After a longer break I returned to integrating Cisco ISE 2.0 with Palo Alto Networks, using RADIUS on ISE as the authentication point for administrative accounts. I know that most administrative-account authorization is probably based on LDAP and AD. As always, though, I have to tinker with and complicate my lab scenarios, and thanks to that approach I get to know both systems better.
ISE configuration
Go to Policy –> Policy Elements –> Dictionaries, choose System –> RADIUS –> RADIUS Vendors. The Palo Alto documentation link describing these attributes will be helpful here.
Click Add
Dictionary Name: PaloAlto – our name
Vendor ID: 25461
Click Submit
Go to the newly created dictionary, then to Dictionary Attributes. Click Add
and fill it in according to the Palo Alto documentation. For now we need one attribute:
Attribute Name: PaloAlto-Admin-Role
Data Type: String
Direction: Both
ID: 1
In the next step we create a profile for Palo Alto devices. Go to Administration –> Network Resources –> Network Device Profiles and click Add
Add our device to ISE: go to Administration –> Network Resources –> Network Devices and click Add
Enter the details:
Name: a name for our device
IP Address: the IP address from which our device will communicate with the ISE server
Device Profile: select our profile for Palo devices
Device Type: I created a separate group for devices of this type
Location: I also split them by location
Select: RADIUS Authentication Settings
in the Shared Secret field enter the secret that will be used for the connection from the Palo to ISE
Select the AD group whose users will be allowed to log in to the Palo
Go to Administration –> Identity Management –> External Identity Sources, choose Active Directory and our join point to our AD. There choose Groups, click Add and then Select Dictionary Groups; a window opens in which we can search for our group and add it to ISE.
Create the allowed-protocols profile for the PALO–ISE communication: go to Policy –> Policy Elements –> Results –> Authentication –> Allowed Protocols and click Add
Create the authorization profile: go to Policy –> Policy Elements –> Results –> Authorization –> Authorization Profiles and click Add
under Advanced Attributes Settings choose PaloAlto –> PaloAlto-Admin-Role from the menu, and in the field next to it enter the name of our Palo admin role profile, which will be configured on the Palo later.
In the Attributes Details field we get this result:
Access Type = ACCESS_ACCEPT
PaloAlto-Admin-Role = admin-radius
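As an added illustration (not from the original post or from either vendor), the Python below shows what the result above looks like on the wire: the PaloAlto-Admin-Role string travels in an RFC 2865 Vendor-Specific attribute carrying Vendor ID 25461 and vendor attribute 1, and the Access-Accept is bound to the shared secret through the Response Authenticator. The request authenticator and the secret are constructed sample values.

```python
import hashlib
import struct

# Values from the ISE dictionary configured above
PALOALTO_VENDOR_ID = 25461      # Vendor ID
PALOALTO_ADMIN_ROLE = 1         # PaloAlto-Admin-Role: attribute ID 1, type String
ATTR_VENDOR_SPECIFIC = 26       # RFC 2865 Vendor-Specific attribute type
CODE_ACCESS_ACCEPT = 2          # RADIUS packet code for Access-Accept


def encode_admin_role_vsa(role: str) -> bytes:
    """RFC 2865 VSA layout: type 26 | length | vendor-id(4) | vendor-type | vendor-length | string."""
    value = role.encode("ascii")
    inner = struct.pack("!BB", PALOALTO_ADMIN_ROLE, 2 + len(value)) + value
    body = struct.pack("!I", PALOALTO_VENDOR_ID) + inner
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes, role: str) -> bytes:
    """Access-Accept as ISE returns it for the rule above. The Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), so the reply only
    validates on a firewall that holds the same shared secret."""
    attrs = encode_admin_role_vsa(role)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response_authenticator(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The check the RADIUS client (the firewall) makes before trusting a reply."""
    header, got, attrs = packet[:4], packet[4:20], packet[20:]
    return got == hashlib.md5(header + request_auth + attrs + secret).digest()


def admin_role_from_packet(packet: bytes):
    """Return the PaloAlto-Admin-Role string from an Access-Accept, or None if absent."""
    if packet[0] != CODE_ACCESS_ACCEPT:
        return None
    raw, i = packet[20:], 0
    while i + 2 <= len(raw):
        atype, alen = raw[i], raw[i + 1]
        if alen < 2 or i + alen > len(raw):
            raise ValueError("malformed attribute at offset %d" % i)
        value = raw[i + 2:i + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vendor_id == PALOALTO_VENDOR_ID and vtype == PALOALTO_ADMIN_ROLE and vlen == len(value) - 4:
                return value[6:].decode("ascii")
        i += alen
    return None


if __name__ == "__main__":
    req_auth = bytes(range(16))                 # constructed, not a captured authenticator
    secret = b"constructed-shared-secret"       # constructed sample shared secret
    pkt = build_access_accept(7, req_auth, secret, "admin-radius")
    print(pkt.hex(), verify_response_authenticator(pkt, req_auth, secret), admin_role_from_packet(pkt))
```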
Now create the authorization rule: go to Policy –> Authorization
and add a new rule where:
Rule Name: our rule name
conditions:
If ANY and ISE-SRV:memberOf matches CN=PA-admin-full,CN=Users,DC=safekom,DC=pl
and DEVICE:Device Type Equals Device Type#All Device Types#Palo
then Palo-auth
Palo configuration
Time to configure our Palo. After logging in, go to Device –> Server Profiles –> RADIUS and add a new profile for ISE
where:
Profile Name: our RADIUS profile
in the Servers field add our RADIUS servers (in my case a single server)
Name: our identifying name
RADIUS Server: IP address or FQDN of our RADIUS server
Secret: the secret we set
Port: 1812 by default
CLI
set shared server-profile radius ISE server ISE01 secret -AQ==gPzxJUAM1wLKKOPC5tJg+lHyn0A=aloUXPMeEZ6yM/xJpgEVLA==
set shared server-profile radius ISE server ISE01 port 1812
set shared server-profile radius ISE server ISE01 ip-address 192.168.1.55
Create an Admin Roles profile; this profile is what lets a user log in with the appropriate permissions.
Here it is important that the profile name is the same as the one we defined on the ISE server: admin-radius
CLI
set shared admin-role admin-radius role device cli superuser
set shared admin-role admin-radius role device webui dashboard enable
set shared admin-role admin-radius role device webui acc enable
set shared admin-role admin-radius role device webui monitor logs traffic enable
set shared admin-role admin-radius role device webui monitor logs threat enable
set shared admin-role admin-radius role device webui monitor logs url enable
set shared admin-role admin-radius role device webui monitor logs wildfire enable
set shared admin-role admin-radius role device webui monitor logs data-filtering enable
set shared admin-role admin-radius role device webui monitor logs hipmatch enable
set shared admin-role admin-radius role device webui monitor logs configuration enable
set shared admin-role admin-radius role device webui monitor logs system enable
set shared admin-role admin-radius role device webui monitor logs alarm enable
set shared admin-role admin-radius role device webui monitor automated-correlation-engine correlation-objects enable
set shared admin-role admin-radius role device webui monitor automated-correlation-engine correlated-events enable
set shared admin-role admin-radius role device webui monitor packet-capture enable
set shared admin-role admin-radius role device webui monitor app-scope enable
set shared admin-role admin-radius role device webui monitor session-browser enable
set shared admin-role admin-radius role device webui monitor botnet enable
set shared admin-role admin-radius role device webui monitor pdf-reports manage-pdf-summary enable
set shared admin-role admin-radius role device webui monitor pdf-reports pdf-summary-reports enable
set shared admin-role admin-radius role device webui monitor pdf-reports user-activity-report enable
set shared admin-role admin-radius role device webui monitor pdf-reports saas-application-usage-report enable
set shared admin-role admin-radius role device webui monitor pdf-reports report-groups enable
set shared admin-role admin-radius role device webui monitor pdf-reports email-scheduler enable
set shared admin-role admin-radius role device webui monitor custom-reports application-statistics enable
set shared admin-role admin-radius role device webui monitor custom-reports data-filtering-log enable
set shared admin-role admin-radius role device webui monitor custom-reports threat-log enable
set shared admin-role admin-radius role device webui monitor custom-reports threat-summary enable
set shared admin-role admin-radius role device webui monitor custom-reports traffic-log enable
set shared admin-role admin-radius role device webui monitor custom-reports traffic-summary enable
set shared admin-role admin-radius role device webui monitor custom-reports url-log enable
set shared admin-role admin-radius role device webui monitor custom-reports url-summary enable
set shared admin-role admin-radius role device webui monitor custom-reports hipmatch enable
set shared admin-role admin-radius role device webui monitor custom-reports wildfire-log enable
set shared admin-role admin-radius role device webui monitor view-custom-reports enable
set shared admin-role admin-radius role device webui monitor application-reports enable
set shared admin-role admin-radius role device webui monitor threat-reports enable
set shared admin-role admin-radius role device webui monitor url-filtering-reports enable
set shared admin-role admin-radius role device webui monitor traffic-reports enable
set shared admin-role admin-radius role device webui policies security-rulebase enable
set shared admin-role admin-radius role device webui policies nat-rulebase enable
set shared admin-role admin-radius role device webui policies qos-rulebase enable
set shared admin-role admin-radius role device webui policies pbf-rulebase enable
set shared admin-role admin-radius role device webui policies ssl-decryption-rulebase enable
set shared admin-role admin-radius role device webui policies application-override-rulebase enable
set shared admin-role admin-radius role device webui policies captive-portal-rulebase enable
set shared admin-role admin-radius role device webui policies dos-rulebase enable
set shared admin-role admin-radius role device webui objects addresses enable
set shared admin-role admin-radius role device webui objects address-groups enable
set shared admin-role admin-radius role device webui objects regions enable
set shared admin-role admin-radius role device webui objects applications enable
set shared admin-role admin-radius role device webui objects application-groups enable
set shared admin-role admin-radius role device webui objects application-filters enable
set shared admin-role admin-radius role device webui objects services enable
set shared admin-role admin-radius role device webui objects service-groups enable
set shared admin-role admin-radius role device webui objects tags enable
set shared admin-role admin-radius role device webui objects global-protect hip-objects enable
set shared admin-role admin-radius role device webui objects global-protect hip-profiles enable
set shared admin-role admin-radius role device webui objects dynamic-block-lists enable
set shared admin-role admin-radius role device webui objects custom-objects data-patterns enable
set shared admin-role admin-radius role device webui objects custom-objects spyware enable
set shared admin-role admin-radius role device webui objects custom-objects vulnerability enable
set shared admin-role admin-radius role device webui objects custom-objects url-category enable
set shared admin-role admin-radius role device webui objects security-profiles antivirus enable
set shared admin-role admin-radius role device webui objects security-profiles anti-spyware enable
set shared admin-role admin-radius role device webui objects security-profiles vulnerability-protection enable
set shared admin-role admin-radius role device webui objects security-profiles url-filtering enable
set shared admin-role admin-radius role device webui objects security-profiles file-blocking enable
set shared admin-role admin-radius role device webui objects security-profiles wildfire-analysis enable
set shared admin-role admin-radius role device webui objects security-profiles data-filtering enable
set shared admin-role admin-radius role device webui objects security-profiles dos-protection enable
set shared admin-role admin-radius role device webui objects security-profile-groups enable
set shared admin-role admin-radius role device webui objects log-forwarding enable
set shared admin-role admin-radius role device webui objects decryption-profile enable
set shared admin-role admin-radius role device webui objects schedules enable
set shared admin-role admin-radius role device webui network interfaces enable
set shared admin-role admin-radius role device webui network zones enable
set shared admin-role admin-radius role device webui network vlans enable
set shared admin-role admin-radius role device webui network virtual-wires enable
set shared admin-role admin-radius role device webui network virtual-routers enable
set shared admin-role admin-radius role device webui network ipsec-tunnels enable
set shared admin-role admin-radius role device webui network dhcp enable
set shared admin-role admin-radius role device webui network dns-proxy enable
set shared admin-role admin-radius role device webui network global-protect portals enable
set shared admin-role admin-radius role device webui network global-protect gateways enable
set shared admin-role admin-radius role device webui network global-protect mdm enable
set shared admin-role admin-radius role device webui network global-protect device-block-list enable
set shared admin-role admin-radius role device webui network qos enable
set shared admin-role admin-radius role device webui network lldp enable
set shared admin-role admin-radius role device webui network network-profiles gp-app-ipsec-crypto enable
set shared admin-role admin-radius role device webui network network-profiles ike-gateways enable
set shared admin-role admin-radius role device webui network network-profiles ipsec-crypto enable
set shared admin-role admin-radius role device webui network network-profiles ike-crypto enable
set shared admin-role admin-radius role device webui network network-profiles tunnel-monitor enable
set shared admin-role admin-radius role device webui network network-profiles interface-mgmt enable
set shared admin-role admin-radius role device webui network network-profiles zone-protection enable
set shared admin-role admin-radius role device webui network network-profiles qos-profile enable
set shared admin-role admin-radius role device webui network network-profiles lldp-profile enable
set shared admin-role admin-radius role device webui network network-profiles bfd-profile enable
set shared admin-role admin-radius role device webui device setup management enable
set shared admin-role admin-radius role device webui device setup operations enable
set shared admin-role admin-radius role device webui device setup services enable
set shared admin-role admin-radius role device webui device setup content-id enable
set shared admin-role admin-radius role device webui device setup wildfire enable
set shared admin-role admin-radius role device webui device setup session enable
set shared admin-role admin-radius role device webui device setup hsm enable
set shared admin-role admin-radius role device webui device high-availability enable
set shared admin-role admin-radius role device webui device config-audit enable
set shared admin-role admin-radius role device webui device administrators read-only
set shared admin-role admin-radius role device webui device admin-roles read-only
set shared admin-role admin-radius role device webui device authentication-profile enable
set shared admin-role admin-radius role device webui device authentication-sequence enable
set shared admin-role admin-radius role device webui device user-identification enable
set shared admin-role admin-radius role device webui device vm-info-source enable
set shared admin-role admin-radius role device webui device certificate-management certificates enable
set shared admin-role admin-radius role device webui device certificate-management certificate-profile enable
set shared admin-role admin-radius role device webui device certificate-management ocsp-responder enable
set shared admin-role admin-radius role device webui device certificate-management ssl-tls-service-profile enable
set shared admin-role admin-radius role device webui device certificate-management scep enable
set shared admin-role admin-radius role device webui device block-pages enable
set shared admin-role admin-radius role device webui device log-settings system enable
set shared admin-role admin-radius role device webui device log-settings config enable
set shared admin-role admin-radius role device webui device log-settings hipmatch enable
set shared admin-role admin-radius role device webui device log-settings cc-alarm enable
set shared admin-role admin-radius role device webui device log-settings manage-log enable
set shared admin-role admin-radius role device webui device server-profile snmp-trap enable
set shared admin-role admin-radius role device webui device server-profile syslog enable
set shared admin-role admin-radius role device webui device server-profile email enable
set shared admin-role admin-radius role device webui device server-profile netflow enable
set shared admin-role admin-radius role device webui device server-profile radius enable
set shared admin-role admin-radius role device webui device server-profile tacplus enable
set shared admin-role admin-radius role device webui device server-profile ldap enable
set shared admin-role admin-radius role device webui device server-profile kerberos enable
set shared admin-role admin-radius role device webui device local-user-database users enable
set shared admin-role admin-radius role device webui device local-user-database user-groups enable
set shared admin-role admin-radius role device webui device scheduled-log-export enable
set shared admin-role admin-radius role device webui device software enable
set shared admin-role admin-radius role device webui device global-protect-client enable
set shared admin-role admin-radius role device webui device dynamic-updates enable
set shared admin-role admin-radius role device webui device licenses enable
set shared admin-role admin-radius role device webui device support enable
set shared admin-role admin-radius role device webui device master-key enable
set shared admin-role admin-radius role device webui privacy show-full-ip-addresses enable
set shared admin-role admin-radius role device webui privacy show-user-names-in-logs-and-reports enable
set shared admin-role admin-radius role device webui privacy view-pcap-files enable
set shared admin-role admin-radius role device webui validate enable
set shared admin-role admin-radius role device webui commit enable
set shared admin-role admin-radius role device webui global system-alarms enable
set shared admin-role admin-radius role device xmlapi report enable
set shared admin-role admin-radius role device xmlapi log enable
set shared admin-role admin-radius role device xmlapi config enable
set shared admin-role admin-radius role device xmlapi op enable
set shared admin-role admin-radius role device xmlapi commit enable
set shared admin-role admin-radius role device xmlapi user-id enable
set shared admin-role admin-radius role device xmlapi export enable
set shared admin-role admin-radius role device xmlapi import enable
Create the Authentication Profile in which we will use our ISE server profile:
in Type choose RADIUS
Server Profile: choose our ISE profile
In Advanced
in Allow List put all
CLI
set shared authentication-profile ISE method radius server-profile ISE
set shared authentication-profile ISE allow-list all
set shared authentication-profile ISE lockout lockout-time 1
set shared authentication-profile ISE lockout failed-attempts 5
After committing, try logging in to the device over SSH
in the PA logs we see:
Web
search with:
( object eq auth )
or as in the screenshot below:
( eventid eq auth-success )
To find failed authentications use the filter:
( eventid eq auth-fail )
CLI
michal-adminpa@PA-VM> show log system eventid equal auth-success
Time Severity Subtype Object EventID ID Description
===============================================================================
2016/05/10 13:00:16 info general auth auth-su 0 authenticated for user 'michal-adminpa'. auth profile 'auth', vsys 'shared', server profile 'ISE', server address '192.168.1.55', From: 192.168.1.10.
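As an added example (not from the original post; only the success row is quoted from the output above, the failed-login rows and the commit row are constructed because their exact wording is not on the page), the Python below parses rows in the column format of `show log system`, pulls out the user, the ISE server and the source address, and flags sources that reached the 5 failed attempts set in the authentication profile.

```python
import re
from collections import Counter

# Column layout of `show log system` shown above: Time Severity Subtype Object EventID ID Description
LINE_RE = re.compile(
    r"^(?P<time>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(?P<severity>\S+)\s+(?P<subtype>\S+)\s+"
    r"(?P<object>\S+)\s+(?P<eventid>\S+)\s+(?P<id>\d+)\s+(?P<desc>.*)$"
)
USER_RE = re.compile(r"user '([^']+)'")
SERVER_RE = re.compile(r"server address '([^']+)'")
FROM_RE = re.compile(r"From: (\d+(?:\.\d+){3})")

# Constructed sample rows: the success row is the one quoted above, the others are made up
SUCCESS_ROW = ("2016/05/10 13:00:16 info general auth auth-su 0 authenticated for user 'michal-adminpa'. "
               "auth profile 'auth', vsys 'shared', server profile 'ISE', server address '192.168.1.55', "
               "From: 192.168.1.10.")
FAIL_ROW = ("2016/05/10 13:0{m}:{s:02d} info general auth auth-fa 0 failed authentication for user "
            "'{user}'. auth profile 'ISE', vsys 'shared', server profile 'ISE', server address "
            "'192.168.1.55', From: {src}.")
OTHER_ROW = "2016/05/10 13:05:00 info general general general 0 Commit job succeeded."
SAMPLE_LOG = (
    [SUCCESS_ROW]
    + [FAIL_ROW.format(m=1, s=i, user="admin", src="203.0.113.7") for i in range(5)]
    + [FAIL_ROW.format(m=2, s=0, user="michal-adminpa", src="192.168.1.10"), OTHER_ROW]
)

def _first(rx, text):
    m = rx.search(text)
    return m.group(1) if m else None

def parse_auth_events(lines):
    """Keep rows whose Object column is 'auth'. The CLI truncates the EventID column
    (auth-su / auth-fa), so success is decided by prefix rather than exact match."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("object") != "auth":
            continue
        desc = m.group("desc")
        events.append({
            "time": m.group("time"),
            "success": m.group("eventid").startswith("auth-su"),
            "user": _first(USER_RE, desc),
            "server": _first(SERVER_RE, desc),
            "src": _first(FROM_RE, desc),
        })
    return events

def failures_by_source(events, threshold=5):
    """Source addresses with at least `threshold` failed admin logins; 5 is the
    failed-attempts value in the authentication profile configured above."""
    counts = Counter(e["src"] for e in events if not e["success"] and e["src"])
    return {src: n for src, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    evs = parse_auth_events(SAMPLE_LOG)
    print(len(evs), "auth events;", failures_by_source(evs))
```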
Such a user cannot add or modify local accounts, nor add or modify Admin Roles; as shown below, the Add and Delete buttons are greyed out:
To grant full-rights access we have to create an Administrator account:
where Name is our user that exists in RADIUS.
CLI
set mgt-config users michal permissions role-based superuser yes
set mgt-config users michal authentication-profile ISE
After this we have an account with full permissions; the logged-in administrator can now modify Admin Roles.