Chapter 9 Configuring Switch-Based Authentication

Controlling Switch Access with Kerberos

Table 9-2

Kerberos Terms (continued)

 

 

 

Term

 

Definition

 

 

 

KEYTAB3

 

A password that a network service shares with the KDC. In Kerberos 5

 

 

and later Kerberos versions, the network service authenticates an

 

 

encrypted service credential by using the KEYTAB to decrypt it. In

 

 

Kerberos versions earlier than Kerberos 5, KEYTAB is referred to as

 

 

SRVTAB4.

Principal

 

Also known as a Kerberos identity, this is who you are or what a service

 

 

is according to the Kerberos server.

 

 

Note The Kerberos principal name must be in all lowercase characters.

 

 

Service credential

A credential for a network service. When issued from the KDC, this

 

 

credential is encrypted with the password shared by the network service

 

 

and the KDC. The password is also shared with the user TGT.

 

 

 

SRVTAB

 

A password that a network service shares with the KDC. In Kerberos 5

 

 

or later Kerberos versions, SRVTAB is referred to as KEYTAB.

 

 

 

TGT

 

Ticket granting ticket that is a credential that the KDC issues to

 

 

authenticated users. When users receive a TGT, they can authenticate to

 

 

network services within the Kerberos realm represented by the KDC.

 

 

 

1.TGT = ticket granting ticket

2.KDC = key distribution center

3.KEYTAB = key table

4.SRVTAB = server table

Kerberos Operation

A Kerberos server can be a Catalyst 3750-E or 3560-E switch that is configured as a network security server and that can authenticate remote users by using the Kerberos protocol. Although you can customize Kerberos in a number of ways, remote users attempting to access network services must pass through three layers of security before they can access network services.

To authenticate to network services by using a Catalyst 3750-E or 3560-E switch as a Kerberos server, remote users must follow these steps:

1.Authenticating to a Boundary Switch, page 9-34

2.Obtaining a TGT from a KDC, page 9-35

3.Authenticating to Network Services, page 9-35

Authenticating to a Boundary Switch

This section describes the first layer of security through which a remote user must pass. The user must first authenticate to the boundary switch. This process then occurs:

1.The user opens an un-Kerberized Telnet connection to the boundary switch.

2.The switch prompts the user for a username and password.

3.The switch requests a TGT from the KDC for this user.

Catalyst 3750-E and 3560-E Switch Software Configuration Guide

9-34

OL-9775-02

 

 

Page 236
Image 236
Cisco Systems 3750E manual Kerberos Operation, Authenticating to a Boundary Switch, Keytab, Srvtab, Tgt