Cisco Systems IE3010 Understanding Kerberos

9-41

Cisco IE 3010 Switch Software Configuration Guide

OL-23145-01

Chapter 9 Configuring Switch-Based Authentication

Controlling Switch Access with Kerberos

Understanding Kerberos

Kerberos is a secret-key network authentication protocol, which was developed at the Massachusetts

Institute of Technology (MIT). It uses the Data Encryption Standard (DES) cryptographic algorithm for

encryption and authentication and authenticates requests for network resources. Kerberos uses the

concept of a trusted third party to perform secure verification of users and services. This trusted third

party is called the key distribution center (KDC).

Kerberos verifies that users are who they claim to be and the network services tha t they use are what the

services claim to be. To do this, a KDC or trusted Kerberos server issues tickets to users. These tickets,

which have a limited lifespan, are stored in user credential caches. The Kerberos server uses the tickets

instead of usernames and passwords to authenticate users and network serv ices.

Note A Kerberos server can be an IE 3010 switch that is configured as a network security server and that can

authenticate users by using the Kerberos protocol.

The Kerberos credential scheme uses a process called single logon. This process authenticates a user

once and then allows secure authentication (without encrypting another password) wherever that user

credential is accepted.

This software release supports Kerberos 5, which allows organizations that are already using Kerberos 5

to use the same Kerberos authentication database on the KDC that they are already using on their other

network hosts (such as UNIX servers and PCs).

In this software release, Kerberos supports these network services:

• Telne t

• rlogin

• rsh (Remote Shell Protocol)

Table 9-5 lists the common Kerberos-related terms and definitions:

Tab l e 9-5 Kerberos Terms

Term Definition

Authentication A process by which a user or service identifies itself to another service.

For example, a client can authenticate to a switch or a switch can

authenticate to another switch.

Authorization A means by which the switch identifies what privileges the user has in a

network or on the switch and what actions the user can perform.

Credential A general term that refers to authentication tickets, such as TGTs1 and

service credentials. Kerberos credential s verify the identity of a user or

service. If a network service decides to trust the Kerberos server that

issued a ticket, it can be used in place of re-entering a username and

password. Credentials have a default lifespan of eight hours.