企业级虚拟专有网络统一认证解决方案及实战

0.背景本文适用于办公以及研发环境的虚拟专有网络统一认证，适用于同时需要保障环境安全性，完整性以及可控性的情况。内网的安全涉及到wifi准入，上网行为管理，网络出口防火墙等。基于ZStack平台私有云环境，需要一整套虚拟专有网准入以及日志审计的系统平台。本次主要是使用openldap作为统一认证，CiscoASA作为VPN服务端，使用syslog进行日志审计。同时也提供了使用snmp的方式去定时轮训获取登录的用户以及ip。本文介绍的方案是新钛云服架构师在实际环境中实践总结而来，效果不错，所以整理分享出来实战环境：AA.zstack+ASA8.42+Anyconnect+Ldap(CiscoPerson)+Syslog1.快速安装openldap/osixia/docker-openldapdockerrun--envLDAP_ORGANISATION="tyun"--envLDAP_DOMAIN=""--envLDAP_ADMIN_PASSWORD="ldap_passwd"--volume/data/slapd/database:/var/lib/ldap--volume/data/slapd/config:/etc/ldap/slapd.d--detach-it-p389:389-p636:636osixia/openldap:1.2.0docker快速安装（根据需要选择对应的版本，或者手工基于dockerfilebuild最新版本）或者手动安装，但需要加入memberof属性。2.openldap导入CiscoPersonobjectclass2.1下载cisco.schemawget/jaseywang/041f76d03e2f43579d6f6984e3358774cisco.schema(上面链接失效的化，使用本处)将85行改为MUST(uid$cn)，86行delete掉telephoneNumber（否则会报也可以直接使用已经修改好的/qingyufei/ubuntutools/master/Cisco_ASA_ldap/zhuxiang/cisco.schema2.2基于cisco.schema生成cisco.ldif新建配置文件以及目录echo"includecisco.schema">>cisco.confmkdirldif_ciscoslaptest-fcisco.conf-Fldif_cisco获取到ldif目录结构如下：treeldiftree.├──cn=conflig│├──cn=schema.ldif│├──olcDatabase={0}config.ldif│└──olcDatabase={-1}frontend.ldif└──cn=config.ldif文件cn=config/cn=schema/cn={0}cisco.ldif就是生成的‘ldif’文件，编辑此文件，前三行改为：dn:cn=cisco,cn=schema,cn=configobjectClass:olcSchemaConfigcn:cisco最后注释掉最后七行：2.3将‘’cn={0}cisco.ldif"文件内容导入ldap数据库进入对应的目录，导入数据库(如果使用docker安装，则通过dockercp复制配置文件到容器里执行,当然也可以安装openldap-clients,openldap-devel，通过-H指定ldap主机)：cdldif_cisco/cn=config/cn=schemasudoldapadd-Q-YEXTERNAL-Hldapi:///-fcn={0}cisco.ldif查看是否导入成功：ldapsearch-Q-LLL-YEXTERNAL-Hldapi:///-bcn=schema,cn=configdn直接查看(/etc/ldap/slapd.d/cn=config/cn=schema/cn={16}cisco.ldif)：3.CiscoASA3.1商业购买ASA硬件+Anyconnectvpn的liscence（推荐）3.2模拟器vMware或在Esxi版本的ASA8.42（或者ASA931等其他版本都可以）+CiscoASAKeygen（网上教程比较多，仅作为测试学习使用，请勿商业使用。）3.3KVM版本的ASA8.42（仅作为测试学习使用）。解压vmware的ova文件(iso文件为启动引导文件，qcow2为disk0:或者flash文件，最重要的是iso文件，qcow2可以重新生成):convertvmwaretoqcow2root@zhuxiang:~/cisco#tar-xvfasa842.ovaWOLF-ASA842-adv.ovfWOLF-ASA842-adv.mfWOLF-ASA842-adv-disk1.vmdkWOLF-ASA842-adv-file1.isoroot@zhuxiang:~/cisco#lsasa842.ovaWOLF-ASA842-adv-disk1.vmdkWOLF-ASA842-adv-file1.isoWOLF-ASA842-adv.mfWOLF-ASA842-adv.ovfroot@zhuxiang:~/cisco#mkdir-pvASA_qcow2mkdir:createddirectory'ASA_qcow2'root@zhuxiang:~/cisco#qemu-imgconvert-fvmdk-Oqcow2WOLF-ASA842-adv-disk1.vmdkASA_qcow2/ASA842-adv-disk1.qcow2root@zhuxiang:~/cisco#cpWOLF-ASA842-adv-file1.isoASA_qcow2/ASA842-adv-file1.iso最重要的是iso文件，每次虚拟机启动都要重iso启动:root@zhuxiang:~/cisco#lsASA_qcow2/ASA842-adv-disk1.qcow2ASA842-adv-file1.iso查看qcow2文件:root@zhuxiang:~/cisco/ASA_qcow2#virt-list-filesystems-aASA842-adv-disk1.qcow2/dev/sda1通过guestmount工具查看asa磁盘里的信息。root@zhuxiang:~/cisco/ASA_qcow2#guestmount-aASA842-adv-disk1.qcow2-m/dev/sda1/mntroot@zhuxiang:~/cisco/ASA_qcow2#ls/mnt/anyconnect-win-3.0.0629-k9.pkgbootcsco_configrdp2-plugin.090211.jarssh-plugin.080430.jarasdm-645-206.bincoredumpinfocsd_3.6.181-k9.pkgrdp-plugin.101215.jarvnc-plugin.080130.jar可以生成kvm系统（网卡必须选择e1000,把iso作为第一启动项或者导入ISOZStack，然后直接运行(导入ASA8.42.iso，格式必须是iso，平台是other)：创建虚拟机，根云盘规格选择10G，计算规格2核4G以上，网络按照需求选择，选择对应的ASA8.42iso镜像。创建虚拟机成功。(NetworkAnti-Spoofing功能注意关闭)由于zstack2.3.2不支持serial重定向，查看ASA8.42所在的计算节点，通过在宿主机上直接运行命令virshconsoleASA8.42_domain进入console控制台，配置基础管理功能（其他版本ASA可能支持直接从页面console口登陆）修改云主机启动顺序(CdRom,HardDisk)：asa[root@bjm8-zscns-10-0-3-16~]#virshlist--allId名称状态6687ba60019f04a5fa71b3f1501560d3arunning73459d91402c247ca8fabf0e7d922af7brunning909cabc8ca969429c9505fafaf14071ebrunning34fb4550f382fb496cbb03d77ca5f2456erunning428af69ae1236e4827880f6684987d9438running43zstack10310running[root@bjm8-zscns-10-0-3-16~]#virshconsole8af69ae1236e4827880f6684987d9438连接到域8af69ae1236e4827880f6684987d9438换码符为^]ASAGW7>ASAGW7>enaPassword:ASAGW7#showversionCiscoAdaptiveSecurityApplianceSoftwareVersion8.4(2)DeviceManagerVersion6.4(5)206CompiledonWed15-Jun-1118:17bybuildersSystemimagefileis"Unknown,monitormodetftpbootedimage"Configfileatbootwas"startup-config"ASAGW7up1day20hoursHardware:ASA5520,3072MBRAM,CPUPentiumII2095MHzInternalATACompactFlash,131072MBBIOSFlashunknown@0x0,0KB0:Ext:GigabitEthernet0:addressisfa1a.6c10.8800,irq01:Ext:GigabitEthernet1:addressisfa03.b8ec.3001,irq0Licensedfeaturesforthisplatform:MaximumPhysicalInterfaces:UnlimitedperpetualMaximumVLANs:100perpetualInsideHosts:UnlimitedperpetualFailover:Active/ActiveperpetualVPN-DES:EnabledperpetualVPN-3DES-AES:EnabledperpetualSecurityContexts:20perpetualGTP/GPRS:EnabledperpetualAnyConnectPremiumPeers:10000perpetualAnyConnectEssentials:0perpetualOtherVPNPeers:5000perpetualTotalVPNPeers:0perpetualSharedLicense:EnabledperpetualAnyConnectforMobile:EnabledperpetualAnyConnectforCiscoVPNPhone:EnabledperpetualAdvancedEndpointAssessment:EnabledperpetualUCPhoneProxySessions:5000perpetualTotalUCProxySessions:10000perpetualBotnetTrafficFilter:EnabledperpetualIntercompanyMediaEngine:DisabledperpetualThisplatformhasanASA5520VPNPluslicense.4.AnyConnectVPN配置41.webvpn配置webvpnwebvpnenableOutsidenoanyconnect-essentialsanyconnectimagedisk0:/anyconnect-win-3.0.0629-k9.pkg1anyconnectenabletunnel-group-listenablesysoptconnectionpermit-vpn4.2aaa-serverldap配置aaa-serverldapASAGW7#shorunning-configaaa-serveraaa-serverLdapServerGroup0protocolldapaaa-serverLdapServerGroup0(Inside)hostXXXXXXXXXXldap-base-dndc=tyun,dc=cnldap-scopesubtreeldap-naming-attributeuidldap-login-password*****ldap-login-dncn=admin,dc=tyun,dc=cnserver-typeopenldapldap-attribute-mapLdapMapClass04.3ldapattribute-map配置ldapattreibute-mapASAGW7#shorunldapldapattribute-mapLdapMapClass0map-nameCiscoACLinCisco-AV-Pairmap-nameCiscoBannerBanner1map-nameCiscoDNSPrimary-DNSmap-nameCiscoDomainIPSec-Default-Domainmap-nameCiscoGroupPolicyIETF-Radius-Classmap-nameCiscoIPAddressIETF-Radius-Framed-IP-Addressmap-nameCiscoIPNetmaskIETF-Radius-Framed-IP-Netmaskmap-nameCiscoSplitACLIPSec-Split-Tunnel-Listmap-nameCiscoSplitTunnelPolicyIPSec-Split-Tunneling-Policyldap用户ciscopersonobjectclass添加，以及ASA关键配置ciscoperson根据需要配置ciscoperson，案例如下，本次案例可以直接只使用group-policycatusers.ldiff#Useraccountdn:uid=zhuxiang,ou=operations,ou=users,dc=tyun,dc=cncn:zhuxianggivenName:zhuxiangsn:zhuxianguid:zhuxianguidNumber:10000gidNumber:10000homeDirectory:/home/zhuxiangmail:zhuxiang@objectClass:topobjectClass:posixAccountobjectClass:shadowAccountobjectClass:inetOrgPersonobjectClass:organizationalPersonobjectClass:personobjectClass:CiscoPersonloginShell:/bin/bashuserPassword:{CRYPT}*CiscoBanner:Thisisbanner1CiscoIPAddress:CiscoIPNetmask:28CiscoDomain:CiscoDNS:CiscoACLin:ip:inacl#1=permitip0055455ip:inacl#2=permitip0055055CiscoSplitACL:DefaultSplitVPNAcl0CiscoSplitTunnelPolicy:1CiscoGroupPolicy:DefaultGroupPolicy0ASA上对应配置ASAGW47#showrunning-configaccess-listaccess-listDefaultSplitVPNAcl0standardpermitaccess-listDefaultSplitVPNAcl1standardpermitiplocalpoolDefaultVPNPool01-4mask新建用户group-policy，以及默认denyall的group-policyASAGW47#shorunning-configgroup-policygroup-policyDefaultGroupPolicy0internalgroup-policyDefaultGroupPolicy0attributesvpn-simultaneous-logins10vpn-idle-timeout9999vpn-session-timeoutnonevpn-tunnel-protocolikev1ikev2l2tp-ipsecssl-clientssl-clientlesssplit-tunnel-policytunnelspecifiedsplit-tunnel-network-listvalueDefaultSplitVPNAcl0default-domainvalueaddress-poolsvalueDefaultVPNPool0group-policyNoAccessGroupPolicyinternalgroup-policyNoAccessGroupPolicyattributesvpn-simultaneous-logins0vpn-tunnel-protocolikev1ikev2l2tp-ipsecssl-clientssl-clientlessdefault-domainvalueaddress-poolsnoneLDAP用户匹配上group-policyDefaultGroupPolicy0才可以访问，其他用户默认匹配group-policyNoAccessGroupPolicy，该策略默认不可以访问vpnASAGW7#shoruntunnel-grouptunnel-groupDefaultTunnelGroup0typeremote-accesstunnel-groupDefaultTunnelGroup0general-attributesauthentication-server-groupLdapServerGroup0default-group-policyNoAccessGroupPolicytunnel-groupDefaultTunnelGroup0webvpn-attributesgroup-aliasOperationsAdminenableldapobjectclassciscoperson常见/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ref_extserver.pdf5.log配置开启ASAvpn以及authlogasasyslogloggingenableloggingtimestamploggingbuffer-size1048576loggingbufferednotificationsloggingclassvpnbufferednotificationsloggingclassauthbufferednotifications日志可以查看登录用户历史记录ASAGW7#showlogging|includezhuxiangMay23201817:54:02:%ASA-4-722041:TunnelGroup<DefaultTunnelGroup0>GroupPolicy<DefaultGroupPolicy0>User<zhuxiang>IP<22>NoIPv6addressavailableforSVCconnectionMay23201817:54:02:%ASA-5-722033:Group<DefaultGroupPolicy0>User<zhuxiang>IP<22>FirstTCPSVCconnectionestablishedforSVCsession.May23201817:54:02:%ASA-4-722051:Group<DefaultGroupPolicy0>User<zhuxiang>IP<22>Address<3>assignedtosessionMay23201817:57:20:%ASA-5-722012:Group<DefaultGroupPolicy0>User<zhuxiang>IP<22>SVCMessage:16/NOTICE:Abortedbycaller.May23201817:57:20:%ASA-5-722037:Group<DefaultGroupPolicy0>User<zhuxiang>IP<22>SVCclosingconnection:UserRequested.May23201817:57:20:%ASA-4-113019:Group=DefaultTunnelGroup0,Username=zhuxiang,IP=22,Sessiondisconnected.SessionType:AnyConnect-Parent,Duration:0h:03m:18s,Bytesxmt:8592,Bytesrcv:1053,Reason:UserRequestedMay23201818:45:44:%