Configuring a certificate-based access control policy
Certificate-based access control policies allow you to authorize access to a device (for example, an HTTPS server) based on the attributes of an authenticated client's certificate.
A certificate-based access control policy is a set of access control rules (permit or deny statements), each associated with a certificate attribute group. A certificate attribute group contains multiple attribute rules, each defining a matching criterion for an attribute in the certificate issuer name, subject name, or alternative subject name field.
If a certificate matches all attribute rules in a certificate attribute group associated with an access control rule, the system determines that the certificate matches the access control rule. In this scenario, the match process stops, and the system performs the access control action defined in the access control rule.
The following conditions describe how a certificate-based access control policy verifies the validity of a certificate:
If a certificate matches a permit statement, the certificate passes the verification.
If a certificate matches a deny statement or does not match any statements in the policy, the certificate is regarded invalid.
If a statement is associated with a non-existing attribute group, or the attribute group does not have attribute rules, the certificate matches the statement.
If the certificate-based access control policy specified for a security application (for example, HTTPS) does not exist, all certificates in the application pass the verification.
To configure a certificate-based access control policy:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a certificate attribute group and enter its view. | pki certificate attribute-group group-name | By default, no certificate attribute groups exist. |
3. (Optional.) Configure an attribute rule for issuer name, subject name, or alternative subject name. | attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } { ctn | equ | nctn | nequ} attribute-value | By default, not attribute rules are configured. |
4. Return to system view. | quit | N/A |
5. Create a certificate-based access control policy and enter its view. | pki certificate access-control-policy policy-name | By default, no certificate-based access control policies exist. |
6. Create a certificate access control rule. | rule [ id ] { deny | permit } group-name | By default, no certificate access control rules are configured, and all certificates can pass the verification. You can create multiple certificate access control rules for a certificate-based access control policy. |