29-Trusted access control commands
CSAP trusted access control commands
peer-service url
Use peer-service url to specify the peer service URL used for providing trusted access control services.
Use undo peer-service url to restore the default.
Syntax
peer-service url service-url
undo peer-service url
Default
No peer service URL is specified.
Views
CSAP trusted access controller view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
service-url: Specifies a peer service URL, a case-insensitive string of 1 to 255 characters. Question marks (?) are supported.
Usage guidelines
The device uses the peer service URL to access the Threat Discovery and Security Operations Platform (CSAP) trusted access controller in order to obtain security status of users and assets.
The peer service URL must be in the format protocol type://server IP address:port number/resource path.
· The protocol type is HTTP or HTTPS. The default is HTTP.
· The server IP address must be an IPv4 address. To specify an IPv6 address in the URL, enclose the IPv6 address in a pair of square brackets, for example, http://[1234::5678]:8080.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Configure peer service URL https://10.153.10.120:443 for the CSAP trusted access controller.
<Sysname> system-view
[Sysname] trusted-access controller csap
[Sysname-tac-csap] peer-service url https://10.153.10.120:443
rule
Use rule to configure a trusted access rule.
Use undo rule to restore the default.
Syntax
rule user-risk-level { fallen | high-risk | low-risk | trust } asset-risk-level { fallen | high-risk | low-risk | trust } action { allow | deny }
undo rule user-risk-level { fallen | high-risk | low-risk | trust } asset-risk-level { fallen | high-risk | low-risk | trust }
Default
See CSAP trusted access control configuration in Security Configuration Guide.
Views
CSAP trusted access policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
user-risk-level: Specifies the user security status.
asset-risk-level: Specifies the asset security status.
fallen: Specifies the compromised security status.
high-risk: Specifies the high-risk security status.
low-risk: Specifies the low-risk security status.
trust: Specifies the trusted security status.
action: Specifies the action to take on access requests.
allow: Permits requests from users to access assets.
deny: Denies requests from users to access assets.
Usage guidelines
Use this command to configure trusted access rules, which specify the action to take on a user's request to access an asset based on the security status of the user and the security status of the asset.
The device predefines 16 trusted access rules (one for each combination of user security status and asset security status) that can be edited. You cannot create or delete rules.
Examples
# In CSAP trusted access policy view, configure a rule that denies requests from users in high-risk security status to access assets in high-risk security status.
<Sysname> system-view
[Sysname] trusted-access policy csap
[Sysname-tap-csap] rule user-risk-level high-risk asset-risk-level high-risk action deny
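The rule matrix described above, as an added Python example that is not part of the command reference: the 16 predefined rules are modelled as a user-status by asset-status table that can be edited but never grown or shrunk, policy-view command lines are replayed against it, and an access request is decided. Starting every rule at deny is an assumed fail-closed stand-in for the documented defaults, and returning None while the policy is disabled is likewise an assumption.

```python
# Added example (not from the command reference): model the 16 predefined CSAP
# trusted access rules as a user-status x asset-status matrix that can be
# edited but never grown or shrunk, replay policy-view commands against it,
# and decide an access request.  Starting every cell at "deny" is an assumed
# fail-closed stand-in for the documented defaults.
LEVELS = ("fallen", "high-risk", "low-risk", "trust")
ACTIONS = ("allow", "deny")
ASSUMED_DEFAULT = "deny"

class TrustedAccessPolicy:
    def __init__(self):
        self.rules = {(u, a): ASSUMED_DEFAULT for u in LEVELS for a in LEVELS}
        self.enabled = False            # matches the "service enable" default

    def apply(self, command):
        """Apply one CSAP trusted access policy view command line."""
        w = command.split()
        undo = w[:1] == ["undo"]
        if undo:
            w = w[1:]
        if w == ["service", "enable"]:
            self.enabled = not undo
            return
        if len(w) < 5 or w[0] != "rule" or w[1] != "user-risk-level" \
                or w[3] != "asset-risk-level":
            raise ValueError("unsupported command: " + command)
        key = (w[2], w[4])
        if key not in self.rules:       # rules cannot be created, only edited
            raise ValueError("unknown security status in: " + command)
        if undo:
            self.rules[key] = ASSUMED_DEFAULT
        elif len(w) == 7 and w[5] == "action" and w[6] in ACTIONS:
            self.rules[key] = w[6]
        else:
            raise ValueError("rule needs action { allow | deny }: " + command)

    def evaluate(self, user_status, asset_status):
        """Return allow/deny for a request, or None when the policy is disabled
        (assumption: a disabled policy applies no asset access control)."""
        if not self.enabled:
            return None
        return self.rules[(user_status, asset_status)]

    def to_config(self):
        """Render the matrix as the 16 rule lines the device would hold."""
        return ["rule user-risk-level %s asset-risk-level %s action %s" % (u, a, act)
                for (u, a), act in sorted(self.rules.items())]
```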
service enable
Use service enable to enable the CSAP trusted access policy.
Use undo service enable to disable the CSAP trusted access policy.
Syntax
service enable
undo service enable
Default
The CSAP trusted access policy is disabled.
Views
CSAP trusted access policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Examples
# Enable the CSAP trusted access policy.
<Sysname> system-view
[Sysname] trusted-access policy csap
[Sysname-tap-csap] service enable
ssl-client-policy
Use ssl-client-policy to specify an SSL client policy used for establishing an SSL connection to the trusted access controller.
Use undo ssl-client-policy to restore the default.
Syntax
ssl-client-policy policy-name
undo ssl-client-policy
Default
No SSL client policy is specified for establishing an SSL connection to the trusted access controller.
Views
Trusted access controller view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
policy-name: Specifies an SSL client policy by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
This command is required if the protocol type of the peer service URL is HTTPS. When the device acts as an SSL client, the specified SSL client policy is used to encrypt traffic sent to the trusted access controller.
For a modified SSL client policy to take effect on a trusted access controller, you must delete the policy from the controller and then specify it again. For more information about SSL policies, see SSL configuration in Security Configuration Guide.
The CSAP trusted access controller does not support SSL client policies using the exp_rsa_des_cbc_sha, exp_rsa_rc2_md5, exp_rsa_rc4_md5, or rsa_des_cbc_sha encryption suite.
Examples
# Specify SSL client policy scp for the CSAP trusted access controller.
<Sysname> system-view
[Sysname] trusted-access controller csap
[Sysname-tac-csap] ssl-client-policy scp
Related commands
peer-service url
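The peer service URL format from the peer-service url section and the HTTPS requirement from the ssl-client-policy section, as an added Python example that is not part of the command reference: it validates a URL against protocol://server IP address:port number/resource path (IPv4 or bracketed IPv6 literal, question marks allowed, 1 to 255 characters), replays controller-view commands so the latest setting wins, and flags an HTTPS URL that has no ssl-client-policy. Treating the port as optional and returning an empty string for a missing resource path are assumptions.

```python
import ipaddress
import re

# Added example (not from the command reference): check a peer-service URL
# against the documented format protocol://ip:port/path and lint a controller
# view so an HTTPS URL is paired with an ssl-client-policy.  Treating the port
# as optional and returning "" for a missing path are assumptions.
URL_RE = re.compile(
    r"^(?:(?P<scheme>https?)://)?"           # protocol type; default is HTTP
    r"(?P<host>\[[0-9a-f:.]+\]|[0-9.]+)"     # [IPv6] literal or IPv4 literal
    r"(?::(?P<port>\d{1,5}))?"               # port number
    r"(?P<path>/.*)?$",                      # resource path, '?' allowed
    re.IGNORECASE,
)

def parse_peer_service_url(url):
    """Return (scheme, host, port, path); raise ValueError on a bad URL."""
    if not 1 <= len(url) <= 255:
        raise ValueError("service-url must be 1 to 255 characters")
    m = URL_RE.match(url)
    if not m:
        raise ValueError("expected protocol://server-ip:port/resource-path")
    host = m.group("host")
    # ipaddress rejects malformed literals; strip the brackets from IPv6 first
    ipaddress.ip_address(host[1:-1] if host.startswith("[") else host)
    port = int(m.group("port")) if m.group("port") else None
    if port is not None and not 1 <= port <= 65535:
        raise ValueError("port number out of range")
    return (m.group("scheme") or "http").lower(), host, port, m.group("path") or ""

def lint_controller_view(lines):
    """Replay controller-view commands in order (the latest setting wins)."""
    cfg = {"url": None, "ssl_policy": None, "vpn": None}
    for line in lines:
        w = line.split()
        undo = w[:1] == ["undo"]
        if undo:
            w = w[1:]
        if w[:2] == ["peer-service", "url"]:
            cfg["url"] = None if undo else parse_peer_service_url(w[2])
        elif w[:1] == ["ssl-client-policy"]:
            cfg["ssl_policy"] = None if undo else w[1]
        elif w[:1] == ["vpn-instance"]:
            cfg["vpn"] = None if undo else w[1]
    findings = []
    if cfg["url"] and cfg["url"][0] == "https" and not cfg["ssl_policy"]:
        findings.append("HTTPS peer service URL without an ssl-client-policy")
    return cfg, findings
```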
trusted-access controller csap
Use trusted-access controller csap to enter CSAP trusted access controller view.
Use undo trusted-access controller csap to delete the CSAP trusted access controller view and all its configurations.
Syntax
trusted-access controller csap
undo trusted-access controller csap
Default
The CSAP trusted access controller view does not exist.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
The device collaborates with the CSAP trusted access controller to obtain security status of users and assets, and controls access permissions for users to specific assets based on the specified trusted access policy.
Examples
# Enter CSAP trusted access controller view.
<Sysname> system-view
[Sysname] trusted-access controller csap
[Sysname-tac-csap]
trusted-access policy csap
Use trusted-access policy csap to enter CSAP trusted access policy view.
Use undo trusted-access policy csap to delete the CSAP trusted access policy view and all its configurations.
Syntax
trusted-access policy csap
undo trusted-access policy csap
Default
The CSAP trusted access policy view does not exist.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
A CSAP trusted access policy defines user access permissions to assets based on the security status of users and assets.
Based on the security status information obtained from the CSAP trusted access controller, the device uses the CSAP trusted access policy to implement asset access control.
Examples
# Enter CSAP trusted access policy view.
<Sysname> system-view
[Sysname] trusted-access policy csap
[Sysname-tap-csap]
vpn-instance
Use vpn-instance to specify a VPN instance for the trusted access controller.
Use undo vpn-instance to restore the default.
Syntax
vpn-instance vpn-instance-name
undo vpn-instance
Default
The trusted access controller belongs to the public network.
Views
CSAP trusted access controller view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters.
Examples
# Specify VPN instance vpn1 for the CSAP trusted access controller.
<Sysname> system-view
[Sysname] trusted-access controller csap
[Sysname-tac-csap] vpn-instance vpn1