7-35
Cisco ME 3400 EthernetAccess Switch SoftwareConfiguration Guide
78-17058-01
Chapter7 Configuring Switch-Ba sed Authentication Controlling Switch Access with Kerberos
Authenticating to a Boundary Switch
This section describes the first layer of security through which a re mo te u ser must p ass. T he use r must
first authenticate to the boundary switch. This process then occurs:
1. The user opens an un-Kerberized Telnet connection to the boundary switch.
2. The switch prompts the user for a username and password.
3. The switch requests a TGT from the KDC for this user.
4. The KDC sends an encrypted TGT that includes the user identity to the switch.
5. The switch attempts to decrypt the TGT by using the password that the user entered.
If the decryption is successful, the user is authenticated to the switch.
If the decryption is not successful, the user repeats Step 2 either by re-entering the username
and password (noting if Caps Lock or Num Lock is on or off) or by entering a different username
and password.
A remote user who initiates a un-Kerberized Telnet session and authenticates to a bo unda r y swi tch is
inside the firewall, but the user must still authenticate directly to the KDC before getting access to the
network services. The user must authenticate to the KDC becau se th e TGT that t he KDC is sues is stor ed
on the switch and cannot be used for additional authentication until the user logs on to the switch.
Obtaining a TGT from a KDC
This section describes the second layer of security through which a remote user must pass. T he user must
now authenticate to a KDC and obtain a TGT from the KDC to access network services.
For instructions about how to authenticate to a KDC, see the “Obtaining a TGT from a KDC” section in
the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.2, at
this URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsecsp/scfkerb.ht
m#1000999.
Authenticating to Network Services
This section describes the third layer of security through which a remote user must pass. Th e u ser with
a TGT must now authenticate to the network services in a Kerberos realm.
For instructions about how to authenticate to a network service, see the “Authenticating to Network
Services” section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration
Guide, Release12.2, at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsecsp/scfkerb.ht
m#1001010.