Cisco WS-X6066-SLB-APC - Content Switching Module Software Manual page 446

Catalyst 6000 series software configuration guide

Configuring Authentication
This example shows how to delete an SRVTAB entry:
kerberos> (enable) clear kerberos srvtab entry host/niners.cisco.com@CISCO.COM 0
kerberos> (enable)
Enabling Credentials Forwarding
A user authenticated to a Kerberized switch has a TGT and can use it to authenticate to a host on the
network. However, if forwarding is not enabled and a user tries to list credentials after authenticating to
a host, the output will show no Kerberos credentials present.
To enable credentials forwarding, configure the switch to forward user TGTs when they authenticate
from the switch to Kerberized remote hosts on the network using Kerberized Telnet.
As an additional layer of security, you can configure the switch so that after users authenticate to it, these
users can authenticate only to other services on the network with Kerberized clients. If you do not make
Kerberos authentication mandatory and Kerberos authentication fails, the application attempts to
authenticate users using the default method of authentication for that network service. For example,
Telnet prompts for a password.
To configure clients to forward user credentials as they connect to other hosts in the Kerberos realm,
perform this task in privileged mode:
        Task                                              Command
Step 1  Set all clients to forward user credentials upon  set kerberos credentials forward
        successful Kerberos authentication.
Step 2  (Optional) Configure Telnet to fail if clients    set kerberos clients mandatory
        cannot authenticate to the remote server.
This example shows how to configure clients to forward user credentials and verify the configuration:
kerberos> (enable) set kerberos credentials forward
Kerberos credentials forwarding enabled
kerberos> (enable) show kerberos
Kerberos Local Realm:CISCO.COM
Kerberos server entries:
Realm:CISCO.COM, Server:187.0.2.1, Port:750
Realm:CISCO.COM, Server:187.20.2.1, Port:750
Kerberos Domain<->Realm entries:
Domain:cisco.com, Realm:CISCO.COM
Kerberos Clients NOT Mandatory
Kerberos Credentials Forwarding Enabled
Kerberos Pre Authentication Method set to None
Kerberos config key:
Kerberos SRVTAB Entries
Srvtab Entry 1:host/aspen-niners.cisco.edu@CISCO.EDU 0 933974942 1 1 8 00?91:107:423=:;9
kerberos> (enable)
This example shows how to configure the switch so that Kerberos clients are mandatory for users to
authenticate to other network services:
Console> (enable) set kerberos clients mandatory
Kerberos clients set to mandatory
Console> (enable)
Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4
Chapter 21
Configuring Switch Access Using AAA
21-36
78-13315-02
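The following is an added example, not part of the Cisco guide: a Python check that parses saved show kerberos output and reports when the two settings configured in this section are not in effect. The sample text is constructed from the output format above; the wording of the "Mandatory" and forwarding-disabled lines is an assumption, since the guide only shows the NOT Mandatory and Enabled states.

```python
import re

# Constructed sample, in the `show kerberos` format shown in this section.
SAMPLE = """\
Kerberos Local Realm:CISCO.COM
Kerberos server entries:
Realm:CISCO.COM, Server:187.0.2.1, Port:750
Realm:CISCO.COM, Server:187.20.2.1, Port:750
Kerberos Domain<->Realm entries:
Domain:cisco.com, Realm:CISCO.COM
Kerberos Clients NOT Mandatory
Kerberos Credentials Forwarding Enabled
Kerberos Pre Authentication Method set to None
"""
SERVER = re.compile(r"Realm:\s*([^,]+),\s*Server:\s*([^,]+),\s*Port:\s*(\d+)")

def parse_show_kerberos(text):
    """Extract the settings this section configures from `show kerberos` output."""
    cfg = {"realm": None, "servers": [], "clients_mandatory": None,
           "forwarding": None, "preauth": None}
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Kerberos Local Realm:"):
            cfg["realm"] = line.split(":", 1)[1].strip()
        elif m := SERVER.match(line):
            cfg["servers"].append((m.group(1), m.group(2), int(m.group(3))))
        elif line.startswith("Kerberos Clients"):
            # Assumption: the mandatory state prints without the word NOT.
            cfg["clients_mandatory"] = "NOT" not in line.split()
        elif line.startswith("Kerberos Credentials Forwarding"):
            # Assumption: the disabled state ends in a word other than Enabled.
            cfg["forwarding"] = line.split()[-1] == "Enabled"
        elif line.startswith("Kerberos Pre Authentication Method set to"):
            cfg["preauth"] = line.rsplit(" ", 1)[-1]
    return cfg

def audit(cfg):
    """Return one finding per setting that is not in the state this section sets."""
    findings = []
    if cfg["clients_mandatory"] is not True:
        findings.append("Kerberos clients not mandatory: failed Kerberos auth falls back "
                        "to the service default; fix: set kerberos clients mandatory")
    if cfg["forwarding"] is not True:
        findings.append("Credentials forwarding off: user TGTs are not forwarded to "
                        "remote hosts; fix: set kerberos credentials forward")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_show_kerberos(SAMPLE)):
        print(finding)
```

Run against the sample, it reports only the non-mandatory clients setting, which is the state the first example leaves the switch in before set kerberos clients mandatory is applied.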
