
After a longer break I came back to integrating Cisco ISE 2.0 with Palo Alto Networks, using RADIUS on ISE as the authentication point for administrative accounts. I know that most admin-account authorization is probably based on LDAP and AD. I, however, always have to tinker with and complicate my lab scenarios, but thanks to that approach I get to know both systems better.
ISE configuration
Go to Policy –> Policy Elements –> Dictionaries, select System –> Radius –> RADIUS Vendors. Palo Alto's documentation of its RADIUS attributes will come in handy here.
Click Add
Dictionary Name: PaloAlto – our name
Vendor ID: 25461
Click Submit
Go to the newly created dictionary, then to Dictionary Attributes. Click Add
As per the Palo Alto documentation; for now we need just one attribute:
Attribute Name: PaloAlto-Admin-Role
Data Type: String
Direction: Both
ID: 1
In the next step we create a device profile for Palo Alto devices. Go to Administration –> Network Resources –> Network Device Profiles and click Add
Add our device to ISE: go to Administration –> Network Resources –> Network Devices and click Add
Enter the details:
Name: a name for our device
IP Address: the IP address from which our device will talk to the ISE server
Device Profile: select our profile for Palo devices
Device Type: I created a separate repo for devices of this type
Location: I also split them by location
Select: RADIUS Authentication Settings
In the Shared Secret field enter the password that will be used for the PALO to ISE connection
Select the AD group whose users will be allowed to log in to the Palo
Go to Administration –> Identity Management –> External Identity Sources, select Active Directory and our join point to AD. There select Groups, click Add –> Select Dictionary Groups; a window opens in which we can search for our group and add it to ISE.
Create the allowed-protocols profile for PALO–ISE communication: go to Policy –> Policy Elements –> Results –> Authentication –> Allowed Protocols and click Add
Create the authorization profile: go to Policy –> Policy Elements –> Results –> Authorization –> Authorization Profiles and click Add
Under Advanced Attributes Settings choose PaloAlto –> PaloAlto-Admin-Role from the menu and in the field next to it enter the name of our Palo admin role, which will be configured on the Palo later.
In Attributes Details we get the following:
Access Type = ACCESS_ACCEPT
PaloAlto-Admin-Role = admin-radius
Now create the authorization rule: go to Policy –> Authorization
and add a new rule where:
Rule Name: our rule name
Conditions:
If ANY and ISE-SRV:memberOf matches CN=PA-admin-full,CN=Users,DC=safekom,DC=pl
and DEVICE:Device Type Equals Device Type#All Device Types#Palo
then Palo-auth
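As an added example (not part of the original post), here is how the PaloAlto-Admin-Role VSA that ISE places in the Access-Accept is laid out on the wire, with the values used in this post (Vendor ID 25461, attribute ID 1, role admin-radius). The encoder, the decoder and the `known_roles` check are my own illustration, not ISE or PAN-OS code.

```python
"""Encode and decode the Palo Alto RADIUS vendor-specific attribute (VSA)
that ISE returns in Access-Accept. Added example, not from the post.

RADIUS VSA layout (RFC 2865, section 5.26):
  Type=26 | Length | Vendor-Id (4 bytes) | Vendor-Type | Vendor-Length | Value
"""
import struct
from typing import List, Optional, Set, Tuple

RADIUS_VSA_TYPE = 26
VENDOR_PALOALTO = 25461   # Vendor ID entered in the ISE dictionary
ATTR_ADMIN_ROLE = 1       # PaloAlto-Admin-Role: ID 1, Data Type String


def encode_admin_role(role: str) -> bytes:
    """Return the raw attribute bytes for PaloAlto-Admin-Role = role."""
    value = role.encode("ascii")
    # Vendor-Length counts vendor-type, vendor-length and the value itself.
    vendor_part = struct.pack("!BB", ATTR_ADMIN_ROLE, 2 + len(value)) + value
    body = struct.pack("!I", VENDOR_PALOALTO) + vendor_part
    if 2 + len(body) > 255:
        raise ValueError("role name too long for a single RADIUS attribute")
    return struct.pack("!BB", RADIUS_VSA_TYPE, 2 + len(body)) + body


def decode_paloalto_vsas(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk a RADIUS attribute list and return (vendor_type, value) for each
    Palo Alto VSA; non-VSA attributes and other vendors are skipped. Only the
    first vendor sub-attribute of each VSA is read."""
    found: List[Tuple[int, bytes]] = []
    pos = 0
    while pos + 2 <= len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute length at offset %d" % pos)
        if atype == RADIUS_VSA_TYPE and alen >= 8:
            vendor_id = struct.unpack("!I", data[pos + 2:pos + 6])[0]
            vtype, vlen = data[pos + 6], data[pos + 7]
            if vlen < 2 or 6 + vlen > alen:
                raise ValueError("malformed vendor length at offset %d" % pos)
            if vendor_id == VENDOR_PALOALTO:
                found.append((vtype, data[pos + 8:pos + 6 + vlen]))
        pos += alen
    return found


def granted_role(data: bytes, known_roles: Set[str]) -> Optional[str]:
    """Role name ISE granted, or None when the Access-Accept names a role
    that does not exist on the firewall (the names must match exactly)."""
    for vtype, value in decode_paloalto_vsas(data):
        if vtype == ATTR_ADMIN_ROLE:
            role = value.decode("ascii", errors="replace")
            return role if role in known_roles else None
    return None


if __name__ == "__main__":
    attr = encode_admin_role("admin-radius")
    print(attr.hex())
    print(granted_role(attr, {"admin-radius"}))
```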
Palo configuration
Time to configure our Palo. After logging in, go to Device –> Server Profiles –> RADIUS and add a new profile for ISE,
where:
Profile Name: our RADIUS profile
under Servers add our RADIUS servers (in my case it is a single server)
Name: our descriptive name
RADIUS Server: IP address or FQDN of our RADIUS server
Secret: the password we set
Port: 1812 by default
CLI
set shared server-profile radius ISE server ISE01 secret -AQ==gPzxJUAM1wLKKOPC5tJg+lHyn0A=aloUXPMeEZ6yM/xJpgEVLA==
set shared server-profile radius ISE server ISE01 port 1812
set shared server-profile radius ISE server ISE01 ip-address 192.168.1.55
Create an Admin Roles profile – this profile is what lets the user log in with the appropriate privileges.
At this point it is important that the profile name is exactly the same as we defined it on the ISE server: admin-radius
CLI
set shared admin-role admin-radius role device cli superuser
set shared admin-role admin-radius role device webui dashboard enable
set shared admin-role admin-radius role device webui acc enable
set shared admin-role admin-radius role device webui monitor logs traffic enable
set shared admin-role admin-radius role device webui monitor logs threat enable
set shared admin-role admin-radius role device webui monitor logs url enable
set shared admin-role admin-radius role device webui monitor logs wildfire enable
set shared admin-role admin-radius role device webui monitor logs data-filtering enable
set shared admin-role admin-radius role device webui monitor logs hipmatch enable
set shared admin-role admin-radius role device webui monitor logs configuration enable
set shared admin-role admin-radius role device webui monitor logs system enable
set shared admin-role admin-radius role device webui monitor logs alarm enable
set shared admin-role admin-radius role device webui monitor automated-correlation-engine correlation-objects enable
set shared admin-role admin-radius role device webui monitor automated-correlation-engine correlated-events enable
set shared admin-role admin-radius role device webui monitor packet-capture enable
set shared admin-role admin-radius role device webui monitor app-scope enable
set shared admin-role admin-radius role device webui monitor session-browser enable
set shared admin-role admin-radius role device webui monitor botnet enable
set shared admin-role admin-radius role device webui monitor pdf-reports manage-pdf-summary enable
set shared admin-role admin-radius role device webui monitor pdf-reports pdf-summary-reports enable
set shared admin-role admin-radius role device webui monitor pdf-reports user-activity-report enable
set shared admin-role admin-radius role device webui monitor pdf-reports saas-application-usage-report enable
set shared admin-role admin-radius role device webui monitor pdf-reports report-groups enable
set shared admin-role admin-radius role device webui monitor pdf-reports email-scheduler enable
set shared admin-role admin-radius role device webui monitor custom-reports application-statistics enable
set shared admin-role admin-radius role device webui monitor custom-reports data-filtering-log enable
set shared admin-role admin-radius role device webui monitor custom-reports threat-log enable
set shared admin-role admin-radius role device webui monitor custom-reports threat-summary enable
set shared admin-role admin-radius role device webui monitor custom-reports traffic-log enable
set shared admin-role admin-radius role device webui monitor custom-reports traffic-summary enable
set shared admin-role admin-radius role device webui monitor custom-reports url-log enable
set shared admin-role admin-radius role device webui monitor custom-reports url-summary enable
set shared admin-role admin-radius role device webui monitor custom-reports hipmatch enable
set shared admin-role admin-radius role device webui monitor custom-reports wildfire-log enable
set shared admin-role admin-radius role device webui monitor view-custom-reports enable
set shared admin-role admin-radius role device webui monitor application-reports enable
set shared admin-role admin-radius role device webui monitor threat-reports enable
set shared admin-role admin-radius role device webui monitor url-filtering-reports enable
set shared admin-role admin-radius role device webui monitor traffic-reports enable
set shared admin-role admin-radius role device webui policies security-rulebase enable
set shared admin-role admin-radius role device webui policies nat-rulebase enable
set shared admin-role admin-radius role device webui policies qos-rulebase enable
set shared admin-role admin-radius role device webui policies pbf-rulebase enable
set shared admin-role admin-radius role device webui policies ssl-decryption-rulebase enable
set shared admin-role admin-radius role device webui policies application-override-rulebase enable
set shared admin-role admin-radius role device webui policies captive-portal-rulebase enable
set shared admin-role admin-radius role device webui policies dos-rulebase enable
set shared admin-role admin-radius role device webui objects addresses enable
set shared admin-role admin-radius role device webui objects address-groups enable
set shared admin-role admin-radius role device webui objects regions enable
set shared admin-role admin-radius role device webui objects applications enable
set shared admin-role admin-radius role device webui objects application-groups enable
set shared admin-role admin-radius role device webui objects application-filters enable
set shared admin-role admin-radius role device webui objects services enable
set shared admin-role admin-radius role device webui objects service-groups enable
set shared admin-role admin-radius role device webui objects tags enable
set shared admin-role admin-radius role device webui objects global-protect hip-objects enable
set shared admin-role admin-radius role device webui objects global-protect hip-profiles enable
set shared admin-role admin-radius role device webui objects dynamic-block-lists enable
set shared admin-role admin-radius role device webui objects custom-objects data-patterns enable
set shared admin-role admin-radius role device webui objects custom-objects spyware enable
set shared admin-role admin-radius role device webui objects custom-objects vulnerability enable
set shared admin-role admin-radius role device webui objects custom-objects url-category enable
set shared admin-role admin-radius role device webui objects security-profiles antivirus enable
set shared admin-role admin-radius role device webui objects security-profiles anti-spyware enable
set shared admin-role admin-radius role device webui objects security-profiles vulnerability-protection enable
set shared admin-role admin-radius role device webui objects security-profiles url-filtering enable
set shared admin-role admin-radius role device webui objects security-profiles file-blocking enable
set shared admin-role admin-radius role device webui objects security-profiles wildfire-analysis enable
set shared admin-role admin-radius role device webui objects security-profiles data-filtering enable
set shared admin-role admin-radius role device webui objects security-profiles dos-protection enable
set shared admin-role admin-radius role device webui objects security-profile-groups enable
set shared admin-role admin-radius role device webui objects log-forwarding enable
set shared admin-role admin-radius role device webui objects decryption-profile enable
set shared admin-role admin-radius role device webui objects schedules enable
set shared admin-role admin-radius role device webui network interfaces enable
set shared admin-role admin-radius role device webui network zones enable
set shared admin-role admin-radius role device webui network vlans enable
set shared admin-role admin-radius role device webui network virtual-wires enable
set shared admin-role admin-radius role device webui network virtual-routers enable
set shared admin-role admin-radius role device webui network ipsec-tunnels enable
set shared admin-role admin-radius role device webui network dhcp enable
set shared admin-role admin-radius role device webui network dns-proxy enable
set shared admin-role admin-radius role device webui network global-protect portals enable
set shared admin-role admin-radius role device webui network global-protect gateways enable
set shared admin-role admin-radius role device webui network global-protect mdm enable
set shared admin-role admin-radius role device webui network global-protect device-block-list enable
set shared admin-role admin-radius role device webui network qos enable
set shared admin-role admin-radius role device webui network lldp enable
set shared admin-role admin-radius role device webui network network-profiles gp-app-ipsec-crypto enable
set shared admin-role admin-radius role device webui network network-profiles ike-gateways enable
set shared admin-role admin-radius role device webui network network-profiles ipsec-crypto enable
set shared admin-role admin-radius role device webui network network-profiles ike-crypto enable
set shared admin-role admin-radius role device webui network network-profiles tunnel-monitor enable
set shared admin-role admin-radius role device webui network network-profiles interface-mgmt enable
set shared admin-role admin-radius role device webui network network-profiles zone-protection enable
set shared admin-role admin-radius role device webui network network-profiles qos-profile enable
set shared admin-role admin-radius role device webui network network-profiles lldp-profile enable
set shared admin-role admin-radius role device webui network network-profiles bfd-profile enable
set shared admin-role admin-radius role device webui device setup management enable
set shared admin-role admin-radius role device webui device setup operations enable
set shared admin-role admin-radius role device webui device setup services enable
set shared admin-role admin-radius role device webui device setup content-id enable
set shared admin-role admin-radius role device webui device setup wildfire enable
set shared admin-role admin-radius role device webui device setup session enable
set shared admin-role admin-radius role device webui device setup hsm enable
set shared admin-role admin-radius role device webui device high-availability enable
set shared admin-role admin-radius role device webui device config-audit enable
set shared admin-role admin-radius role device webui device administrators read-only
set shared admin-role admin-radius role device webui device admin-roles read-only
set shared admin-role admin-radius role device webui device authentication-profile enable
set shared admin-role admin-radius role device webui device authentication-sequence enable
set shared admin-role admin-radius role device webui device user-identification enable
set shared admin-role admin-radius role device webui device vm-info-source enable
set shared admin-role admin-radius role device webui device certificate-management certificates enable
set shared admin-role admin-radius role device webui device certificate-management certificate-profile enable
set shared admin-role admin-radius role device webui device certificate-management ocsp-responder enable
set shared admin-role admin-radius role device webui device certificate-management ssl-tls-service-profile enable
set shared admin-role admin-radius role device webui device certificate-management scep enable
set shared admin-role admin-radius role device webui device block-pages enable
set shared admin-role admin-radius role device webui device log-settings system enable
set shared admin-role admin-radius role device webui device log-settings config enable
set shared admin-role admin-radius role device webui device log-settings hipmatch enable
set shared admin-role admin-radius role device webui device log-settings cc-alarm enable
set shared admin-role admin-radius role device webui device log-settings manage-log enable
set shared admin-role admin-radius role device webui device server-profile snmp-trap enable
set shared admin-role admin-radius role device webui device server-profile syslog enable
set shared admin-role admin-radius role device webui device server-profile email enable
set shared admin-role admin-radius role device webui device server-profile netflow enable
set shared admin-role admin-radius role device webui device server-profile radius enable
set shared admin-role admin-radius role device webui device server-profile tacplus enable
set shared admin-role admin-radius role device webui device server-profile ldap enable
set shared admin-role admin-radius role device webui device server-profile kerberos enable
set shared admin-role admin-radius role device webui device local-user-database users enable
set shared admin-role admin-radius role device webui device local-user-database user-groups enable
set shared admin-role admin-radius role device webui device scheduled-log-export enable
set shared admin-role admin-radius role device webui device software enable
set shared admin-role admin-radius role device webui device global-protect-client enable
set shared admin-role admin-radius role device webui device dynamic-updates enable
set shared admin-role admin-radius role device webui device licenses enable
set shared admin-role admin-radius role device webui device support enable
set shared admin-role admin-radius role device webui device master-key enable
set shared admin-role admin-radius role device webui privacy show-full-ip-addresses enable
set shared admin-role admin-radius role device webui privacy show-user-names-in-logs-and-reports enable
set shared admin-role admin-radius role device webui privacy view-pcap-files enable
set shared admin-role admin-radius role device webui validate enable
set shared admin-role admin-radius role device webui commit enable
set shared admin-role admin-radius role device webui global system-alarms enable
set shared admin-role admin-radius role device xmlapi report enable
set shared admin-role admin-radius role device xmlapi log enable
set shared admin-role admin-radius role device xmlapi config enable
set shared admin-role admin-radius role device xmlapi op enable
set shared admin-role admin-radius role device xmlapi commit enable
set shared admin-role admin-radius role device xmlapi user-id enable
set shared admin-role admin-radius role device xmlapi export enable
set shared admin-role admin-radius role device xmlapi import enable
Create the Authentication Profile, in which we use our ISE server profile:
under Type choose RADIUS
Server Profile: choose our ISE profile
Under Advanced
in Allow List choose all
CLI
set shared authentication-profile ISE method radius server-profile ISE
set shared authentication-profile ISE allow-list all
set shared authentication-profile ISE lockout lockout-time 1
set shared authentication-profile ISE lockout failed-attempts 5
After the commit, we try to log in to the device over SSH.
In the PA logs we see:
Web
search with:
( object eq auth )
or, as on the screenshot below:
( eventid eq auth-success )
To find failed authentications, use the filter:
( eventid eq auth-fail )
CLI
michal-adminpa@PA-VM> show log system eventid equal auth-success
Time                 Severity Subtype Object EventID ID Description
===============================================================================
2016/05/10 13:00:16 info general auth auth-su 0 authenticated for user 'michal-adminpa'. auth profile 'auth', vsys 'shared', server profile 'ISE', server address '192.168.1.55', From: 192.168.1.10.
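As an added example (not part of the original post), the detection logic below parses system-log lines in the layout of the `show log system` output above (Time, Severity, Subtype, Object, EventID, ID, Description) and counts failed admin logins per user and source address, flagging a success that follows a burst of failures. The sample lines are constructed for this example (the CLI table truncates the EventID column, so they carry the full auth-fail / auth-success values), and the threshold of 5 mirrors the `lockout failed-attempts 5` of the ISE authentication profile.

```python
"""Count failed admin logins per (user, source) in PAN-OS system-log lines
and flag a success that follows a burst of failures. Added example, not
from the post; the sample lines below are constructed."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<time>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(?P<severity>\S+)\s+"
    r"(?P<subtype>\S+)\s+(?P<object>\S+)\s+(?P<eventid>\S+)\s+(?P<id>\d+)\s+"
    r"(?P<desc>.*)$"
)
USER_RE = re.compile(r"for user '([^']+)'")
FROM_RE = re.compile(r"From: (\d{1,3}(?:\.\d{1,3}){3})")


def _line(ts: str, eventid: str, user: str, src: str, verb: str) -> str:
    """Build a constructed log line in the shape of the CLI output."""
    return (f"{ts} info general auth {eventid} 0 {verb} for user '{user}'. "
            f"auth profile 'ISE', vsys 'shared', server profile 'ISE', "
            f"server address '192.168.1.55', From: {src}.")


# Constructed sample: one normal login from 192.168.1.10, then five failures
# from 192.168.1.77 followed by a success for the same account.
SAMPLE_LOG: List[str] = (
    [_line("2016/05/10 12:58:01", "auth-success", "michal-adminpa",
           "192.168.1.10", "authenticated")]
    + [_line(f"2016/05/10 13:02:{10 + i:02d}", "auth-fail", "michal-adminpa",
             "192.168.1.77", "failed authentication") for i in range(5)]
    + [_line("2016/05/10 13:03:40", "auth-success", "michal-adminpa",
             "192.168.1.77", "authenticated")]
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one CLI-style line; None for non-auth or unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("object") != "auth":
        return None
    rec = m.groupdict()
    user = USER_RE.search(rec["desc"])
    src = FROM_RE.search(rec["desc"])
    rec["user"] = user.group(1) if user else ""
    rec["src"] = src.group(1) if src else ""
    return rec


def audit_admin_logins(lines: Iterable[str], threshold: int = 5
                       ) -> Tuple[Dict[Tuple[str, str], int], List[Tuple[str, str]]]:
    """Return ({(user, src): failures} for pairs at or above threshold,
    [(user, src)] that logged in successfully after reaching it)."""
    fails: Counter = Counter()
    suspicious: List[Tuple[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["user"], rec["src"])
        if rec["eventid"] == "auth-fail":
            fails[key] += 1
        elif rec["eventid"] == "auth-success" and fails[key] >= threshold:
            suspicious.append(key)
    flagged = {k: n for k, n in fails.items() if n >= threshold}
    return flagged, suspicious
```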
Such a user cannot add or modify local accounts, nor add or modify Admin Roles (the admin-radius role above sets the administrators and admin-roles pages to read-only); as you can see below, the Add and Delete buttons are greyed out for me:
To allow access with full rights we have to create an Administrator account:
where Name is our user that exists in RADIUS.
CLI
set mgt-config users michal permissions role-based superuser yes
set mgt-config users michal authentication-profile ISE
After this we have an account with full privileges, and the logged-in administrator can now modify Admin Roles.