Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

FAQ

What Can I Do If a Security Certificate Problem Message Is Displayed on the Web Browser When the Built-in Portal Authentication Is Performed?

Possible Causes

In the portal authentication system using a built-in Portal server, no external independent Portal server is used, and functions of the Portal server are implemented by the access device.

For security purposes, the access device provides the built-in Portal server function in HTTPS mode. In HTTPS mode, the web browser checks whether the certificate presented by the website was issued by a trusted certification authority (CA). The web browser contains some certificates issued by trusted CAs by default, and you can also import a CA certificate into the web browser to add trusted certificates. If the certificate presented by the website is issued by an untrusted CA, the web browser displays a message indicating that the security certificate of this website is faulty, as shown in the following figure (using the Firefox browser as an example):

After you click Advanced, a message indicating that the certificate is incorrect is displayed in the lower part of the window, showing that the security certificate is invalid.

In addition to checking whether the certificate is issued by a trusted CA, the web browser also checks whether the domain name in the certificate (the value of the Subject: CN field) matches the domain name in the address bar of the browser. If they do not match, a message indicating that the security certificate of the website is faulty is displayed, as shown in the following figure:

By default, the device has a self-signed certificate, which can be used for HTTPS services. However, this certificate is an untrusted certificate that is issued by the device itself. Therefore, when you use this certificate to perform HTTPS services, a message indicating that the security certificate of the website is faulty is displayed.

A trusted certificate is issued by a trusted CA. To obtain one, the certificate user contacts the CA and applies for it with the information the CA requires. After the application is approved, the CA issues the certificate file and its password to the certificate user. The domain name in the certificate must match the domain name of the web page. Therefore, you need to configure the DNS server in advance so that it can correctly resolve the domain name of the built-in Portal page; only then can the web browser access the built-in Portal page of the device. When configuring an IP address for a service terminal, you also need to configure the DNS server. If the IP address is obtained automatically through a DHCP server, configure the IP address of the DNS server for the client on the DHCP server.

Solution

The trusted certificates need to be imported to the device. Generally, certificates issued by the CA include the CA certificate, local certificate, private key file of the local certificate, and password of the private key file. You need to import the CA certificate, local certificate, and private key file of the local certificate to the device through TFTP.

  1. Run the pki realm command to create a PKI domain. For example, create a PKI domain named test.

    <Huawei> system-view
    [Huawei] pki realm test
    [Huawei-pki-realm-test] quit
  2. Run the commands to import the CA certificate and the local certificate.

    The device supports three encoding formats for certificates and private key files: DER, PEM, and PKCS12. It is recommended that the CA provide the certificates and private key file in one of these three formats. Certificates and private key files in other formats must be converted before they can be imported.
    • The commonly used file name extensions of DER (ASCII) include .DER, .CER, and .CRT.
    • The commonly used file name extensions of PEM (Base64) include .PEM, .CER, and .CRT.
    • The commonly used file name extensions of PKCS12 include .P12 and .PFX.
    For a certificate with the file name extension of .CER or .CRT, you can use the text editor to open the certificate and view the content to check whether the DER or PEM format is used. If the certificate starts with "-----BEGIN CERTIFICATE-----" and ends with "-----END CERTIFICATE-----", the certificate format is PEM. If the certificate content is displayed as garbled characters, the certificate format is DER.
    A complete certificate chain contains CA certificates and a local certificate. There may be multiple CA certificates, which are provided by the CA directly and imported to the device. CA certificates are usually encoded in DER or PEM format. There is only one local certificate and a private key file that matches the local certificate. You can obtain the certificate chain using either of the following methods:
    • Method 1: The applicant provides only basic information (such as the domain name and user) to the CA; the CA issues the certificates and the private key file, and the device imports them. Note that the password is required when the private key file is imported. In this mode, the certificates and private key file are encoded in DER, PEM, or PKCS12 format. In DER or PEM format, the certificates and the private key file are separate files and must be imported separately. In PKCS12 format, the certificates and the private key are in the same file, so that one file is imported (with its password) whenever the certificates or the private key needs to be imported.
    • Method 2: The device generates a certificate request file. In this case, the private key is generated on the device. The applicant sends the request file to the CA, the CA issues certificates, and the device imports the certificates. Here, the certificates are usually encoded in DER or PEM format.
    • In V200R006, if the CA issues a CA certificate root.pem, local certificate local.pem, and private key file of the local certificate privatekey.pem, perform the following procedures:
      1. Import the CA certificate. You can run the pki import-certificate ca test pem command and perform operations as prompted.
        [Huawei] pki import-certificate ca test pem
         Please enter the name of certificate file <length 1-127>: root.pem
          The CA's Subject is CN=GeoTrust DV SSL CA,OU=Domain Validated SSL,O=GeoTrust Inc.,C=US
          The CA's fingerprint is:
            MD5  fingerprint: f4858289  ead55c53  b36d4b55  3f267837
            SHA1 fingerprint: bae30b15  dbb1544c  f194d076  b75b7bb9  e3d6b760
          Is the fingerprint correct? [Y/N]: y
          The CA's Subject is CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
          The CA's fingerprint is:
            MD5  fingerprint: 2e7db2a3  1d0e3da4  b25f49b9  542a2e1a
            SHA1 fingerprint: 7359755c  6df9a0ab  c3060bce  369564c8  ec4542a3
          Is the fingerprint correct? [Y/N]: y
         Successfully imported the certificate.
      2. Import the local certificate. You can run the pki import-certificate local test pem command and perform operations as prompted.
        [Huawei] pki import-certificate local test pem
         Please enter the name of certificate file <length 1-127>: local.pem
         You are importing a local certificate.
         You can directly enter "Enter" only when the local certificate is obtained by pkcs10 message.
         Please enter the name of private key file <length 1-127>: privatekey.pem
         Please enter the type of private key file(pem , p12 , der): pem
         The current password is required, please enter your password <length 1-31 >:**********
         Successfully to import the certificate.
    • In V200R007 and later versions,
      • The certificates and private key file in DER or PEM format are separated. When they are imported, only the file name extension is different and other parameters are the same. If the CA provides two CA certificates rootca.pem and middleca.pem, local certificate localcert.pem, and private key file local_privatekey.pem in PEM format, and they need to be imported to the PKI domain named test, perform the following procedures:
        1. Import CA certificates one by one. You can run the display pki certificate ca realm test command to view the imported certificates.
          [Huawei] pki import-certificate ca realm test pem filename rootca.pem
          [Huawei] pki import-certificate ca realm test pem filename middleca.pem
        2. Import the local certificate. You can run the display pki certificate local realm test command to view the imported certificate.
          [Huawei] pki import-certificate local realm test pem filename localcert.pem
        3. Import the private key file if the CA provides one; otherwise, skip this step. This example assumes that the password is set to Admin@123. You can run the display pki rsa local-key-pair name test public command to view the imported key.
          [Huawei] pki import rsa-key-pair test pem local_privatekey.pem password Admin@123
        4. Check whether the imported certificate matches the private key. If no matching key pair is found, check whether the imported file is correct.
          [Huawei] pki match-rsa-key certificate-filename localcert.pem
          Info: The file localcert.pem contains certificates 1.
          Info: Certificate 1 from file localcert.pem matches RSA key test.
          
      • The certificates and private key file in PKCS12 format are in the same file. If the CA provides two CA certificates rootca.pem and middleca.pem, local certificate, and private key file localcert.p12 in PKCS12 format, and they need to be imported to the PKI domain named test, perform the following procedures:
        1. Import CA certificates one by one. You can run the display pki certificate ca realm test command to view the imported certificates.
          [Huawei] pki import-certificate ca realm test pem filename rootca.pem
          [Huawei] pki import-certificate ca realm test pem filename middleca.pem
        2. Import the local certificate. You can run the display pki certificate local realm test command to view the imported certificate.
          [Huawei] pki import-certificate local realm test pkcs12 filename localcert.p12
        3. Import the private key file if the CA provides one; otherwise, skip this step. This example assumes that the password is set to Admin@123. You can run the display pki rsa local-key-pair name test public command to view the imported key.
          [Huawei] pki import rsa-key-pair test pkcs12 localcert.p12 password Admin@123
        4. Check whether the imported certificate matches the private key. If no matching key pair is found, check whether the imported file is correct.
          [Huawei] pki match-rsa-key certificate-filename localcert_local.cer
          Info: The file localcert_local.cer contains certificates 1.                                                                        
          Info: Certificate 1 from file localcert_local.cer matches RSA key test.
          
  3. Create a server SSL policy and bind the created PKI domain to the SSL policy.

    [Huawei] ssl policy test type server
    [Huawei-ssl-policy-test] pki realm test
    [Huawei-ssl-policy-test] quit
    
  4. Bind the server SSL policy to the HTTPS server. If an SSL policy has already been bound to the HTTPS server, the system asks whether to overwrite the existing one.

    [Huawei] http secure-server ssl-policy test
  5. Configure the domain name of the built-in Portal page on the device using the portal local-server url command. The domain name must be the same as the value of the Subject: CN field in the certificate. This example assumes that the domain name is test.com.

    [Huawei] portal local-server url test.com
  6. Configure the DNS server to resolve domain names. This step uses the device itself as the DNS server as an example. If another DNS server is used, skip this step and perform the configuration on that DNS server. When the device functions as the DNS server, its DNS functions are limited, so a dedicated DNS server is recommended. If the IP address of the Portal server is 192.168.25.1, enable the DNS proxy function and configure dynamic and static domain name resolution:

    [Huawei] dns proxy enable
    [Huawei] dns resolve
    [Huawei] ip host test.com 192.168.25.1
  7. Configure a free rule that allows DNS packets to pass, so that the terminal can reach the DNS server before authentication succeeds. This example assumes that the IP address of the DNS server is 192.168.101.1.

    • In V200R005, the configuration procedure is as follows:
      [Huawei] portal free-rule 0 destination ip 192.168.101.1 mask 255.255.255.255
    • In V200R006 and later versions, the configuration procedure is as follows:
      [Huawei] free-rule-template name default_free_rule
      [Huawei-free-rule-default_free_rule] free-rule 0 destination ip 192.168.101.1 mask 255.255.255.255
      [Huawei-free-rule-default_free_rule] quit
      [Huawei] authentication-profile name p1
      [Huawei-authentication-profile-p1] free-rule-template default_free_rule
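Before the CA's files are copied to the device through TFTP, the checks the procedure relies on in step 2 (PEM or DER by content, the CA fingerprint shown at the import prompt, and whether the local certificate matches the private key as pki match-rsa-key does) and in step 5 (the Subject CN must equal the portal domain) can be run on a workstation. This is an added example using the openssl command line, not part of the Huawei guide; the file names, the password Admin@123 and the domain test.com are the guide's example values, and the function names are assumptions.

```shell
#!/bin/sh
# Pre-flight checks on CA-issued files before they are copied to the AP via TFTP.
# Added example, not from the Huawei guide; it needs the openssl CLI. Assumed file
# names follow the guide (rootca.pem, localcert.pem, local_privatekey.pem) and the
# portal domain given to "portal local-server url" is assumed to be test.com.

# Tell PEM from DER by content, since .CER/.CRT files may be either.
cert_format() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then echo PEM; else echo DER; fi
}

# Subject CN: the name the browser compares with the address bar, so it must equal
# the domain configured with "portal local-server url".
cert_cn() {
  openssl x509 -in "$1" -inform "$(cert_format "$1")" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
cn_matches_portal() { [ "$(cert_cn "$1")" = "$2" ]; }

# SHA1 fingerprint in the 8-hex-digit groups the device prints at the
# "Is the fingerprint correct? [Y/N]" prompt, so the two can be compared by eye.
cert_fingerprint() {
  openssl x509 -in "$1" -inform "$(cert_format "$1")" -noout -fingerprint -sha1 |
    cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f' | sed -e 's/\(........\)/\1 /g' -e 's/ $//'
}

# Same check as "pki match-rsa-key" on the device: the public key inside the local
# certificate must equal the public half of the (password-protected) key file.
key_matches_cert() {
  c=$(openssl x509 -in "$1" -inform "$(cert_format "$1")" -noout -pubkey |
      openssl pkey -pubin -outform DER | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -passin "pass:$3" -pubout -outform DER | openssl dgst -sha256)
  [ "$c" = "$k" ]
}

# A PKCS12 bundle carries certificate and key in one file; split it so the same
# checks can be run on it.
p12_split() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$3" 2>/dev/null &&
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$4" 2>/dev/null
}

# The local certificate must chain to the CA certificate(s) that will be imported
# with "pki import-certificate ca"; the device's default self-signed certificate
# fails this check, which is exactly why the browser warns.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
```

Run the functions against the files in the order the device imports them; a CN mismatch or a failed chain check here means the browser warning will persist after the import.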
Updated: 2019-01-11

Document ID: EDOC1000176006
