production networks. Alcatel-Lucent strongly recommends that you replace the default certificate with a
custom certificate issued for your site or domain by a trusted Certificate Authority (CA). This section describes
how to generate a Certificate Signing Request (CSR) to submit to a CA and how to import the signed certificate
received from the CA into the switch.
The switch supports client authentication using digital certificates for specific user-centric network services,
such as AAA FastConnect, VPN (see Virtual Private Networks on page 346), and WebUI and SSH management
access. Each service can employ different sets of client and server certificates.
During certificate-based authentication, the switch provides its server certificate to the client for
authentication. After validating the switch’s server certificate, the client presents its own certificate to the
switch for authentication. To validate the client certificate, the switch checks the certificate revocation list (CRL)
maintained by the CA that issued the client certificate. After validating the client’s certificate, the switch can
check the user name in the certificate with the configured authentication server (this action is optional and
configurable).
When using X.509 certificates for authentication, if a banner message has been configured on the switch, it displays
before the user can log in. Click on a “login” button after viewing the banner message to complete the login process.
About Digital Certificates
Clients and the servers to which they connect may hold authentication certificates that validate their identities.
When a client connects to a server for the first time, or the first time since its previous certificate has expired or
been revoked, the server requests that the client transmit its authentication certificate. The client’s certificate is
then verified against the CA which issued it. Clients can also request and verify the server’s authentication
certificate. For some applications, such as 802.1X authentication, clients do not need to validate the server
certificate for the authentication to function.
Digital certificates are issued by a CA which can be either a commercial, third-party company or a private CA
controlled by your organization. The CA is trusted to authenticate the owner of the certificate before issuing a
certificate. A CA-signed certificate guarantees the identity of the certificate holder. This is done by comparing
the digital signature on a client or server certificate to the signature on the certificate for the CA. When CA-
signed certificates are used to authenticate clients, the switch checks the validity of client certificates using
certificate revocation lists (CRLs) maintained by the CA that issued the certificate.
Digital certificates employ public key infrastructure (PKI), which requires a private-public key pair. A digital
certificate is associated with a private key, known only to the certificate owner, and a public key. A certificate
encrypted with a private key is decrypted with its public key. For example, party A encrypts its certificate with
its private key and sends it to party B. Party B decrypts the certificate with party A’s public key.
Obtaining a Server Certificate
Best practice is to replace the default server certificate in the switch with a custom certificate issued for your
site or domain by a trusted CA. To obtain a security certificate for the switch from a CA:
1. Generate a Certificate Signing Request (CSR) on the switch using either the WebUI or CLI.
2. Submit the CSR to a CA. Copy and paste the output of the CSR into an email and send it to the CA of your
choice.
3. The CA returns a signed server certificate and the CA’s certificate and public key.
4. Install the server certificate, as described in Importing Certificates on page 857.
There can be only one outstanding CSR at a time in the switch. Once you generate a CSR, you need to import the CA-
signed certificate into the switch before you can generate another CSR.
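The procedure above, walked through in a lab with OpenSSL as an added example (this is not code from the AOS-W guide, and the switch's own WebUI/CLI commands for step 1 are not reproduced here): a constructed private CA stands in for the CA of your choice, the switch's key pair and CSR are generated with OpenSSL instead of on the switch, and three checks that are worth running on the returned certificate before importing it are shown. The hostname switch.lab.example and the CA name are assumptions.

```shell
#!/bin/sh
# Added example: CSR -> CA -> signed server certificate, with pre-import checks.
# The switch hostname and the "Lab Private CA" are constructed lab values.
set -eu
WORK="$(mktemp -d)"
SWITCH_CN="switch.lab.example"

# Stand-in for your organization's private CA (the CA of your choice in step 2).
make_lab_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Lab Private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Step 1: key pair plus CSR (done here with OpenSSL rather than on the switch).
make_csr() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$SWITCH_CN" \
    -keyout "$WORK/switch.key" -out "$WORK/switch.csr" >/dev/null 2>&1
}

# Step 3: the CA signs the CSR and returns the server certificate.
sign_csr() {
  openssl x509 -req -in "$WORK/switch.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/switch.crt" >/dev/null 2>&1
}

# Check 1: the returned certificate must carry the CSR's public key; otherwise it
# will not pair with the private key that stayed on the switch.
cert_matches_csr() {
  [ "$(openssl x509 -in "$WORK/switch.crt" -noout -pubkey | openssl dgst -sha256)" = \
    "$(openssl req -in "$WORK/switch.csr" -noout -pubkey | openssl dgst -sha256)" ]
}

# Check 2: the certificate chains to the CA certificate you will import alongside it.
cert_chains_to_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/switch.crt" >/dev/null 2>&1
}

# Check 3: the subject is the hostname you requested in the CSR.
cert_subject_is_switch() {
  openssl x509 -in "$WORK/switch.crt" -noout -subject | grep -q "CN *= *$SWITCH_CN"
}

# Run the whole flow; the check functions can then be called individually.
run_flow() {
  make_lab_ca && make_csr && sign_csr
}
run_flow
```

A certificate that fails check 1 usually means the CSR was regenerated after submission, which is exactly why the switch allows only one outstanding CSR at a time.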
AOS-W 6.5.3.x | User Guide Management Access | 855