{"id":1442,"date":"2010-09-28T03:42:58","date_gmt":"2010-09-28T07:42:58","guid":{"rendered":"http:\/\/www.killtest.hk\/?p=1442"},"modified":"2010-09-28T03:42:58","modified_gmt":"2010-09-28T07:42:58","slug":"nac","status":"publish","type":"post","link":"https:\/\/www.killtest.hk\/index.php\/cisco\/nac\/","title":{"rendered":"NAC\u7f51\u7edc\u51c6\u5165–\u6574\u4e2a\u521d\u59cb\u5316\u8fc7\u7a0b"},"content":{"rendered":"

\u521d\u59cb\u5316\u968e\u6bb5<\/strong><\/p>\n

1\uff09\u4e3b\u6a5f\u63a5\u5165\u5230Switch<\/p>\n

2\uff09Switch\u7acb\u5373\u9001SNMP\u7d66CAM(\u9019\u500btrap\u5305\u542b\u4e86Client\u7684MAC\u5730\u5740\u548cSwitch\u7aef\u53e3\u865f)\u3002<\/p>\n

3\uff09CAM\u9996\u5148\u8981\u770b\u662f\u5426\u9019\u500bMac address\u5df2\u7d93\u88abPosture assessment\u904e\uff08CAM\u770b\u662f\u5426Mac\u5730\u5740\u5728\u5df2\u7d93\u8a8d\u8b49\u7684\u8868\u88cf\u9762\u3002\u63db\u53e5\u8a71\u8aaa\uff0ccheck\u9019\u81fa\u6a5f\u5668\u662f\u4e0d\u662f\u66fe\u7d93\u5f9e\u7db2\u7d61\u88cf\u9762logged off\u7684\uff09\uff0c\u5982\u679c\u662f\u66fe\u7d93logged off\u7684\u6a5f\u5668\uff0c\u5247\u53ea\u9700\u76f4\u63a5\u653e\u5230access vlan \u6216\u8005\u8b93\u5b83\u91cd\u65b0\u8a8d\u8b49\uff0c\u5982\u679c\u91cd\u65b0\u8a8d\u8b49\u7684\u8a71\uff0c\u58f9\u822c\u6211\u5011\u4e0d\u6703\u518d\u6b21\u505aPostrue assessment\uff0c\u53ea\u9700\u8981authentication\u5c31\u53ef\u4ee5\u3002\u9019\u500b\u53ef\u4ee5\u5728CAM\u4e0a\u5b9a\u7fa9\u3002
\n4\uff09\u5982\u679c\u9019\u662f\u58f9\u81fa\u65b0\u7684Client\uff0cCAM\u6703\u9001\u58f9\u500bSNMP write\u7d66Switch\uff0c\u8b93Switch\u7684\u9019\u500b\u63a5\u53e3\u8655\u65bcauthentication VLAN\uff08\u6bd4\u5982vlan 200\uff09\u3002
\n5\uff09CAM\u540c\u6642\u6703\u628a\u9019\u500bClient\u7684\u4fe1\u606f\u6dfb\u52a0\u5230\u81ea\u5df1\u7684OOB Discovered list \u5217\u8868\u88cf\u9762\u3002\u9019\u500b\u4fe1\u606f\u662f\u5f9eSwitch\u4e0a\u767c\u904e\u4f86\u7684SNMP Mac trap \u6216Switch link up down traps\u3002
\n6\uff09\u5230\u4e86\u9019\u88cf\uff0cClient \u5df2\u7d93\u88ab\u653e\u5230\u4e86Untrasted Vlan\u88cf\u9762vlan 200\uff0c\u6240\u6709\u7684\u5f9eClient\u904e\u4f86\u7684traffic\u90fd\u88ab\u5f37\u8feb\u901a\u904eCAS\u3002\u7576\u7136CAS\u4e0a\u9762\u5df2\u7d93\u88ab\u914d\u7f6e\u5141\u8a31DHCP \u548cDNS queries\u4fe1\u606f\u901a\u904e\uff0c\u7f3a\u7701\u60c5\u6cc1\u4e0b\uff0c\u662f\u4e0d\u5141\u8a31\u901a\u904e\u4efb\u4f55\u6d41\u91cf\u7684\u3002
\n7\uff09\u9019\u500b\u6642\u5019\uff0cClient\u8981\u958b\u59cb\u5f9eDHCP server \u4e0aRequest \u58f9\u500bIP \u5730\u5740\u4e86\u3002
\n8\uff09Client\u7684IP Address request\u88abCAS\u7684untrusted \u53e3\uff08Vlan 200\uff09\u63a5\u6536\uff0c\u5728CAS\u4e0a\uff0crequest packet\u7684VLAN ID \u88ab\u6539\u6210CAS trusted \u53e3\u7684VLAN ID\u6bd4\u5982VLAN 100\uff08\u5982\u4f55\u66f4\u6539vlan\u5176\u5be6\u4f7f\u6211\u5011\u5728CAM\u4e0a\u5df2\u7d93\u9810\u5b9a\u7fa9\u597d\u7684\uff09\uff0c\u53cd\u5411\u540c\u6642\u4e5f\u9700\u8981\u5728CAS\u4e0a\u66f4\u6539\u5305\u7684vlan\u3002
\n9\uff09Okey\uff0c\u7576DHCP server\u6536\u5230\u9019\u500brequest\u5f8c\uff0c\u5b83\u6703\u5206\u914d\u7d66client \u58f9\u500bVLAN 100 \u7684\u5730\u5740\uff0c\u56e0\u70ba\u9019\u500bDHCP server\u662f\u5728VLAN 100 \u88cf\u9762
\n10\uff09CAS \u628a\u5f9eDHCP\u8fd4\u56de\u4f86\u7684packet\u9001\u7d66Client\uff0c\u9019\u88cf\u5176\u5be6CAS\u53c8\u505a\u4e86\u58f9\u6b21\u66f4\u6539VLAN ID\u7684\u5de5\u4f5c\u3002<\/p>\n

11\uff09\u6b64\u6642\uff0c\u9019\u500bClient\u5df2\u7d93\u64c1\u6709\u4e86Access vlan 100 \u88cf\u9762\u7684\u5730\u5740\uff0c\u4f46\u5b83\u53c8\u8655\u5728authentication VLAN\u88cf\u9762\u3002\u8a3b\u610f\u9019\u7a2e\u65b9\u5f0f\u53ea\u80fd\u7528\u5728Virtual gateway \u6a21\u5f0f\uff0c\u5982\u679c\u662fRouter\u6a21\u5f0f\uff0cCAS\u5169\u7aef\u9700\u8981\u4e0d\u540c\u7684\u5730\u5740\u3002<\/p>\n

CAA \u9700\u8981\u505a\u7684\u5de5\u4f5c<\/p>\n

1\uff09Okey\uff0c\u5230\u4e86\u6b64\u6642\uff0c\u9019\u81faClient\u8655\u65bc\u672a\u8a8d\u8b49\u7684\u89d2\u8272\u88cf\u9762\uff0c\u800c\u4e14\u6709\u4e86IP address\uff0c\u9664\u4e86DHCP\u548cDNS queries\uff0c\u5176\u4ed6\u7684\u4efb\u4f55\u6d41\u91cf\u90fd\u4e0d\u53ef\u4ee5\u901a\u904eCAS\uff08\u6211\u5011\u53ef\u4ee5\u5b9a\u7fa9\u5141\u8a31\u901a\u904e\u7684\u6d41\u91cf\uff09\u3002CAA\u8a72\u958b\u59cb\u5de5\u4f5c\u4e86\u3002
\n2\uff09\u7db2\u7d61\u58f9\u65e6\u9023\u901a\uff0c\u5247CAA\u958b\u59cb\u9001SWISS discovery packets \u7d66Default gateway\u3002
\n3\uff09CAS\u7684Swiss \u7aef\u53e3\u58f9\u76f4\u5728\u76e3\u807d\uff0c\u58f9\u65e6\u6536\u5230CAA\u767c\u904e\u4f86\u7684\u4fe1\u606f\uff0c\u5b83\u99ac\u4e0a\u6703\u7d66\u58f9\u500bFeedback\u3002
\n4\uff09CAS\u56de\u9001\u7684\u4fe1\u606f\u540c\u6642\u6703\u4fc3\u4f7fCAA\u5f48\u51fa Login \u7a97\u53e3\u3002\u7528\u6236\u540d\u548cpasswrd\u5c07\u88abNAC server \u8f49\u767c\u5230CAM\u3002<\/p>\n

\u5982\u679cCAS\u901a\u904e\u4e86authentication \u5247\u958b\u59cb\u9032\u884cPosture assessment\u3002\u7576Posture \u5931\u6557\u6642\uff0cCAM\u6703\u628aClient\u653e\u5165Temporary \u89d2\u8272\uff0c\u9019\u4e9b\u5de5\u4f5c\u90fd\u662f\u5728CAM\u4e0a\u4f86\u5b9a\u7fa9\uff0c\u7531CAS\u4f86\u57f7\u884c\u3002Client\u5347\u7d1a\u7684traffic\u6703\u901a\u904eCAS\u5230\u9054Trast\u58f9\u908a\uff0c\u9019\u4e9b\u904e\u7a0b\u5176\u5be6\u6d41\u91cf\u53c8\u5411\u4e4b\u524d\u58f9\u6a23\u5728CAS\u4e0a\u88ab\u6539\u904eVLAN ID.\u56e0\u6b64\uff0c\u5982\u679c\u59b3\u51fa\u4e0d\u4f86\u7d50\u679c\uff0c\u53ef\u80fd\u662fCAM\u914d\u7f6e\u554f\u984c\u3002
\n\u5982\u679c\u7528\u6236\u8eab\u4efd\u8a8d\u8b49\u901a\u904e\uff0c\u5247\u9032\u5165Posture\u6aa2\u6e2c\u72c0\u614b\uff0c\u8a3b\u610f\u9019\u88cfClient\u8eab\u4efd\u53ef\u4ee5\u7531CAM\u5b8c\u6210\uff0c\u4f46\u5efa\u8b70\u4f7f\u7528RADIUS\u7b49server\u4f86\u505a\u3002\u5230\u5e95\u6aa2\u6e2cClient\u4e0a\u7684\u90a3\u4e9bposture\u4e5f\u662f\u5728CAM\u4e0a\u5b9a\u7fa9\u7684\u3002\u6211\u5011\u53ef\u4ee5\u6839\u64daClient\u7684\u4e0d\u540c\u89d2\u8272\u4f86\u5b9a\u7fa9\u6aa2\u6e2c\u4ec0\u9ebd\u3002<\/p>\n

CAM \u9996\u5148\u901a\u904eCAS\u544a\u8a34CAA\u8981\u6aa2\u6e2c\u54ea\u4e9b\u5167\u5bb9\uff0cCAA\u8ca0\u8cac\u6536\u96c6Client\u4e0a\u7684\u4fe1\u606f\u3002<\/p>\n

CAA\u6536\u96c6Client\u4e0a\u7684\u4fe1\u606f\u7136\u5f8c\u901a\u904eCAS\u9001\u7d66CAM\u3002<\/p>\n

CAM\u6703\u628aCAA\u767c\u904e\u4f86\u7684\u4fe1\u606f\u8207\u5df2\u77e5\u7684\u75c5\u6bd2\u7248\u672c\u3001\u4e3b\u6a5fpatch\u4fe1\u606f\u9032\u884c\u6bd4\u8f03\uff0c\u5982\u679c\u4e0dmatch\uff0c\u5247CAM\u6307\u5f15Client \u4e0a\u7684CAA\u5f48\u51fa\u4fee\u5fa9\u5c0d\u8a71\u6846\uff0c\u8a72\u5c0d\u8a71\u6846\u4e2d\u6703\u544a\u8a34\u7528\u6236\u767c\u73fe\u7684\u554f\u984c\uff0c\u5982\u4f55\u4fee\u5fa9\u3002<\/p>\n

\u9019\u500b\u6642\u5019\uff0cCAM\u6703\u628aClient\u7684\u89d2\u8272\u5f9eUnauthenticated \u79fb\u5230Temporary\u3002<\/p>\n

\u6240\u6709\u7684update \u4fe1\u606f\u8981\u5728\u9019\u88cf\u901a\u904eCAS\uff0cTraffic\u901a\u904eCAS\u6642VLAN ID\u88ab\u4fee\u6539\u518d\u6b21\u4e0a\u6f14\u3002<\/p>\n

\u5176\u5be6\u4e8c\u5c64\u7684OOB\u914d\u7f6e\u9084\u662f\u6bd4\u8f03\u7c21\u55ae\u7684,\u4e09\u5c64\u7684OOB\u6bd4\u8f03\u5fa9\u96dc\u58f9\u9ede\uff0c\u4e2d\u9593\u93c8\u8def\u9700\u8981\u505aPBR\u6216\u8005ACC-LIST<\/p>\n

Cisco\u7db2\u7d61\u6e96\u5165\u63a7\u5236\uff08NA \u88ab\u904e\u6ffe\u5ee3\u544aC\uff09\u4e4b\u524d\u540d\u70baCisco Clean Access\uff0c\u4e3b\u8981\u7528\u65bc\u5728\u7db2\u7d61\u57fa\u790e\u67b6\u69cb\u4e2d\u5f37\u5316\u5b89\u5168\u7b56\u7565\u3002
\n\u7db2\u7d61\u6e96\u5165\u63a7\u5236\uff08NAC\uff09\u662f\u58f9\u9805\u7531\u601d\u79d1\u767c\u8d77\u3001\u591a\u5bb6\u5ee0\u5546\u53c3\u52a0\u7684\u8a08\u5283\uff0c\u5176\u5b97\u65e8\u662f\u9632\u6b62\u75c5\u6bd2\u548c\u8815\u87f2\u7b49\u65b0\u8208\u9ed1\u5ba2\u6280\u8853\u5c0d\u4f01\u696d\u5b89\u5168\u9020\u6210\u7684\u5371\u5bb3\u3002\u501f\u52a9NAC\uff0c\u5ba2\u6236\u53ef\u4ee5\u53ea\u5141\u8a31\u5408\u6cd5\u7684\u3001\u503c\u5f97\u4fe1\u4efb\u7684\u7aef\u9ede\u8a2d\u5099\uff08\u4f8b\u5982PC\u3001\u670d\u52d9\u5668\u3001PDA\uff09\u63a5\u5165\u7db2\u7d61\uff0c\u800c\u4e0d\u5141\u8a31\u5176\u4ed6\u8a2d\u5099\u63a5\u5165\u3002\u5728\u521d\u59cb\u968e\u6bb5\uff0c\u7576\u7aef\u9ede\u8a2d\u5099\u9032\u5165\u7db2\u7d61\u6642\uff0cNAC\u80fd\u5920\u5e6b\u52a9\u601d\u79d1\u8def\u7531\u5668\u5be6\u65bd\u8a2a\u554f\u6b0a\u9650\u3002NAC\u6c7a\u7b56\u53ef\u4ee5\u6839\u64da\u7aef\u9ede\u8a2d\u5099\u7684\u4fe1\u606f\u5236\u5b9a\uff0c\u4f8b\u5982\u8a2d\u5099\u7684\u7576\u524d\u9632\u75c5\u6bd2\u72c0\u6cc1\u4ee5\u53ca\u64cd\u4f5c\u7cfb\u7d71\u88dc\u4e01\u7b49\u3002\u7db2\u7d61\u5c07\u6309\u7167\u5ba2\u6236\u5236\u5b9a\u7684\u7b56\u7565\u5be6\u884c\u76f8\u61c9\u7684\u6e96\u5165\u63a7\u5236\u6c7a\u7b56\uff1a\u5141\u8a31\u3001\u62d2\u7d55\u3001\u9694\u96e2\u6216\u9650\u5236\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"

\u521d\u59cb\u5316\u968e\u6bb5 1\uff09\u4e3b\u6a5f\u63a5\u5165\u5230Switch 2\uff09Switch\u7acb\u5373\u9001SNMP\u7d66CAM(\u9019\u500btrap\u5305\u542b\u4e86Client […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[534,533],"class_list":["post-1442","post","type-post","status-publish","format-standard","hentry","category-cisco","tag-cisco","tag-nac"],"_links":{"self":[{"href":"https:\/\/www.killtest.hk\/index.php\/wp-json\/wp\/v2\/posts\/1442","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.killtest.hk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.killtest.hk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.killtest.hk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.killtest.hk\/index.php\/wp-json\/wp\/v2\/comments?post=1442"}],"version-history":[{"count":0,"href":"https:\/\/www.killtest.hk\/index.php\/wp-json\/wp\/v2\/posts\/1442\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.killtest.hk\/index.php\/wp-json\/wp\/v2\/media?parent=1442"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.killtest.hk\/index.php\/wp-json\/wp\/v2\/categories?post=1442"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.killtest.hk\/index.php\/wp-json\/wp\/v2\/tags?post=1442"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}