7-34
Cisco ME 3400 EthernetAccess Switch SoftwareConfiguration Guide
78-17058-01
Chapter7 Configuring Switch-Based Authentication
Controlling Switch Access with Kerberos
Kerberos Operation
A Kerberos server can be a Cisco ME switch that is configured as a ne twor k secu ri ty serv er and th at can
authenticate remote users by using the Kerberos protocol. Although you can customize Kerberos in a
number of ways, remote users attempting to access network services must pass through three layers of
security before they can access network services.
To authenticate to network services by using a Cisco ME switch as a K er beros se rve r , remote u sers must
follow these steps:
1. Authenticating to a Boundary Switch, page 7-35
2. Obtaining a TGT from a KDC, page 7-35
3. Authenticating to Network Services, page 7-35
KEYTAB3A password that a network service shares with the KDC. In Kerberos5
and later Kerberos versions, the network service authenticates an
encrypted service credential by using the KEYTAB to decrypt it. In
Kerberos versions earlier than Kerberos 5, KEYTAB is referred to as
SRVTAB4.
Principal Also known as a Kerberos identity, this is who you are or what a service
is according to the Kerberos server.
Note The Kerberos principal name must be in all lowercase characters.
Service credential A credential for a network service. When issued from the KDC, this
credential is encrypted with the password shared by the network service
and the KDC. The password is also shared with the user TGT.
SRVTAB A password that a network service shares with the KDC. In Kerberos5
or later Kerberos versions, SRVTAB is referred to as KEYTAB.
TGT Ticket granting ticket that is a credential that the KDC issues to
authenticated users. When users receive a TGT, they can authenticate to
network services within the Kerberos realm represented by the KDC.
1. TGT = ticket granting ticket
2. KDC = key distribution center
3. KEYTAB = key table
4. SRVTAB = serv e r t a b le
Table7-2 Kerberos Terms (continued)
Term Definition