Cisco NAC配置手册-图文_第1页
Cisco NAC配置手册-图文_第2页
Cisco NAC配置手册-图文_第3页
Cisco NAC配置手册-图文_第4页
Cisco NAC配置手册-图文_第5页
已阅读5页,还剩50页未读 继续免费阅读

下载本文档

版权说明:本文档由用户提供并上传,收益归属内容提供方,若内容存在侵权,请进行举报或认领

文档简介

NAC配置手册(L2、OOB、Real-IP-Gateway、CentralDeploymentXX网络2011年10月目录1NAC概述(31.1NAC基本概念(31.2几种部署模式(42NAC配置(92.1NAC初始化(92.2CAM初始化(92.3CAS初始化(132.4时间配置(182.5CAM时间配置(182.6CAS时间配置(182.7第三方证书申请/颁发(192.8CAM证书申请(192.9CAS证书申请(212.10第三方机构证书申请/颁发/下载/导入(212.11CAM添加管理CAS(262.12CAM配置CAS的DHCP服务(282.13CAM配置OOBProfile(302.14CAM配置SNMPReciver(322.15被管交换机SNMP配置(332.16CAM添加被管交换机(332.17CAM配置UserRoles(352.18CAM添加第三方Radius认证服务器(372.19CAM配置认证登录界面(392.20附录:MAC认证(Printer、IPoneetc(411NAC概述1.1NAC基本概念NAC,即NetworkAdmissionControl,意指网络准入的安全策略,确保进入网络的设备附和预定的策略。NAC的四项关键功能为:●安全识别设备和用户:对用户进行验证和授权,支持本地数据库、RADIUS、AD、LDAP等;●执行一致的策略:集中的策略支持多种用户角色;进行扫描以寻找感染、端口安全漏洞、AV、AS、运行的服务和文件;●隔离和修复:使用IP和MAC进行隔离不附和策略的设备;●配置和管理:简单的策略配置和规则创建、基于WEB的管理。NAC的组件有:CleanAccessServer(CAS:作为带内或带外设备,进行网络接入控制;CleanAccessManager(CAM:提供集中管理;CleanAccessAgent:可选客户端,在不可管理的环境中进行注册和扫描;规则集更新:事先安排的对于防病毒软件、关键热修复和其他应用的自动更新。NAC的工作流程如下图:1.2几种部署模式NAC共有4类部署模式:✓VirtualGateway/RealIPGateway✓CentralDeployment/EdgeDeployment✓Layer2/Layer3✓InBand/OutofBand下面将分别对这几种部署模式进行说明。VirtualGateway/RealIP(NATGatewayVirtualGateway相当于BridgeMode,CAS工作于二层,可以理解为一个透明模式下的防火墙。在该模式下,VLANID可以进行有针对性的修改(MAP也可以不做改动地通过CAS。RealIP/NATGateway即路由模式,CAS工作于三层,VLAN在此被终结。此模式下CAS也可以进行NAT转换。这两种部署模式只能选择一种,并不影响其他部署方式的选择。CentralDeployment/EdgeDeployment当采取EdgeDeployment时,CAS从物理上看和从逻辑上看都是inline的,并且VLANID不会被修改。但当网络规模较大时该部署模式会有一些困难。当采取CentralDeployment时,CAS仅在逻辑上是inline的,比较适合大规模的部署。在VGW模式下,CAS将对VLANID进行Mapping,以避免二层的网络环路。如下图:这两种部署模式只能选择一种,并不影响其他部署方式的选择。Leyer2/Leyer3L2/L3模式指的是client的网段与CAS是否二层相邻(L2Adjacent。在L2模式下,用户的MAC地址作为区分用户的ID。该模式比较适用于局域网环境。L3模式下,用户的IP地址作为区分用户的ID。该模式比较适用于WAN/VPN的环境,并且只适用于InBand模式。InBand/OutofBandInBand/OutofBand指的是用户的数据流量是否经过CAS。无论InBand/OutofBand,用户的PostureAssessment总是Inband的,也就是说,用户验证、检查的流量经过CAS、用户正常的数据流量不经过CAS。OutofBand的目的是改善带宽,因为用户的数据流量不经过CAS,可以提高带宽的利用率。但该模式部署起来较为复杂,CAS将通过SNMP来修改交换机端口的VLAN划分。在Inband模式下,可以支持带宽管理和ACL过滤等功能,而在OutofBand模式下,数据流不支持这些功能。小结1.VirtualGateway模式(VGW比较适用于正在运行的网络,能够实现网络的平滑过渡。2.尽量采取CentralDeployment的模式。3.L2模式适用于局域网,L3模式适用于广域网/VPN的环境。下面是几种典型的部署模式:L2/VGW/Edge部署模式:L2/RealIP模式:L2/VGWCentralDeployment/Inband模式:L2/VGWCentralDeployment/outofband模式:2NAC配置2.1NAC初始化2.2CAM初始化初次启动设备,有启动显示信息,等待出现登录提示符后,初次默认登录的用户名是:root,密码是空,登录后会提示进行初始化配置,也可以使用命令“serviceperfigoconfig”进行重复初始化配置。配置如下:CentOSrelease5.3(FinalKernel2.6.18-128.1.10.el5PAEonani686login:rootLastlogin:TueFeb905:31:52onttyS0_[H_[JWelcometotheCiscoCleanAccessManagerquickconfigurationutility.Notethatyouneedtoberoottoexecutethisutility.Theutilitywillnowaskyouaseriesofconfigurationquestions.Pleaseanswerthemcarefully.CiscoCleanAccessManager,(C2009CiscoSystems,Inc.ciConfiguringthenetworkinterface:PleaseentertheIPaddressfortheinterfaceeth0[]:6Youentered6Isthiscorrect?(y/n?[y]yPleaseenterthenetmaskfortheinterfaceeth0[]:Youentered,isthiscorrect?(y/n?[y]PleaseentertheIPaddressforthedefaultgateway[]:54Youentered54Isthiscorrect?(y/n?[y]Pleaseenterthehostname[nacmanager]:TJ-CAM-1YouenteredTJ-CAM-1Isthiscorrect?(y/n?[y]yPleaseentertheIPaddressesforthenameservers:[]:YouenteredIsthiscorrect?(y/n?[y]yThemastersecretisusedtoencryptsensitivedata.RemembertoconfigureallHApairswiththesamesecret.Pleaseenterthemastersecret:ciscoPleaseconfirmthemastersecret:cisco>>>Configuringdateandtime:Thetimezoneiscurrentlynotsetonthissystem.Pleaseidentifyalocationsothattimezonerulescanbesetcorrectly.Pleaseselectacontinentorocean.1Africa2Americas3Antarctica4ArcticOcean5Asia6AtlanticOcean7Australia8Europe9IndianOcean10PacificOcean11none-IwanttospecifythetimezoneusingthePosixTZformat.#?5Pleaseselectacountry.1Afghanistan18Israel35Palestine2Armenia19Japan36Philippines3Azerbaijan20Jordan37Qatar4Bahrain21Kazakhstan38Russia5Bangladesh22Korea(North39SaudiArabia6Bhutan23Korea(South40Singapore7Brunei24Kuwait41SriLanka8Cambodia25Kyrgyzstan42Syria9China26Laos43Taiwan10Cyprus27Lebanon44Tajikistan11EastTimor28Macau45Thailand12Georgia29Malaysia46Turkmenistan13HongKong30Mongolia47UnitedArabEmirates14India31Myanmar(Burma48Uzbekistan15Indonesia32Nepal49Vietnam16Iran33Oman50Yemen17Iraq34Pakistan#?9Pleaseselectoneofthefollowingtimezoneregions.1eastChina-Beijing,Guangdong,Shanghai,etc.2Heilongjiang(exceptMohe,Jilin3centralChina-Sichuan,Yunnan,Guangxi,Shaanxi,Guizhou,etc.4mostofTibet&Xinjiang5westTibet&Xinjiang#?1Thefollowinginformationhasbeengiven:ChinaeastChina-Beijing,Guangdong,Shanghai,etc.IstheaboveinformationOK?1Yes2No#?1Updatingtimezoneinformation...Currentdateandtimehh:mm:ssmm/dd/yy[08:06:0204/15/10]:14:04:0004/15/10Youentered14:04:0004/15/10Isthiscorrect?(y/n?[y]yThuApr1514:04:00CST2010YoumustgenerateavalidSSLcertificateinordertousetheCleanAccessManager'ssecurewebconsole.Pleaseanswerthefollowingquestionscorrectly.InformationforanewSSLcertificate:EnterfullyqualifieddomainnameorIP:TJ-CAM-1.Enterorganizationunitname:CiscoNACApplianceEnterorganizationname:CiscoSystemEntercityname:TianjinEnterstatecode:022Enter2lettercountrycode:CNYouenteredthefollowing:Domain:TJ-CAM-1.Organizationunit:CiscoNACApplianceOrganizationname:CiscoSystemCityname:TianjinStatecode:022Countrycode:CNIsthiscorrect?(y/n?[y]yGeneratingSSLCertificate...DoneEnablePreloginBannerSupport?(y/n?[n]Forsecurityreasons,itishighlyrecommendedthatyouchangethepasswordfortherootuser.**Pleaseenteravalidpasswordforrootuseraspertherequirementsbelow!**Changingpasswordforuserroot.Youcannowchoosethenewpassword.//密码至少8为,要满足密码复杂度Re-typenewpassword://重复输入复杂密码passwd:allauthenticationtokensupdatedsuccessfully.Pleaseenteranappropriatelysecurepasswordforthewebconsoleadminuser.Newpasswordforwebconsoleadmin://设置web登录用户名admin的复杂密码Confirmnewpasswordforwebconsoleadmin://再次重复输入复杂密码Configurationiscomplete.ChangesrequireaREBOOTofCleanAccessManager.[root@nacmanager~]#[root@nacmanager~]#rebootBroadcastmeStoppinganacron:[OK]Stoppingatd:[OK]Shuttingdownconsolemouseservices:[OK]Stoppingnessusd:[OK]Stoppingsshd:[OK]Stoppingpostgresql:Stoppingpostgresqlservice:[OK][OK]Stoppingxinetd:[OK]Stoppingcrond:[OK]Stoppingautofs:Stoppingautomount:[OK][OK]Shuttingdownkernellogger:[OK]Shuttingdownsystemlogger:[OK]Shuttingdownloopbackinterface:[OK]Startingkillall:[OK]SendingallprocessestheTERMsignal...SendingallprocessestheKILLsignal...Savingrandomseed:SyncinghardwareclocktosystemtimeTurningoffswap:Turningoffquotas:Unmountingfilesystems:Pleasestandbywhilerebootingthesystem...md:stoppingallmddevices.SynchronizingSCSIcachefordisksdb:SynchronizingSCSIcachefordisksda:ACPI:PCIinterruptfordevice0000:04:00.1disabledACPI:PCIinterruptfordevice0000:04:00.0disabledRestartingsystem.//至此,CAM初始化基本完毕。2.3CAS初始化CAS初始化基本与CAM一样,初次启动设备等待出现登录信息时,初次默认登录的用户名是:root,密码是空,登录后会提示进行初始化配置,也可以使用命令“serviceperfigoconfig”进行重复初始化配置。配置如下:CentOSrelease5.3(FinalKernel2.6.18-cisco.nac.1onani686nacserverlogin:rootLastlogin:ThuFeb1109:09:53onttyS0_[H_[JWelcometotheCiscoCleanAccessServerquickconfigurationutility.Notethatyouneedtoberoottoexecutethisutility.Theutilitywillnowaskyouaseriesofconfigurationquestions.Pleaseanswerthemcarefully.CiscoCleanAccessServer,(C2009CiscoSystems,Inc.Configuringthenetworkinterfaces:PleaseentertheIPaddressfortheinterfaceeth0[]:7Youentered7Isthiscorrect?(y/n?[y]Pleaseenterthenetmaskfortheinterfaceeth0[]:Youentered,isthiscorrect?(y/n?[y]PleaseentertheIPaddressforthedefaultgateway[]:54Youentered54Isthiscorrect?(y/n?[y][VlanIdPassthrough]forpacketsfrometh0toeth1isdisabled.Wouldyouliketoenableit?(y/n?[n][ManagementVlanTagging]foregresspacketsofeth0isdisabled.Wouldyouliketoenableit?(y/n?[n]PleaseentertheIPaddressfortheuntrustedinterfaceeth1[]:YouenteredIsthiscorrect?(y/n?[y]Pleaseenterthenetmaskfortheinterfaceeth1[]:Youentered,isthiscorrect?(y/n?[y]PleaseentertheIPaddressforthedefaultgateway[]:YouenteredIsthiscorrect?(y/n?[y]y[VlanIdPassthrough]forpacketsfrometh1toeth0isdisabled.Wouldyouliketoenableit?(y/n?[n][ManagementVlanTagging]foregresspacketsofeth1isdisabled.Wouldyouliketoenableit?(y/n?[n]Pleaseenterthehostname[nacserver]:TJ-CAS-1YouenteredTJ-CAS-1Isthiscorrect?(y/n?[y]PleaseentertheIPaddressesforthenameservers:[]:YouenteredIsthiscorrect?(y/n?[y]yThemastersecretisusedtoencryptsensitivedata.RemembertoconfigureallHApairswiththesamesecret.Pleaseenterthemastersecret:ciscoPleaseconfirmthemastersecret:cisco>>>Configuringdateandtime:Thetimezoneiscurrentlynotsetonthissystem.Pleaseidentifyalocationsothattimezonerulescanbesetcorrectly.Pleaseselectacontinentorocean.1Africa2Americas3Antarctica4ArcticOcean5Asia6AtlanticOcean7Australia8Europe9IndianOcean10PacificOcean11none-IwanttospecifythetimezoneusingthePosixTZformat.#?5Pleaseselectacountry.1Afghanistan18Israel35Palestine2Armenia19Japan36Philippines3Azerbaijan20Jordan37Qatar4Bahrain21Kazakhstan38Russia5Bangladesh22Korea(North39SaudiArabia6Bhutan23Korea(South40Singapore7Brunei24Kuwait41SriLanka8Cambodia25Kyrgyzstan42Syria9China26Laos43Taiwan10Cyprus27Lebanon44Tajikistan11EastTimor28Macau45Thailand12Georgia29Malaysia46Turkmenistan13HongKong30Mongolia47UnitedArabEmirates14India31Myanmar(Burma48Uzbekistan15Indonesia32Nepal49Vietnam16Iran33Oman50Yemen17Iraq34Pakistan#?9Pleaseselectoneofthefollowingtimezoneregions.1eastChina-Beijing,Guangdong,Shanghai,etc.2Heilongjiang(exceptMohe,Jilin3centralChina-Sichuan,Yunnan,Guangxi,Shaanxi,Guizhou,etc.4mostofTibet&Xinjiang5westTibet&Xinjiang#?1Thefollowinginformationhasbeengiven:ChinaeastChina-Beijing,Guangdong,Shanghai,etc.IstheaboveinformationOK?1Yes2No#?1Updatingtimezoneinformation...Currentdateandtimehh:mm:ssmm/dd/yy[08:33:5904/15/10]:14:33:0004/15/10Youentered14:33:0004/15/10Isthiscorrect?(y/n?[y]y/bin/date:invaliddate`14:33:0004/15/10'YoumustgenerateavalidSSLcertificateinordertousetheCleanAccessServer'ssecurewebconsole.Pleaseanswerthefollowingquestionscorrectly.InformationforanewSSLcertificate:EnterfullyqualifieddomainnameorIP:TJ-CAS-1.Enterorganizationunitname:CiscoNACApplianceEnterorganizationname:CiscoSystemEntercityname:TianjinEnterstatecode:022Enter2lettercountrycode:CNYouenteredthefollowing:Domain:TJ-CAS-1.Organizationunit:CiscoNACApplianceOrganizationname:CiscoSystemCityname:TianjinStatecode:022Countrycode:CNIsthiscorrect?(y/n?[y]yGeneratingSSLCertificate...DoneEnablePreloginBannerSupport?(y/n?[n]Forsecurityreasons,itishighlyrecommendedthatyouchangethepasswordfortherootuser.**Pleaseenteravalidpasswordforrootuseraspertherequirementsbelow!**Changingpasswordforuserroot.Youcannowchoosethenewpassword.Avalidpasswordshouldbeamixofupperandlowercaseletters,digits,andothercharacters.Youcanusean8characterlongpasswordwithcharactersfromalloftheseclasses.Anuppercaseletterthatbeginsthepasswordandadigitthatendsitdonotcounttowardsthenumberofcharacterclassesused.Enternewpassword://输入复杂的root密码Re-typenewpassword://再次重复输入密码passwd:allauthenticationtokensupdatedsuccessfully.Pleaseenteranappropriatelysecurepasswordforthewebconsoleadminuser.Newpasswordforwebconsoleadmin://输入复杂的admin密码Confirmnewpasswordforwebconsoleadmin://再次重复输入密码Webconsoleadminpasswordchangedsuccessfully.Configurationiscomplete.ChangesrequireaREBOOTofCleanAccessServer.[root@nacserver~]#rebootBroadcastmessagefromroot(ttyS0(ThuApr1508:36:482010:ThesystemisgoingdownforrebootNOW![root@nacserverStoppinganacron:[OK]Stoppingatd:[OK]Shuttingdownconsolemouseservices:[OK]Stoppingnessusd:[OK]Stoppingsshd:[OK]Stoppingxinetd:[OK]Stoppingcrond:[OK]Stoppingautofs:Stoppingautomount:[OK][OK]Shuttingdownkernellogger:[OK]Shuttingdownsystemlogger:[OK]Shuttingdownloopbackinterface:[OK]Startingkillall:[OK]SendingallprocessestheTERMsignal...SendingallprocessestheKILLsignal...Savingrandomseed:SyncinghardwareclocktosystemtimeTurningoffswap:Turningoffquotas:Unmountingfilesystems:Pleasestandbywhilerebootingthesystem...md:stoppingallmddevices.SynchronizingSCSIcachefordisksdb:SynchronizingSCSIcachefordisksda:ACPI:PCIinterruptfordevice0000:04:00.1disabledACPI:PCIinterruptfordevice0000:04:00.0disabledRestartingsystem.//至此CAS初始化完毕。2.4时间配置2.5CAM时间配置在IE地址栏中输入:https://nac-cam-ip-address/admin,根据提示输入CAM的用户名和密码,用户名:admin,密码:(在console初始化时设置的值,Web导航依次Administration->CCAManager->SystemTime:输入具体的时间,建议使用NTP(如果NTP服务器使用域名地址,需要设置DNS服务器。因为CAM与CAS联动与时间因素有很大关系。2.6CAS时间配置在IE地址栏输入https://nac-cas-ip-address/admin,根据提示输入登录用户名和密码,登录用户名是admin,密码是console初始化时设置的值。Web导航依次是Administration->TimeServer进行具体设置,建议使用NTP设置。注意:CAM和CAS的时间差不能太大,否则CAM与CAS联动会有未知故障出现。2.7第三方证书申请/颁发2.8CAM证书申请Web界面登录,Administration->CCAManager->SSL->X509CertificationRequest->GenerateCertificationRequest,输入具体申请证书的信息,如下图:将生成请求证书的信息导出并保存,准备在第三方证书结构申请时使用,如下图:2.9CAS证书申请CAS的证书申请与CAM申请流程大同小异,Web界面如下:2.10第三方机构证书申请/颁发/下载/导入1证书申请打开第三方证书机构申请页面,这里使用Windows2003证书服务器举例,如下图:http://cert-server-ip-address/certsrv依次点击:申请一个证书->高级证书申请->使用base64编码的CMC或PKCS#10文件提交一个证书申请,或使用base64编码的PKCS#7文件续订证书申请,使用记事本打开先前CAM/CAS申请信息,如下图:2证书下载:等待证书机构颁发申请的证书后,下载证书,点击“查看挂起的证书申请的状态”->“保存的申请证书(时间”,如下图:另外需要下载跟证书,是为了在CAM/CAS导入证书信任机构。依次点击:“下载一个CA证书,证书链或CRL”->选择跟证书下载,如下图:3证书导入:Web界面登录CAM,需要先导入证书信任机构。依次点击Administrator->CCAManager->SSL->TrustCertificateAuthorities,如下图:点击“浏览”,找到下载的证书,然后点击Import,导入成功如下图:待证书信任机构导入CA根证书后,再导入CAM/CAS申请的证书,依次点击Administration->CCAManager->SSL->CCAManager->X509Certificate,如下图:点击“浏览”,找到CAM的证书,点击Import导入,如下图:CAS的证

人人文库> 全部分类> 教育资料 > 辅导培训

温馨提示

  • 1. 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。图纸软件为CAD,CAXA,PROE,UG,SolidWorks等.压缩文件请下载最新的WinRAR软件解压。
  • 2. 本站的文档不包含任何第三方提供的附件图纸等,如果需要附件,请联系上传者。文件的所有权益归上传用户所有。
  • 3. 本站RAR压缩包中若带图纸,网页内容里面会有图纸预览,若没有图纸预览就没有图纸。
  • 4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
  • 5. 人人文库网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对用户上传分享的文档内容本身不做任何修改或编辑,并不能对任何下载内容负责。
  • 6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
  • 7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

最新文档

评论

0/150

提交评论