Example: Configuring a certificate-based access control policy
Network configuration
As shown in Figure 108, the host accesses the device through HTTPS.
Configure a certificate-based access control policy on the device to authenticate the host and verify the validity of the host's certificate.
Figure 108: Network diagram
Procedure
Create PKI domain domain1 to be used by SSL. (Details not shown.)
Request an SSL server certificate for the device from the CA server. (Details not shown.)
Configure the HTTPS server:
# Configure an SSL server policy named abc.
<Device> system-view [Device] ssl server-policy abc [Device-ssl-server-policy-abc] pki-domain domain1 [Device-ssl-server-policy-abc] client-verify enable [Device-ssl-server-policy-abc] quit
# Apply SSL server policy abc to the HTTPS server.
[Device] ip https ssl-server-policy abc
# Enable the HTTPS server.
[Device] ip https enable
Configure certificate attribute groups:
# Create a certificate attribute group named mygroup1 and add two attribute rules. The first rule defines that the DN in the subject DN contains the string of aabbcc. The second rule defines that the IP address of the certificate issuer is 10.0.0.1.
[Device] pki certificate attribute-group mygroup1 [Device-pki-cert-attribute-group-mygroup1] attribute 1 subject-name dn ctn aabbcc [Device-pki-cert-attribute-group-mygroup1] attribute 2 issuer-name ip equ 10.0.0.1 [Device-pki-cert-attribute-group-mygroup1] quit
# Create a certificate attribute group named mygroup2 and add two attribute rules. The first rule defines that the FQDN in the alternative subject name does not contain the string of apple. The second rule defines that the DN of the certificate issuer name contains the string of aabbcc.
[Device] pki certificate attribute-group mygroup2 [Device-pki-cert-attribute-group-mygroup2] attribute 1 alt-subject-name fqdn nctn apple [Device-pki-cert-attribute-group-mygroup2] attribute 2 issuer-name dn ctn aabbcc [Device-pki-cert-attribute-group-mygroup2] quit
Configure a certificate-based access control policy:
# Create a certificate-based access control policy named myacp.
[Device] pki certificate access-control-policy myacp
# Define a statement to deny the certificates that match the attribute rules in certificate attribute group mygroup1.
[Device-pki-cert-acp-myacp] rule 1 deny mygroup1
# Define a statement to permit the certificates that match the attribute rules in certificate attribute group mygroup2.
[Device-pki-cert-acp-myacp] rule 2 permit mygroup2 [Device-pki-cert-acp-myacp] quit
# Apply certificate-based access control policy myacp to the HTTPS server.
[Device] ip https certificate access-control-policy myacp
Verifying the configuration
# On the host, access the HTTPS server through a Web browser.
The server first verifies the validity of the host's certificate according to the configured certificate-based access control policy. In the host's certificate, the subject DN is aabbcc, the IP address of the certificate issuer is 1.1.1.1, and the FQDN of the alternative subject name is banaba.
The host's certificate does not match certificate attribute group mygroup1 specified in rule 1 of the certificate-based access control policy. The certificate continues to match against rule 2.
The host's certificate matches certificate attribute group mygroup2 specified in rule 2. Because rule 2 is a permit statement, the certificate passes the verification and the host can access the HTTPS server.