Cisco Systems IE 2000 Switch Access with Kerberos

12-17

Cisco IE 2000 Switch Software Configuration Guide

OL-25866-01

Chapter 12 Configuring Switch-Based Authentication

Information About Configuring Switch-Based Authentication

attributes not suitable for general use. The Cisco RADIUS implementatio n supports one vendor-specific

option by using the format recommended in the specification. Cisco’s vendor-ID is 9, and the supported

option has vendor-type 1, which is named cisco-avpair. The value is a string with this format:

protocol : attribute sep value *

protocol is a value of the Cisco protocol attribute for a particular type o f authorization. Attribute and

value are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep

is = for mandatory attributes and is * for optional attributes. The full set of features available for

TACACS+ authorization can then be used for RADIUS.

For example, this AV pair activates Cisco’s multiple named ip address pools feature during IP

authorization (during PPP IPCP address assignment):

cisco-avpair= ”ip:addr-pool=first“

Although an IETF draft standard for RADIUS specifies a method for commu nicating vendor-proprietary

information between the switch and the RADIUS server, some vendors have extended the RADIUS

attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS

attributes.

As mentioned earlier, to configure RADIUS (whether vendor-proprietary or IETF draft-comp liant), you

must specify the host running the RADIUS server daemon and the secret text string it shares with the

switch. You specify the RADIUS host and secret text string by using the radius-server global

configuration commands.

Switch Access with Kerberos

This section describes how to enable and configure the Kerberos security system, which authenticates

requests for network resources by using a trusted third party. To use this feature, the cryptographic (that

is, supports encryption) versions of the switch software must be installed on your switch.

You must obtain authorization to use this feature and to download the cryptographic software files from

Cisco.com. For more information, see the release notes for this release.

Kerberos is a secret-key network authentication protocol, which was developed at the Massachusetts

Institute of Technology (MIT). It uses the Data Encryption Standard (DES) cryptographic algorithm for

encryption and authentication and authenticates requests for network resources. Kerberos uses the

concept of a trusted third party to perform secure verification of users and services. This trusted third

party is called the key distribution center (KDC).

Kerberos verifies that users are who they claim to be and the network services tha t they use are what the

services claim to be. To do this, a KDC or trusted Kerberos server issues tickets to users. These tickets,

which have a limited lifespan, are stored in user credential caches. The Kerberos server uses the tickets

instead of usernames and passwords to authenticate users and network serv ices.

Note A Kerberos server can be a switch that is configured as a netwo rk security server and that can

authenticate users by using the Kerberos protocol.