Configuring Authentication
Configuring Kerberos Authentication
Before you can use Kerberos as an authentication method on the switch, you must configure the
Kerberos server: create the database for the KDC, add the switch to that database as a host principal, and
extract the switch's key into a keytab (srvtab) file that the switch can load.
To configure the Kerberos server, follow these steps:
Step 1 Before you can enter the switch in the Kerberos server's key table, you must create the database the KDC
will use. In the following example, the database for the realm CISCO.EDU is created (-r names the realm;
-s writes a stash file so the KDC can start without prompting for the master password):
/usr/local/sbin/kdb5_util create -r CISCO.EDU -s
Step 2 Add the switch to the database. The following example adds a switch called Cat4012 to the CISCO.EDU
database. This and the following ank (add_principal) commands are entered at the kadmin.local prompt on the
KDC host:
ank host/Cat4012.cisco.edu@CISCO.EDU
Step 3 Add the user name:
ank user1@CISCO.EDU
Step 4 Add the administrative principal:
ank user1/admin@CISCO.EDU
Step 5 Extract the switch's key from the database into a keytab file, using the kadmin.local ktadd command.
Without -k filename, ktadd writes to the KDC's default keytab file:
ktadd host/Cat4012.cisco.edu@CISCO.EDU
Step 6 Move the keytab file to a place where the switch can reach it. The file contains the switch's long-term
key, so restrict who can read it on the server you copy it to.
Step 7 Start the KDC server and the kadmind administration server:
/usr/local/sbin/krb5kdc
/usr/local/sbin/kadmind

The following sections describe how to configure Kerberos authentication on the switch:
• Enabling Kerberos, page 27-31
• Defining the Kerberos Local-Realm, page 27-31
• Specifying a Kerberos Server, page 27-32
• Mapping a Kerberos Realm to a Host Name or DNS Domain, page 27-33
• Copying SRVTAB Files, page 27-33
• Enabling Credentials Forwarding, page 27-35
• Defining a Private DES Key, page 27-37
• Encrypting a Telnet Session, page 27-37
• Monitoring and Maintaining Kerberos, page 27-38

Software Configuration Guide—Catalyst 4000 Family, Catalyst 2948G, Catalyst 2980G, Releases 6.3 and 6.4
Chapter 27 Configuring Switch Access Using AAA
27-30
78-12647-02
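The keytab (srvtab) file produced in Step 5 and moved in Step 6 is a binary file, and nothing in the procedure above shows how to confirm what it holds before it is copied to the switch. The following is an added example, not part of the Cisco guide: it builds a keytab in the MIT version-2 layout that ktadd writes, containing a constructed des-cbc-crc key for the switch principal from the steps above, parses it back, and checks that the entry's principal, enctype, DES key parity and key version number (kvno) match what the KDC currently holds. The principal name and realm are the guide's; the key bytes and the helper names (keytab_entry, parse_keytab, check_switch_keytab) are this example's own.

```python
# Added example (not from the Cisco guide): build and inspect an MIT Kerberos
# keytab in the layout ktadd writes, so the file can be checked before it is
# copied to the switch. The DES key below is constructed for the example.
import struct

KEYTAB_VERSION = b"\x05\x02"   # MIT keytab format version 2, big-endian fields
DES_CBC_CRC = 1                # enctype number for the single-DES key the switch uses
NT_PRINCIPAL, NT_SRV_HST = 1, 3

SWITCH_PRINCIPAL = "host/Cat4012.cisco.edu@CISCO.EDU"
# Constructed 8-byte key with even parity in every byte; a real one comes from ktadd.
SAMPLE_DES_KEY = bytes.fromhex("0022446688aaccee")


def des_fix_parity(key: bytes) -> bytes:
    """Force odd parity on each DES key byte (bit 0 is the parity bit), as the
    KDC does when it generates a des-cbc-crc key."""
    out = bytearray()
    for b in key:
        b &= 0xFE
        if bin(b).count("1") % 2 == 0:
            b |= 1
        out.append(b)
    return bytes(out)


def _counted(s: str) -> bytes:
    data = s.encode()
    return struct.pack("!H", len(data)) + data


def keytab_entry(principal: str, enctype: int, key: bytes, kvno: int, timestamp: int = 0) -> bytes:
    """Serialise one entry: size, component count, realm, components, name type,
    timestamp, 8-bit vno, keyblock, then the 32-bit vno that MIT appends."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack("!H", len(comps)) + _counted(realm)
    body += b"".join(_counted(c) for c in comps)
    name_type = NT_SRV_HST if comps[0] == "host" else NT_PRINCIPAL
    body += struct.pack("!IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack("!HH", enctype, len(key)) + key
    body += struct.pack("!I", kvno)
    return struct.pack("!i", len(body)) + body


def write_keytab(entries) -> bytes:
    return KEYTAB_VERSION + b"".join(entries)


def parse_keytab(data: bytes):
    """Return a list of dicts (principal, enctype, kvno, key) from keytab bytes."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from("!i", data, pos)
        pos += 4
        if size < 0:           # a negative size marks a deleted entry (hole); skip it
            pos += -size
            continue
        end = pos + size

        def read_counted():
            nonlocal pos
            (n,) = struct.unpack_from("!H", data, pos)
            pos += 2
            s = data[pos:pos + n]
            pos += n
            return s.decode()

        (ncomp,) = struct.unpack_from("!H", data, pos)
        pos += 2
        realm = read_counted()
        comps = [read_counted() for _ in range(ncomp)]
        _name_type, _ts, vno8 = struct.unpack_from("!IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from("!HH", data, pos)
        pos += 4
        key = data[pos:pos + keylen]
        pos += keylen
        kvno = vno8
        if end - pos >= 4:     # 32-bit vno present; it overrides the 8-bit one when non-zero
            (vno32,) = struct.unpack_from("!I", data, pos)
            if vno32:
                kvno = vno32
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "enctype": enctype, "kvno": kvno, "key": key})
        pos = end
    return entries


def check_switch_keytab(data: bytes, principal: str, kdc_kvno: int) -> bool:
    """True if the keytab holds a des-cbc-crc key for the switch principal at the
    KDC's current kvno with correct parity. Every ktadd run generates a new random
    key and bumps the kvno, so an older copy on the switch silently stops working."""
    for e in parse_keytab(data):
        if e["principal"] == principal and e["enctype"] == DES_CBC_CRC:
            if e["kvno"] == kdc_kvno and e["key"] == des_fix_parity(e["key"]):
                return True
    return False


if __name__ == "__main__":
    key = des_fix_parity(SAMPLE_DES_KEY)
    kt = write_keytab([keytab_entry(SWITCH_PRINCIPAL, DES_CBC_CRC, key, kvno=2)])
    for e in parse_keytab(kt):
        print(e["principal"], "enctype", e["enctype"], "kvno", e["kvno"])
    print("usable on switch:", check_switch_keytab(kt, SWITCH_PRINCIPAL, kdc_kvno=2))
```

To apply the same check to a real file, read it with open(path, "rb") and pass the bytes to check_switch_keytab, taking the current kvno from kadmin.local -q "getprinc host/Cat4012.cisco.edu@CISCO.EDU" on the KDC; klist -k -e on the KDC prints the same principal, kvno and enctype fields for comparison. The kvno comparison is the one that catches the common mistake: running ktadd a second time after the file has already been copied to the switch.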