Cisco Systems 3130 Understanding Kerberos

7-32

Cisco Catalyst Blade Switch 3130 for Dell Software Configuration Guide

OL-13270-01

Chapter7 Configuring Switch-Based Authentication

Controlling Switch Access with Kerberos

You can download the cryptographic so ftware ima ge from www.dell.com/support For more information,

see the release notes for this release.

These sections contain this information:

•Understanding Kerberos, page 7-32

•Kerberos Operation, page 7-34

•Configuring Kerberos, page 7-35

For Kerberos configuration examples, see the “Kerberos Configuration Examples” section in the

“Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.2, at this

URL:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter0918

6a00800ca7ad.html

Note For complete syntax and usage information for the commands used in this section, see the “Kerberos

Commands” section in the “Security Server Protocols” chapter of the Cisco IOS Security Command

Reference, Release 12.2, at this URL:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter0918

6a00800ca7b9.html

Note In the Kerberos configuration examples and in the Cisco IOS Security Command Reference,

Release12.2, the trusted third party can be a switch that suppo rts Kerberos, tha t is configured as a

network security server, and that can authenticate users by using th e Kerberos pro toc ol.

Understanding Kerberos

Kerberos is a secret-key network authentication protocol, which was developed at the Massachusetts

Institute of Technology (MIT). It uses the Data Encryption Standard (DES) cryptographic algorithm for

encryption and authentication and authenticates requests for network resources. Kerberos uses the

concept of a trusted third party to perform secure verification of users and services. This trusted third

party is called the key distribution center (KDC).

Kerberos verifies that users are who they claim to be and the network services tha t they use are what the

services claim to be. To do this, a KDC or trusted Kerberos server issues tickets to users. These tickets,

which have a limited lifespan, are stored in user credential caches. The Kerberos server uses the tickets

instead of usernames and passwords to authenticate users and network serv ices.

Note A Kerberos server can be a switch that is configured as a netwo rk secur ity server a nd t ha t c an

authenticate users by using the Kerberos protocol.

The Kerberos credential scheme uses a process called single logon. This process authenticates a user

once and then allows secure authentication (without encrypting another password) wherever that user

credential is accepted.

This software release supports Kerberos 5, which allows organizations that are already using Kerberos5

to use the same Kerberos authentication database on the KDC that they are already using on their other

network hosts (such as UNIX servers and PCs).