7-33
Cisco ME 3400 EthernetAccess Switch SoftwareConfiguration Guide
78-17058-01
Chapter7 Configuring Switch-Ba sed Authentication Controlling Switch Access with Kerberos
This software release supports Kerberos 5, which allows organizations that are already using Kerberos 5
to use the same Kerberos authentication database on the KDC that they are already using on their other
network hosts (such as UNIX servers and PCs).
In this software release, Kerberos supports these network services:
Telne t
rlogin
rsh (Remote Shell Protocol)
Table 7 -2 lists the common Kerberos-related terms and definitions:
Table7-2 Kerberos Terms
Term Definition
Authentication A process by which a user or service identifies itself to another service.
For example, a client can authenticate to a switch or a switch can
authenticate to another switch.
Authorization A means by which the switch identifies what privileges the user has in a
network or on the switch and what actions the user can perform.
Credential A general term that refers to authentication tickets, such as TGTs1 and
service credentials. Kerberos credential s ve rif y t h e id en t ity of a u ser o r
service. If a network service decides to trust the Kerberos server that
issued a ticket, it can be used in place of re-entering a username and
password. Credentials have a default lifespan of eight hours.
Instance An authorization level label for Kerberos principals. Most Kerberos
principals are of the form user@REALM (for example,
smith@EXAMPLE.COM). A Kerberos principal with a Kerberos
instance has the form user/instance@REALM (for example,
smith/admin@EXAMPLE.COM). The Kerberos instance can be used to
specify the authorization level for the user if authentication is successful.
The server of each network service might implement and enforce the
authorization mappings of Kerberos instances but is not required to do so.
Note The Kerberos principal and instance names must be in all
lowercase characters.
Note The Kerberos realm name must be in all uppercase characters.
KDC2Key distribution center that consists of a Kerberos server and database
program that is running on a network host.
Kerberized A term that describes applications and services that have been modified
to support the Kerberos credential infrastructure.
Kerberos realm A domain consisting of users, hosts, and network services that are
registered to a Kerberos server. The Kerberos server is trusted to verify
the identity of a user or network service to another user or network
service.
Note The Kerberos realm name must be in all uppercase characters.
Kerberos server A daemon that is running on a network host. Users and network services
register their identity with the Kerberos server. Network services query
the Kerberos server to authenticate to other network services.