0.背景
本文适用于办公以及研发环境的虚拟专有网络统一认证,适用于同时需要保障环境安全性,完整性以及可控性的情况。
内网的安全涉及到wifi准入,上网行为管理,网络出口防火墙等。基于ZStack平台私有云环境,需要一整套虚拟专有网准入以及日志审计的系统平台。
本次主要是使用openldap作为统一认证,Cisco ASA 作为VPN服务端,使用syslog进行日志审计。同时也提供了使用snmp的方式去定时轮训获取登录的用户以及ip。
说明:
本文介绍的方案是新钛云服架构师在实际环境中实践总结而来,效果不错,所以整理分享出来。
实战环境:
AA.zstack+ASA8.42+Anyconnect+Ldap(CiscoPerson)+Syslog
1.快速安装openldap
https://github.com/osixia/docker-openldap
docker run --env LDAP_ORGANISATION="tyun" --env LDAP_DOMAIN="tyun.cn" --env LDAP_ADMIN_PASSWORD="ldap_passwd" --volume /data/slapd/database:/var/lib/ldap --volume /data/slapd/config:/etc/ldap/slapd.d --detach -it -p 389:389 -p 636:636 osixia/openldap:1.2.0
docker 快速安装(根据需要选择对应的版本,或者手工基于dockerfile build最新版本)或者手动安装,但需要加入memberof 属性。
2.openldap 导入CiscoPerson objectclass
2.1 下载 cisco.schema
wget
cisco.schema(上面链接失效的化,使用本处)
将85行改为MUST ( uid $ cn ), 86行 delete掉telephoneNumber(否则会报错)
也可以直接使用已经修改好的
2.2 基于cisco.schema生成cisco.ldif
新建配置文件以及目录
echo "include cisco.schema" >>cisco.conf
mkdir ldif_cisco
slaptest -f cisco.conf -F ldif_cisco
获取到ldif目录结构如下:
tree ldif
tree
.
├── cn=conflig
│ ├── cn=schema
│ │ └── cn={0}cisco.ldif
│ ├── cn=schema.ldif
│ ├── olcDatabase={0}config.ldif
│ └── olcDatabase={-1}frontend.ldif
└── cn=config.ldif
文件cn=config/cn=schema/cn={0}cisco.ldif就是生成的‘ldif’文件,编辑此文件,前三行改为:
dn: cn=cisco,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: cisco
最后注释掉最后七行:
2.3 将‘’cn={0}cisco.ldif"文件内容导入ldap数据库
进入对应的目录,导入数据库(如果使用docker安装,则通过docker cp 复制配置文件到容器里执行,当然也可以安装openldap-clients,openldap-devel,通过-H 指定ldap主机):
cd ldif_cisco/cn=config/cn=schema
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f cn={0}cisco.ldif
查看是否导入成功:
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
直接查看生成的文件(/etc/ldap/slapd.d/cn=config/cn=schema/cn={16}cisco.ldif):
3.Cisco ASA
3.1商业购买ASA 硬件+ Anyconnect vpn的liscence (推荐)
3.2模拟器vMware或在Esxi版本的ASA8.42(或者ASA931等其他版本都可以) +Cisco ASA Keygen(网上教程比较多,仅作为测试学习使用,请勿商业使用。)
3.3 KVM 版本的 ASA8.42(仅作为测试学习使用)。
解压vmware的ova 文件(iso文件为启动引导文件,qcow2为disk0:或者flash文件,最重要的是iso文件,qcow2可以重新生成):
convert vmware to qcow2
root@zhuxiang:~/cisco# tar -xvf asa842.ova
WOLF-ASA842-adv.ovf
WOLF-ASA842-adv.mf
WOLF-ASA842-adv-disk1.vmdk
WOLF-ASA842-adv-file1.iso
root@zhuxiang:~/cisco# ls
asa842.ova WOLF-ASA842-adv-disk1.vmdk WOLF-ASA842-adv-file1.iso WOLF-ASA842-adv.mf WOLF-ASA842-adv.ovf
root@zhuxiang:~/cisco# mkdir -pv ASA_qcow2
mkdir: created directory 'ASA_qcow2'
root@zhuxiang:~/cisco# qemu-img convert -f vmdk -O qcow2 WOLF-ASA842-adv-disk1.vmdk ASA_qcow2/ASA842-adv-disk1.qcow2
root@zhuxiang:~/cisco# cp WOLF-ASA842-adv-file1.iso ASA_qcow2/ASA842-adv-file1.iso
最重要的是iso文件,每次虚拟机启动都要重iso启动:
root@zhuxiang:~/cisco# ls ASA_qcow2/
ASA842-adv-disk1.qcow2 ASA842-adv-file1.iso
查看qcow2文件:
root@zhuxiang:~/cisco/ASA_qcow2# virt-list-filesystems -a ASA842-adv-disk1.qcow2
/dev/sda1
通过guestmount工具查看asa磁盘里的信息。
root@zhuxiang:~/cisco/ASA_qcow2# guestmount -a ASA842-adv-disk1.qcow2 -m /dev/sda1 /mnt
root@zhuxiang:~/cisco/ASA_qcow2# ls /mnt/
anyconnect-win-3.0.0629-k9.pkg boot csco_config rdp2-plugin.090211.jar ssh-plugin.080430.jar
asdm-645-206.bin coredumpinfo csd_3.6.181-k9.pkg rdp-plugin.101215.jar vnc-plugin.080130.jar
可以生成kvm系统(网卡必须选择e1000,把iso作为第一启动项),或者导入ISO ZStack,然后直接运行(导入ASA8.42.iso,格式必须是iso,平台是other):
创建虚拟机,根云盘规格选择10G,计算规格2核4G以上,网络按照需求选择,选择对应的ASA8.42 iso镜像。创建虚拟机成功。(Network Anti-Spoofing 功能注意关闭)
由于zstack2.3.2 不支持serial重定向,查看ASA8.42所在的计算节点,通过在宿主机上直接运行命令virsh console ASA8.42_domain进入console控制台,配置基础管理功能
(其他版本ASA可能支持直接从页面console口登陆)
修改云主机启动顺序(CdRom,HardDisk):
asa
[root@bjm8-zscns-10-0-3-16 ~]# virsh list --all
Id 名称 状态
----------------------------------------------------
6 687ba60019f04a5fa71b3f1501560d3a running
7 3459d91402c247ca8fabf0e7d922af7b running
9 09cabc8ca969429c9505fafaf14071eb running
34 fb4550f382fb496cbb03d77ca5f2456e running
42 8af69ae1236e4827880f6684987d9438 running
43 zstack10310 running
[root@bjm8-zscns-10-0-3-16 ~]# virsh console 8af69ae1236e4827880f6684987d9438
连接到域 8af69ae1236e4827880f6684987d9438
换码符为 ^]
ASAGW7>
ASAGW7> ena
Password:
ASAGW7# show version
Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)206
Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"
ASAGW7 up 1 day 20 hours
Hardware: ASA 5520, 3072 MB RAM, CPU Pentium II 2095 MHz
Internal ATA Compact Flash, 131072MB
BIOS Flash unknown @ 0x0, 0KB
0: Ext: GigabitEthernet0 : address is fa1a.6c10.8800, irq 0
1: Ext: GigabitEthernet1 : address is fa03.b8ec.3001, irq 0
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 20 perpetual
GTP/GPRS : Enabled perpetual
AnyConnect Premium Peers : 10000 perpetual
AnyConnect Essentials : 0 perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 0 perpetual
Shared License : Enabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
UC Phone Proxy Sessions : 5000 perpetual
Total UC Proxy Sessions : 10000 perpetual
Botnet Traffic Filter : Enabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5520 VPN Plus license.
4.AnyConnect VPN 配置
41. webvpn 配置
webvpn
webvpn
enable Outside
no anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.0.0629-k9.pkg 1
anyconnect enable
tunnel-group-list enable
sysopt connection permit-vpn
4.2 aaa-server ldap 配置
aaa-server ldap
ASAGW7# sho running-config aaa-server
aaa-server LdapServerGroup0 protocol ldap
aaa-server LdapServerGroup0 (Inside) host XXXXXXXXXX
ldap-base-dn dc=tyun,dc=cn
ldap-scope subtree
ldap-naming-attribute uid
ldap-login-password
ldap-login-dn cn=admin,dc=tyun,dc=cn
server-type openldap
ldap-attribute-map LdapMapClass0
4.3 ldap attribute-map 配置
ldap attreibute-map
ASAGW7# sho run ldap
ldap attribute-map LdapMapClass0
map-name CiscoACLin Cisco-AV-Pair
map-name CiscoBanner Banner1
map-name CiscoDNS Primary-DNS
map-name CiscoDomain IPSec-Default-Domain
map-name CiscoGroupPolicy IETF-Radius-Class
map-name CiscoIPAddress IETF-Radius-Framed-IP-Address
map-name CiscoIPNetmask IETF-Radius-Framed-IP-Netmask
map-name CiscoSplitACL IPSec-Split-Tunnel-List
map-name CiscoSplitTunnelPolicy IPSec-Split-Tunneling-Policy
ldap 用户 ciscoperson objectclass 添加,以及ASA关键配置
ciscoperson
根据需要配置ciscoperson,案例如下,本次案例可以直接只使用group-policy
cat users.ldiff
# User account
dn: uid=zhuxiang,ou=operations,ou=users,dc=tyun,dc=cn
cn: zhu xiang
givenName: zhuxiang
sn: zhuxiang
uid: zhuxiang
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/zhuxiang
mail: zhuxiang@tyun.cn
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: CiscoPerson
loginShell: /bin/bash
userPassword: {CRYPT}
CiscoBanner: This is banner 1
CiscoIPAddress: 10.1.1.1
CiscoIPNetmask: 255.255.255.128
CiscoDomain: xtstack.com
CiscoDNS: 223.5.5.5
CiscoACLin: ip:inacl#1=permit ip 10.255.0.200 255.255.255.255 10.0.3.14 255.255.255.255
ip:inacl#2=permit ip 10.255.0.200 255.255.255.255 10.0.3.10 255.255.255.255
CiscoSplitACL: DefaultSplitVPNAcl0
CiscoSplitTunnelPolicy: 1
CiscoGroupPolicy: DefaultGroupPolicy0
ASA 上对应配置
ASAGW47# show running-config access-list
access-list DefaultSplitVPNAcl0 standard permit 10.0.0.0 255.0.0.0
access-list DefaultSplitVPNAcl1 standard permit 10.0.5.0 255.255.255.0
ip local pool DefaultVPNPool0 10.255.0.11-10.255.0.64 mask 255.255.255.0
新建用户group-policy ,以及默认denyall的group-policy
ASAGW47# sho running-config group-policy
group-policy DefaultGroupPolicy0 internal
group-policy DefaultGroupPolicy0 attributes
vpn-simultaneous-logins 10
vpn-idle-timeout 9999
vpn-session-timeout none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultSplitVPNAcl0
default-domain value tyun.cn
address-pools value DefaultVPNPool0
group-policy NoAccessGroupPolicy internal
group-policy NoAccessGroupPolicy attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
default-domain value tyun.cn
address-pools none
LDAP用户匹配上group-policy DefaultGroupPolicy0 才可以访问,其他用户默认匹配group-policy NoAccessGroupPolicy,该策略默认不可以访问vpn
ASAGW7# sho run tunnel-group
tunnel-group DefaultTunnelGroup0 type remote-access
tunnel-group DefaultTunnelGroup0 general-attributes
authentication-server-group LdapServerGroup0
default-group-policy NoAccessGroupPolicy
tunnel-group DefaultTunnelGroup0 webvpn-attributes
group-alias OperationsAdmin enable
ldap objectclass ciscoperson 常见
https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ref_extserver.pdf
5.log 配置
开启ASA vpn 以及auth log
asa syslog
logging enable
logging timestamp
logging buffer-size 1048576
logging buffered notifications
logging class vpn buffered notifications
logging class auth buffered notifications
日志可以查看登录用户历史记录
log
ASAGW7# show logging | include zhuxiang
May 23 2018 17:54:02: %ASA-4-722041: TunnelGroupGroupPolicyUserIP<58.215.49.222>No IPv6 address available for SVC connection
May 23 2018 17:54:02: %ASA-5-722033: GroupUserIP<58.215.49.222>First TCP SVC connection established for SVC session.
May 23 2018 17:54:02: %ASA-4-722051: GroupUserIP<58.215.49.222>Address<10.255.0.13>assigned to session
May 23 2018 17:57:20: %ASA-5-722012: GroupUserIP<58.215.49.222>SVC Message: 16/NOTICE: Aborted by caller.
May 23 2018 17:57:20: %ASA-5-722037: GroupUserIP<58.215.49.222>SVC closing connection: User Requested.
May 23 2018 17:57:20: %ASA-4-113019: Group = DefaultTunnelGroup0, Username = zhuxiang, IP = 58.215.49.222, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:03m:18s, Bytes xmt: 8592, Bytes rcv: 1053, Reason: User Requested
May 23 2018 18:45:44: %ASA-5-722037: GroupUserIP<101.81.238.100>SVC closing connection: Transport closing.
May 23 2018 18:48:15: %ASA-5-722037: GroupUserIP<101.81.238.100>SVC closing connection: Transport closing.
通通过snmp 获取 用户以及访问的来源ip地址
asa snmp
[root@zabbix55 ~]# snmpwalk -v 2c -c tyun11325 10.0.5.7 enterprises.9.9.392.1.3.21.1.10
SNMPv2-SMI::enterprises.9.9.392.1.3.21.1.10.8.122.104.117.120.105.97.110.103.53249 = STRING: "124.78.135.29"
SNMPv2-SMI::enterprises.9.9.392.1.3.21.1.10.8.122.104.117.120.105.97.110.103.57345 = STRING: "101.81.238.100"
重量级的Graylog
https://blog.csdn.net/liukuan73/article/details/52525431
商业kiwi syslog
6.后记
以下的方法是直接通过ldap memberof (ldapsearch -x -h "127.0.0.1" -b dc=tyun,dc=cn -D "cn=admin,dc=tyun,dc=cn" -W '(uid=zhuxiang)' memberOf)属性映射的方式,8.4.2没有测试成功,估计要更高的版本。
作者:祝祥 新钛云服运维架构师
十年运维经验,曾任刻通云运维工程师、微烛云和某互联网金融平台首席运维架构师。拥有OpenStack、CCIE、阿里云、ZStack等技术认证。有上万台云主机,PB级别分布式存储运维经验。熟悉各种虚拟化技术,软硬件,网络,容器编排等技术,拥有python开发经验。热爱各种开源技术。
免责声明:本网站内容主要来自原创、合作伙伴供稿和第三方自媒体作者投稿,凡在本网站出现的信息,均仅供参考。本网站将尽力确保所提供信息的准确性及可靠性,但不保证有关资料的准确性及可靠性,读者在使用前请进一步核实,并对任何自主决定的行为负责。本网站对有关资料所引致的错误、不确或遗漏,概不负任何法律责任。任何单位或个人认为本网站中的网页或链接内容可能涉嫌侵犯其知识产权或存在不实内容时,应及时向本网站提出书面权利通知或不实情况说明,并提供身份证明、权属证明及详细侵权或不实情况证明。本网站在收到上述法律文件后,将会依法尽快联系相关文章源头核实,沟通删除相关内容或断开相关链接。
