目錄
本文主要介紹通過Windows NPS構建RADIUS服務器的記賬及後期用戶流量審計
關於如何使用NPS與域控集成認證,可以參照前一篇文章
Windows Server NPS服務構建基於AD域控的radius認證
本文涉及的知識點:
1、NPS記賬功能
2、Microsoft AD集成認證
3、SQL Server部署
4、SQL 存儲過程修改
5、三層設備SNMP配置
6、三層路由設備Snmp ARP獲取
7、Python 連接SQL Server
8、Python OS包獲取操作系統指令
9、Python字符串處理,截取和拼接
10、行爲審計設備操作
鬼知道爲什麼要用到這麼多知識點
本文用的到知識點跨專業比較大,各位同學選擇你感興趣的點看就好。
一、安裝SQL Server
1、安裝SQL Server服務器
賊簡單,一路Next就好,下方放出MSDN Itell you的連接
SQL Server 2016 Developer with Service Pack 2 (x64) - DVD (Chinese-Simplified)
ed2k://|file|cn_sql_server_2016_developer_with_service_pack_2_x64_dvd_12195013.iso|3217154048|AC379F2A852760E54316A2CDAEFCB42C|/
2、新建一個數據庫
運行SQL Server 2016 Master Data Services Configuration Manager
新建數據庫
二、安裝Microsoft SQL Server Management Studio
賊簡單,一路Next就好,下方放出下載鏈接
Microsoft | 下載 SQL Server Management Studio (SSMS)
三、配置NPS記賬功能
官方手冊
Microsoft | Configure Network Policy Server Accounting
1、使用嚮導初始化記賬配置
建議勾選同時記錄到SQL Server和本地文本文件
配置記賬數據庫連接信息
配置本地文件日誌記錄
初始化數據庫,點擊重新生成
2、更改SQL Server日誌記錄屬性
選擇啓用文本文件日誌記錄進行故障轉移,避免因SQL Server故障導致RADIUS拒絕認證
四、學習閱讀記賬數據庫基礎數據
1、認識dbo.accounting_data表
此表默認包含以下字段
大部分字段都是字面意思,具體需要解釋的,參閱以下文檔
Microsoft | Interpret NPS Database Format Log Files
Timestamp,
Computer_Name,
Packet_Type,
User_Name,
Client_IP_Address,
Fully_Qualified_Machine_Name,
NP_Policy_Name,
MS_Quarantine_State,
MS_Extended_Quarantine_State,
SystemHealthResult,
SystemHealthResultEx,
MS_Network_Access_Server_Type,
Called_Station_Id,
MS_Quarantine_Grace_Time,
MS_Quarantine_User_Class,
Client_IPv6_Address,
Not_Quarantine_Capable,
AFW_Zone,
AFW_Protection_Level,
Quarantine_Update_Non_Compliant,
MS_Machine_Name,
OS_Version,
MS_Quarantine_Session_Id
2、認識dbo.report_event存儲過程
NPS 將記帳數據格式化爲 XML 文檔,該文檔將其發送到你在 NPS 中指定的 SQL Server 數據庫中的report_event存儲過程。 若要使 SQL Server 日誌記錄正常工作,SQL Server 數據庫中必須有一個名爲report_event的存儲過程,該存儲過程可接收和分析 NPS 中的 XML 文檔。
通過修改dbo.report_event存儲過程,我們可以將我們感興趣的字段加入數據庫並進行記錄
USE [NPS]
GO
/****** Object: StoredProcedure [dbo].[report_event] Script Date: 2020/3/9 20:36:59 ******/
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
ALTER PROCEDURE [dbo].[report_event]
@doc ntext
AS
SET NOCOUNT ON
DECLARE @idoc int
EXEC sp_xml_preparedocument @idoc OUTPUT, @doc
/*
Combine multiple System-Health-Result string into one string with delimiter as ":"
*/
DECLARE @SystemHealthResult NVARCHAR(4000)
SELECT @SystemHealthResult = COALESCE(@SystemHealthResult+':','')+ISNULL(SHR.System_Health_Result,'')
FROM (SELECT *
FROM OPENXML(@idoc, '/Event/System-Health-Result')
WITH (System_Health_Result NVARCHAR(4000) 'text()')) AS SHR
/*
Combine multiple System-Health-ResultEx string into one string
*/
DECLARE @SystemHealthResultEx NVARCHAR(MAX)
IF @SystemHealthResult IS NOT NULL SELECT @SystemHealthResultEx = COALESCE(@SystemHealthResultEx,'')+ISNULL(CAST(SHR.System_Health_ResultEx AS NVARCHAR(MAX)),'')
FROM (SELECT *
FROM OPENXML(@idoc, '/Event/System-Health-ResultEx')
WITH (System_Health_ResultEx xml '.')) AS SHR
/*
All RADIUS attributes written to the ODBC format logfile are declared here. Refer to IAS ODBC Formatted Log Files in Online Help for information on interpreting these values.
*/
INSERT accounting_data
SELECT
Timestamp,
Computer_Name,
Packet_Type,
[User_Name],
Client_IP_Address,
Fully_Qualified_Machine_Name,
NP_Policy_Name,
MS_Quarantine_State,
MS_Extended_Quarantine_State,
@SystemHealthResult,
@SystemHealthResultEx,
MS_Network_Access_Server_Type,
Called_Station_Id,
Calling_Station_Id,
MS_Quarantine_Grace_Time,
MS_Quarantine_User_Class,
Client_IPv6_Address,
Not_Quarantine_Capable,
AFW_Zone,
AFW_Protection_Level,
Quarantine_Update_Non_Compliant,
MS_Machine_Name,
OS_Version,
MS_Quarantine_Session_Id
FROM OPENXML(@idoc, '/Event')
WITH (
Timestamp datetime './Timestamp',
Computer_Name nvarchar(255) './Computer-Name',
Packet_Type int './Packet-Type',
[User_Name] nvarchar(255) './User-Name',
Client_IP_Address nvarchar(15) './Client-IP-Address',
Fully_Qualified_Machine_Name nvarchar(255) './Fully-Qualified-Machine-Name',
NP_Policy_Name nvarchar(255) './NP-Policy-Name',
MS_Quarantine_State int './MS-Quarantine-State',
MS_Extended_Quarantine_State int './MS-Extended-Quarantine-State',
System_Health_Result nvarchar(4000),
System_Health_ResultEx nvarchar(MAX),
MS_Network_Access_Server_Type int './MS-Network-Access-Server-Type',
Called_Station_Id nvarchar(255) './Called-Station-Id',
Calling_Station_Id nvarchar(255) './Calling-Station-Id',
MS_Quarantine_Grace_Time datetime './MS-Quarantine-Grace-Time',
MS_Quarantine_User_Class nvarchar(255) './MS-Quarantine-User-Class',
Client_IPv6_Address nvarchar(32) './Client-IPv6-Address',
Not_Quarantine_Capable int './Not-Quarantine-Capable',
AFW_Zone int './AFW-Zone',
AFW_Protection_Level int './AFW-Protection-Level',
Quarantine_Update_Non_Compliant int './Quarantine-Update-Non-Compliant',
MS_Machine_Name nvarchar(255) './MS-Machine-Name',
OS_Version nvarchar(255) './Machine-Inventory',
MS_Quarantine_Session_Id nvarchar(255) './MS-Quarantine-Session-Id'
)
EXEC sp_xml_removedocument @idoc
SET NOCOUNT OFF
3、添加認證設備MAC地址,記錄至數據庫
3.1更新dbo.accounting_data表
CREATE TALBE加入[Calling_Station_Id] [nvarchar](255) NULL,然後點執行!
3.2更新dbo.report_event存儲過程
認證設備MAC地址一般在RADIUS認證報文中以Calling Station ID字段進行傳輸。
但是NPS默認記賬不記錄Calling Station ID字段,我們需要修改dbo.report_event存儲過程,添加數據庫記錄字段。
INSERT語句添加Calling_Station_Id,
XML解釋添加Calling_Station_Id nvarchar(255) './Calling-Station-Id',然後點執行!
3.3驗證修改結果
查看dbo.accounting_data表,可以看到用戶認證終端的MAC地址,記錄在Calling_Station_Id字段中
五、SNMP獲取ARP表
通過上述操作,我們獲取了認證後的用戶MAC address—User_Name的對應關係。
但是很多行爲審計設備要求獲取IP Address—User_Name的對應關係。
因此我們需要一些辦法,獲取MAC address—IP Address的對應關係。
那這不就是ARP表麼!
1、SNMP基礎解釋
我也不知道看這邊文章的同學,你們是搞服務器運維的,還是搞數據庫的,還是搞網絡的。有些同學不知道SNMP,簡單介紹一下
2、SNMP ARP OID
雖然不同的廠商設備OID會相差很大,因此廠商通常會提供MIB庫來檢索OID
但是,對於獲取ARP表有一個通用的OID:
OID 1.3.6.1.2.1.4.22.1.2
使用walk方法可以跑出全部端口的ARP表
3、安裝snmpwalk工具
linux和windows均有snmpwalk安裝程序
Linux:yum install -y net-snmp net-snmp-utils
windows下安裝net-snmp,我們可以去net-snmp官網進行下載。
http://www.net-snmp.org/download.html
安裝方法CSDN上一大堆,比如其他大大們的指導
https://blog.csdn.net/weixin_30752699/article/details/98688984
4、網絡設備配置SNMP
HUAWEI H3C CISCO百度搜索一下方法一大堆
舉例H3C:
<H3C>dis cu | in snmp
snmp-agent
snmp-agent local-engineid 800063A28008688D43D19600000001
snmp-agent community read wulalalwulalala
snmp-agent sys-info version v2c v3
snmp-server arp-sync enable
舉例HUAWEI
<HUAWEI>dis cu | in snmp
snmp-agent
snmp-agent local-engineid 800007DB03A4BE2B3B80A0
snmp-agent community read cipher %^%#Myph,aG8/Ke]v1'gt@G#+W]EVCBrGQ]:>YDShMB#QjT`Phq'R8)OvPNrHANLf[(;L_<^-:o0/nJ*S5rE%^%#
snmp-agent sys-info version v2c v3
舉例Aruba
(Aruba-AC) *[mynode] #show running-config | include snmp
Building Configuration...
netservice svc-snmp udp 161
netservice svc-snmp-trap udp 162
ipv6 any user svc-snmp permit
ipv6 user any svc-snmp-trap permit
any user svc-snmp permit
user any svc-snmp-trap permit
snmp-server community "jiubugaosuniwodemima"
snmp-server enable trap
snmp-server trap source 0.0.0.0
舉例CISCO
Router# configure terminal
Router(config)# snmp-server community aishashajiushibushuo ro
Router(config)# snmp-server trap link ietf
Router(config)# snmp-server enable traps snmp
5、使用snmpwalk獲取ARP表
以Linux爲例
snmpwalk -v 2c -c snmp祕鑰 設備IP地址 1.3.6.1.2.1.4.22.1.2
夠直白的ARP表,如下圖所示
IP-MIB::ipNetToMediaPhysAddress.828.10.0.21.12 = STRING: 94:e1:ac:74:5b:2c
IP-MIB::ipNetToMediaPhysAddress.828.10.0.21.13 = STRING: 94:e1:ac:74:5d:18
IP-MIB::ipNetToMediaPhysAddress.828.10.0.21.14 = STRING: 94:e1:ac:60:49:74
IP-MIB::ipNetToMediaPhysAddress.828.10.0.21.15 = STRING: 58:3:fb:5b:fd:81
IP-MIB::ipNetToMediaPhysAddress.828.10.0.21.16 = STRING: 94:e1:ac:74:5a:e6
IP-MIB::ipNetToMediaPhysAddress.828.10.0.21.17 = STRING: 94:e1:ac:74:58:cd
IP-MIB::ipNetToMediaPhysAddress.828.10.0.21.18 = STRING: 94:e1:ac:74:5a:f5
IP-MIB::ipNetToMediaPhysAddress.828.10.0.21.19 = STRING: 64:db:8b:65:c1:f2
IP-MIB::ipNetToMediaPhysAddress.828.10.0.21.20 = STRING: 64:db:8b:65:c3:a1
IP-MIB::ipNetToMediaPhysAddress.828.10.0.21.21 = STRING: 64:db:8b:65:bd:95
IP-MIB::ipNetToMediaPhysAddress.828.10.0.21.22 = STRING: 64:db:8b:65:c3:a7
IP-MIB::ipNetToMediaPhysAddress.828.10.0.21.23 = STRING: 64:db:8b:65:c2:3
IP-MIB::ipNetToMediaPhysAddress.828.10.0.21.24 = STRING: 68:6d:bc:25:85:57
IP-MIB::ipNetToMediaPhysAddress.828.10.0.21.25 = STRING: 68:6d:bc:25:83:ac
IP-MIB::ipNetToMediaPhysAddress.828.10.0.21.26 = STRING: 68:6d:bc:25:83:c7
IP-MIB::ipNetToMediaPhysAddress.828.10.0.21.27 = STRING: 68:6d:bc:25:83:b7
IP-MIB::ipNetToMediaPhysAddress.828.10.0.21.28 = STRING: 68:6d:bc:25:85:df
IP-MIB::ipNetToMediaPhysAddress.828.10.0.21.29 = STRING: 68:6d:bc:25:85:da
IP-MIB::ipNetToMediaPhysAddress.828.10.0.21.32 = STRING: 60:23:a4:5e:fc:a4
IP-MIB::ipNetToMediaPhysAddress.828.10.0.21.34 = STRING: 0:50:56:8b:58:74
IP-MIB::ipNetToMediaPhysAddress.828.10.0.21.35 = STRING: 0:c:29:f9:98:7c
IP-MIB::ipNetToMediaPhysAddress.828.10.0.21.37 = STRING: 60:23:a4:7c:73:8e
IP-MIB::ipNetToMediaPhysAddress.828.10.0.21.39 = STRING: 60:23:a4:7c:65:e
IP-MIB::ipNetToMediaPhysAddress.828.10.0.21.45 = STRING: b8:27:eb:c5:83:28
IP-MIB::ipNetToMediaPhysAddress.828.10.0.21.150 = STRING: 58:3:fb:cc:52:5d
IP-MIB::ipNetToMediaPhysAddress.828.10.0.21.151 = STRING: b4:a3:82:db:f6:3
IP-MIB::ipNetToMediaPhysAddress.828.10.0.21.251 = STRING: 0:17:61:11:f1:de
IP-MIB::ipNetToMediaPhysAddress.828.10.0.21.252 = STRING: 0:17:61:10:f2:ad
IP-MIB::ipNetToMediaPhysAddress.828.10.0.21.253 = STRING: 0:17:61:10:9b:7f
六、同步ARP表至SQL Server數據庫
1、安裝python及相關pip包
找臺linux服務器,Windows也行,隨便你
安裝Python和pymssql包
yum install python
pip install pymssql
特別注意Windows下pip install pymssql需要VC++運行環境,嫌麻煩不想安裝VC++的話,可以如下操作
1、先去 https://www.lfd.uci.edu/~gohlke/pythonlibs/#pymssql
上面下載對應Windows操作系統版本和python版本的安裝包
2、放到安裝目錄下,然後使用命令進入這個目錄
3、執行pip3 install --user pymssql-2.1.4-cp38-cp38-win_amd64.whl
2、寫Python
# encoding=utf-8
import pymssql
import commands
import re
import os
import sys
import datetime
server1 = "10.0.20.28"
server2 = "10.0.20.29"
#主備兩臺RADIUS的地址,如果你所在的環境就一個的話,刪除掉多餘的就行
user = "sa"
password = "數據庫密碼"
database = "NPS"
#數據庫連接信息
conn = pymssql.connect(server1, user, password, database)
conn2 = pymssql.connect(server2, user, password, database)
cursor = conn.cursor()
cursor2 = conn2.cursor()
#構建數據庫connect和cursor
def execComand(command):
#執行命令,獲取返回結果
data = commands.getoutput(command)
return data
#-------------------------------------------------------------------------------
#定義一個函數,處理SNMPWALK返回的數據
def format_result(result_txt):
#原格式是這樣的:
#IP-MIB::ipNetToMediaPhysAddress.828.10.0.21.253 = STRING: 0:17:1:10:9b:7f(注意這個MAC地址沒有補零)
#IP-MIB::ipNetToMediaPhysAddress.828.10.0.21.28 = STRING: 68:6d:bc:25:85:df
result_out=result_txt.replace("IP-MIB::ipNetToMediaPhysAddress.","")
result_out=result_out.replace("STRING:","")
result_out=result_out.replace(" ","")
result_out=result_out.split('\n')
#以上四句,該刪的刪,該替換的替換
i=0
for result_line in result_out:
result_line=result_line[4:]
result_line=result_line.split('=')
mac_addr=result_line[1].split(':')
i2=0
for mac in mac_addr:
mac_addr[i2]=mac_addr[i2].zfill(2)
#snmpwalk工具返回的MAC地址沒有補零,需要進行補零操作
#0:17:1:10:9b:7f 變換成 00:17:01:10:9b:7f
i2=i2+1
result_line[1]="".join(mac_addr)
result_out[i]=result_line
i=i+1
return result_out
#-------------------------------------------------------------------------------
#定義一個函數,在數據庫裏創建ARP表
def CreateTable():
sql = """
IF OBJECT_ID('arp', 'U') IS NOT NULL DROP TABLE arp
CREATE TABLE arp (ip VARCHAR(100),mac VARCHAR(100))
"""
cursor.execute(sql)
conn.commit()
cursor2.execute(sql)
conn2.commit()
#-------------------------------------------------------------------------------
#定義一個函數,在ARP表裏插入數據
def InsertData(ip,mac):
sql = "INSERT INTO arp(ip,mac) VALUES ('"+ip+"', '"+mac+"')"
cursor.execute(sql)
conn.commit()
cursor2.execute(sql)
conn2.commit()
def main():
command='snmpwalk -v 2c -c snmpsharekeyshshsh 10.0.250.1 1.3.6.1.2.1.4.22.1.2'
#linux下執行snmp的腳本命令
#如果是windows平臺,使用下面這兩句,並且不需要def execComand函數
#command=os.popen(" C:/usr/bin/snmpwalk.exe -v 2c -c snmpsharekeyshshsh 10.1.1.1 1.3.6.1.2.1.4.22.1.2")
#data=command.read()
data=execComand(command)
data=format_result(data)
#獲取命令返回的結果,並且進行格式化處理
now_time = datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S')
CreateTable()
#創建一個表
InsertData(now_time,"Update Time")
#插入當前時間,用於監控平臺監控ARP表更新狀態
for data_sub in data:
InsertData(data_sub[0],data_sub[1])
#寫入ARP表數據
if __name__ == '__main__':
main()
3、查看SQL Server中dbo.arp表內容
select * from arp
可以看到ARP表正常更新
以下語句通過計算Update_Time與現在時間差值可以監控ARP表是否正常更新
select datediff(s,ip,GETDATE()) from arp where mac='Update Time'
4、創建定時任務
[root@sz_radius_10 ~]# crontab -l
*/1 * * * * /root/AC-SQL-ARP/ARP-SQL.sh
[root@sz_radius_10 ~]#
[root@sz_radius_10 ~]# cat /root/AC-SQL-ARP/ARP-SQL.sh
#!/bin/bash
cd /root/AC-SQL-ARP/
python ARP-TO-SQL.py
#---------------------------------------------------------
七、聯合查詢記賬數據表和ARP表
1、聯合查詢語句
select timestamp,id,User_Name,mac,ip from accounting_data,arp where
(
id in
(SELECT max(id) from accounting_data group by Calling_Station_Id)
#查詢同一個Calling_Station_Id最後更新的記錄id
and
replace(Calling_Station_Id,'-','')=mac
#HUAWEI和H3C設備帶過來的MAC地址會攜帶“-”,需要去除
)
order by timestamp
炒雞簡單,查詢出一下數據
2、創建查詢視圖
CREATE VIEW [dbo].[userip]
AS
select User_Name,ip from accounting_data,arp where
(
id in
(SELECT max(id) from accounting_data group by Calling_Station_Id)
and
replace(Calling_Station_Id,'-','')=mac
)
union all
(select user_name collate Chinese_PRC_CI_AI_WS,ip from user_vpn_ip where ip<>'Update Time')
#如果還有其他表,可以使用union all聯合查詢,沒有的話,忽略上面兩句
八、行爲審計設備配置
以深信服行爲審計設備爲例
1、添加SQL Server數據庫作爲外部認證數據庫
2、添加單點登錄服務器配置
數據庫服務器選擇剛纔新添加的數據庫服務器
查詢語句:select * from userip
測試一下有效性
3、配置單點登錄策略
認證範圍填寫用戶終端地址段。
認證方式選項卡內,認證方式選擇單點登錄。同時單點登錄失敗的用戶配置使用以IP地址作爲用戶名。
配置完成之後,目前到達行爲審計設備的流量,會觸發此條認證策略創建用戶。
並且,會通過之前關聯的認證數據庫,自動獲取用戶名並創建用戶!!
