Cisco Systems 3130 Configuring Kerberos

7-35

Cisco Catalyst Blade Switch 3130 for Dell Software Configuration Guide

OL-13270-01

Chapter7 Configuring Switch-Ba sed Authentication Controlling Switch Access with Kerberos

4. The KDC sends an encrypted TGT that includes the user identity to the switch.

5. The switch attempts to decrypt the TGT by using the password that the user entered.

•If the decryption is successful, the user is authenticated to the switch.

•If the decryption is not successful, the user repeats Step 2 either by re-entering the username

and password (noting if Caps Lock or Num Lock is on or off) or by entering a different username

and password.

A remote user who initiates a un-Kerberized Telnet session and authenticates to a bo unda r y swi tch is

inside the firewall, but the user must still authenticate directly to the KDC before getting access to the

network services. The user must authenticate to the KDC becau se th e TGT that t he KDC is sues is stor ed

on the switch and cannot be used for additional authentication until the user logs on to the switch.

This section describes the second layer of security through which a remote user must pass. T he user must

now authenticate to a KDC and obtain a TGT from the KDC to access network services.

For instructions about how to authenticate to a KDC, see the “Obtaining a TGT from a KDC” section in

the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.2, at

this URL:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter0918

6a00800ca7ad.html#1000999

This section describes the third layer of security through which a remote user must pass. Th e u ser with

a TGT must now authenticate to the network services in a Kerberos realm.

For instructions about how to authenticate to a network service, see the “Authenticating to Network

Services” section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration

Guide, Release12.2, at this URL:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter0918

6a00800ca7ad.html#1001010

Configuring Kerberos

So that remote users can authenticate to network services, you must configure the hosts and the KDC in

the Kerberos realm to communicate and mutually authenticate users and network services. To do this,

you must identify them to each other. You add e ntries for the hosts to the K erberos data base on the KDC

and add KEYTAB files generated by the KDC to all hosts in the Kerberos realm. You also create entries

for the users in the KDC database.

When you add or create entries for the hosts and users, follow these guidelines:

•The Kerberos principal name must be in all lowercase character s.

•The Kerberos instance name must be in all lowercase characters.

•The Kerberos realm name must be in all uppercase character s.