0.背景
本文適用於辦公以及研發環境的虛擬專有網絡統一認證,適用於同時需要保障環境安全性,完整性以及可控性的情況。
內網的安全涉及到wifi准入,上網行為管理,網絡出口防火牆等。基於ZStack平台私有雲環境,需要一整套虛擬專有網准入以及日志審計的系統平台。
本次主要是使用openldap作為統一認證,Cisco ASA 作為VPN服務端,使用syslog進行日志審計。同時也提供了使用snmp的方式去定時輪訓獲取登錄的用戶以及ip。
說明:
本文介紹的方案是新鈦雲服架構師在實際環境中實踐總結而來,效果不錯,所以整理分享出來。
實戰環境:
AA.zstack+ASA8.42+Anyconnect+Ldap(CiscoPerson)+Syslog
1.快速安裝openldap
https://github.com/osixia/docker-openldap
docker run --env LDAP_ORGANISATION="tyun" --env LDAP_DOMAIN="tyun.cn" --env LDAP_ADMIN_PASSWORD="ldap_passwd" --volume /data/slapd/database:/var/lib/ldap --volume /data/slapd/config:/etc/ldap/slapd.d --detach -it -p 389:389 -p 636:636 osixia/openldap:1.2.0
docker 快速安裝(根據需要選擇對應的版本,或者手工基於dockerfile build最新版本)或者手動安裝,但需要加入memberof 屬性。
2.openldap 導入CiscoPerson objectclass
2.1 下載 cisco.schema
wget https://gist.github.com/jaseywang/041f76d03e2f43579d6f6984e3358774
cisco.schema(上面鏈接失效的化,使用本處)
將85行改為MUST ( uid $ cn ), 86行 delete掉telephoneNumber(否則會報錯)
也可以直接使用已經修改好的
https://raw.githubusercontent.com/qingyufei/ubuntutools/master/Cisco_ASA_ldap/zhuxiang/cisco.schema
2.2 基於cisco.schema生成cisco.ldif
新建配置文件以及目錄
echo "include cisco.schema" >>cisco.conf
mkdir ldif_cisco
slaptest -f cisco.conf -F ldif_cisco
獲取到ldif目錄結構如下:
tree ldif
tree
.
├── cn=conflig
│ ├── cn=schema
│ │ └── cn={0}cisco.ldif
│ ├── cn=schema.ldif
│ ├── olcDatabase={0}config.ldif
│ └── olcDatabase={-1}frontend.ldif
└── cn=config.ldif
文件cn=config/cn=schema/cn={0}cisco.ldif就是生成的‘ldif’文件,編輯此文件,前三行改為:
dn: cn=cisco,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: cisco
最后注釋掉最后七行:
2.3 將‘’cn={0}cisco.ldif"文件內容導入ldap數據庫
進入對應的目錄,導入數據庫(如果使用docker安裝,則通過docker cp 復制配置文件到容器里執行,當然也可以安裝openldap-clients,openldap-devel,通過-H 指定ldap主機):
cd ldif_cisco/cn=config/cn=schema
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f cn={0}cisco.ldif
查看是否導入成功:
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
直接查看生成的文件(/etc/ldap/slapd.d/cn=config/cn=schema/cn={16}cisco.ldif):
3.Cisco ASA
3.1商業購買ASA 硬件+ Anyconnect vpn的liscence (推薦)
3.2模擬器vMware或在Esxi版本的ASA8.42(或者ASA931等其他版本都可以) +Cisco ASA Keygen(網上教程比較多,僅作為測試學習使用,請勿商業使用。)
3.3 KVM 版本的 ASA8.42(僅作為測試學習使用)。
解壓vmware的ova 文件(iso文件為啟動引導文件,qcow2為disk0:或者flash文件,最重要的是iso文件,qcow2可以重新生成):
convert vmware to qcow2
root@zhuxiang:~/cisco# tar -xvf asa842.ova
WOLF-ASA842-adv.ovf
WOLF-ASA842-adv.mf
WOLF-ASA842-adv-disk1.vmdk
WOLF-ASA842-adv-file1.iso
root@zhuxiang:~/cisco# ls
asa842.ova WOLF-ASA842-adv-disk1.vmdk WOLF-ASA842-adv-file1.iso WOLF-ASA842-adv.mf WOLF-ASA842-adv.ovf
root@zhuxiang:~/cisco# mkdir -pv ASA_qcow2
mkdir: created directory 'ASA_qcow2'
root@zhuxiang:~/cisco# qemu-img convert -f vmdk -O qcow2 WOLF-ASA842-adv-disk1.vmdk ASA_qcow2/ASA842-adv-disk1.qcow2
root@zhuxiang:~/cisco# cp WOLF-ASA842-adv-file1.iso ASA_qcow2/ASA842-adv-file1.iso
最重要的是iso文件,每次虛擬機啟動都要重iso啟動:
root@zhuxiang:~/cisco# ls ASA_qcow2/
ASA842-adv-disk1.qcow2 ASA842-adv-file1.iso
查看qcow2文件:
root@zhuxiang:~/cisco/ASA_qcow2# virt-list-filesystems -a ASA842-adv-disk1.qcow2
/dev/sda1
通過guestmount工具查看asa磁盤里的信息。
root@zhuxiang:~/cisco/ASA_qcow2# guestmount -a ASA842-adv-disk1.qcow2 -m /dev/sda1 /mnt
root@zhuxiang:~/cisco/ASA_qcow2# ls /mnt/
anyconnect-win-3.0.0629-k9.pkg boot csco_config rdp2-plugin.090211.jar ssh-plugin.080430.jar
asdm-645-206.bin coredumpinfo csd_3.6.181-k9.pkg rdp-plugin.101215.jar vnc-plugin.080130.jar
可以生成kvm系統(網卡必須選擇e1000,把iso作為第一啟動項),或者導入ISO ZStack,然后直接運行(導入ASA8.42.iso,格式必須是iso,平台是other):
創建虛擬機,根雲盤規格選擇10G,計算規格2核4G以上,網絡按照需求選擇,選擇對應的ASA8.42 iso鏡像。創建虛擬機成功。(Network Anti-Spoofing 功能注意關閉)
由於zstack2.3.2 不支持serial重定向,查看ASA8.42所在的計算節點,通過在宿主機上直接運行命令virsh console ASA8.42_domain進入console控制台,配置基礎管理功能
(其他版本ASA可能支持直接從頁面console口登陸)
修改雲主機啟動順序(CdRom,HardDisk):
asa
[root@bjm8-zscns-10-0-3-16 ~]# virsh list --all
Id 名稱 狀態
----------------------------------------------------
6 687ba60019f04a5fa71b3f1501560d3a running
7 3459d91402c247ca8fabf0e7d922af7b running
9 09cabc8ca969429c9505fafaf14071eb running
34 fb4550f382fb496cbb03d77ca5f2456e running
42 8af69ae1236e4827880f6684987d9438 running
43 zstack10310 running
[root@bjm8-zscns-10-0-3-16 ~]# virsh console 8af69ae1236e4827880f6684987d9438
連接到域 8af69ae1236e4827880f6684987d9438
換碼符為 ^]
ASAGW7>
ASAGW7> ena
Password:
ASAGW7# show version
Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)206
Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"
ASAGW7 up 1 day 20 hours
Hardware: ASA 5520, 3072 MB RAM, CPU Pentium II 2095 MHz
Internal ATA Compact Flash, 131072MB
BIOS Flash unknown @ 0x0, 0KB
0: Ext: GigabitEthernet0 : address is fa1a.6c10.8800, irq 0
1: Ext: GigabitEthernet1 : address is fa03.b8ec.3001, irq 0
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 20 perpetual
GTP/GPRS : Enabled perpetual
AnyConnect Premium Peers : 10000 perpetual
AnyConnect Essentials : 0 perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 0 perpetual
Shared License : Enabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
UC Phone Proxy Sessions : 5000 perpetual
Total UC Proxy Sessions : 10000 perpetual
Botnet Traffic Filter : Enabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5520 VPN Plus license.
4.AnyConnect VPN 配置
41. webvpn 配置
webvpn
webvpn
enable Outside
no anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.0.0629-k9.pkg 1
anyconnect enable
tunnel-group-list enable
sysopt connection permit-vpn
4.2 aaa-server ldap 配置
aaa-server ldap
ASAGW7# sho running-config aaa-server
aaa-server LdapServerGroup0 protocol ldap
aaa-server LdapServerGroup0 (Inside) host XXXXXXXXXX
ldap-base-dn dc=tyun,dc=cn
ldap-scope subtree
ldap-naming-attribute uid
ldap-login-password
ldap-login-dn cn=admin,dc=tyun,dc=cn
server-type openldap
ldap-attribute-map LdapMapClass0
4.3 ldap attribute-map 配置
ldap attreibute-map
ASAGW7# sho run ldap
ldap attribute-map LdapMapClass0
map-name CiscoACLin Cisco-AV-Pair
map-name CiscoBanner Banner1
map-name CiscoDNS Primary-DNS
map-name CiscoDomain IPSec-Default-Domain
map-name CiscoGroupPolicy IETF-Radius-Class
map-name CiscoIPAddress IETF-Radius-Framed-IP-Address
map-name CiscoIPNetmask IETF-Radius-Framed-IP-Netmask
map-name CiscoSplitACL IPSec-Split-Tunnel-List
map-name CiscoSplitTunnelPolicy IPSec-Split-Tunneling-Policy
ldap 用戶 ciscoperson objectclass 添加,以及ASA關鍵配置
ciscoperson
根據需要配置ciscoperson,案例如下,本次案例可以直接只使用group-policy
cat users.ldiff
# User account
dn: uid=zhuxiang,ou=operations,ou=users,dc=tyun,dc=cn
cn: zhu xiang
givenName: zhuxiang
sn: zhuxiang
uid: zhuxiang
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/zhuxiang
mail: zhuxiang@tyun.cn
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: CiscoPerson
loginShell: /bin/bash
userPassword: {CRYPT}
CiscoBanner: This is banner 1
CiscoIPAddress: 10.1.1.1
CiscoIPNetmask: 255.255.255.128
CiscoDomain: xtstack.com
CiscoDNS: 223.5.5.5
CiscoACLin: ip:inacl#1=permit ip 10.255.0.200 255.255.255.255 10.0.3.14 255.255.255.255
ip:inacl#2=permit ip 10.255.0.200 255.255.255.255 10.0.3.10 255.255.255.255
CiscoSplitACL: DefaultSplitVPNAcl0
CiscoSplitTunnelPolicy: 1
CiscoGroupPolicy: DefaultGroupPolicy0
ASA 上對應配置
ASAGW47# show running-config access-list
access-list DefaultSplitVPNAcl0 standard permit 10.0.0.0 255.0.0.0
access-list DefaultSplitVPNAcl1 standard permit 10.0.5.0 255.255.255.0
ip local pool DefaultVPNPool0 10.255.0.11-10.255.0.64 mask 255.255.255.0
新建用戶group-policy ,以及默認denyall的group-policy
ASAGW47# sho running-config group-policy
group-policy DefaultGroupPolicy0 internal
group-policy DefaultGroupPolicy0 attributes
vpn-simultaneous-logins 10
vpn-idle-timeout 9999
vpn-session-timeout none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultSplitVPNAcl0
default-domain value tyun.cn
address-pools value DefaultVPNPool0
group-policy NoAccessGroupPolicy internal
group-policy NoAccessGroupPolicy attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
default-domain value tyun.cn
address-pools none
LDAP用戶匹配上group-policy DefaultGroupPolicy0 才可以訪問,其他用戶默認匹配group-policy NoAccessGroupPolicy,該策略默認不可以訪問vpn
ASAGW7# sho run tunnel-group
tunnel-group DefaultTunnelGroup0 type remote-access
tunnel-group DefaultTunnelGroup0 general-attributes
authentication-server-group LdapServerGroup0
default-group-policy NoAccessGroupPolicy
tunnel-group DefaultTunnelGroup0 webvpn-attributes
group-alias OperationsAdmin enable
ldap objectclass ciscoperson 常見
https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ref_extserver.pdf
5.log 配置
開啟ASA vpn 以及auth log
asa syslog
logging enable
logging timestamp
logging buffer-size 1048576
logging buffered notifications
logging class vpn buffered notifications
logging class auth buffered notifications
日志可以查看登錄用戶歷史記錄
log
ASAGW7# show logging | include zhuxiang
May 23 2018 17:54:02: %ASA-4-722041: TunnelGroup <DefaultTunnelGroup0> GroupPolicy <DefaultGroupPolicy0> User <zhuxiang> IP <58.215.49.222> No IPv6 address available for SVC connection
May 23 2018 17:54:02: %ASA-5-722033: Group <DefaultGroupPolicy0> User <zhuxiang> IP <58.215.49.222> First TCP SVC connection established for SVC session.
May 23 2018 17:54:02: %ASA-4-722051: Group <DefaultGroupPolicy0> User <zhuxiang> IP <58.215.49.222> Address <10.255.0.13> assigned to session
May 23 2018 17:57:20: %ASA-5-722012: Group <DefaultGroupPolicy0> User <zhuxiang> IP <58.215.49.222> SVC Message: 16/NOTICE: Aborted by caller.
May 23 2018 17:57:20: %ASA-5-722037: Group <DefaultGroupPolicy0> User <zhuxiang> IP <58.215.49.222> SVC closing connection: User Requested.
May 23 2018 17:57:20: %ASA-4-113019: Group = DefaultTunnelGroup0, Username = zhuxiang, IP = 58.215.49.222, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:03m:18s, Bytes xmt: 8592, Bytes rcv: 1053, Reason: User Requested
May 23 2018 18:45:44: %ASA-5-722037: Group <DefaultGroupPolicy0> User <zhuxiang> IP <101.81.238.100> SVC closing connection: Transport closing.
May 23 2018 18:48:15: %ASA-5-722037: Group <DefaultGroupPolicy0> User <zhuxiang> IP <101.81.238.100> SVC closing connection: Transport closing.
通通過snmp 獲取 用戶以及訪問的來源ip地址
asa snmp
[root@zabbix55 ~]# snmpwalk -v 2c -c tyun11325 10.0.5.7 enterprises.9.9.392.1.3.21.1.10
SNMPv2-SMI::enterprises.9.9.392.1.3.21.1.10.8.122.104.117.120.105.97.110.103.53249 = STRING: "124.78.135.29"
SNMPv2-SMI::enterprises.9.9.392.1.3.21.1.10.8.122.104.117.120.105.97.110.103.57345 = STRING: "101.81.238.100"
重量級的Graylog
https://blog.csdn.net/liukuan73/article/details/52525431
商業kiwi syslog
6.后記
以下的方法是直接通過ldap memberof (ldapsearch -x -h "127.0.0.1" -b dc=tyun,dc=cn -D "cn=admin,dc=tyun,dc=cn" -W '(uid=zhuxiang)' memberOf)屬性映射的方式,8.4.2沒有測試成功,估計要更高的版本。
參考文檔:
https://www.cisco.com/c/zh_cn/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html#anc6
https://www.tunnelsup.com/cisco-asa-vpn-authorize-user-based-on-ldap-group/
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98625-asa-ldap-authentication.html
作者:祝祥 新鈦雲服運維架構師
十年運維經驗,曾任刻通雲運維工程師、微燭雲和某互聯網金融平台首席運維架構師。擁有OpenStack、CCIE、阿里雲、ZStack等技術認證。有上萬台雲主機,PB級別分布式存儲運維經驗。熟悉各種虛擬化技術,軟硬件,網絡,容器編排等技術,擁有python開發經驗。熱愛各種開源技術。