Obtaining A Tgt From A Kdc; Authenticating To Network Services; Configuring Kerberos - Cisco 3845 - Security Bundle Router Software Manual
Software configuration guide
Hide thumbs
Also See for 3845 - Security Bundle Router:
- Manual (94 pages) ,
- Quick start manual (38 pages) ,
- Hardware installation manual (418 pages)
Table of Contents
Advertisement
Controlling Switch Access with Kerberos
5.
A remote user who initiates a un-Kerberized Telnet session and authenticates to a boundary switch is
inside the firewall, but the user must still authenticate directly to the KDC before getting access to the
network services. The user must authenticate to the KDC because the TGT that the KDC issues is stored
on the switch and cannot be used for additional authentication until the user logs on to the switch.
Obtaining a TGT from a KDC
This section describes the second layer of security through which a remote user must pass. The user must
now authenticate to a KDC and obtain a TGT from the KDC to access network services.
For instructions about how to authenticate to a KDC, see the "Obtaining a TGT from a KDC" section in
the "Security Server Protocols" chapter of the Cisco IOS Security Configuration Guide, Release 12.2, at
this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfkerb.html
Authenticating to Network Services
This section describes the third layer of security through which a remote user must pass. The user with
a TGT must now authenticate to the network services in a Kerberos realm.
For instructions about how to authenticate to a network service, see the "Authenticating to Network
Services" section in the "Security Server Protocols" chapter of the Cisco IOS Security Configuration
Guide, Release 12.2, at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfkerb.html
Configuring Kerberos
So that remote users can authenticate to network services, you must configure the hosts and the KDC in
the Kerberos realm to communicate and mutually authenticate users and network services. To do this,
you must identify them to each other. You add entries for the hosts to the Kerberos database on the KDC
and add KEYTAB files generated by the KDC to all hosts in the Kerberos realm. You also create entries
for the users in the KDC database.
When you add or create entries for the hosts and users, follow these guidelines:
•
•
•
Note
A Kerberos server can be a Cisco ME switch that is configured as a network security server and that can
authenticate users by using the Kerberos protocol.
To set up a Kerberos-authenticated server-client system, follow these steps:
•
Cisco ME 3800X and 3600X Switch Software Configuration Guide
8-34
The switch attempts to decrypt the TGT by using the password that the user entered.
•
If the decryption is successful, the user is authenticated to the switch.
If the decryption is not successful, the user repeats Step 2 either by re-entering the username
•
and password (noting if Caps Lock or Num Lock is on or off) or by entering a different username
and password.
The Kerberos principal name must be in all lowercase characters.
The Kerberos instance name must be in all lowercase characters.
The Kerberos realm name must be in all uppercase characters.
Configure the KDC by using Kerberos commands.
Chapter 8
Configuring Switch-Based Authentication
OL-23400-01
- Quick Links:
- Vlan Features
Hide quick links:
Advertisement
Chapters
Table of Contents
Troubleshooting
