H3C Technologies H3C S12500 Series Switches User Manual
Page 50
Step / Command / Remarks

5. Associate the HTTPS service with a certificate attribute-based access control policy.
Command: ip https certificate access-control-policy policy-name
Remarks: Optional.
By default, the HTTPS service is not associated with any certificate-based attribute access control policy.
The switch uses the associated policy to control client access rights.
You must configure the client-verify enable command and at least one permit rule in the SSL server policy. Otherwise, no clients can log in through HTTPS.
For more information about certificate attribute-based access control policies, see the chapter on PKI in Security Configuration Guide.

6. Specify the HTTPS service port number.
Command: ip https port port-number
Remarks: Optional.
The default HTTPS service port is 443.

7. Associate the HTTPS service with an ACL.
Command: ip https acl acl-number
Remarks: By default, the HTTPS service is not associated with any ACL.
The switch allows only clients permitted by the associated ACL to log in.

8. Set the HTTPS user authentication mode.
Command: web https-authorization mode { auto | manual }
Remarks: Optional.
The default HTTPS user authentication mode is manual.
In manual mode, a user must enter the correct username and password to log in through HTTPS.
In auto mode, the device first authenticates users by their certificates:
• If the certificate is correct and not expired, the CN field in the certificate is used as the username to perform AAA authentication. If the authentication succeeds, the Web interface of the device appears on the user's terminal.
• If the certificate is correct and not expired, but the AAA authentication fails, the device shows the Web login page and the user must enter the correct username and password to log in.
• If the certificate is incorrect or expired, the HTTPS connection is terminated.

9. Create a local user and enter local user view.
Command: local-user user-name
Remarks: By default, no local user is configured.

10. Configure a password for the local user.
Command: password { cipher | simple } password
Remarks: By default, no password is configured for the local user.
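The following audit script is an added example, not part of the H3C manual: it reads saved configuration text and reports the conditions described in steps 5 to 10 (a certificate access control policy associated without client-verify enable, no ACL on the HTTPS service, auto authentication mode, and local users set with password simple). The function name, finding codes and both sample configurations are constructed for illustration; the script assumes view sub-commands are indented in the configuration text, and it does not check for the permit rule mentioned in step 5.

```python
import re

# Constructed configuration text for illustration; not taken from the manual.
WEAK = """\
ip https certificate access-control-policy acp-web
web https-authorization mode auto
local-user admin
 password simple Example-Pass-1
"""
FIXED = """\
ssl server-policy web-ssl
 client-verify enable
ip https certificate access-control-policy acp-web
ip https acl 2000
local-user admin
 password cipher CONSTRUCTED-PLACEHOLDER
"""

def audit_https_config(config):
    """Return (code, message) findings for the HTTPS login settings of steps 5 to 10."""
    findings, acp, acl, mode, user = [], None, None, "manual", None
    raw_lines = [ln for ln in config.splitlines() if ln.strip()]
    # Limitation: looks for client-verify enable anywhere, not in one specific SSL server policy.
    client_verify = any(ln.strip() == "client-verify enable" for ln in raw_lines)
    for raw in raw_lines:
        ln = raw.strip()
        if not raw[0].isspace():
            user = None  # assumption: a non-indented line ends the current local user view
        if m := re.fullmatch(r"ip https certificate access-control-policy (\S+)", ln):
            acp = m.group(1)
        elif m := re.fullmatch(r"ip https acl (\d+)", ln):
            acl = m.group(1)
        elif m := re.fullmatch(r"web https-authorization mode (auto|manual)", ln):
            mode = m.group(1)
        elif m := re.fullmatch(r"local-user (\S+)", ln):
            user = m.group(1)
        elif user and re.fullmatch(r"password simple \S+", ln):
            # assumption: 'simple' means the password is handled as plaintext
            findings.append(("SIMPLE_PASSWORD", f"local user {user} uses 'password simple'"))
    if acp and not client_verify:
        findings.append(("LOCKOUT", f"policy {acp} is associated but client-verify enable is missing; no client can log in through HTTPS"))
    if acl is None:
        findings.append(("NO_ACL", "no ACL is associated with the HTTPS service"))
    if mode == "auto":
        findings.append(("AUTO_MODE", "certificate CN is used as the AAA username; if AAA fails, the login page is shown"))
    return findings
```

Calling audit_https_config(WEAK) returns four findings, and audit_https_config(FIXED) returns an empty list.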