Chapter 9 Configuring Switch-Based Authentication

Controlling Switch Access with Kerberos

This software release supports Kerberos 5, which allows organizations that are already using Kerberos 5 to use the same Kerberos authentication database on the KDC that they are already using on their other network hosts (such as UNIX servers and PCs).

In this software release, Kerberos supports these network services:

Telnet

rlogin

rsh (Remote Shell Protocol)

Table 9-2lists the common Kerberos-related terms and definitions:

Table 9-2

Kerberos Terms

 

 

 

Term

 

Definition

 

 

 

Authentication

 

A process by which a user or service identifies itself to another service.

 

 

For example, a client can authenticate to a switch or a switch can

 

 

authenticate to another switch.

 

 

 

Authorization

 

A means by which the switch identifies what privileges the user has in a

 

 

network or on the switch and what actions the user can perform.

 

 

 

Credential

 

A general term that refers to authentication tickets, such as TGTs1 and

 

 

service credentials. Kerberos credentials verify the identity of a user or

 

 

service. If a network service decides to trust the Kerberos server that

 

 

issued a ticket, it can be used in place of re-entering a username and

 

 

password. Credentials have a default lifespan of eight hours.

 

 

 

Instance

 

An authorization level label for Kerberos principals. Most Kerberos

 

 

principals are of the form user@REALM (for example,

 

 

smith@EXAMPLE.COM). A Kerberos principal with a Kerberos

 

 

instance has the form user/instance@REALM (for example,

 

 

smith/admin@EXAMPLE.COM). The Kerberos instance can be used to

 

 

specify the authorization level for the user if authentication is successful.

 

 

The server of each network service might implement and enforce the

 

 

authorization mappings of Kerberos instances but is not required to do so.

 

 

Note The Kerberos principal and instance names must be in all

 

 

lowercase characters.

 

 

Note The Kerberos realm name must be in all uppercase characters.

 

 

 

KDC2

 

Key distribution center that consists of a Kerberos server and database

 

 

program that is running on a network host.

 

 

 

Kerberized

 

A term that describes applications and services that have been modified

 

 

to support the Kerberos credential infrastructure.

 

 

 

Kerberos realm

 

A domain consisting of users, hosts, and network services that are

 

 

registered to a Kerberos server. The Kerberos server is trusted to verify

 

 

the identity of a user or network service to another user or network

 

 

service.

 

 

Note The Kerberos realm name must be in all uppercase characters.

 

 

 

Kerberos server

 

A daemon that is running on a network host. Users and network services

 

 

register their identity with the Kerberos server. Network services query

 

 

the Kerberos server to authenticate to other network services.

 

 

 

Catalyst 3750-E and 3560-E Switch Software Configuration Guide

 

OL-9775-02

9-33

 

 

 

Page 235
Image 235
Cisco Systems 3750E manual Term Definition, Kdc