
Alcatel-Lucent AOS-W 6.5.3.x - OCSP Configuration for AOS-W VIA

Alcatel-Lucent AOS-W 6.5.3.x
Configuring the SSH Pubkey User with RCP
The RCP checks the revocation status of the SSH user's client certificate before permitting access. If the revocation check fails, the user is denied access through the ssh-pubkey authentication method. The user can still authenticate with a username and password if one is configured, so an RCP failure blocks only the certificate path: a user who must be limited to certificate-based access should not also have a password configured. This feature allows the ssh-pubkey management user to be optionally configured with a Revocation Checkpoint (RCP). It meets the requirement for two-factor authentication and integrates device management with the PKI for SSH pubkey authentication. The AOS-W implementation of SSH pubkey authentication is designed for integration with smart cards or other technologies that use X.509 certificates.
In this example, a user is configured without an RCP (certificate name client2-rg, username test2, management role root):
(host)(config) #mgmt-user ssh-pubkey client-cert client2-rg test2 root
Displaying Revocation Checkpoint for the SSH Pubkey User
The column REVOCATION CHECKPOINT displays the RCP configured for the ssh-pubkey user. If no RCP is configured for the user, the word none is displayed.
In the WebUI
Navigate to Configuration > Management > Administration.
The column SSH Revocation Checkpoint displays the RCP configured (if any) for the ssh-pubkey user.
In the CLI
(host)#show mgmt-user ssh-pubkey
Removing the SSH Pubkey User
In the WebUI
1. Navigate to Configuration > Management > Administration.
2. Click Delete next to the management user you want to delete.
In the CLI
(host)(config) #no mgmt-user ssh-pubkey client-cert <certname> <username>
OCSP Configuration for AOS-W VIA
In AOS-W 6.5, the OCSP configuration for AOS-W VIA is simplified: the following configuration parameters have been removed:
• ocsp-responder ike-url (OCSP responder's URL for IKE)
• ocsp-responder eap-url (OCSP responder's URL for EAP)
• ocsp-responder ike-cn (OCSP responder's CN for IKE)
• ocsp-responder eap-cn (OCSP responder's CN for EAP)
These values are now taken directly from the certificate being verified instead of from static configuration; the responder URL, for example, is the one the certificate carries in its Authority Information Access (AIA) extension, the standard location for it. A client certificate issued without an OCSP entry in its AIA extension therefore cannot be checked through this mechanism, so confirm that the issuing CA populates the extension before relying on it. The WebUI path and the CLI command to enable OCSP certificate verification are as follows.
In the WebUI
To enable the OCSPcertificate verification in the WebUI, perform the following steps:
1. Navigate to Configuration > Advanced Services > All Profiles.
AOS-W 6.5.3.x | User Guide Certificate Revocation | 304