Continuing the series of articles on corporate remote-access VPN, I cannot help but share my interesting experience of running a highly secure VPN configuration. A non-trivial task was set by one customer (inventive people are found in Russian towns), but the challenge was accepted and implemented creatively. The result is an interesting concept with the following characteristics:
- Several factors of protection against deployment in a terminal environment (with strict binding to the user);
- Verification that the user's PC matches the UDID of the permitted PC stored in the authentication database;
- MFA through Cisco DUO using the PC UDID from the certificate as the login of the secondary authentication (any SAML/RADIUS-compatible provider can be attached instead);
- Multi-factor authentication:
  - A user certificate with validation of its fields, and secondary authentication performed against one of those fields;
  - Login (immutable, taken from the certificate) and password;
- Assessment of the connecting host's state (Posture).
Components of the implemented solution:
- Cisco ASA (VPN gateway);
- Cisco ISE (Authentication / Authorization / Accounting, Posture, CA);
- Cisco DUO (Multi-Factor Authentication) (any SAML/RADIUS-compatible provider can be attached instead);
- Cisco AnyConnect (multi-purpose agent for desktop and mobile operating systems).
Let's start with the customer's requirements:
- The user must be able, after authenticating with login/password, to download the AnyConnect client from the VPN gateway; all required AnyConnect modules must be installed automatically according to the user's policy;
- The user must be able to obtain a certificate automatically (in one of the scenarios; the main scenario is manual issuance and loading onto the PC), but I used automatic issuance for the demonstration (it is never too late to remove it);
- Primary authentication must happen in several stages: first certificate authentication with analysis of the required fields and their values, then login/password, where only the username taken from a certificate field (the Subject CN) is pre-filled in the login window, without the ability to edit it;
- It must be ensured that the device logging in is the company laptop issued to the user for remote access and nothing else (several measures were taken to satisfy this requirement);
- The state of the connecting device (at this stage, a PC) must be checked against a hefty table of customer requirements (in summary):
  - Files and their properties;
  - Registry entries;
  - OS builds from a given list (later, SCCM integration);
  - Presence of an antivirus from a specific vendor and freshness of its signatures;
  - Specific services running;
  - Specific programs installed.
First of all, I suggest you definitely watch the video demonstration of the resulting implementation on YouTube (5 minutes).
Now let's go through the implementation details that did not make it into the video.
Let's prepare the AnyConnect profile:
I previously gave an example of creating a profile (through the corresponding ASDM menu item) in my setup article.
In the profile we specify the VPN gateway and the connection profile name shown to the end client:
Let's configure automatic certificate issuance on the profile side, specifying in particular the certificate parameters; note, for example, the Initials (I) field, into which a specific value is entered manually: the UDID of the test machine (the Unique Device Identifier generated by the Cisco AnyConnect client).
Here I want to make a digression, since this article describes a concept: for demonstration purposes, the UDID for certificate issuance is hard-coded in the Initials field of the AnyConnect profile. Of course, in real life, if you do this, every client will receive a certificate with the same UDID in that field and it will work for none of them, because each needs the UDID of its own PC. Unfortunately, AnyConnect does not yet support substituting the UDID into a field of the certificate-request profile through an environment variable, as it does, for example, with the %USER% variable.
Notably, the customer in this case initially planned to issue certificates themselves with the given UDID, in manual mode, on the protected PCs, which is not a problem for them. However, many of us want automation (well, I certainly do =)).
And here is what I can offer regarding automation. If AnyConnect cannot issue a certificate automatically with UDID substitution, there is another way that requires a little creative thinking and skilled hands; I'll describe the idea. First, let's look at how the AnyConnect agent generates the UDID on the different operating systems:
- Windows - SHA-256 hash of the combination of DigitalProductID and the machine SID registry key
- OSX - SHA-256 hash of PlatformUUID
- Linux - SHA-256 hash of the root partition UUID
- Apple iOS - SHA-256 hash of PlatformUUID
- Android - see the documentation
So, we write a script for our corporate Windows OS that computes the UDID locally from the known inputs and builds a certificate request placing that UDID in the required field; by the way, you can also use a machine certificate issued by AD (adding a second certificate check in the Multiple Certificate authentication scheme).
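The Windows script the text sketches, as an added example that is not part of the original article: it computes a candidate UDID from the two inputs named above and builds a certificate request with that value in the Initials (I) RDN using certreq, the field the ASA later reads with secondary-username-from-certificate I. The exact byte layout AnyConnect hashes (assumed here to be the raw DigitalProductId bytes followed by the machine SID string as UTF-8) is an assumption, as are the output directory and the SECUREBANK-RA OU; validate Get-CandidateUdid against the UDID ISE displays in the session's Cisco-AV-PAIR before enrolling with the result.

```powershell
# Added example (not from the original article): compute a candidate AnyConnect UDID on a
# Windows endpoint and generate a CSR carrying it in the Initials (I) RDN, so the ASA's
# "secondary-username-from-certificate I" hands it to DUO as the secondary username.
#
# ASSUMPTION: the article only says the Windows UDID is "SHA-256 of a combination of
# DigitalProductId and the machine SID". The concatenation order and encoding used below
# (raw DigitalProductId bytes, then the SID string as UTF-8) are a guess; confirm the result
# against the UDID that ISE shows in the session's Cisco-AV-PAIR (Test-UdidMatches) before
# enrolling with it, and adapt Get-CandidateUdid if the real layout differs.

function Get-MachineSid {
    # The machine SID is the domain part of any local account's SID; RID 500 is the built-in
    # Administrator, which keeps that RID even when renamed or disabled.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' } | Select-Object -First 1
    if (-not $admin) { throw 'Built-in Administrator account (RID 500) not found' }
    return $admin.SID.AccountDomainSid.Value
}

function Get-CandidateUdid {
    param(
        [byte[]]$DigitalProductId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name DigitalProductId).DigitalProductId,
        [string]$MachineSid = (Get-MachineSid)
    )
    $sidBytes = [System.Text.Encoding]::UTF8.GetBytes($MachineSid)
    $data = New-Object byte[] ($DigitalProductId.Length + $sidBytes.Length)
    [Array]::Copy($DigitalProductId, 0, $data, 0, $DigitalProductId.Length)
    [Array]::Copy($sidBytes, 0, $data, $DigitalProductId.Length, $sidBytes.Length)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { $digest = $sha.ComputeHash($data) } finally { $sha.Dispose() }
    # Hex without separators; compare case-insensitively with what ISE reports.
    return ([System.BitConverter]::ToString($digest) -replace '-', '')
}

function Test-UdidMatches {
    # Sanity check: the locally computed value must equal the UDID ISE/AnyConnect report.
    param([Parameter(Mandatory)][string]$ReportedUdid)
    return ((Get-CandidateUdid) -ieq $ReportedUdid.Trim())
}

function New-UdidCertRequest {
    param(
        [Parameter(Mandatory)][string]$Udid,
        [string]$User = $env:USERNAME,
        [string]$Ou = 'SECUREBANK-RA',                                # must match the ASA OU-Map
        [string]$OutDir = (Join-Path $env:ProgramData 'udid-enroll')  # assumed location
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $inf = Join-Path $OutDir 'request.inf'
    $csr = Join-Path $OutDir 'request.csr'
    # certreq INF. The Subject uses X.500 RDN keys; "I" is the Initials attribute (OID 2.5.4.43).
    # Exportable=FALSE keeps the private key from being copied to another PC together with
    # the certificate, which is the whole point of binding the certificate to this UDID.
    $infText = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$User, OU=$Ou, I=$Udid"
KeyLength = 2048
HashAlgorithm = sha256
Exportable = FALSE
MachineKeySet = FALSE
KeyUsage = 0xA0
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2
"@
    Set-Content -Path $inf -Value $infText -Encoding ASCII
    Remove-Item -Path $csr -ErrorAction SilentlyContinue
    & certreq.exe -new $inf $csr | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
    return $csr
}

# Usage, run as the user who will connect over VPN:
#   $udid = Get-CandidateUdid
#   Test-UdidMatches -ReportedUdid '<UDID from the ISE session details>'   # must be True first
#   $csr  = New-UdidCertRequest -Udid $udid
#   Submit $csr to the ISE CA (or to AD CS with certreq -submit) and install the issued
#   certificate with: certreq -accept <issued.cer>
```

Run Test-UdidMatches on one already enrolled test PC before automating anything: if it returns False, the hash input layout assumed above is wrong and the script would enroll certificates that never match the UDID AnyConnect actually sends, which ISE would then reject in the UUID_VALIDATED condition.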
Let's configure the Cisco ASA side:
Let's create a TrustPoint for the ISE CA server; it is the CA that will issue certificates to the clients. I won't go over the key-chain import procedure; an example is described in my setup article.
crypto ca trustpoint ISE-CA
enrollment terminal
crl configure
We configure Tunnel-Group assignment based on rules matching the fields of the certificate used for authentication. The AnyConnect profile created in the previous step is also bound here. Note that I use the value SECUREBANK-RA to send users holding an issued certificate into the SECURE-BANK-VPN tunnel group; this is the value I put in the OU field of the certificate in the AnyConnect profile.
tunnel-group-map enable rules
!
crypto ca certificate map OU-Map 6
subject-name attr ou eq securebank-ra
!
webvpn
anyconnect profiles SECUREBANK disk0:/securebank.xml
certificate-group-map OU-Map 6 SECURE-BANK-VPN
!
We set up the authentication servers. In my case, these are ISE for the first authentication stage and DUO (RADIUS proxy) as the MFA.
! CISCO ISE
aaa-server ISE protocol radius
authorize-only
interim-accounting-update periodic 24
dynamic-authorization
aaa-server ISE (inside) host 192.168.99.134
key *****
!
! DUO RADIUS PROXY
aaa-server DUO protocol radius
aaa-server DUO (inside) host 192.168.99.136
timeout 60
key *****
authentication-port 1812
accounting-port 1813
no mschapv2-capable
!
Let's create the group policies, tunnel groups and their auxiliary components:
The DefaultWEBVPNGroup tunnel group will be used primarily to download the AnyConnect VPN client and to issue the user certificate via the ASA's SCEP-Proxy function; for this we have the corresponding options configured both in the tunnel group itself and in the associated group policy AC-DOWNLOAD, as well as in the uploaded AnyConnect profile (certificate issuance fields, etc.). In this group policy we also specify that the ISE Posture Module must be downloaded.
The SECURE-BANK-VPN tunnel group will be selected automatically by the client when it authenticates with the certificate issued in the previous stage, since, according to the certificate map, the connection lands directly in this tunnel group. The interesting options here are:
- secondary-authentication-server-group DUO # Set secondary authentication against the DUO server (RADIUS proxy)
- username-from-certificate CN # For primary authentication, take the user's login from the CN field of the certificate
- secondary-username-from-certificate I # For secondary authentication against the DUO server, take the username from the Initials (I) field of the certificate
- pre-fill-username client # Pre-fill the username in the authentication window without the ability to change it
- secondary-pre-fill-username client hide use-common-password push # Hide the DUO login/password window for secondary authentication and use the notification method (sms/push/phone); see the documentation on requesting authentication instead of a password field
Note that the VPN-Filter ACL below permits any IP traffic for demonstration purposes; in production, restrict it to the resources each group actually needs.
!
access-list posture-redirect extended permit tcp any host 72.163.1.80
access-list posture-redirect extended deny ip any any
!
access-list VPN-Filter extended permit ip any any
!
ip local pool vpn-pool 192.168.100.33-192.168.100.63 mask 255.255.255.224
!
group-policy SECURE-BANK-VPN internal
group-policy SECURE-BANK-VPN attributes
dns-server value 192.168.99.155 192.168.99.130
vpn-filter value VPN-Filter
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
default-domain value ashes.cc
address-pools value vpn-pool
webvpn
anyconnect ssl dtls enable
anyconnect mtu 1300
anyconnect keep-installer installed
anyconnect ssl keepalive 20
anyconnect ssl rekey time none
anyconnect ssl rekey method ssl
anyconnect dpd-interval client 30
anyconnect dpd-interval gateway 30
anyconnect ssl compression lzs
anyconnect dtls compression lzs
anyconnect modules value iseposture
anyconnect profiles value SECUREBANK type user
!
group-policy AC-DOWNLOAD internal
group-policy AC-DOWNLOAD attributes
dns-server value 192.168.99.155 192.168.99.130
vpn-filter value VPN-Filter
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
default-domain value ashes.cc
address-pools value vpn-pool
scep-forwarding-url value http://ise.ashes.cc:9090/auth/caservice/pkiclient.exe
webvpn
anyconnect ssl dtls enable
anyconnect mtu 1300
anyconnect keep-installer installed
anyconnect ssl keepalive 20
anyconnect ssl rekey time none
anyconnect ssl rekey method ssl
anyconnect dpd-interval client 30
anyconnect dpd-interval gateway 30
anyconnect ssl compression lzs
anyconnect dtls compression lzs
anyconnect modules value iseposture
anyconnect profiles value SECUREBANK type user
!
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool vpn-pool
authentication-server-group ISE
accounting-server-group ISE
default-group-policy AC-DOWNLOAD
scep-enrollment enable
tunnel-group DefaultWEBVPNGroup webvpn-attributes
authentication aaa certificate
!
tunnel-group SECURE-BANK-VPN type remote-access
tunnel-group SECURE-BANK-VPN general-attributes
address-pool vpn-pool
authentication-server-group ISE
secondary-authentication-server-group DUO
accounting-server-group ISE
default-group-policy SECURE-BANK-VPN
username-from-certificate CN
secondary-username-from-certificate I
tunnel-group SECURE-BANK-VPN webvpn-attributes
authentication aaa certificate
pre-fill-username client
secondary-pre-fill-username client hide use-common-password push
group-alias SECURE-BANK-VPN enable
dns-group ASHES-DNS
!
Next we move on to ISE:
We configure a local user (you can use AD/LDAP/ODBC, etc.); for simplicity I created a local user on ISE itself and put in its Description field the UDID of the PC from which it is allowed to connect over VPN. With local authentication on ISE I am limited to a single device, since there are not many fields available, but with external identity stores there would be no such limitation.
Let's look at the authorization policy; it is divided into four connection stages:
- Stage 1 - policy for downloading the AnyConnect agent and issuing a certificate
- Stage 2 - policy for primary authentication: login (from the certificate)/password + certificate with UDID validation
- Stage 3 - secondary authentication with Cisco DUO (MFA) using the UDID as the username + posture check
- Stage 4 - final authorization, subject to:
  - Compliance;
  - UDID validation (from the certificate + binding to the login);
  - Cisco DUO MFA;
  - Login authentication;
  - Certificate validation.
Let's look at the interesting condition UUID_VALIDATED; it checks whether the authenticating user is connecting from a PC whose UDID matches the one associated with the account in its Description field. The conditions look like this:
The authorization profile used in stages 1, 2 and 3 looks like this:
You can verify how the UDID from the AnyConnect client reaches us by looking at the client's session details in ISE. In the details we'll see that AnyConnect, through the ACIDEX mechanism, sends not only platform information but also the device UDID as a Cisco-AV-PAIR:
Note the certificate issued to the user and its Initials (I) field, which is used as the login for the secondary MFA authentication in Cisco DUO:
On the DUO RADIUS proxy side, the log clearly shows how the authentication request is made, with the UDID used as the username:
In the DUO portal we see the successful authentication event:
And in the user's properties I have set an ALIAS, which I used for the login; it is the UDID of the PC permitted to log in:
As a result we obtained:
- Multi-factor authentication of both the user and the device;
- Protection against theft of the user's device;
- Posture checking of the machine;
- Expanded control options through a domain machine certificate, etc.;
- Comprehensive protection of the remote workplace through automatically installed security modules.
Links to the articles in the Cisco VPN series:
- Using an ASA VPN Load-Balancing Cluster
- Optimizing cloud resources in an AnyConnect VPN tunnel on Cisco ASA
Source: www.habr.com