Table of Contents
Advertisement
Configuring Switch-Based Authentication
Information About Configuring Switch-Based Authentication
1.
TGT = ticket granting ticket
2.
KDC = key distribution center
3.
KEYTAB = key table
4.
SRVTAB = server table
Kerberos Operation
A Kerberos server can be a switch that is configured as a network security server and that can authenticate remote users
by using the Kerberos protocol. Although you can customize Kerberos in a number of ways, remote users attempting to
access network services must pass through three layers of security before they can access network services.
To authenticate to network services by using a switch as a Kerberos server, remote users must follow these steps:
1.
Authenticating to a Boundary Switch, page 160
2.
Obtaining a TGT from a KDC, page 160
3.
Authenticating to Network Services, page 160
Authenticating to a Boundary Switch
This section describes the first layer of security through which a remote user must pass. The user must first authenticate
to the boundary switch. This process then occurs:
1.
The user opens an un-Kerberized Telnet connection to the boundary switch.
2.
The switch prompts the user for a username and password.
3.
The switch requests a TGT from the KDC for this user.
4.
The KDC sends an encrypted TGT that includes the user identity to the switch.
5.
The switch attempts to decrypt the TGT by using the password that the user entered.
• If the decryption is successful, the user is authenticated to the switch.
• If the decryption is not successful, the user repeats Step 2 either by reentering the username and password
(noting if Caps Lock or Num Lock is on or off) or by entering a different username and password.
A remote user who initiates a un-Kerberized Telnet session and authenticates to a boundary switch is inside the firewall,
but the user must still authenticate directly to the KDC before getting access to the network services. The user must
authenticate to the KDC because the TGT that the KDC issues is stored on the switch and cannot be used for additional
authentication until the user logs on to the switch.
Obtaining a TGT from a KDC
This section describes the second layer of security through which a remote user must pass. The user must now
authenticate to a KDC and obtain a TGT from the KDC to access network services.
Authenticating to Network Services
This section describes the third layer of security through which a remote user must pass. The user with a TGT must now
authenticate to the network services in a Kerberos realm.
160
- Quick Links:
- Configuration Overview
Hide quick links:
Advertisement
Chapters
Table of Contents
Troubleshooting
