Cisco WS-C6506 Software Manual page 971

Catalyst 6500 series switch

Chapter 39
Configuring the Switch Access Using AAA
This example shows how to specify which Kerberos server will serve as the KDC for the specified
Kerberos realm and clear the entry:
kerberos> (enable) set kerberos server CISCO.COM 187.0.2.1 750
Kerberos Realm-Server-Port entry set to:CISCO.COM - 187.0.2.1 - 750
kerberos> (enable)
Console> (enable) clear kerberos server CISCO.COM 187.0.2.1 750
Kerberos Realm-Server-Port entry CISCO.COM-187.0.2.1-750 deleted
Console> (enable)
Mapping a Kerberos Realm to a Host Name or DNS Domain
Optionally, you can map a host name or domain name system (DNS) domain to a Kerberos realm.
To map a Kerberos realm to either a host name or DNS domain, perform this task in privileged mode:
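Step 1
Task: (Optional) Map a host name or DNS domain to a Kerberos realm.
Command: set kerberos realm {dns_domain | host} kerberos_realm
Step 2
Task: Clear the Kerberos realm domain or host mapping entry.
Command: clear kerberos realm {dns_domain | host} kerberos_realm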
This example shows how to map a Kerberos realm to a DNS domain and clear the entry:
Console> (enable) set kerberos realm CISCO CISCO.COM
Kerberos DnsDomain-Realm entry set to CISCO - CISCO.COM
Console> (enable)
Console> (enable) clear kerberos realm CISCO CISCO.COM
Kerberos DnsDomain-Realm entry CISCO - CISCO.COM deleted
Console> (enable)
Copying SRVTAB Files
To allow remote users to authenticate to the switch using Kerberos credentials, the switch must
share a key with the KDC. You must give the switch a copy of the key, which is in a file that is stored
on the KDC. These files are called SRVTAB files on the switch and KEYTAB files on the servers.
The most secure method to copy the SRVTAB files to the hosts in your Kerberos realm is to copy them
onto physical media, go to each host in turn, and manually copy the files onto the system. To copy the
SRVTAB files to a switch that does not have a physical media drive, you must transfer the files through
the network by using the Trivial File Transfer Protocol (TFTP). TFTP provides neither authentication
nor encryption, so the file crosses the network in the clear.
When you copy the SRVTAB file from the switch to the KDC, the switch parses the information in this
file and stores it in the running configuration in the Kerberos SRVTAB entry format. If you enter the
SRVTAB directly into the switch, create an entry for each Kerberos principal (service) on the switch.
The entries are maintained in the SRVTAB table. The maximum size of the table is 20 entries.
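The following is an added example, not part of the Cisco guide: a small offline check that reads saved configuration text and reports Kerberos settings that cannot work together. It assumes that a realm mapping is only usable when the same realm also has a KDC server entry, that realm names compare case-sensitively, and that SRVTAB entries appear as lines beginning with "set kerberos srvtab entry"; the function name and sample configuration are constructed for illustration.

```python
import re

MAX_SRVTAB_ENTRIES = 20  # table limit stated in the guide

# Constructed sample configuration (not taken from a real switch).
SAMPLE_CONFIG = """\
set kerberos server CISCO.COM 187.0.2.1 750
set kerberos realm CISCO CISCO.COM
set kerberos realm lab.example.net LAB.EXAMPLE.NET
set kerberos server OPS.EXAMPLE.NET 192.0.2.10 70000
"""

SERVER_RE = re.compile(r"^set kerberos server (\S+) (\S+)(?: (\d+))?$")
REALM_RE = re.compile(r"^set kerberos realm (\S+) (\S+)$")
SRVTAB_PREFIX = "set kerberos srvtab entry "  # assumed config line prefix


def audit_kerberos(config_text):
    """Return a sorted list of findings for the Kerberos lines in config_text."""
    kdc_realms, mappings, findings, srvtab_count = set(), [], [], 0
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # normalise runs of whitespace
        if (m := SERVER_RE.match(line)):
            realm, _host, port = m.groups()
            kdc_realms.add(realm)
            if port is not None and not 1 <= int(port) <= 65535:
                findings.append(f"invalid KDC port {port} for realm {realm}")
        elif (m := REALM_RE.match(line)):
            mappings.append(m.groups())  # (dns_domain_or_host, realm)
        elif line.startswith(SRVTAB_PREFIX):
            srvtab_count += 1
    # Realm names are compared exactly: CISCO.COM and cisco.com differ.
    for name, realm in mappings:
        if realm not in kdc_realms:
            findings.append(f"{name} maps to realm {realm}, which has no KDC entry")
    if srvtab_count > MAX_SRVTAB_ENTRIES:
        findings.append(
            f"{srvtab_count} SRVTAB entries exceed the {MAX_SRVTAB_ENTRIES}-entry table")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_kerberos(SAMPLE_CONFIG):
        print(finding)
```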
OL-8978-04
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
Configuring Authentication on the Switch


This manual is also suitable for: Catalyst 6506, Catalyst 6509, Catalyst 6513
