Table of Contents
Advertisement
Configuring Switch-Based Authentication
Information About Configuring Switch-Based Authentication
Table 27
Kerberos-related terms
Term
Authentication
Authorization
Credential
Instance
2
KDC
Kerberized
Kerberos realm
Kerberos server
3
KEYTAB
Principal
Service credential
SRVTAB
TGT
Definition
A process by which a user or service identifies itself to another service. For example,
a client can authenticate to a switch or a switch can authenticate to another switch.
A means by which the switch identifies what privileges the user has in a network or
on the switch and what actions the user can perform.
A general term that refers to authentication tickets, such as TGTs
credentials. Kerberos credentials verify the identity of a user or service. If a network
service decides to trust the Kerberos server that issued a ticket, it can be used in
place of reentering a username and password. Credentials have a default lifespan
of eight hours.
An authorization level label for Kerberos principals. Most Kerberos principals are of
the form user@REALM (for example, smith@EXAMPLE.COM). A Kerberos principal
with a Kerberos instance has the form user/instance@REALM (for example,
smith/admin@EXAMPLE.COM). The Kerberos instance can be used to specify the
authorization level for the user if authentication is successful. The server of each
network service might implement and enforce the authorization mappings of
Kerberos instances but is not required to do so.
Note:
The Kerberos principal and instance names must be in all lowercase
characters.
Note:
The Kerberos realm name must be in all uppercase characters.
Key distribution center that consists of a Kerberos server and database program that
is running on a network host.
A term that describes applications and services that have been modified to support
the Kerberos credential infrastructure.
A domain consisting of users, hosts, and network services that are registered to a
Kerberos server. The Kerberos server is trusted to verify the identity of a user or
network service to another user or network service.
Note:
The Kerberos realm name must be in all uppercase characters.
A daemon that is running on a network host. Users and network services register
their identity with the Kerberos server. Network services query the Kerberos server
to authenticate to other network services.
A password that a network service shares with the KDC. In Kerberos 5 and later
Kerberos versions, the network service authenticates an encrypted service
credential by using the KEYTAB to decrypt it. In Kerberos versions earlier than
Kerberos 5, KEYTAB is referred to as SRVTAB
Also known as a Kerberos identity, this is who you are or what a service is according
to the Kerberos server.
Note:
The Kerberos principal name must be in all lowercase characters.
A credential for a network service. When issued from the KDC, this credential is
encrypted with the password shared by the network service and the KDC. The
password is also shared with the user TGT.
A password that a network service shares with the KDC. In Kerberos 5 or later
Kerberos versions, SRVTAB is referred to as KEYTAB.
Ticket granting ticket that is a credential that the KDC issues to authenticated users.
When users receive a TGT, they can authenticate to network services within the
Kerberos realm represented by the KDC.
159
1
and service
4
.
- Quick Links:
- Configuration Overview
Hide quick links:
Advertisement
Chapters
Table of Contents
Troubleshooting
