NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01
Controlling Certificate Access Based on Certificate Attributes

The access control policy based on certificate attributes is an additional check on top of certificate-based authentication: only certificates that meet the configured requirements pass authentication. This gives fine-grained control over user access permissions.

Context

When certificate verification is used to establish an IPSec tunnel, it may be required that only certificates meeting specific requirements are accepted for tunnel establishment. For example, only certificates issued by a specific CA may be accepted. You can also configure an access control policy that accepts only the certificates of specific devices, so that only those devices can establish IPSec tunnels. This gives fine-grained control over user access permissions.

If the information in a certificate matches none of the rules in the access control policy, the NE20E performs the default action of the access control policy, which is permit. As a result, the certificate can still be authenticated.

Procedure

  • Configure the access control policy based on certificate attributes.

    NOTE:
    • If multiple attribute rules are configured in a certificate attribute group, the rules are combined with "And": the action defined for the certificate attribute group is applied only if the certificate to be authenticated matches all the rules in the group.
    • If multiple control rules are configured in an access control policy based on certificate attributes, the rules are combined with "Or": the action defined in the access control policy is applied as soon as the certificate to be authenticated matches one rule. Subsequent rules are not evaluated.
    • If multiple access control policies based on certificate attributes are configured in the system, the policies are matched one by one. If the certificate to be authenticated matches no control policy, the action of the default access control policy is applied.

    1. Run system-view

      The system view is displayed.

    2. Run pki certificate attribute-group group-name

      A certificate attribute group is created and the view of the certificate attribute group is displayed.

    3. Run the following commands to configure certificate attribute rules:

      • Run attribute id alt-subject-name fqdn { ctn | equ | nctn | nequ } attribute-value

        The attribute rule for matching a specific FQDN in an alternative subject name is configured.

      • Run attribute id alt-subject-name ip { ctn | equ | nctn | nequ } ip-address

        The attribute rule for matching a specific IP address in an alternative subject name is configured.

      • Run attribute id issuer-name dn { ctn | equ | nctn | nequ } attribute-value

        The attribute rule for matching a specific certificate issuer name is configured.

      • Run attribute id subject-name dn { ctn | equ | nctn | nequ } attribute-value

        The attribute rule for matching a specific certificate subject name is configured.

    4. Run quit

      Return to the system view.

    5. Run pki certificate access-control-policy policy-name

      The access control policy based on certificate attributes is created and the view of the access control policy is displayed.

    6. Run rule id { permit | deny } group-name

      The control rules for certificate attributes are configured.

    7. Run commit

      The configuration is committed.

  • Configure the default access control policy based on certificate attributes.
    1. Run system-view

      The system view is displayed.

    2. Run pki certificate access-control-policy default { deny | permit }

      The default access control policy based on certificate attributes is configured.

      If the certificate access control policy is not required during negotiation for establishing an IPSec tunnel, run the pki certificate access-control-policy default permit command to permit the certificate to be authenticated.

    3. Run commit

      The configuration is committed.
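The rule semantics in the note above (attribute rules ANDed inside a group, control rules ORed inside a policy with first match winning, default policy action when nothing matches) are easy to get wrong when ordering permit and deny rules. The following Python model, added here as an illustration and not code from the NE20E or from Huawei, evaluates constructed certificates against a constructed configuration that mirrors the commands in both procedures. The interpretation of the operator keywords (ctn = contains, equ = equals, nctn = does not contain, nequ = not equal) and all names and values are this example's assumptions.

```python
"""Model of certificate-attribute access control as described on this page.

Assumed operator meanings: ctn = contains, equ = equals, nctn = does not
contain, nequ = not equal. All names, values and certificates are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Certificate = Dict[str, str]  # attribute keyword -> value read from the certificate


@dataclass(frozen=True)
class AttributeRule:
    """One 'attribute id <attr> { ctn | equ | nctn | nequ } value' line."""
    attr: str   # "issuer-name dn", "subject-name dn", "alt-subject-name fqdn", "alt-subject-name ip"
    op: str
    value: str

    def matches(self, cert: Certificate) -> bool:
        actual = cert.get(self.attr, "")
        if self.op == "equ":
            return actual == self.value
        if self.op == "nequ":
            return actual != self.value
        if self.op == "ctn":
            return self.value in actual
        if self.op == "nctn":
            return self.value not in actual
        raise ValueError(f"unknown operator: {self.op}")


@dataclass
class AttributeGroup:
    """'pki certificate attribute-group <name>': rules are ANDed."""
    name: str
    rules: Dict[int, AttributeRule] = field(default_factory=dict)

    def matches(self, cert: Certificate) -> bool:
        return all(r.matches(cert) for r in self.rules.values())


@dataclass
class AccessControlPolicy:
    """'pki certificate access-control-policy <name>': rules are ORed, first hit wins."""
    name: str
    rules: Dict[int, Tuple[str, str]] = field(default_factory=dict)  # id -> (action, group)


def evaluate(cert: Certificate, groups: Dict[str, AttributeGroup],
             policies: List[AccessControlPolicy], default_action: str = "permit") -> str:
    """Return 'permit' or 'deny', walking policies and their rules in id order."""
    for policy in policies:
        for rule_id in sorted(policy.rules):
            action, group_name = policy.rules[rule_id]
            if groups[group_name].matches(cert):
                return action  # later rules and policies are not evaluated
    return default_action  # 'pki certificate access-control-policy default { deny | permit }'


def constructed_config():
    """Constructed configuration equivalent to this CLI (names and values are made up):

        pki certificate attribute-group corp-routers
          attribute 1 issuer-name dn ctn O=Example Corp
          attribute 2 alt-subject-name fqdn ctn .branch.example.com
        pki certificate attribute-group any-example-host
          attribute 1 alt-subject-name fqdn ctn example.com
        pki certificate access-control-policy ipsec-peers
          rule 1 permit corp-routers
          rule 2 deny any-example-host
        pki certificate access-control-policy default deny
    """
    groups = {
        "corp-routers": AttributeGroup("corp-routers", {
            1: AttributeRule("issuer-name dn", "ctn", "O=Example Corp"),
            2: AttributeRule("alt-subject-name fqdn", "ctn", ".branch.example.com"),
        }),
        "any-example-host": AttributeGroup("any-example-host", {
            1: AttributeRule("alt-subject-name fqdn", "ctn", "example.com"),
        }),
    }
    policies = [AccessControlPolicy("ipsec-peers", {
        1: ("permit", "corp-routers"),
        2: ("deny", "any-example-host"),
    })]
    return groups, policies


def decide(cert: Certificate, default_action: str = "deny") -> str:
    """Evaluate a certificate against the constructed configuration."""
    groups, policies = constructed_config()
    return evaluate(cert, groups, policies, default_action)


# Constructed certificates, reduced to the attributes the rules look at.
BRANCH_ROUTER = {"issuer-name dn": "CN=Example Root CA,O=Example Corp",
                 "alt-subject-name fqdn": "r1.branch.example.com"}
LAB_HOST = {"issuer-name dn": "CN=Example Root CA,O=Example Corp",
            "alt-subject-name fqdn": "r9.lab.example.com"}
THIRD_PARTY = {"issuer-name dn": "O=Other Org",
               "alt-subject-name fqdn": "gw.other.net"}

if __name__ == "__main__":
    for label, cert in [("branch router", BRANCH_ROUTER), ("lab host", LAB_HOST),
                        ("third party", THIRD_PARTY)]:
        print(f"{label}: {decide(cert)}")
```

The branch router matches both groups, but rule 1 (permit) is hit first, so rule 2 (deny) is never evaluated. The lab host fails the AND in corp-routers (its FQDN is not under .branch.example.com) and falls through to the deny rule. The third-party certificate matches nothing and gets the default policy action, which is why the default is set explicitly: left at permit, that certificate would be accepted.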

Updated: 2019-01-02

Document ID: EDOC1100055397
