Virtual Site Configuration
Setting up the SSL VPN portal (Virtual Site)
1 Add a Virtual Site
2 Configure the virtual site SSL certificate
1.1 Global Mode and Virtual Site Mode
1.2 Overview of the SSL configuration
1.3 Generate a CSR
1.4 Import the virtual site certificate
1.5 Client certificate verification
1.6 LocalDB user authentication
Setting up the SSL VPN portal (Virtual Site)
Add a Virtual Site
To create a virtual site, assume its IP address is 192.168.1.2; this is the address of the Array SSL VPN portal, i.e. the address configured on the device port.
Virtual Sites > Virtual Sites > Virtual Sites
In the GUI, the new SSL VPN portal (virtual site) must be added while the top-left corner shows the Global Mode config state.
Fields:
Site Name: the English identifier of the site; pick something easy to remember, e.g. SPDemo
Site FQDN: fully qualified domain name, i.e. what users type into IE or another browser. If users log in by domain name, enter the domain name, e.g. spdemo.arraynetworks.com.cn; if they log in by IP address, enter the IP address, e.g. 192.168.1.2; if the site sits behind NAT, enter the NAT public address.
IP Address: the IP address of the virtual site
Port: the HTTPS port of the virtual site, default 443
Virtual Site Type: defaults to Exclusive, meaning the site has no sub-sites; otherwise it can be configured as share (shared) mode
Command line:
AN(config)# virtual site host <virtual_site_id> <domain_name> <vip> <port> <type>
virtual_site_id: site name
domain_name: FQDN
vip: virtual site IP address
AN(config)# ssl host virtual <ssl_host> <virtual_site_id>
ssl_host: use the same name as the FQDN
virtual_site_id: site name
Example:
AN(config)# virtual site host SPDemo 192.168.1.2 192.168.1.2 443 exclusive
AN(config)# ssl host virtual 192.168.1.22 SPDemo
Or:
AN(config)# virtual site host SPDemo spdemo.arraynetworks.com.cn 192.168.1.22 443 exclusive
AN(config)# ssl host virtual spdemo.arraynetworks.com.cn SPDemo
Use this command to check that the virtual site was created:
AN(config)# show virtual site host
Configure the virtual site SSL certificate
Global Mode and Virtual Site Mode
The SPX device has two configuration modes:
Global Mode: configures SPX-wide settings, such as the basic configuration described in the previous chapter and adding sites.
Virtual Site Mode: configures one site. Each site has its own configuration mode, so sites do not interfere with each other. A virtual site can be assigned its own administrator; the global administrator (array) can enter the configuration of any site.
Command to enter virtual site mode from global mode:
AN# switch <virtual_site_id>
Example: AN# switch SPDemo
The SSL settings of a virtual site are configured in virtual site config mode.
Overview of the SSL configuration
Before configuring, we recommend reading up on PKI, digital certificates, CAs and the SSL protocol; with that background the configuration is easy to follow.
First, the virtual site needs a certificate that clients can verify, so that a client can check whether it is talking to a trusted SSL VPN gateway. For this the SPX generates a CSR (certificate signing request), which is submitted to a CA (certificate authority) to issue the certificate.
If you have a CA, submit the CSR to it to obtain the virtual site certificate, then import the certificate into the SPX.
If you have no CA, the SPX can generate a self-signed certificate for you.
Client certificate verification is optional and is used when stronger client authentication is required. In that case you need a CA to issue client certificates, and that CA's trusted certificate chain must be imported into the SPX so it can verify the signatures on client certificates.
Generate a CSR
Command line:
AN(config)# switch SPDemo
SPDemo(config)# ssl csr
We will now gather some required information about your ssl virtual host.
This information is encoded into your certificate.
Two character country code for your organization (eg US): CN
State or province: beijing
location or local city: bj
Organization Name: arraynetworks
Organizational Unit: Training
email address of administrator: admin@example.com
Do you want the private key to be exportable [Yes/(No)]: No
GUI: (screenshot in the original document)
To view the generated CSR from the command line:
SPDemo(config)# show ssl csr
The output is the PEM-encoded request, from BEGIN CERTIFICATE REQUEST to END CERTIFICATE REQUEST; this is what you submit to the CA.
Import the virtual site certificate
Now submit the CSR generated above to your CA to issue the certificate. If you have no CA, the SPX can self-sign the certificate for you; for that you run:
SPDemo(config)# ssl start virtual site
Site Configuration > Security Settings > SSL Settings > General
If you have a CA that has signed the virtual site certificate, import it into the virtual site:
Example:
SPDemo(config)# ssl import certificate
You may overwrite an existing certificate file, type YES without quotes to continue: YES
Enter certificate, use '...' on a single line without quotes to terminate import:
-----BEGIN CERTIFICATE-----
MIICnjCANgcANgEUMA0GCSqGSIb3DQEBBAUAMIG5MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxHDAaBgNVBAoTE0NsaWNrQXJyYXkgTmV0d29yK4RHM11OClXVjm3xRhqKQnjzNboExIvkZsKIBbfLkBrM1eBnEaiYWXmsYGfxPkwdhKlQCLQgN+G3IKu2cRQLU
-----END CERTIFICATE-----
...
Note: finish the paste with '...' on a line of its own.
The certificate above is in PEM format. If yours is in a different format, import it via TFTP:
Command line:
SPDemo(config)# ssl import certificate
In this case the certificate must be available on a TFTP server.
GUI:
Site Configuration > SSL Certificates > Certificates > Import
Site Configuration > SSL Certificates > Certificates > Import Via TFTP
Use this command to view the SSL certificate:
SPDemo(config)# show ssl certificate
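The checks below are an added example, not part of the original document or the SPX CLI: it rebuilds the CSR with the same subject fields as the walkthrough using openssl, signs it with a stand-in CA (an assumption; the page does not name a CA), and then performs the checks worth running before `ssl import certificate`: the CSR's CN equals the site FQDN the ssl host is bound to, the issued certificate matches the private key, and it chains to the CA.

```shell
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Site FQDN and subject fields taken from the walkthrough above
FQDN="spdemo.arraynetworks.com.cn"
SUBJ="/C=CN/ST=beijing/L=bj/O=arraynetworks/OU=Training/CN=$FQDN/emailAddress=admin@example.com"

# Equivalent of `ssl csr`: new RSA key plus a CSR carrying the subject above
gen_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/site.key" \
    -out "$WORK/site.csr" -subj "$SUBJ" >/dev/null 2>&1
}

# Stand-in CA (assumed; replace with your real CA in practice)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -subj "/C=CN/O=Demo CA/CN=Demo Root CA" -days 365 >/dev/null 2>&1
}

# CA issues the site certificate from the CSR
sign_csr() {
  openssl x509 -req -in "$WORK/site.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/site.crt" -days 365 >/dev/null 2>&1
}

# Check 1: the CN in the CSR must equal the FQDN (what browsers will compare against)
csr_cn() {
  openssl req -noout -subject -in "$WORK/site.csr" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Check 2: the certificate returned by the CA must belong to the key generated on the device
cert_matches_key() {
  [ "$(openssl x509 -noout -pubkey -in "$WORK/site.crt")" = \
    "$(openssl pkey -in "$WORK/site.key" -pubout 2>/dev/null)" ]
}

# Check 3: the certificate must verify against the CA clients are expected to trust
chain_ok() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/site.crt" >/dev/null 2>&1
}
```

Run the three checks against the CSR and certificate you actually paste into `ssl import certificate`; a CN mismatch or a certificate issued for a different key is the usual cause of browser warnings after import.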
Client certificate verification
If you do not need to authenticate client certificates, skip this section.
The CA certificate must be imported into the SPX:
SPDemo(config)# ssl import rootca
This command is used to import the certificate of a trusted Certificate Authority. This will be utilized for the verification of client certificates. It must be present when client authentication is enabled for a virtual site.
Site Configuration > SSL Certificates > Trusted Root CA
Enable client certificate verification:
SPDemo(config)# ssl settings clientauth
This command allows the user to establish client authorization for the host. All SSL clients connecting to the specified virtual site will be required to present a client certificate before communication will be allowed to continue.
Site Configuration > Security Settings > SSL Settings > Client Authentication
LocalDB user authentication
User authentication is one of the more complex parts of SSL VPN, and a later chapter describes the various methods in detail. This section covers only the system default, Local DB, so that the basic configuration of the SSL VPN portal (virtual site) can be completed and tested.
SPDemo(config)# show run aaa
#aaa configuration
aaa on
aaa radius accounting off
aaa method localdb 1
For Local DB to work, you need to create a user database, associate it with the virtual site, and then add users or groups to it.
Create a new user database (global mode):
AN(config)# localdb database <database_name>
Example:
AN(config)# localdb database spdemo_db
Associate the database with the virtual site (command line):
AN(config)# localdb associate <virtual_site_id> <database_name>
Example:
AN(config)# localdb associate SPDemo spdemo_db
Global Resources > Local Database > Local Database
Add a new user login account (command line):
SPDemo(config)# localdb account <username> <password>
Example:
SPDemo(config)# localdb account user1 pass1
Local Users & Group > Local Users > Local User
Here UID and GID are options used for NFS; internal IP address and internal IP mask are used for static address assignment in L3 VPN, i.e. the address the user receives on the L3 VPN.
You can now log in at https://192.168.1.2 with the username and password to verify that the SSL VPN portal is working.