Kerberos Operation; Authenticating To A Boundary Switch - Cisco WS-C3020 Software Configuration Manual

Controlling Switch Access with Kerberos
Table 7-2 Kerberos Terms (continued)
Term
Service credential
SRVTAB
TGT
1. TGT = ticket granting ticket
2. KDC = key distribution center
3. KEYTAB = key table
4. SRVTAB = server table

Kerberos Operation

A Kerberos server can be a switch that is configured as a network security server and that can
authenticate remote users by using the Kerberos protocol. Although you can customize Kerberos in a
number of ways, remote users attempting to access network services must pass through three layers of
security before they can access network services.
To authenticate to network services by using a switch as a Kerberos server, remote users must follow
these steps:
1.
2.
3.

Authenticating to a Boundary Switch

This section describes the first layer of security through which a remote user must pass. The user must
first authenticate to the boundary switch. This process then occurs:
1.
2.
3.
4.
5.
A remote user who initiates a un-Kerberized Telnet session and authenticates to a boundary switch is
inside the firewall, but the user must still authenticate directly to the KDC before getting access to the
network services. The user must authenticate to the KDC because the TGT that the KDC issues is stored
on the switch and cannot be used for additional authentication until the user logs on to the switch.
Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide
7-34
Definition
A credential for a network service. When issued from the KDC, this credential is encrypted with
the password shared by the network service and the KDC. The password is also shared with the
user TGT.
A password that a network service shares with the KDC. In Kerberos 5 or later Kerberos
versions, SRVTAB is referred to as KEYTAB.
Ticket granting ticket that is a credential that the KDC issues to authenticated users. When users
receive a TGT, they can authenticate to network services within the Kerberos realm represented
by the KDC.
Authenticating to a Boundary Switch, page 7-34
Obtaining a TGT from a KDC, page 7-35
Authenticating to Network Services, page 7-35
The user opens an un-Kerberized Telnet connection to the boundary switch.
The switch prompts the user for a username and password.
The switch requests a TGT from the KDC for this user.
The KDC sends an encrypted TGT that includes the user identity to the switch.
The switch attempts to decrypt the TGT by using the password that the user entered.
If the decryption is successful, the user is authenticated to the switch.
•
If the decryption is not successful, the user repeats Step 2 either by re-entering the username
•
and password (noting if Caps Lock or Num Lock is on or off) or by entering a different username
and password.
Chapter 7 Configuring Switch-Based Authentication
OL-8915-03