Authenticating To A Boundary Switch; Obtaining A Tgt From A Kdc; Authenticating To Network Services - Cisco WS-C3750-48PS-S Software Configuration Manual

Chapter 9 Configuring Switch-Based Authentication

Authenticating to a Boundary Switch

This section describes the first layer of security through which a remote user must pass. The user must
first authenticate to the boundary switch. This process then occurs:
1.
2.
3.
4.
5.
A remote user who initiates a un-Kerberized Telnet session and authenticates to a boundary switch is
inside the firewall, but the user must still authenticate directly to the KDC before getting access to the
network services. The user must authenticate to the KDC because the TGT that the KDC issues is stored
on the switch and cannot be used for additional authentication until the user logs on to the switch.

Obtaining a TGT from a KDC

This section describes the second layer of security through which a remote user must pass. The user must
now authenticate to a KDC and obtain a TGT from the KDC to access network services.
For instructions about how to authenticate to a KDC, refer to the "Obtaining a TGT from a KDC" section
in the "Security Server Protocols" chapter of the Cisco IOS Security Configuration Guide, Release 12.2,
at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsecsp/scfkerb.ht
m#1000999.

Authenticating to Network Services

This section describes the third layer of security through which a remote user must pass. The user with
a TGT must now authenticate to the network services in a Kerberos realm.
For instructions about how to authenticate to a network service, refer to the "Authenticating to Network
Services" section in the "Security Server Protocols" chapter of the Cisco IOS Security Configuration
Guide, Release 12.2, at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsecsp/scfkerb.ht
m#1001010.
78-16180-02
The user opens an un-Kerberized Telnet connection to the boundary switch.
The switch prompts the user for a username and password.
The switch requests a TGT from the KDC for this user.
The KDC sends an encrypted TGT that includes the user identity to the switch.
The switch attempts to decrypt the TGT by using the password that the user entered.
• If the decryption is successful, the user is authenticated to the switch.
• If the decryption is not successful, the user repeats Step 2 either by re-entering the username
and password (noting if Caps Lock or Num Lock is on or off) or by entering a different username
and password.
Controlling Switch Access with Kerberos
Catalyst 3750 Switch Software Configuration Guide
9-35