Cisco WS-C2948G-GE-TX Configuration Manual page 452

Catalyst 4500 series switch
Understanding How Authentication Works
Table 30-1 Kerberos Terminology (continued)

Term                           Definition
SRVTAB                         A password that a network service shares with the KDC. The network service authenticates an encrypted service credential by using the SRVTAB (also known as a KEYTAB) to decrypt it.
Ticket granting ticket (TGT)   A credential that the KDC issues to authenticated users. When users receive a TGT, they can authenticate to network services within the Kerberos realm represented by the KDC.

Telnet clients and servers through both the console and the in-band management port can be Kerberized.

Note: Kerberos authentication does not work if TACACS+ is used as the authentication mechanism.

Note: If you are logged in to the console through a modem or a terminal server, you cannot use a Kerberized login procedure.

Using a Kerberized Login Procedure

You can use a Kerberized Telnet session if you are logging in through the in-band management port. After the Telnet client and services have been Kerberized, the following process takes place when a user attempts to Telnet to the switch:

1. The Telnet client asks the user for the username and issues a request for a TGT to the KDC on the Kerberos server.
2. The KDC creates the TGT, which contains the user's identity, the KDC's identity, and the TGT's expiration time. The KDC then encrypts the TGT with the user's password and sends the TGT to the client.
3. When the Telnet client receives the encrypted TGT, it prompts the user for the password. If the Telnet client can decrypt the TGT with the entered password, the user is successfully authenticated to the KDC. The client then builds a service credential request and sends this request to the KDC. This request contains the user's identity and a message saying that it wants to Telnet to the switch. This request is encrypted using the TGT.
4. When the KDC successfully decrypts the service credential request with the TGT that it issued to the client, it builds a service credential for the switch. The service credential contains the client's identity and the identity of the desired Telnet server. The KDC then encrypts the credential with the password that it shares with the switch's Telnet server, encrypts the resulting packet with the Telnet client's TGT, and sends this packet to the client.
5. The Telnet client decrypts the packet first with its TGT. If decryption is successful, the client then sends the resulting packet to the switch's Telnet server. At this point, the packet is still encrypted with the password that the switch's Telnet server and the KDC share.
6. If the Telnet client has been instructed to do so, it forwards the TGT to the switch. This process ensures that the user does not need to get another TGT in order to use another network service from the switch.

Figure 30-1 shows the Kerberos Telnet connection process.

Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Software Configuration Guide—Release 8.2GLX
Chapter 30, Configuring Switch Access Using AAA, page 30-6, 78-15908-01
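The Kerberized Telnet exchange described in steps 1 through 5 above, modeled end to end as an added example (this is not Cisco code and not code from the configuration guide): a toy KDC, a Telnet client and the switch's Telnet server pass the sealed credentials the steps describe, and the switch admits the user it finds inside the credential it can open with its SRVTAB. The realm, principal names, password and lifetimes are invented for the demonstration, and the encryption is a SHA-256 keystream with an HMAC-SHA256 tag standing in for a real Kerberos encryption type. The model also exercises two failure modes the text implies: a wrong password cannot decrypt the TGT, and an expired TGT is refused by the KDC.

```python
"""Toy model of the Kerberized Telnet login in the text (added example, not
Cisco code).  seal()/unseal() stand in for a Kerberos etype; names, realm and
lifetimes are constructed for the demonstration."""
import hashlib
import hmac
import json
import os
import time
from typing import Optional

REALM = "EXAMPLE.COM"              # assumed realm
SWITCH_SVC = "telnet/switch-4500"  # assumed service principal of the switch's Telnet server


def string2key(password: str, principal: str) -> bytes:
    """Derive a long-term key from a password (PBKDF2 stands in for Kerberos string2key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), f"{principal}@{REALM}".encode(), 20_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Decrypt with the given key; a wrong key or a tampered blob fails the tag check."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("cannot decrypt: wrong key or tampered credential")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    def __init__(self, users: dict, srvtabs: dict, lifetime: int = 8 * 3600):
        self.users = users            # principal -> long-term key derived from the user's password
        self.srvtabs = srvtabs        # service principal -> SRVTAB key shared with that service
        self.krbtgt = os.urandom(32)  # KDC's own key, so the TGT is opaque to everyone else
        self.lifetime = lifetime

    def get_tgt(self, user: str, now: float) -> bytes:
        """Step 2: build the TGT (user, KDC identity, expiry) and return it sealed under the user's key.
        As in the text, the TGT is issued before the password is checked; the check happens
        when the client tries to decrypt it."""
        skey = os.urandom(32).hex()   # session key the client uses to "encrypt with the TGT"
        tgt = {"user": user, "kdc": f"krbtgt/{REALM}", "expires": now + self.lifetime, "skey": skey}
        return seal(self.users[user], {"tgt": seal(self.krbtgt, tgt).hex(), "skey": skey})

    def get_service_credential(self, sealed_tgt: str, sealed_req: bytes, now: float) -> bytes:
        """Step 4: verify the request against the TGT, then issue a credential sealed with the SRVTAB key."""
        tgt = unseal(self.krbtgt, bytes.fromhex(sealed_tgt))
        if tgt["expires"] < now:
            raise ValueError("TGT expired")
        skey = bytes.fromhex(tgt["skey"])
        req = unseal(skey, sealed_req)              # only the holder of this TGT could have built it
        if req["user"] != tgt["user"]:
            raise ValueError("request identity does not match the TGT")
        svc_key = os.urandom(32).hex()
        cred = {"client": tgt["user"], "server": req["service"], "expires": now + self.lifetime, "svc_key": svc_key}
        sealed_cred = seal(self.srvtabs[req["service"]], cred).hex()   # inner layer: SRVTAB key
        return seal(skey, {"credential": sealed_cred, "svc_key": svc_key})  # outer layer: the TGT


class SwitchTelnetServer:
    def __init__(self, srvtab_key: bytes):
        self.srvtab = srvtab_key  # the SRVTAB/KEYTAB shared with the KDC

    def accept(self, sealed_cred: str, now: float) -> str:
        """Step 5 (server side): decrypt the credential with the SRVTAB and admit the client it names."""
        cred = unseal(self.srvtab, bytes.fromhex(sealed_cred))
        if cred["server"] != SWITCH_SVC or cred["expires"] < now:
            raise ValueError("credential is not for this server or has expired")
        return cred["client"]


def kerberized_login(kdc: KDC, switch: SwitchTelnetServer, user: str, password: str,
                     now: Optional[float] = None) -> str:
    """Client side of steps 1 to 5; returns the identity the switch accepted."""
    now = time.time() if now is None else now
    as_rep = kdc.get_tgt(user, now)                              # step 1: ask the KDC for a TGT
    tgt_part = unseal(string2key(password, user), as_rep)        # step 3: wrong password -> ValueError
    skey = bytes.fromhex(tgt_part["skey"])
    tgs_req = seal(skey, {"user": user, "service": SWITCH_SVC})  # step 3: request, encrypted "with the TGT"
    tgs_rep = kdc.get_service_credential(tgt_part["tgt"], tgs_req, now)
    cred = unseal(skey, tgs_rep)["credential"]                   # step 5: client removes the outer layer only
    return switch.accept(cred, now)                              # inner layer is still under the SRVTAB key


def build_demo(lifetime: int = 8 * 3600):
    """Constructed KDC, user and switch for the example (user name and password are invented)."""
    srvtab = os.urandom(32)
    kdc = KDC({"alice": string2key("correct horse", "alice")}, {SWITCH_SVC: srvtab}, lifetime)
    return kdc, SwitchTelnetServer(srvtab)


if __name__ == "__main__":
    kdc, switch = build_demo()
    print("switch admitted:", kerberized_login(kdc, switch, "alice", "correct horse"))
```

Two things the model makes visible that the prose only implies: the switch's Telnet server never sees the user's password, only a credential it can open with its SRVTAB, so a compromised switch does not yield the password; and because the TGT is handed out before the password is verified, a wrong password is detected only at decryption time, which is the offline-guessing exposure that Kerberos pre-authentication was later added to close. Step 6 (forwarding the TGT to the switch) is not modeled.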
