19 Configuring certificate authentication – H3C Technologies H3C Intelligent Management Center User Manual
19 Configuring certificate authentication
Certificate authentication is an advanced security authentication method. It authenticates users by using
a certificate rather than usernames and passwords.
UAM certificate authentication supports 802.1X access, portal access, and local authentication.
However, it does not support VPN or MAC address access, RSA, or roaming authentication. Some of the
certificate authentication methods support LDAP authentication.
Implementing local certificate authentication for 802.1X or portal users
1. Configure UAM:
   a. Manage the root certificate, server certificate, and certificate revocation list (CRL) in UAM.
      The CRL records revoked certificates. For more information, see "server certificate, and CRL in UAM."
   b. Add an access condition, policy, or service.
      An access condition and service can be added regardless of whether certificate authentication is configured. For more information, see "."
      When adding an access policy, you must enable certificate authentication. The certificate type can be EAP-TLS, EAP-TTLS, or EAP-PEAP. EAP-TTLS and EAP-PEAP each include the subtypes EAP-PEAP-MD5, EAP-PEAP-GTC, and EAP-PEAP-MSCHAPv2.
      EAP-PEAP-MD5 is an H3C proprietary EAP type and is used exclusively for LDAP authentication. When you use EAP-PEAP-MD5, iNode clients and UAM must cooperate with an LDAP server to implement LDAP authentication.
   c. Add an access device.
      See "."
   d. Add an access user.
      The supported authentication certificate types and subtypes vary by access user, as shown in Table 29. For more information about access user configuration, see "
Table 29 Authentication certificate types and subtypes supported by different access users
Access user type | Supported authentication certificate types and subtypes
Common access user | EAP-TLS, EAP-TTLS, EAP-PEAP-MSCHAPv2, EAP-PEAP-MD5, EAP-PEAP-GTC
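Before the root certificate, server certificate, and CRL from step 1a are imported, the files can be cross-checked offline. The script below is an added example, not part of the H3C manual or of UAM; it uses the standard openssl CLI, and the helper names check_bundle and make_demo_pki, the file names, and the subject names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the manual): check a root certificate, a certificate
# and a CRL with the openssl CLI before import. All names are constructed.
# check_bundle ROOT CERT CRL -> 0 ok, 1 chain/revocation failure, 2 CRL not signed by ROOT
check_bundle() {
    openssl crl -in "$3" -CAfile "$1" -noout 2>&1 | grep -q 'verify OK' || return 2
    openssl verify -crl_check -CAfile "$1" -CRLfile "$3" "$2" >/dev/null 2>&1 || return 1
}
# make_demo_pki DIR: throwaway root CA, a valid and a revoked certificate, and a CRL
make_demo_pki() (
    mkdir -p "$1" && cd "$1" || exit 1
    : > index.txt; echo 01 > serial
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_root
[dn]
[v3_root]
basicConstraints = critical,CA:TRUE
[ca]
default_ca = demo
[demo]
database = index.txt
serial = serial
new_certs_dir = .
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
[pol]
commonName = supplied
EOF
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo Root" -keyout root.key -out root.pem || exit 1
    for n in good revoked; do
        openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
            -subj "/CN=$n" -keyout "$n.key" -out "$n.csr" || exit 1
        openssl ca -batch -config ca.cnf -cert root.pem -keyfile root.key \
            -in "$n.csr" -out "$n.pem" || exit 1
    done
    openssl ca -config ca.cnf -cert root.pem -keyfile root.key -revoke revoked.pem &&
    openssl ca -config ca.cnf -cert root.pem -keyfile root.key -gencrl -out crl.pem
)
d=$(mktemp -d) && make_demo_pki "$d" >/dev/null 2>&1
check_bundle "$d/root.pem" "$d/good.pem" "$d/crl.pem" && echo "good: OK to import"
check_bundle "$d/root.pem" "$d/revoked.pem" "$d/crl.pem" || echo "revoked: rejected (rc=$?)"
```

With real files, only check_bundle is needed; a return code of 2 means the CRL was issued by a different CA than the root certificate being imported.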