Cisco WS-C6506 Software Manual page 940

Catalyst 6500 series switch

Understanding How Authentication Works
Table 39-1 defines the Kerberos terms.

Table 39-1 Kerberos Terminology

Term: Definition

Kerberized: Applications and services that have been modified to support the Kerberos credential infrastructure.

Kerberos credential: Authentication tickets, such as ticket granting tickets (TGTs), and service credentials. Kerberos credentials verify the ticket of a user or service. If a network service decides to trust the Kerberos server that issued the ticket, the Kerberos credential can be used in place of retyping in a username and password. Credentials have a default life span of eight hours.

Kerberos identity: (See Kerberos principal.)

Kerberos principal: The Kerberos principal is who you are or what a service is according to the Kerberos server. (Also known as a Kerberos identity.)

Kerberos realm: A domain consisting of users, hosts, and network services that are registered to a Kerberos server. The Kerberos server is trusted to verify the identity of a user or network service to another user or network service. Kerberos realms must always be in uppercase characters.

Kerberos server: A daemon running on a network host. Users and network services register their identity with the Kerberos server. Network services query the Kerberos server to authenticate to other network services.

Key distribution center (KDC): A Kerberos server and database program running on a network host that allocates the Kerberos credentials to different users or network services.

Service credential: A credential for a network service. When issued from the KDC, this credential is encrypted with the password that is shared by the network service and the KDC and with the user's TGT.

SRVTAB: A password that a network service shares with the KDC. The network service authenticates an encrypted service credential by using the SRVTAB (also known as a KEYTAB) to decrypt it.

Ticket granting ticket (TGT): A credential that the KDC issues to authenticated users. When users receive a TGT, they can authenticate to network services within the Kerberos realm that is represented by the KDC.

In the Catalyst 6500 series switches, the Telnet clients and servers through both the console and in-band management port can be Kerberized.

Note
Kerberos authentication does not work if TACACS+ is used as the authentication mechanism.

Note
If you are logged in to the console through a modem or a terminal server, you cannot use a Kerberized login procedure.

Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
39-6
Chapter 39
Configuring the Switch Access Using AAA
OL-8978-04
