Mapping a Kerberos Realm to a Host Name or DNS Domain; Copying SRVTAB Files - Cisco WS-C4003 - Catalyst 4000 Chassis Switch Software Configuration Manual


Chapter 27
Configuring Switch Access Using AAA
This example shows how to define which Kerberos server will serve as the KDC for the specified
Kerberos realm and how to clear the entry:
Console> (enable) set kerberos server CISCO.COM 187.0.2.1 750
Kerberos Realm-Server-Port entry set to:CISCO.COM - 187.0.2.1 - 750
Console> (enable)
Console> (enable) clear kerberos server CISCO.COM 187.0.2.1 750
Kerberos Realm-Server-Port entry CISCO.COM-187.0.2.1-750 deleted
Console> (enable)

Mapping a Kerberos Realm to a Host Name or DNS Domain

Optionally, you can map a host name or domain name server (DNS) domain to a Kerberos realm.
To map a Kerberos realm to either a host name or DNS domain, perform this task in privileged mode:
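        Task                                             Command
Step 1  Optionally, map a host name or DNS domain to a   set kerberos realm {dns-domain | host} kerberos-realm
        Kerberos realm.
Step 2  Clear the Kerberos realm domain or host mapping  clear kerberos realm {dns-domain | host} kerberos-realm
        entry.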
This example shows how to map a Kerberos realm, called cisco.com, to a DNS domain and how to clear
the entry:
Console> (enable) set kerberos realm CISCO CISCO.COM
Kerberos DnsDomain-Realm entry set to CISCO - CISCO.COM
Console> (enable)
Console> (enable) clear kerberos realm CISCO CISCO.COM
Kerberos DnsDomain-Realm entry CISCO - CISCO.COM deleted
Console> (enable)

Copying SRVTAB Files

To make it possible for remote users to authenticate to the switch using Kerberos credentials, the switch must share a key with the KDC. To do this, you must give the switch a copy of the file that is stored on the KDC and contains the key. These files are called SRVTAB files on the switch and KEYTAB files on the servers.

The most secure method to copy SRVTAB files to the hosts in your Kerberos realm is to copy them onto physical media and then manually copy the files onto the system. To copy SRVTAB files to a switch that does not have a physical media drive, you must transfer them through the network by using the Trivial File Transfer Protocol (TFTP).

When you copy the SRVTAB file from the switch to the KDC, the switch parses the information in this file and stores it in the running configuration in the Kerberos SRVTAB entry format. If you enter the SRVTAB directly into the switch, create an entry for each Kerberos principal (service) on the switch. The entries are maintained in the SRVTAB table. The maximum size of the table is 20 entries.
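
An added example, not taken from the Cisco guide: a Python check to run on the KDC side before the file is handed over, which lists the principals in a keytab without returning key bytes and flags entries that do not belong to the switch or that would exceed the 20-entry SRVTAB table. It assumes the server-side file is an MIT Kerberos keytab in version 0x0502 layout, which the guide does not state; the host name switch1.cisco.com and the sample bytes are constructed for illustration.

```python
import struct

SRVTAB_TABLE_MAX = 20  # table size limit stated in the guide

def _counted(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)   # 16-bit length, then the data
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def _parse_entry(buf, cur, end):
    (ncomp,) = struct.unpack_from(">H", buf, cur)
    realm, cur = _counted(buf, cur + 2)
    comps = []
    for _ in range(ncomp):
        comp, cur = _counted(buf, cur)
        comps.append(comp.decode())
    _ntype, _ts, kvno, enctype = struct.unpack_from(">IIBH", buf, cur)
    _key, cur = _counted(buf, cur + 11)         # key is skipped, never returned
    if not cur <= end <= len(buf):
        raise ValueError("truncated or malformed entry")
    if end - cur >= 4:                          # optional 32-bit kvno; 0 = padding
        kvno = struct.unpack_from(">I", buf, cur)[0] or kvno
    return "/".join(comps) + "@" + realm.decode(), kvno, enctype

def parse_keytab(data):
    """Return [(principal, kvno, enctype)]; assumes MIT keytab version 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        end = pos + 4 + abs(size)
        if size > 0:                            # negative size = deleted slot
            entries.append(_parse_entry(data, pos + 4, end))
        pos = end
    return entries

def precheck(data, switch_host):  # returns reasons not to load the file
    entries = parse_keytab(data)
    problems = [f"unexpected principal {p}" for p, _, _ in entries
                if not p.split("@")[0].endswith("/" + switch_host)]
    if len(entries) > SRVTAB_TABLE_MAX:
        problems.append(f"{len(entries)} entries, table holds {SRVTAB_TABLE_MAX}")
    return problems

# Constructed sample, dummy all-zero keys; switch1.cisco.com is hypothetical
_tail = b"\0\0\0\1" + bytes(4) + b"\3\0\1\0\x08" + bytes(8)
SAMPLE = (b"\x05\x02"
          + b"\0\0\0\x3b\0\2\0\x09CISCO.COM\0\4host\0\x11switch1.cisco.com" + _tail
          + b"\0\0\0\x3e\0\2\0\x09CISCO.COM\0\4host\0\x14fileserver.cisco.com" + _tail)
```

An empty list from `precheck` means every entry names the switch and the file fits the table; anything else is a reason to re-extract the keytab with only the switch's principals before it leaves the KDC.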
78-12647-02
Software Configuration Guide—Catalyst 4000 Family, Catalyst 2948G, Catalyst 2980G, Releases 6.3 and 6.4
