Configuring A Certificate-Based Access Control Policy - HPE FlexNetwork 5510 HI Series Security Configuration Manual
Hide thumbs
Also See for FlexNetwork 5510 HI Series:
- Configuration manual (572 pages) ,
- Mpls configuration manual (505 pages) ,
- Layer 3 - ip routing configuration manual (486 pages)
Table of Contents
Advertisement
To remove a certificate:
Step
1.
Enter system view.
2.
Remove a certificate.
Configuring a certificate-based access control
policy
Certificate-based access control policies allow you to authorize access to a device (for example, an
HTTPS server) based on the attributes of an authenticated client's certificate.
A certificate-based access control policy is a set of access control rules (permit or deny statements),
each associated with a certificate attribute group. A certificate attribute group contains multiple
attribute rules, each defining a matching criterion for an attribute in the certificate issuer name,
subject name, or alternative subject name field.
If a certificate matches all attribute rules in a certificate attribute group associated with an access
control rule, the system determines that the certificate matches the access control rule. In this
scenario, the match process stops, and the system performs the access control action defined in the
access control rule.
The following conditions describe how a certificate-based access control policy verifies the validity of
a certificate:
•
If a certificate matches a permit statement, the certificate passes the verification.
•
If a certificate matches a deny statement or does not match any statements in the policy, the
certificate is regarded invalid.
•
If a statement is associated with a non-existing attribute group, or the attribute group does not
have attribute rules, the certificate matches the statement.
•
If the certificate-based access control policy referenced by a security application (for example,
HTTPS) does not exist, all certificates in the application pass the verification.
To configure a certificate-based access control policy:
Step
1.
Enter system view.
2.
Create a certificate attribute
group and enter its view.
3.
(Optional.)
attribute rule for issuer name,
subject name, or alternative
subject name.
4.
Return to system view.
5.
Create a certificate-based
access control policy and
enter its view.
Command
system-view
pki delete-certificate domain domain-name { ca
| local | peer [ serial serial-num ] }
Command
system-view
pki certificate attribute-group
group-name
attribute id { alt-subject-name
Configure
an
{ fqdn | ip } | { issuer-name |
subject-name } { dn | fqdn | ip } }
{ ctn | equ | nctn | nequ}
attribute-value
quit
pki
access-control-policy
policy-name
certificate
238
Remarks
N/A
If you use the peer
keyword
specifying
a
number, the command
removes
all
certificates.
Remarks
N/A
By default, no certificate attribute
groups exist.
By default, not attribute rules are
configured.
N/A
By default, no certificate-based
access control policy exists.
without
serial
peer
- Quick Links:
- Radius
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
