How do I configure NE TLS client authentication?

Purpose

This procedure describes TLS client configurations for NEs. For TLS server configurations, see “How do I configure NE TLS server authentication?”.

TLS configurations are distributed to NEs using the NFM-P policy framework; see “Policies overview” in the NSP NFM-P User Guide.

Steps
 

Step 1. Choose Administration→Security→NE TLS Authentication from the NFM-P main menu. The NE TLS Authentications form opens.


Step 2. Configure a TLS client cipher list.

  1. To create a new client cipher list, click Create→TLS Client Cipher List. The TLS Client Cipher List (Create|Edit) form opens.

    To modify an existing client cipher list, choose TLS Client Cipher List (NE Security) in the object drop-down of the NE TLS Authentications form, click Search, select a cipher list, and click Properties.

  2. If you are creating a new cipher list, enter a name for the Client Cipher List in the General tab.

  3. Click on the TLS Client Cipher List Param tab. You can configure up to eight parameter entries for the cipher list.

  4. Click Create, or choose an entry in the list and click Properties. The TLS Client Cipher List Param form opens.

  5. Configure the cipher list parameters.

  6. Save your changes and close the form.

  7. Click on the TLS 1.3 Client Cipher List Param tab. You can configure up to eight parameter entries for the cipher list.

  8. Click Create, or choose an entry in the list and click Properties. The TLS 1.3 Client Cipher List Param form opens.

  9. Configure the required parameters.

  10. Save your changes and close the form.

  11. Save your changes on the TLS Client Cipher List (Create|Edit) form and distribute the list to the required NEs.


Step 3. Configure a TLS trust anchor profile.

  1. To create a trust anchor profile, click Create→TLS Trust Anchor Profile. The TLS Trust Anchor Profile (Create|Edit) form opens.

    To modify a trust anchor profile, choose TLS Trust Anchor Profile (NE Security) in the object drop-down of the NE TLS Authentications form, click Search, select a trust anchor profile, and click Properties.

  2. If you are creating a new profile, configure the Trust Anchor Profile Name on the General tab.

  3. Click on the TLS Trust Anchors tab to add PKI certificate authority profiles.

  4. Click Create, or choose a Trust Anchor CA Profile entry in the list and click Properties. The TLS Trust Anchor Entry form opens.

  5. Select a Certificate Authority Profile. At least one PKI certificate authority profile must be selected; see “How do I configure a PKI certificate authority profile?”.

  6. Save your changes and close the form.

  7. Save your changes on the TLS Trust Anchor Profile (Create|Edit) form and distribute the profile to the required NEs.


Step 4. Configure a TLS certificate profile.

  1. To create a new TLS certificate profile, click Create→TLS Certificate Profile.

    To modify an existing certificate profile, choose TLS Certificate Profile (NE Security) in the object drop-down of the NE TLS Authentications form, click Search, select a certificate profile, and click Properties.

    The TLS Certificate Profile (Create|Edit) form opens.

  2. If you are creating a new certificate profile, configure the Displayed Name parameter on the General tab.

  3. Click on the TLS Certificate Profile Entry tab and configure the required parameters.

  4. Click on the Send Chain tab to add the required PKI certificate authority profiles.

  5. Click Create. The TLS Certificate CA Profile Entry form opens.

  6. Select a Certificate Authority Profile; see “How do I configure a PKI certificate authority profile?”.

  7. Save your changes and close the TLS Certificate CA Profile Entry form.

  8. On the TLS Certificate Profile (Create|Edit) form, configure the Administrative State parameter if required.

  9. Save your changes and distribute the profile to the required NEs.


Note: The TLS client profile can be associated with a RADIUS server. For information, see “How do I configure an NE RADIUS authentication policy?”.

Step 5. Configure a TLS client profile.

  1. To create a new TLS client profile, click Create→TLS Client Profile. The TLS Client Profile (Create|Edit) form opens.

    To modify an existing client profile, choose TLS Client Profile (NE Security) in the object drop-down of the NE TLS Authentications form, click Search, select a client profile, and click Properties.

  2. If you are creating a new client profile, configure the Displayed Name parameter.

  3. Select a Cipher List; see Step 2.

  4. Select a Trust Anchor Profile; see Step 3.

  5. Select a Certificate Profile; see Step 4.

  6. Select TLS client group list and TLS Client Signature List profiles.

  7. Configure the required parameters.

  8. Save your changes on the TLS Client Profile form and distribute the profile to the required NEs.


Step 6. Close the NE TLS Authentications form.

End of steps
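
The limits and dependencies in this procedure (up to eight parameter entries per cipher list tab, at least one CA profile per trust anchor profile, a client profile that selects a cipher list, trust anchor profile and certificate profile) can be checked against a rollout plan before any form is opened. The following is an added example, not NFM-P or Nokia code: the dict layout, key names, profile names and NE names are hypothetical, and it assumes that every object a client profile selects must also be distributed to each NE that receives the client profile.

```python
# Added planning check; data layout and all names are constructed for illustration.
MAX_PARAM_ENTRIES = 8  # limit stated for each cipher list parameter tab

# Constructed sample plan: two deliberate mistakes are embedded below.
SAMPLE_PLAN = {
    "cipher_lists": {
        "cl-1": {"param_entries": [1, 2], "tls13_param_entries": [1],
                 "nes": ["ne-a", "ne-b"]}},
    "trust_anchor_profiles": {
        "ta-1": {"ca_profiles": [], "nes": ["ne-a", "ne-b"]}},  # no CA profile
    "cert_profiles": {
        "cert-1": {"nes": ["ne-a"]}},                           # ne-b missing
    "client_profiles": {
        "client-1": {"cipher_list": "cl-1", "trust_anchor_profile": "ta-1",
                     "cert_profile": "cert-1", "nes": ["ne-a", "ne-b"]}},
}

# Client profile field -> plan section that holds the selected object.
REFERENCES = {"cipher_list": "cipher_lists",
              "trust_anchor_profile": "trust_anchor_profiles",
              "cert_profile": "cert_profiles"}


def check_plan(plan):
    """Return a sorted list of problems found in a planned TLS client rollout."""
    problems = []
    for name, cl in plan["cipher_lists"].items():
        for tab in ("param_entries", "tls13_param_entries"):
            if len(cl.get(tab, [])) > MAX_PARAM_ENTRIES:
                problems.append(
                    f"cipher list {name}: more than {MAX_PARAM_ENTRIES} {tab}")
    for name, ta in plan["trust_anchor_profiles"].items():
        if not ta.get("ca_profiles"):
            problems.append(f"trust anchor profile {name}: no CA profile selected")
    for name, cp in plan["client_profiles"].items():
        for field, section in REFERENCES.items():
            ref = cp.get(field)
            target = plan[section].get(ref)
            if target is None:
                problems.append(f"client profile {name}: {field} {ref!r} is not defined")
                continue
            # Assumption: the selected object must exist on every NE that
            # receives the client profile.
            for ne in sorted(set(cp["nes"]) - set(target["nes"])):
                problems.append(
                    f"client profile {name}: {field} {ref!r} not distributed to {ne}")
    return sorted(problems)


if __name__ == "__main__":
    for problem in check_plan(SAMPLE_PLAN):
        print(problem)
```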