pxGrid integration: enable the pxGrid service on ISE
Time synchronization configuration
Join FMC to the domain
Export the certificate from ISE
Import the certificate into FMC
Register FMC with pxGrid
Test again after ISE has approved the registration
Create the tag
Active Authentication: the user is actively prompted (pop-up) to enter credentials. Passive Authentication: the credentials are obtained from a third party. Create the VPN policy.
ASA configuration

ASA integration with ISE (note that `more` shows the RADIUS key in cleartext, unlike `show running-config`):

```
ASA# more system:running-config | begin aaa-ser
aaa-server ISE protocol radius
aaa-server ISE (outside) host 192.168.1.241
 key cisco
```

SSL VPN configuration:

```
access-list Split standard permit 192.168.1.0 255.255.255.0
access-list Split standard permit 10.1.1.0 255.255.255.0
ip local pool sslvpn 172.16.1.1-172.16.1.100 mask 255.255.255.0
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.4.02034-webdeploy-k9.pkg 1
 anyconnect profiles IKEv2 disk0:/ikev2.xml
 anyconnect enable
 tunnel-group-list enable
group-policy sslvpn-policy internal
group-policy sslvpn-policy attributes
 dns-server value 192.168.1.244
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split
 default-domain value qytang.com
 address-pools value sslvpn
tunnel-group sslvpn-policy type remote-access
tunnel-group sslvpn-policy general-attributes
 authentication-server-group ISE
 authorization-server-group ISE
 accounting-server-group ISE
tunnel-group sslvpn-policy webvpn-attributes
 group-alias Employee_Group enable
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint sslvpn
crypto ipsec ikev2 ipsec-proposal ikev2_proposal
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map dymap 10 set ikev2 ipsec-proposal ikev2_proposal
crypto map sslvpn 1000 ipsec-isakmp dynamic dymap
crypto map sslvpn interface outside
```

ISE configuration
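As an added check that is not part of the original notes: a small Python script that parses ASA running-config text into top-level commands with their indented sub-commands, then verifies that the remote-access tunnel group sends authentication, authorization and accounting to the ISE RADIUS group, that the group exists, and that the split-tunnel ACL referenced by the group-policy is actually defined. The embedded configuration is a constructed excerpt of the ASA configuration above; the tunnel-group and server-group names are taken from it.

```python
import re

# Constructed excerpt of the ASA configuration above (not pulled from a live device).
ASA_CONFIG = """\
aaa-server ISE protocol radius
aaa-server ISE (outside) host 192.168.1.241
 key cisco
access-list Split standard permit 192.168.1.0 255.255.255.0
access-list Split standard permit 10.1.1.0 255.255.255.0
group-policy sslvpn-policy attributes
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split
tunnel-group sslvpn-policy general-attributes
 authentication-server-group ISE
 authorization-server-group ISE
 accounting-server-group ISE
"""

def parse_sections(text):
    """Group each top-level ASA command with its indented sub-commands."""
    sections = []
    for line in filter(str.strip, text.splitlines()):
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections

def audit_vpn(text, tunnel_group, aaa_group):
    """Return a list of findings; an empty list means every check passed."""
    sections = parse_sections(text)
    findings = []
    # 1. The RADIUS server group the tunnel group relies on must exist.
    if not any(h == f"aaa-server {aaa_group} protocol radius" for h, _ in sections):
        findings.append(f"RADIUS group {aaa_group} is not defined")
    # 2. Authentication, authorization and accounting must all point at that group.
    general = [s for h, s in sections if h == f"tunnel-group {tunnel_group} general-attributes"]
    for role in ("authentication", "authorization", "accounting"):
        wanted = f"{role}-server-group {aaa_group}"
        if not general or wanted not in general[0]:
            findings.append(f"tunnel-group {tunnel_group} is missing '{wanted}'")
    # 3. Every split-tunnel ACL referenced by a group-policy must actually be defined.
    referenced = set(re.findall(r"^\s+split-tunnel-network-list value (\S+)", text, re.M))
    defined = {h.split()[1] for h, _ in sections if h.startswith("access-list ")}
    for acl in sorted(referenced - defined):
        findings.append(f"split-tunnel ACL {acl} is referenced but not defined")
    return findings
```

Run `audit_vpn(ASA_CONFIG, "sslvpn-policy", "ISE")` against a config pulled with `more system:running-config`; a non-empty list points at the exact command that is missing.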
Integrate ISE with AD
DACL: permit any; ASA VPN: sslvpn-policy
pxGrid summary
1. FMC synchronizes its time and joins the domain, then downloads the users
2. ISE integrates with the AD domain and retrieves the domain user groups
3. ISE and FMC are linked through pxGrid (two certificates + approval)
4. The ASA VPN authenticates and authorizes users through ISE
5. ISE authorizes VPN users with the SGT (Employee) tag
6. ISE shares EndpointProfileMetaData, SessionDirectory and TrustSecMetaData with FMC through pxGrid
7. FMC controls traffic traversing the firewall by the SGT (Employee) tag
Allow ISE-to-FMC traffic
ISE: add the IdP
Identity policy
Add the user policy