Cisco WS-X6066-SLB-APC - Content Switching Module Software Manual page 416

Catalyst 6000 series software configuration guide
Understanding How Authentication Works
Using Kerberized Login Procedure
You can use a Kerberized Telnet session if you are logging in through the in-band management port.
When the Telnet client and services have been Kerberized, you will follow this process when attempting
to Telnet to the switch:

1. The Telnet client asks the user for the username and issues a request for a TGT to the KDC on the
   Kerberos server.

2. The KDC creates the TGT, which contains the user's identity, the KDC's identity, and the TGT's
   expiration time. The KDC then encrypts the TGT with the user's password and sends the TGT to the
   client.

3. When the Telnet client receives the encrypted TGT, it prompts the user for the password. If the
   Telnet client can decrypt the TGT with the entered password, the user is successfully authenticated
   to the KDC. The client then builds a service credential request and sends it to the KDC. This
   request contains the user's identity and a message saying that it wants to Telnet to the switch. The
   request is encrypted using the TGT.

4. When the KDC successfully decrypts the service credential request with the TGT that it issued to
   the client, it builds a service credential for the switch. The service credential has the client's
   identity and the identity of the desired Telnet server. The KDC then encrypts the credential with the
   password that it shares with the switch's Telnet server, encrypts the resulting packet with the Telnet
   client's TGT, and sends this packet to the client.

5. The Telnet client decrypts the packet first with its TGT. If decryption is successful, the client then
   sends the resulting packet to the switch's Telnet server. At this point, the packet is still encrypted
   with the password that the switch's Telnet server and the KDC share.

6. If the Telnet client has been instructed to do so, it forwards the TGT to the switch. This step ensures
   that the user does not need to get another TGT in order to use another network service from the
   switch.

Figure 21-1 shows the Kerberos Telnet connection process.

Figure 21-1 Kerberized Telnet Connection
[Figure: Host (Telnet client) exchanges messages 1 through 4 with the Kerberos server (contains KDC), then messages 5 and 6 with the Catalyst 6500 series switch]

Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4
21-6
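The six-step exchange above, played out end to end as an added example (constructed for this page; it is not Cisco code and not a real Kerberos implementation). The KDC, the Telnet client and the switch's Telnet server are plain Python classes. Real Kerberos encryption types and string2key are replaced by a SHA-256-based stream cipher with an HMAC tag and a SHA-256 password hash; "encrypting with the TGT" is modelled as encrypting with a session key carried inside the TGT, which the KDC remembers per user so it can decrypt the service credential request in step 4. The principal names, passwords and realm are invented.

```python
"""Toy model of the Kerberized Telnet login described above (constructed example)."""
import hashlib
import hmac
import json
import os
import time


def derive_key(secret: str) -> bytes:
    # Stand-in for Kerberos string2key: key = SHA-256(password).
    return hashlib.sha256(secret.encode()).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def encrypt(key: bytes, data: dict) -> bytes:
    # nonce || ciphertext || HMAC tag; the tag is what makes "decryption failed" detectable.
    plaintext = json.dumps(data).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decryption failed (wrong key or tampered packet)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    def __init__(self, realm: str, principals: dict):
        self.realm = realm
        self.keys = {p: derive_key(s) for p, s in principals.items()}  # user and service keys
        self.issued_tgts = {}  # user -> TGT session key, so step 4 can undo step 3's encryption

    def tgt_request(self, user: str) -> bytes:
        # Steps 1-2: TGT holds user, KDC identity, expiry; encrypted under the user's key.
        session = os.urandom(32)
        self.issued_tgts[user] = session
        tgt = {"user": user, "kdc": f"krbtgt/{self.realm}",
               "expires": time.time() + 36000, "key": session.hex()}
        return encrypt(self.keys[user], tgt)

    def service_request(self, user: str, packet: bytes) -> bytes:
        # Step 4: decrypt with the TGT issued to this user, build the service credential,
        # encrypt it for the switch, then wrap it for the client with the TGT key.
        tgt_key = self.issued_tgts[user]
        req = decrypt(tgt_key, packet)
        cred = {"client": req["user"], "server": req["service"], "expires": time.time() + 3600}
        inner = encrypt(self.keys[req["service"]], cred)  # only the switch can read this
        return encrypt(tgt_key, {"cred": inner.hex()})


class Switch:
    def __init__(self, name: str, shared_secret: str):
        self.name = name
        self.key = derive_key(shared_secret)  # the password shared with the KDC
        self.forwarded_tgts = {}

    def telnet_server(self, cred_packet: bytes, forwarded_tgt: bytes = None) -> str:
        # Step 5 (server side): strip the layer only the switch and KDC can remove.
        cred = decrypt(self.key, cred_packet)
        if cred["server"] != f"host/{self.name}" or cred["expires"] < time.time():
            raise PermissionError("credential is not for this switch or has expired")
        if forwarded_tgt is not None:  # step 6: keep the TGT for onward service access
            self.forwarded_tgts[cred["client"]] = forwarded_tgt
        return cred["client"]


class TelnetClient:
    def __init__(self, kdc: KDC):
        self.kdc = kdc

    def login(self, user: str, password: str, switch: Switch, forward_tgt: bool = False) -> str:
        enc_tgt = self.kdc.tgt_request(user)                  # step 1
        tgt = decrypt(derive_key(password), enc_tgt)          # step 3: wrong password -> ValueError
        tgt_key = bytes.fromhex(tgt["key"])
        req = encrypt(tgt_key, {"user": user, "service": f"host/{switch.name}"})
        wrapped = self.kdc.service_request(user, req)         # step 4
        cred = bytes.fromhex(decrypt(tgt_key, wrapped)["cred"])  # step 5: outer layer off
        return switch.telnet_server(cred, enc_tgt if forward_tgt else None)


def demo() -> str:
    kdc = KDC("EXAMPLE.COM", {"alice": "correct horse", "host/switch1": "switch-kdc-secret"})
    switch = Switch("switch1", "switch-kdc-secret")
    return TelnetClient(kdc).login("alice", "correct horse", switch, forward_tgt=True)
```

Two things worth noticing when running it. A wrong password fails at step 3 on the client, not at the KDC, because in this description the KDC has already handed out the password-encrypted TGT in step 2 to anyone who can name a valid username; that blob is material for an offline guessing attack on the user's password, which is why password strength matters for this exchange. And the switch never sees the user's password at all: it accepts the login purely because the credential decrypts under the key it shares with the KDC and names this switch.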
Chapter 21
Configuring Switch Access Using AAA
78-13315-02