. Entering the credentials

3) Before adding domain controllers, make sure that the Passive Identity Service option is enabled on the PSN under Administration → System → Deployment. Passive ID is an option that lets you map a user to an IP address and vice versa. PassiveID obtains its information from AD via WMI, via special AD agents, or via a SPAN port on a switch (not the best option).

Note: to check the Passive ID status, type show application status ise | include PassiveID in the ISE console.

Figure 13. Enabling the PassiveID option

4) Go to Administration → Identity Management → External Identity Sources → Active Directory → PassiveID and select the Add DCs option. Then tick the required domain controllers and click OK.

Figure 14. Adding domain controllers

5) Select the added DCs and click the Edit button. Specify the FQDN of your DC, the domain login and password, and the connection option, WMI or Agent. Select WMI and click OK.

Figure 15. Entering the domain controller credentials

6) If WMI is not the preferred way of communicating with Active Directory, ISE agents can be used instead. The agent method means installing special agents on the servers, which forward the logon events. There are two installation options: automatic and manual. To install the agent automatically, on the same PassiveID tab select Add Agent → Deploy New Agent (the DC must have internet access). Then fill in the required fields (agent name, server FQDN, domain administrator login/password) and click OK.

Figure 16. Automatic installation of the ISE agent

7) To install the Cisco ISE agent manually, select Register Existing Agent. The agent itself can be downloaded from Work Centers → PassiveID → Providers → Agents → Download Agent.

Figure 17. Downloading the ISE agent

Important: PassiveID does not read Logoff events! The parameter responsible for closing the session is called the user session aging time and equals 24 hours by default. Therefore you must log off yourself at the end of the working day, or write some kind of script that automatically logs off all logged-in users.

To obtain Logoff information, "Endpoint probes" are used. There are several endpoint probes in Cisco ISE: RADIUS, SNMP Trap, SNMP Query, DHCP, DNS, HTTP, Netflow, NMAP Scan. The RADIUS probe uses CoA (Change of Authorization) packets, which carry information about changes in user privileges (this requires 802.1X to be in place), and SNMP configured on the access switch provides information about connected and disconnected devices.

The following example matters in a Cisco ISE + AD setup without 802.1X and RADIUS: a user logs on to a Windows machine and, without logging off, logs on to another PC over WiFi. In this case the session on the first PC stays active until the timeout expires or a forced logoff occurs. And if the devices have different privileges, the one that logged on last will use its privileges.
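To make the two effects just described visible, here is an added example (not code from the article or from Cisco ISE) that runs over constructed user-to-IP session records: it lists sessions that PassiveID will keep holding long after the working day because no logoff was ever seen, and users currently mapped to more than one IP. The record format and all sample data are constructed and are not ISE's own export format.

```python
# Added example, not from the article: checks over constructed PassiveID-style
# session records for lingering sessions and users mapped to several IPs.
from collections import defaultdict
from datetime import datetime, timedelta

AGING = timedelta(hours=24)  # ISE default user session aging time (from the article)

def parse_sessions(lines):
    """Parse constructed 'YYYY-MM-DDTHH:MM user ip' lines (not ISE's own format)."""
    out = []
    for line in lines:
        ts, user, ip = line.split()
        out.append({"login": datetime.fromisoformat(ts), "user": user.lower(), "ip": ip})
    return out

def lingering(sessions, now, workday=timedelta(hours=10)):
    """Sessions older than a working day that ISE still holds because PassiveID
    saw no logoff; each comes with the time left until aging drops it."""
    found = []
    for s in sessions:
        age = now - s["login"]
        if workday < age < AGING:
            found.append((s["user"], s["ip"], AGING - age))
    return found

def multi_ip_users(sessions):
    """Users mapped to more than one IP at once. IPs are in logon order, so the
    last entry is the session whose authorization currently applies."""
    by_user = defaultdict(list)
    for s in sorted(sessions, key=lambda s: s["login"]):
        by_user[s["user"]].append(s["ip"])
    return {u: ips for u, ips in by_user.items() if len(ips) > 1}

SAMPLE = [  # constructed records: the first PC was never logged off
    "2024-03-11T08:05 alice 10.1.10.21",
    "2024-03-11T09:40 bob 10.1.10.34",
    "2024-03-11T19:10 alice 10.1.50.7",   # same user, second PC over WiFi
]
NOW = datetime.fromisoformat("2024-03-11T20:00")

if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE)
    for user, ip, left in lingering(sessions, NOW):
        print(f"{user} on {ip} still mapped, aging out in {left}")
    for user, ips in multi_ip_users(sessions).items():
        print(f"{user} mapped to {ips}; last logon {ips[-1]} wins")
```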

8) Optionally, under Administration → Identity Management → External Identity Sources → Active Directory → Groups → Add → Select Groups From Directory you can select the AD groups that you want to pull into ISE (in our case this was already done in section 3, "Adding LDAP servers"). Select the Retrieve Groups option → OK.

Figure 18 a). Pulling user groups from Active Directory

9) Under Work Centers → PassiveID → Overview → Dashboard you can see the number of active sessions, the number of data sources, agents, and more.

Figure 19. Monitoring domain user activity

10) The Live Sessions tab shows the current sessions. The AD integration is complete.

Figure 20. Active sessions of domain users

5. Conclusion

This article covered creating local users in Cisco ISE, adding LDAP servers, and integrating with Microsoft Active Directory. The next article will cover guest access via a guest portal.

If you have questions about this article or need help testing the product, please contact us via the link.

Stay tuned for updates on our channels (Telegram, Facebook, VK, TS Solution Blog, Yandex.Zen).

Source: www.habr.com