Table of Contents
Advertisement
Installing and Configuring
Appendix E
Kerberos Setup Service
The Kerberos Setup Service (KSS) is an optional program running on the Key
Distribution Center (KDC) server. The KSS can be used optionally to
administer Spectrum24 access points authorized on the network. For
example, an AP on the Access Control List (ACL) is lost or stolen. The KSS
marks the AP (using the MAC address of the AP) as not authorized and
notifies the administrator if the missing AP appears elsewhere on the network
attempting authentication. All clients (MUs), KDC and services (APs)
participating in the Kerberos authentication system are required to have their
internal clocks synchronized within a specified maximum amount of time
(known as clock skew). The KSS uses Network Time Protocol (NTP) or the
system clock on the Kerberos server to provide clock synchronization
(timestamp) between the KDC and APs as part of the authentication process.
Clock synchronization is essential since the expiration time is associated with
each request for resources. If the clock skew is exceeded between any of the
participating hosts, requests are rejected.
Additionally, the KSS provides a list of authorized APs and other security setup
information that the KDC uses to authenticate clients. When setting up the
KSS, assign APs an ESSID to authenticate with the KDC. In Open Enrollment
mode, the KSS dynamically creates an AP Setup Account for the AP and
creates a Kerberos account with the KDC. The KSS continues to do this until
the administrator disables Open Enrollment.
For additional information on KSS and KDC functionality, refer to the sections
of this document.
E.1 Creating a Windows 2000 Environment for the KSS
The KSS runs only on a Windows 2000 server with Active Directory enabled
and Java Runtime Environment version 1.3 (or higher) running.
AP-4131 Access Point Product Reference Guide
E-1
Advertisement
Table of Contents
