Configuring 802.1X on Cisco Switches Using Failover NPS (Windows RADIUS with AD)

Let's look at the practical implementation of Windows Active Directory + NPS (two servers, for fault tolerance) + the 802.1x standard for access control and authentication of users, domain computers and devices. You can get acquainted with the theory at Wikipedia level via the link: IEEE 802.1X

Since my "lab" is limited in resources, the NPS and domain controller roles are combined, but I recommend that you keep such critical services separate.

I am not aware of a standard way to synchronize Windows NPS configuration (policies) between servers, so we will use PowerShell scripts launched by the Task Scheduler (written by a former colleague of mine). To authenticate domain computers and devices that are not capable of 802.1x (phones, printers, etc.), a group policy will be configured and security groups will be created.

At the end of the article I will cover some of the finer points of working with 802.1x: how to use unmanaged switches, dynamic ACLs, etc., and I will share the "glitches" we ran into.

Let's start with installing and configuring a failover NPS on Windows Server 2012R2 (everything is the same on 2016): in Server Manager -> Add Roles and Features Wizard, select only Network Policy Server.


or using PowerShell:

Install-WindowsFeature NPAS -IncludeManagementTools

A small clarification: since Protected EAP (PEAP) requires a certificate that confirms the identity of the server (with the appropriate key usage) and that is trusted by the client computers, you will most likely also need to install the Certification Authority role. Here we will assume that a CA is already in place...

Do the same on the second server. Create a folder for scripts, C:\Scripts, on both servers, and a network share on the second server, \\SRV2\NPS-config$

On the first server, create the PowerShell script C:\Scripts\Export-NPS-config.ps1 with the following content:

Export-NpsConfiguration -Path "\\SRV2\NPS-config$\NPS.xml"

After that, configure a task in the Task Scheduler, "Export-NpsConfiguration":

powershell -executionpolicy unrestricted -f "C:\Scripts\Export-NPS-config.ps1"

Run for all users - Run with highest privileges
Daily - Repeat task every 10 min. for a duration of 8 hours

On the backup NPS, configure the import of the configuration (policies):
Create a PowerShell script:

echo Import-NpsConfiguration -Path "c:\NPS-config\NPS.xml" >> C:\Scripts\Import-NPS-config.ps1

and a task to run it every 10 minutes:

powershell -executionpolicy unrestricted -f "C:\Scripts\Import-NPS-config.ps1"

Run for all users - Run with highest privileges
Daily - Repeat task every 10 min. for a duration of 8 hours
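The one-line import above will happily load whatever is in NPS.xml, including an empty or half-copied file, onto the standby server. As an added example (not the article's script), here is a stricter Import-NPS-config.ps1 that only imports an export that is complete, well-formed and actually changed; the export path is the article's, while the state file and log file names are assumptions of this example.

```powershell
# Added example, not the article's one-liner: a stricter Import-NPS-config.ps1 for the backup NPS.
# Importing a half-copied or empty export would replace the standby's policies with garbage,
# so this version imports only when the file is complete, parseable and actually changed.
# $ExportFile is the article's path; $StateFile and $LogFile are assumptions of this example.
$ExportFile = 'C:\NPS-config\NPS.xml'
$StateFile  = 'C:\Scripts\Import-NPS-config.last-sha256'
$LogFile    = 'C:\Scripts\Import-NPS-config.log'

function Write-SyncLog([string]$Message) {
    Add-Content -Path $LogFile -Value ("{0} {1}" -f (Get-Date -Format 's'), $Message)
}

if (-not (Test-Path -Path $ExportFile)) {
    Write-SyncLog "export file $ExportFile not found; nothing imported"
    exit 1
}

# A file modified seconds ago may still be in the middle of being written by the Export task.
$age = (Get-Date) - (Get-Item -Path $ExportFile).LastWriteTime
if ($age.TotalSeconds -lt 60) {
    Write-SyncLog ("export is {0:N0}s old, probably still being written; retrying next run" -f $age.TotalSeconds)
    exit 0
}

# Refuse anything that is not a well-formed, non-empty XML document.
try {
    $doc = [xml](Get-Content -Path $ExportFile -Raw)
    if (-not $doc.DocumentElement) { throw 'document has no root element' }
} catch {
    Write-SyncLog "export is not valid XML ($($_.Exception.Message)); nothing imported"
    exit 1
}

# Import only when the contents differ from the last successful import.
$hash = (Get-FileHash -Path $ExportFile -Algorithm SHA256).Hash
if ((Test-Path -Path $StateFile) -and ((Get-Content -Path $StateFile -Raw).Trim() -eq $hash)) {
    exit 0   # unchanged: leave the running configuration alone
}

try {
    Import-NpsConfiguration -Path $ExportFile -ErrorAction Stop
    Set-Content -Path $StateFile -Value $hash
    Write-SyncLog "imported $ExportFile (SHA256 $hash)"
} catch {
    Write-SyncLog "Import-NpsConfiguration failed: $($_.Exception.Message)"
    exit 1
}
```

The script is scheduled exactly like the original one; the log file shows when an import was skipped and why.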

Now, for testing, let's add to the NPS on one of the servers (!) a couple of switches as RADIUS clients (IP and Shared Secret), two connection request policies: WIRED-Connect (Condition: "NAS Port Type is Ethernet") and WiFi-Enterprise (Condition: "NAS Port Type is IEEE 802.11"), and a network policy Access to Cisco network devices (Network Admins):

Conditions:
  Windows Groups - domain\sg-network-admins
Constraints:
  Authentication Methods - Unencrypted authentication (PAP, SPAP)
Settings:
  RADIUS Attributes: Standard - Service-Type - Login
  Vendor Specific - Cisco-AV-Pair - Cisco - shell:priv-lvl=15

On the switch side, the settings are as follows:

aaa new-model
aaa local authentication attempts max-fail 5
!
!
aaa group server radius NPS
 server-private 192.168.38.151 auth-port 1812 acct-port 1813 key %shared_secret%
 server-private 192.168.10.151 auth-port 1812 acct-port 1813 key %shared_secret%
!
aaa authentication login default group NPS local
aaa authentication dot1x default group NPS
aaa authorization console
aaa authorization exec default group NPS local if-authenticated
aaa authorization network default group NPS
!
aaa session-id common
!
identity profile default
!
dot1x system-auth-control
!
!
line vty 0 4
 exec-timeout 5 0
 transport input ssh
 escape-character 99
line vty 5 15
 exec-timeout 5 0
 logging synchronous
 transport input ssh
 escape-character 99

After about 10 minutes, all the client and policy parameters should appear on the backup NPS, and we will be able to log in to the switches with an Active Directory account that is a member of the domain\sg-network-admins group (created in advance).

Let's move on to Active Directory: create the group and password policies and the necessary groups.

Group policy Computers-8021x-Settings:

Computer Configuration (Enabled)
  Policies
    Windows Settings
      Security Settings
        System Services
          Wired AutoConfig (Startup Mode: Automatic)
      Wired Network (802.3) Policies


I-NPS-802-1x

Name	NPS-802-1x
Description	802.1x
Global Settings
SETTING	VALUE
Use Windows wired LAN network services for clients	Enabled
Shared user credentials for network authentication	Enabled
Network Profile
Security Settings
Enable use of IEEE 802.1X authentication for network access	Enabled
Enforce use of IEEE 802.1X authentication for network access	Disabled
IEEE 802.1X Settings
Computer Authentication	Computer only
Maximum Authentication Failures	10
Maximum EAPOL-Start Messages Sent	 
Held Period (seconds)	 
Start Period (seconds)	 
Authentication Period (seconds)	 
Network Authentication Method Properties
Authentication method	Protected EAP (PEAP)
Validate server certificate	Enabled
Connect to these servers	 
Do not prompt user to authorize new servers or trusted certification authorities	Disabled
Enable fast reconnect	Enabled
Disconnect if server does not present cryptobinding TLV	Disabled
Enforce network access protection	Disabled
Authentication Method Configuration
Authentication method	Secured password (EAP-MSCHAP v2)
Automatically use my Windows logon name and password(and domain if any)	Enabled


Create a security group sg-computers-8021x-vl100, to which we will add the computers we want to place in vlan 100, and configure security filtering of the group policy created above for this group:


You can verify that the policy has been applied by opening "Network and Sharing Center (Network and Internet Settings) - Change adapter settings - Adapter properties", where the "Authentication" tab should now be visible:


Once you are sure the policy is applied, you can proceed to the network policy on NPS and the access-layer switch ports.

Create the network policy neag-computers-8021x-vl100:

Conditions:
  Windows Groups - sg-computers-8021x-vl100
  NAS Port Type - Ethernet
Constraints:
  Authentication Methods - Microsoft: Protected EAP (PEAP) - Unencrypted authentication (PAP, SPAP)
  NAS Port Type - Ethernet
Settings:
  Standard:
   Framed-MTU 1344
   TunnelMediumType 802 (includes all 802 media plus Ethernet canonical format)
   TunnelPrivateGroupId  100
   TunnelType  Virtual LANs (VLAN)


Typical switch port settings (note that the "multi-domain" host mode is used, Data & Voice, and that authentication by MAC address is also possible). During the "transition period" it makes sense to use the parameters:


authentication event fail action authorize vlan 100
authentication event no-response action authorize vlan 100

This vlan id is not a "quarantine" vlan but the same one the user's computer should land in after successful authentication; it stays until we are sure everything works as it should. The same parameters can be used in other scenarios, for example when an unmanaged switch is connected to the port and you want every device behind it that has not passed authentication to fall into a specific ("quarantine") vlan.

Switch port settings in 802.1x host-mode multi-domain:

default int range Gi1/0/39-41
int range Gi1/0/39-41
shu
des PC-IPhone_802.1x
switchport mode access
switchport nonegotiate
switchport voice vlan 55
switchport port-security maximum 2
authentication event fail action authorize vlan 100
authentication event no-response action authorize vlan 100
authentication host-mode multi-domain
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout quiet-period 15
dot1x timeout tx-period 3
storm-control broadcast level pps 100
storm-control multicast level pps 110
no vtp
lldp receive
lldp transmit
spanning-tree portfast
no shu
exit

You can verify that your computer and phone have authenticated successfully with the command:

sh authentication sessions int Gi1/0/39 det

Now let's create a group in Active Directory for the phones (for example, sg-fgpp-mab) and add one device to it for testing (in my case a Grandstream GXP2160 with MAC address 000b.82ba.a7b1 and, correspondingly, the domain account 000b82baa7b1).

For this group we relax the password policy requirements (using Fine-Grained Password Policies via Active Directory Administrative Center -> domain -> System -> Password Settings Container) with the following Password-Settings-for-MAB parameters:


This way we allow device MAC addresses to be used as passwords. After that we can create a network policy for 802.1x authentication by the mab method; let's call it neag-devices-8021x-voice. My parameters are as follows:

  • NAS Port Type - Ethernet
  • Windows Groups – sg-fgpp-mab
  • EAP Types: Unencrypted authentication (PAP, SPAP)
  • RADIUS Attributes – Vendor Specific: Cisco – Cisco-AV-Pair – Attribute value: device-traffic-class=voice

After a successful authentication (don't forget to configure the switch port), let's look at the session information on the port:

sh authentication sessions int Gi1/0/34 det

----------------------------------------
            Interface:  GigabitEthernet1/0/34
          MAC Address:  000b.82ba.a7b1
           IP Address:  172.29.31.89
            User-Name:  000b82baa7b1
               Status:  Authz Success
               Domain:  VOICE
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0000000000000EB2000B8C5E
      Acct Session ID:  0x00000134
               Handle:  0xCE000EB3

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
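Reading this output by hand for every port gets old quickly. As an added example (not from the article), the function below parses "show authentication sessions ... details" text and reports how each endpoint was admitted, flagging sessions that were not authorized by the RADIUS server (for instance admitted through the fail/no-response vlan from the transition period) and sessions where dot1x failed over to MAB, i.e. MAC-address-only authentication; the sample text is a constructed input modelled on the phone session above.

```powershell
# Added example (not from the article): parse "show authentication sessions interface ... details"
# output and report how each endpoint was admitted. Sessions not authorized by the RADIUS server
# (e.g. admitted through the fail/no-response VLAN used during the transition period) and
# sessions where dot1x failed over to MAB, i.e. MAC-address-only authentication, are flagged.
# The sample is a constructed input modelled on the article's phone session output.
$Sample = @'
----------------------------------------
            Interface:  GigabitEthernet1/0/34
          MAC Address:  000b.82ba.a7b1
            User-Name:  000b82baa7b1
               Status:  Authz Success
               Domain:  VOICE
        Authorized By:  Authentication Server
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
'@

function Get-AuthSessionReport {
    param([Parameter(Mandatory)][string]$Text)
    # Sessions are separated by a dashed rule; keep only blocks that describe an interface.
    $blocks = ($Text -split '-{10,}\r?\n') | Where-Object { $_ -match 'Interface:' }
    foreach ($block in $blocks) {
        $fields  = @{}   # "Key:  Value" lines
        $methods = @{}   # "dot1x    Failed over" / "mab    Authc Success" rows
        foreach ($line in ($block -split '\r?\n')) {
            if ($line -match '^\s*([A-Za-z][A-Za-z -]+?):\s+(.+?)\s*$') { $fields[$matches[1]] = $matches[2] }
            elseif ($line -match '^\s*(dot1x|mab|webauth)\s+(.+?)\s*$') { $methods[$matches[1]] = $matches[2] }
        }
        $byServer = $fields['Authorized By'] -eq 'Authentication Server'
        $macOnly  = ($methods['dot1x'] -ne 'Authc Success') -and ($methods['mab'] -eq 'Authc Success')
        $finding  = 'OK'
        if (-not $byServer) { $finding = 'not authorized by RADIUS: check fail/no-response VLAN' }
        elseif ($macOnly -and $fields['Domain'] -ne 'VOICE') { $finding = 'MAB fallback on a data host: review' }
        [pscustomobject]@{
            Interface    = $fields['Interface']
            MAC          = $fields['MAC Address']
            User         = $fields['User-Name']
            Domain       = $fields['Domain']
            AuthorizedBy = $fields['Authorized By']
            MacOnly      = $macOnly
            Finding      = $finding
        }
    }
}

Get-AuthSessionReport -Text $Sample | Format-Table -AutoSize
```

For the sample above the phone is reported as MacOnly = True with Finding = OK, since MAB on the VOICE domain is exactly what the neag-devices-8021x-voice policy is for; feed it the output of "show authentication sessions details" for a whole switch to review every port at once.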

Now, as promised, let's look at a few less obvious situations. For example, we need to connect users' computers and devices through an unmanaged switch. In that case the port settings look like this:

Switch port settings in 802.1x host-mode multi-auth:

interface GigabitEthernet1/0/1
description *SW – 802.1x – 8 mac*
shu
switchport mode access
switchport nonegotiate
switchport voice vlan 55
switchport port-security maximum 8  ! increase the number of allowed mac addresses
authentication event fail action authorize vlan 100
authentication event no-response action authorize vlan 100
authentication host-mode multi-auth  ! authentication host mode
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout quiet-period 15
dot1x timeout tx-period 3
storm-control broadcast level pps 100
storm-control multicast level pps 110
no vtp
spanning-tree portfast
no shu

PS: I noticed a strange glitch. If a device was connected through such an unmanaged switch and then plugged into a managed switch, it will NOT work until we reboot (!) the switch. I have not found any other way to solve this problem so far.

Another point concerns DHCP (if ip dhcp snooping is used): without these options:

ip dhcp snooping vlan 1-100
no ip dhcp snooping information option

for some reason I could not obtain an IP address correctly... although this may be a quirk of our DHCP server.

Also, Mac OS & Linux (which have native 802.1x support) try to authenticate the user even when authentication by MAC address is configured for them.

In the next part of the article we will look at using 802.1x for wireless: depending on the group the user account belongs to, we will "throw" it into the corresponding network (vlan), even though it connects to the same SSID.

Source: www.habr.com
