manualshive.com logo in svg

H3C WA4600 Series, Руководство по базовой конфигурации, Страница: 55 / 119

Поделиться
Скачать
H3C WA4600 Series Скачать руководство пользователя страница 55

 

28 

# Create certificate attribute-based access control policy 

myacp

 and configure a certificate 

attribute-based access control rule, specifying that a certificate is considered valid when it matches 
an attribute rule in certificate attribute group 

myacp

.  

[AP] pki certificate access-control-policy myacp 

[AP-pki-cert-acp-myacp] rule 1 permit mygroup1 

[AP-pki-cert-acp-myacp] quit 

# Associate the HTTPS service with SSL server policy 

myssl

[AP] ip https ssl-server-policy myssl 

# Associate the HTTPS service with certificate attribute-based access control policy 

myacp

.  

[AP] ip https certificate access-control-policy myacp 

# Enable the HTTPS service.  

[AP] ip https enable 

# Create a local user named 

usera

, set the password to 

123

, and specify the Web service type. 

[AP] local-user usera 

[AP-luser-usera] password simple 123 

[AP-luser-usera] service-type web 

2.

 

Configure the host (HTTPS client):  
On the host, run the IE browser, and then enter 

http://10.1.2.2/certsrv

 in the address bar and 

request a certificate for the host as prompted.  

3.

 

Verify the configuration: 
On the host, enter

 https://10.1.1.1

 in the browser's address bar and then select the certificate 

issued by 

new-ca

. When the Web login page of the AP appears, enter the username 

usera

 and 

password 

123

 to log in to the Web interface.  

For more information about PKI configuration commands, SSL configuration commands, and the 

public-key local create rsa

 command, see 

Security Command Reference. 

 

Содержание WA4600 Series

Страница 1: ...ess Points Fundamentals Configuration Guide New H3C Technologies Co Ltd http www h3c com Software version WA4600 CMW520 R1507P09 WA4300 CMW520 R1507P09 WA4300S CMW520 R1507P09 Document version 6W101 2...

Страница 2: ...SecBlade Comware ITCMM and HUASAN are trademarks of New H3C Technologies Co Ltd All other trademarks that may be mentioned in this manual are the property of their respective owners Notice The informa...

Страница 3: ...ons used in the documentation Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown Italic Italic text represents arguments t...

Страница 4: ...or damage to hardware or software IMPORTANT An alert that calls attention to essential information NOTE An alert that contains additional or supplementary information TIP An alert that provides helpfu...

Страница 5: ...rovided in this document Examples in this document might use devices that differ from your device in hardware model configuration or software version It is normal that the port numbers sample output s...

Страница 6: ...d aliases 6 Configuring and using hotkeys 6 Enabling redisplaying entered but not submitted commands 7 Understanding command line error messages 8 Using the command history function 8 Viewing history...

Страница 7: ...xt represents arguments that you replace with actual values Square brackets enclose syntax choices keywords or arguments that are optional x y Braces enclose a set of required syntax choices separated...

Страница 8: ...o For example the prompt Sysname vlan100 shows that you are in VLAN 100 view and can configure attributes for that VLAN You are placed in user view immediately after you are logged in to the CLI The u...

Страница 9: ...connection to the device In public key code view use the public key code end command to return to the upper level view public key view In public key view use the peer public key end command to return...

Страница 10: ...ds and arguments If you type a question mark in place of a keyword the CLI displays all possible keyword matches with a brief description for each keyword For example Sysname terminal debugging Send d...

Страница 11: ...eyword for the incomplete one and displays what you entered in the next line If there is more than one match you can press Tab repeatedly to pick the keyword you want to enter If there is no match the...

Страница 12: ...ultiple aliases the system gives you a prompt Configuration procedure To configure a command keyword alias Step Command Remarks 1 Enter system view system view N A 2 Enable the command keyword alias f...

Страница 13: ...trl P Displays the previous command in the command history buffer Ctrl R Redisplays the current line Ctrl V Pastes text from the clipboard Ctrl W Deletes the word to the left of the cursor Ctrl X Dele...

Страница 14: ...ter sequence matches more than one command Too many parameters The entered character sequence contains excessive keywords or arguments Wrong parameter found at position The argument in the marked posi...

Страница 15: ...g the command history buffer size for user interfaces Step Command Remarks 1 Enter system view system view N A 2 Enter user interface view user interface first num1 last num1 console vty first num2 la...

Страница 16: ...pression option at the end of the command When the system pauses after displaying a screen of output enter a forward slash minus sign or plus sign and a regular expression to filter subsequent output...

Страница 17: ...mple string There is no such limit on A character group It is usually used with or 123A means a character group 123A 408 12 matches 40812 or 408121212 But it does not match 408 index Repeats the chara...

Страница 18: ...tring containing matches a string containing and b matches a string containing b The following are several regular expression examples Use begin user interface in the display current configuration com...

Страница 19: ...ll configuration commands except for those at manage level 3 Manage Includes commands that influence the basic operation of the system and commands for configuring system support modules By default co...

Страница 20: ...not configure the user privilege level the user privilege level depends on the default configuration of the authentication server For more information about the local user and authorization attribute...

Страница 21: ...m2 N A 3 Configure the authentication mode for any user who uses the current user interface to log in to the device authentication mode none password Optional By default the authentication mode for VT...

Страница 22: ...TP connection tracert Trace route function undo Cancel current setting Configure the device to perform password authentication for Telnet users and to authorize authenticated Telnet users to use the c...

Страница 23: ...DIUS server for remote authentication To use this mode you must perform the following configuration tasks Configure the required HWTACACS or RADIUS schemes and configure the ISP domain to use the sche...

Страница 24: ...n authentication mode Level switching authentication mode Information required for the first authentication mode Information required for the second authentication mode none password local Password co...

Страница 25: ...the change does not result in any security risk or maintenance problem To change the level of a command Step Command Remarks 1 Enter system view system view N A 2 Change the level of a command in a s...

Страница 26: ...ng in through SSH 16 Configuring the SSH server on the device 16 Using the device to log in to an SSH server 18 Displaying and maintaining CLI login 19 Logging in to the Web interface 20 Configuring H...

Страница 27: ...procedure 34 SNMP login control configuration example 35 Configuring Web login control 36 Configuring source IP based Web login control 36 Logging off online Web users 36 Web login control configurat...

Страница 28: ...vice complete the following configuration tasks Enable the SSH server function and configure SSH attributes Assign an IP address to a Layer 3 interface and make sure the interface and the SSH client c...

Страница 29: ...aces varies by device For a CLI login the device always picks the lowest numbered user interface from the idle user interfaces available for the type of login For example four VTY user interfaces 0 to...

Страница 30: ...console port in Table 3 Table 3 Default console port properties Parameter Default Bits per second 9600 bps Flow control None Parity None Stop bits 1 Data bits 8 To log in through the console port fro...

Страница 31: ...port settings are the same as listed in Table 3 On Windows Server 2003 add the HyperTerminal program first and then log in to and manage the device as described in this document On Windows Server 200...

Страница 32: ...to access the CLI For more information about AAA see Security Configuration Guide By default console login does not require authentication Any user can log in through the console port without authenti...

Страница 33: ...face console first number last number N A 3 Enable none authentication mode authentication mode none By default you can log in to the device through the console port without authentication and have us...

Страница 34: ...nd executed commands are recorded on the HWTACACS server Follow these guidelines when you configure scheme authentication for console login To make the command authorization or command accounting func...

Страница 35: ...al user view local user user name N A 9 Set an authentication password for the local user password cipher simple password N A 10 Specifies a command level of the local user authorization attribute lev...

Страница 36: ...r Telnet terminal or both are set to ANSI when the total number of characters of the currently edited command line exceeds 80 an anomaly such as cursor corruption or abnormal display of the terminal d...

Страница 37: ...s a Telnet server configure login authentication and user privilege levels for Telnet users The following are authentication modes available for controlling Telnet logins None Requires no authenticati...

Страница 38: ...N A 2 Enable Telnet server telnet server enable By default the Telnet server function is enabled 3 Enter one or multiple VTY user interface views user interface vty first number last number N A 4 Enab...

Страница 39: ...authorization is enabled a command is available only if the user has the commensurate user privilege level and is authorized to use the command by the AAA scheme Command accounting allows the HWTACAC...

Страница 40: ...tem view quit N A 8 Apply an AAA authentication scheme to the intended domain a Enter ISP domain view domain domain name b Apply an AAA scheme to the domain authentication default hwtacacs scheme hwta...

Страница 41: ...er one or multiple VTY user interface views user interface vty first number last number N A 3 Enable the terminal service shell Optional By default terminal service is enabled 4 Enable the user interf...

Страница 42: ...task the system automatically disconnect the Telnet session Using the device to log in to a Telnet server You can use the device as a Telnet client to log in to a Telnet server If the server is locat...

Страница 43: ...ble 7 SSH server and client requirements Device role Requirements SSH server Assign an IP address to a Layer 3 interface and make sure the interface and the client can reach each other Configure the a...

Страница 44: ...IUS or HWTACACS server The SSH client authentication method is password in this configuration procedure For more information about SSH and publickey authentication see Security Configuration Guide To...

Страница 45: ...password N A 13 Specify the command level of the user authorization attribute level level Optional 14 Specify SSH service for the user service type ssh N A 15 Exit to system view quit N A 16 Create an...

Страница 46: ...Display user interface information display user interface num1 console vty num2 summary begin exclude include regular expression Available in any view Display the configuration of the device when it s...

Страница 47: ...TTPS login are separate login methods To use HTTPS login you do not need to configure HTTP login Table 8 shows the basic Web login configuration requirements Table 8 Basic Web login configuration requ...

Страница 48: ...local user and enter local user view local user user name N A 9 Configure a password for the local user password cipher simple password N A 10 Specify the command level of the local user authorizatio...

Страница 49: ...Web login web captcha verification code Optional By default no fixed verification code is configured for Web login and a Web user must enter the verification code provided on the login page at login...

Страница 50: ...ional The default HTTPS service port number is 443 7 Associate the HTTPS service with an ACL ip https acl acl number By default the HTTPS service is not associated with any ACL The device allows only...

Страница 51: ...an interface id If the VLAN interface already exists the command enters its view You could replace this VLAN interface with any other Layer 3 interface as appropriate 17 Assign an IP address and subne...

Страница 52: ...e1 quit Create a local user named admin and set the password to admin for the user Specify the Web service type for the local user and set the command level to 3 for this user Sysname local user admin...

Страница 53: ...thorized users to access the AP s Web interface configure the AP as the HTTPS server and the host as the HTTPS client Request a certificate for each of them Figure 11 Network diagram Configuration pro...

Страница 54: ...f the modulus default 1024 Generating Keys Retrieve the CA certificate AP pki retrieval certificate ca domain 1 The trusted CA s finger print is MD5 fingerprint 3352 F952 0D8E FDF8 AB98 08ED 11D3 B005...

Страница 55: ...p Enable the HTTPS service AP ip https enable Create a local user named usera set the password to 123 and specify the Web service type AP local user usera AP luser usera password simple 123 AP luser u...

Страница 56: ...other as shown in Figure 12 This document describes only the basic SNMP configuration procedures on the device Figure 12 Network diagram IMPORTANT To make SNMP operate correctly make sure the SNMP set...

Страница 57: ...nt 3 Create or update MIB view information snmp agent mib view excluded included view name oid tree mask mask value Optional By default the MIB view name is ViewDefault and OID is 1 4 Configure the SN...

Страница 58: ...view Sysname system view Enable the SNMP agent Sysname snmp agent Configure an SNMP group Sysname snmp agent group v3 managev3group read view test write view test Add a user to the SNMP group Sysname...

Страница 59: ...CL and enter its view or enter the view of an existing basic ACL acl ipv6 number acl number name name match order config auto By default no basic ACL exists 3 Configure an ACL rule For IPv4 networks r...

Страница 60: ...e header ACLs apply to Telnet traffic only if the Telnet client and server are located in the same subnet To configure source MAC based Telnet login control Step Command Remarks 1 Enter system view sy...

Страница 61: ...user interface vty 0 4 Sysname ui vty0 4 acl 2000 inbound Configuring source IP based SNMP login control Use a basic ACL 2000 to 2999 to control SNMP logins by source IP address To access the request...

Страница 62: ...number SNMPv1 v2c user snmp agent usm user v1 v2c user name group name acl acl number SNMPv3 user snmp agent usm user v3 user name group name cipher authentication mode md5 sha auth password privacy...

Страница 63: ...ased Web login control Step Command Remarks 1 Enter system view system view N A 2 Create a basic ACL and enter its view or enter the view of an existing basic ACL acl ipv6 number acl number name name...

Страница 64: ...ork diagram Configuration procedure Create ACL 2000 and configure rule 1 to permit packets sourced from Host B Sysname system view Sysname acl number 2030 match order config Sysname acl basic 2030 rul...

Страница 65: ...on the FTP server 3 Switching to another user account 4 Maintaining and troubleshooting the FTP connection 4 Terminating the FTP connection 4 FTP client configuration example 4 Displaying and maintain...

Страница 66: ...operation mode varies depending on the FTP client program The device can act as the FTP client Figure 1 FTP application scenario Using the device as an FTP client To connect to an FTP server or enter...

Страница 67: ...the output interface is used as the source IP address 3 Return to user view quit N A 4 Log in to the remote FTP server Approach 1 Log in to the remote FTP server in user view ftp server address servic...

Страница 68: ...er image files 4 Use the lcd command to display the local working directory of the FTP client You can upload the file or save the downloaded file in this directory 5 Upload or download the file To wor...

Страница 69: ...otocol command N A Enable information display in a detailed manner verbose By default the function is enabled Enable FTP related debugging when the device acts as the FTP client debugging By default t...

Страница 70: ...31 Give me your password please Password 230 Logged in successfully Set the file transfer mode to binary ftp binary 200 Type set to I Download the system software image file wa2600a_fat bin ftp get wa...

Страница 71: ...y of the storage medium You can copy or move a file to the root directory Reboot the AP to upgrade the system software image Sysname reboot Displaying and maintaining FTP Task Command Remarks Display...

Страница 72: ...tes the old file that has the same name as it If file download is interrupted both old and new files are lost Secure download The new file is downloaded to memory and will not be written to Flash unti...

Страница 73: ...erver address get put sget source filename destination filename source interface interface type interface number ip source ip address For IPv6 tftp ipv6 tftp ipv6 server i interface type interface num...

Страница 74: ...lete unreserved file url command to delete unused files Details not shown Download system software image file wa2600a_fat bin from the PC Sysname tftp 1 2 1 1 get wa2600a_fat bin Upload a configuratio...

Страница 75: ...ng a file 2 Deleting restoring a file 2 Emptying the recycle bin 3 Managing directories 3 Displaying directory information 3 Displaying the current working directory 3 Changing the current working dir...

Страница 76: ...ment If the file is in a nested folder separate each folder name by a forward slash 1 to 135 characters test a cfg indicates a file named a cfg in the test folder in the current working directory driv...

Страница 77: ...isplayed Renaming a file Perform this task in user view Task Command Rename a file rename fileurl source fileurl dest Copying a file Perform this task in user view Task Command Copy a file copy fileur...

Страница 78: ...the recycle bin Step Command Remarks 1 Enter the original working directory of the file to be deleted in user view cd directory Skip this step if the original directory of the file is the current work...

Страница 79: ...les in the recycle bin if any Perform this task in user view Task Command Remove a directory rmdir directory Managing storage medium space CAUTION After a storage medium is formatted all files on it a...

Страница 80: ...the file system operation mode The file systems support the following operation modes alert The system warns you about operations that might cause problems such as file corruption and data loss To pre...

Страница 81: ...me pwd flash test Display the files and the subdirectories in the test directory Sysname dir Directory of flash test 0 drw Feb 16 2006 15 28 14 mytest 2540 KB total 2519 KB free Return to the upper di...

Страница 82: ...configuration rollback 4 Configuration task list 4 Configuring configuration archive parameters 4 Enabling automatic configuration archiving 5 Manually archiving running configuration 5 Performing con...

Страница 83: ...le You can view the current startup configuration in either of the following ways Execute the display startup command To view detailed file contents use the more command After the device reboots execu...

Страница 84: ...upted or unavailable the device starts up with the factory defaults You can specify a main or backup next startup configuration file directly see Specifying a configuration file for the next startup o...

Страница 85: ...complete If a reboot or power failure occurs during the save operation the next startup configuration file is still retained Use the safe mode if the power source is not reliable or you are remotely c...

Страница 86: ...ion task list Task Remarks Configuring configuration archive parameters Required Enabling automatic configuration Manually archiving running configuration Required Perform either task Performing confi...

Страница 87: ...ling automatic configuration archiving Make sure you have set an archive path and file name prefix before performing this task To enable automatic configuration archiving Step Command Remarks 1 Enter...

Страница 88: ...not result in a valid undo command For example if the undo form designed for the A B C command is undo A C the configuration rollback function cannot undo the A B C command because the system does no...

Страница 89: ...me N A Restoring the next startup configuration file from a TFTP server To download a configuration file from a TFTP server to the device and specify the file as the next startup configuration file pe...

Страница 90: ...the file is still used as the main file To delete the file you must also execute the reset saved configuration main command Perform the following task in user view Task Command Delete the next startup...

Страница 91: ...g a patch step by step 7 Uninstalling a patch step by step 8 Displaying and maintaining software upgrade 9 Software upgrade examples 9 Reboot method software upgrade example 9 Hotfix method software u...

Страница 92: ...ystem software Upgrading method Software types Remarks Upgrading from the CLI Reboot approach BootWare image System software image excluding patches You must reboot the entire device to complete the u...

Страница 93: ...ge medium has been partitioned the file must be saved on the first partition 2 Read or upgrade BootWare on the device bootrom read update file file url all part N A 3 Reboot the device reboot N A Upgr...

Страница 94: ...re formally released to users Temporary patches are interim solutions that are provided to fix critical bugs They are not formally released A common patch always includes the functions of its previous...

Страница 95: ...pports up to 200 patches Figure 3 Patches that are not loaded to the patch memory area DEACTIVE state Patches in DEACTIVE state have been loaded to the patch memory area but have not yet run in the sy...

Страница 96: ...states in the system The patches that are in ACTIVE state change to the DEACTIVE state at a reboot Figure 5 Patches are activated RUNNING state After you confirm ACTIVE patches their states change to...

Страница 97: ...s the first three characters of the value for the Version field in the output from the display patch information command If a patch file is not correctly named the system cannot identify the file If t...

Страница 98: ...oading a patch file Required Activating patches Required Confirming ACTIVE patches Optional Specifying the patch file location For reliable patch loading H3C recommends saving patch files to the root...

Страница 99: ...boot you must change its state to RUNNING To activate patches Step Command 1 Enter system view system view 2 Activate patches patch active patch number Confirming ACTIVE patches To have an ACTIVE patc...

Страница 100: ...ormation about the system software image display boot loader begin exclude include regular expression Available in any view Display information about the patch package display patch begin exclude incl...

Страница 101: ...r aaa service type ftp FTP Server luser aaa authorization attribute work directory flash aaa 2 Configure the AP Log in to the FTP server the prompt may vary with servers AP ftp 2 2 2 2 Trying 2 2 2 2...

Страница 102: ...ver function Details not shown Save the patch file patch_xxx bin to the directory of the TFTP server Details not shown 2 Configure the AP CAUTION Make sure the flash of the AP has sufficient space for...

Страница 103: ...ized access to the original configuration file H3C recommends that you disable the password recovery feature If the password recovery feature is disabled a console user must restore the factory defaul...

Страница 104: ...H3C Technologies Co Ltd Compiled Date Mar 27 2017 CPU Type APM86791 CPU L1 Cache 32KB CPU Clock Speed 1000MHz Memory Type SDRAM Memory Size 256MB BootWare Size 512KB Flash Size 16MB CPLD Version 001 P...

Страница 105: ...tion will be lost save current configuration Y N n Info Now replacing the current configuration Please wait Info Succeeded in replacing current configuration with the file startup cfg Set a new consol...

Страница 106: ...uration file Save the configuration to the default configuration file Sysname save Handling user password loss when password recovery is disabled Enter 5 in the extended BootWare menu to restore the f...

Страница 107: ...uring the maximum number of concurrent users 6 Configuring the exception handling method 7 Rebooting the device 7 Rebooting devices immediately at the CLI 7 Scheduling a device reboot 8 Scheduling job...

Страница 108: ...management depends on an accurate system time setting because the timestamps of system messages and logs use the system time For NTP configuration see Network Management and Monitoring Configuration...

Страница 109: ...the daylight saving time range The system time increases by summer offset clock summer time ss one off 00 30 2005 1 1 1 00 2005 8 8 2 03 00 00 ss Sat 01 01 2005 If the original system time plus summer...

Страница 110: ...off 1 00 2007 1 1 1 00 2007 8 8 2 02 00 00 zone time Sat 01 01 2005 Original system clock zone offset outside the daylight saving time range Original system clock zone offset summer offset clock time...

Страница 111: ...nter system view system view N A 3 Set the time zone clock timezone zone name add minus zone offset Optional Coordinated UTC time zone by default 4 Set a daylight saving time scheme Set a non recurrin...

Страница 112: ...put text including the command keywords and the delimiters cannot exceed 510 characters In this mode do not press Enter before you input the end delimiter For example you can configure the shell banne...

Страница 113: ...rks 1 Enter system view system view N A 2 Configure the login banner header login text Optional 3 Configure the legal banner header legal text Optional 4 Configure the shell banner header shell text O...

Страница 114: ...ion before a reboot Use the display startup and display boot loader commands to verify that you have correctly set the startup configuration file and the main system software image file If the main sy...

Страница 115: ...mand is reached the job automatically executes the command If a confirmation is required while the command is running the system automatically enters Y or Yes If characters are required the system aut...

Страница 116: ...the system time and date or configure NTP for the device For NTP configuration see Network Management and Monitoring Configuration Guide In the modular approach Every job can have only one view and u...

Страница 117: ...specific time time time id one off repeating at time month date month day week day week daylist command command Configure a command to run after a delay time time id one off repeating delay time comma...

Страница 118: ...bit interface indexes and keep one interface index match one interface name for network management After deleting a logical interface the device retains its 16 bit interface index so the same index c...

Страница 119: ...ature modules display diagnostic information begin exclude include regular expression Available in any view Display device temperature information display environment begin exclude include regular exp...

Отзывы:

Нет отзывов