Authenticating To Network Services; Configuring Kerberos; Configuring The Switch For Local Authentication And Authorization - Cisco WS-CBS3032-DEL Software Configuration Manual

Configuring the Switch for Local Authentication and Authorization

Authenticating to Network Services

This section describes the third layer of security through which a remote user must pass. The user with
a TGT must now authenticate to the network services in a Kerberos realm.
For instructions about how to authenticate to a network service, see the "Authenticating to Network
Services" section in the "Security Server Protocols" chapter of the Cisco IOS Security Configuration
Guide, Release 12.2, at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfkerb.html#wp1001010

Configuring Kerberos

So that remote users can authenticate to network services, you must configure the hosts and the KDC in
the Kerberos realm to communicate and mutually authenticate users and network services. To do this,
you must identify them to each other. You add entries for the hosts to the Kerberos database on the KDC
and add KEYTAB files generated by the KDC to all hosts in the Kerberos realm. You also create entries
for the users in the KDC database.
When you add or create entries for the hosts and users, follow these guidelines:
•
•
•
Note A Kerberos server can be a switch that is configured as a network security server and that can
authenticate users by using the Kerberos protocol.
To set up a Kerberos-authenticated server-client system, follow these steps:
•
•
For instructions, see the "Kerberos Configuration Task List" section in the "Security Server Protocols"
chapter of the Cisco IOS Security Configuration Guide, Release 12.2, at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfkerb.html#wp1001010
Configuring the Switch for Local Authentication and
Authorization
You can configure AAA to operate without a server by setting the switch to implement AAA in local
mode. The switch then handles authentication and authorization. No accounting is available in this
configuration.
Beginning in privileged EXEC mode, follow these steps to configure the switch for local AAA:
Command
Step 1 configure terminal
Step 2
aaa new-model
Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide
6-44
The Kerberos principal name must be in all lowercase characters.
The Kerberos instance name must be in all lowercase characters.
The Kerberos realm name must be in all uppercase characters.
Configure the KDC by using Kerberos commands.
Configure the switch to use the Kerberos protocol.
Purpose
Enter global configuration mode.
Enable AAA.
Chapter 6 Configuring Switch-Based Authentication
OL-13270-06