Cisco Catalyst 3750 Software Configuration Manual page 155

Chapter 7 Configuring Switch-Based Authentication
Table 7-2
Table 7-2
Term
Authentication
Authorization
Credential
Instance
KDC
Kerberized
Kerberos realm
Kerberos server
KEYTAB
Principal
Service credential A credential for a network service. When issued from the KDC, this credential is
78-15870-01
lists the common Kerberos-related terms and definitions:
Kerberos Terms
Definition
A process by which a user or service identifies itself to another service. For
example, a client can authenticate to a switch or a switch can authenticate to
another switch.
A means by which the switch identifies what privileges the user has in a network
or on the switch and what actions the user can perform.
A general term that refers to authentication tickets, such as ticket granting tickets
(TGTs) and service credentials. Kerberos credentials verify the identity of a user
or service. If a network service decides to trust the Kerberos server that issued a
ticket, it can be used in place of re-entering a username and password. Credentials
have a default lifespan of 8 hours.
An authorization level label for Kerberos principals. Most Kerberos principals are
of the form user@REALM (for example, smith@EXAMPLE.COM). A Kerberos
principal with a Kerberos instance has the form user/instance@REALM (for
example, smith/admin@EXAMPLE.COM). The Kerberos instance can be used to
specify the authorization level for the user if authentication is successful. The
server of each network service might implement and enforce the authorization
mappings of Kerberos instances but is not required to do so.
Note The Kerberos principal and instance names must be in all lowercase
characters. The Kerberos realm name must be in all uppercase characters.
Key distribution center (KDC) that consists of a Kerberos server and database
program that is running on a network host.
A term that describes applications and services that have been modified to support
the Kerberos credential infrastructure.
A domain consisting of users, hosts, and network services that are registered to a
Kerberos server. The Kerberos server is trusted to verify the identity of a user or
network service to another user or network service.
Note The Kerberos realm name must be in all uppercase characters.
A daemon that is running on a network host. Users and network services register
their identity with the Kerberos server. Network services query the Kerberos server
to authenticate to other network services.
A password that a network service shares with the KDC. In Kerberos 5 and later
Kerberos versions, the network service authenticates an encrypted service
credential by using the key table (KEYTAB) to decrypt it. In Kerberos versions
earlier than Kerberos 5, KEYTAB is referred to as server table (SRVTAB).
Also known as a Kerberos identity, this is who you are or what a service is
according to the Kerberos server.
The Kerberos principal name must be in all lowercase characters.
Note
encrypted with the password shared by the network service and the KDC. The
password is also shared with the user TGT.
Controlling Switch Access with Kerberos
Catalyst 3750 Metro Switch Software Configuration Guide
7-33