Kerberos Operation - Cisco Catalyst 3750-X Software Configuration Manual

Chapter 10 Configuring Switch-Based Authentication
Table 10-5
Term
Kerberized
Kerberos realm
Kerberos server
KEYTAB
Principal
Service credential
SRVTAB
TGT
1. TGT = ticket granting ticket
2. KDC = key distribution center
3. KEYTAB = key table
4. SRVTAB = server table

Kerberos Operation

A Kerberos server can be a Catalyst 3750-X or 3560-X switch that is configured as a network security
server and that can authenticate remote users by using the Kerberos protocol. Although you can
customize Kerberos in a number of ways, remote users attempting to access network services must pass
through three layers of security before they can access network services.
To authenticate to network services by using a Catalyst 3750-X or 3560-X switch as a Kerberos server,
remote users must follow these steps:
1.
2.
3.
OL-21521-01
Kerberos Terms (continued)
Definition
A term that describes applications and services that have been modified
to support the Kerberos credential infrastructure.
A domain consisting of users, hosts, and network services that are
registered to a Kerberos server. The Kerberos server is trusted to verify
the identity of a user or network service to another user or network
service.
Note
A daemon that is running on a network host. Users and network services
register their identity with the Kerberos server. Network services query
the Kerberos server to authenticate to other network services.
3
A password that a network service shares with the KDC. In Kerberos 5
and later Kerberos versions, the network service authenticates an
encrypted service credential by using the KEYTAB to decrypt it. In
Kerberos versions earlier than Kerberos 5, KEYTAB is referred to as
SRVTAB
Also known as a Kerberos identity, this is who you are or what a service
is according to the Kerberos server.
Note
A credential for a network service. When issued from the KDC, this
credential is encrypted with the password shared by the network service
and the KDC. The password is also shared with the user TGT.
A password that a network service shares with the KDC. In Kerberos 5
or later Kerberos versions, SRVTAB is referred to as KEYTAB.
Ticket granting ticket that is a credential that the KDC issues to
authenticated users. When users receive a TGT, they can authenticate to
network services within the Kerberos realm represented by the KDC.
Authenticating to a Boundary Switch, page 10-42
Obtaining a TGT from a KDC, page 10-42
Authenticating to Network Services, page 10-42
The Kerberos realm name must be in all uppercase characters.
4
.
The Kerberos principal name must be in all lowercase characters.
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
Controlling Switch Access with Kerberos
10-41