H3C Technologies H3C S3600 Series Switches User Manual
[Switch-pki-entity-en] quit
# Create a PKI domain and configure it.
[Switch] pki domain 1
[Switch-pki-domain-1] ca identifier ca1
[Switch-pki-domain-1] certificate request from ra
[Switch-pki-domain-1] certificate request entity en
[Switch-pki-domain-1] quit
# Create the local RSA key pairs.
[Switch] public-key local create rsa
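# Retrieve the CA certificate. Before trusting it, compare its fingerprint with a value obtained from the CA over a separate trusted channel.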
[Switch] pki retrieval-certificate ca domain 1
# Request a local certificate.
[Switch] pki request-certificate domain 1
2) Configure an SSL server policy
# Create an SSL server policy named myssl.
[Switch] ssl server-policy myssl
# Specify the PKI domain for the SSL server policy as 1.
[Switch-ssl-server-policy-myssl] pki-domain 1
# Enable client authentication, so that the SSL server verifies the client's certificate during the handshake.
[Switch-ssl-server-policy-myssl] client-verify enable
[Switch-ssl-server-policy-myssl] quit
3) Configure Web authentication
# Set the IP address and port number of the Web authentication server.
[Sysname] web-authentication web-server ip 10.10.10.10 port 8080
# Configure Web authentication to run over HTTPS, using SSL server policy myssl.
[Switch] web-authentication protocol https server-policy myssl
# Enable Web authentication on Ethernet1/0/1 and set the user access method to designated.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] web-authentication select method designated
# Create RADIUS scheme radius1 and enter its view.
[Sysname] radius scheme radius1
# Set the IP address of the primary RADIUS authentication server.
[Sysname-radius-radius1] primary authentication 10.10.10.164
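# Make accounting optional, so that a user is not disconnected when accounting fails (such sessions may then have no accounting record).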
[Sysname-radius-radius1] accounting optional
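# Set the shared key (password) used to protect the messages exchanged between the switch and the
RADIUS authentication server. The value expert is only an example; use a long, random key that
matches the key configured on the RADIUS server.
[Sysname-radius-radius1] key authentication expert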