Cisco Systems 3560-X, 3750-X

10-40

Catalyst 3750-X and 3560-X Switch Software Configuration Guide

OL-21521-01

Chapter 10 Configuring Switch-Based Authentication

Controlling Switch Access with Kerberos

Kerberos verifies that users are who they claim to be and the network services that they use are what the

services claim to be. To do this, a KDC or trusted Kerberos server issues tickets to users. These tickets,

which have a limited lifespan, are stored in user credential caches. The Kerberos server uses the tickets

instead of usernames and passwords to authenticate users and network services.

Note A Kerberos server can be a Catalyst 3750-X or 3560-X switch that is configured as a network security

server and that can authenticate users by using the Kerberos protocol.

The Kerberos credential scheme uses a process called single logon. This process authenticates a user

once and then allows secure authentication (without encrypting another password) wherever that user

credential is accepted.

This software release supports Kerberos 5, which allows organizations that are already using Kerberos 5

to use the same Kerberos authentication database on the KDC that they are already using on their other

network hosts (such as UNIX servers and PCs).

In this software release, Kerberos supports these network services:

• Telne t

• rlogin

• rsh (Remote Shell Protocol)

Table 10-5 lists the common Kerberos-related terms and definitions:

Tab le 10-5 Kerber os Terms

Term Definition

Authentication A process by which a user or service identifies itself to another service.

For example, a client can authenticate to a switch or a switch can

authenticate to another switch.

Authorization A means by which the switch identifies what privileges the user has in a

network or on the switch and what actions the user can perform.

Credential A general term that refers to authentication tickets, such as TGTs1 and

service credentials. Kerberos credentials verify the identity of a user or

service. If a network service decides to trust the Kerberos server that

issued a ticket, it can be used in place of re-entering a username and

password. Credentials have a default lifespan of eight hours.

Instance An authorization level label for Kerberos principals. Most Kerberos

principals are of the form user@REALM (for example,

smith@EXAMPLE.COM). A Kerberos principal with a Kerberos

instance has the form user/instance@REALM (for example,

smith/admin@EXAMPLE.COM). The Kerberos instance can be used to

specify the authorization level for the user if authentication is successful.

The server of each network service might implement and enforce the

authorization mappings of Kerberos instances but is not required to do so.

Note The Kerberos principal and instance names must be in all

lowercase characters.

Note The Kerberos realm name must be in all uppercase characters.

KDC2Key distribution center that consists of a Kerberos server and database

program that is running on a network host.