7-36
Cisco ME 3400 EthernetAccess Switch SoftwareConfiguration Guide
78-17058-01
Chapter7 Configuring Switch-Based Authentication
Configuring the Switch for Local Authentication and Authorization

Configuring Kerberos

So that remote users can authenticate to network services, you must configure the hosts and the KDC in
the Kerberos realm to communicate and mutually authenticate users and network services. To do this,
you must identify them to each other. You add e ntries for the hosts to the K erberos data base on the KDC
and add KEYTAB files generated by the KDC to all hosts in the Kerberos realm. You also create entries
for the users in the KDC database.
When you add or create entries for the hosts and users, follow these guidelines:
The Kerberos principal name must be in all lowercase character s.
The Kerberos instance name must be in all lowercase characters.
The Kerberos realm name must be in all uppercase character s.
Note A Kerberos server can be a Cisco ME switch that is configured as a ne twor k se curi ty serv er and th at can
authenticate users by using the Kerberos protocol.
To set up a Kerberos-authenticated server-client system, follow these steps:
Configure the KDC by using Kerberos commands.
Configure the switch to use the Kerberos protocol.
For instructions, see the “Kerberos Configuration Task List” section in the “Security Server Protocols”
chapter of the Cisco IOS Security Configuration Guide, Release 1 2.2, at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsecsp/scfkerb.ht
m#1001027.
Configuring the Switch for Local Authentication and Authorization
You can configure AAA to operate without a server by setting the switch to implement AAA in local
mode. The switch then handles authentication and authorization. No accounting is available in this
configuration.
Beginning in privileged EXEC mode, follow these steps to configure the switch for local AAA:
Command Purpose
Step1 configure terminal Enter global configuration mode.
Step2 aaa new-model Enable AAA.
Step3 aaa authentication login default local Set the login authentication to use the local username database. The
default keyword applies the local user database authentication to all
ports.
Step4 aaa authorization exec local Configure user AAA authorization, check the local database, and allow
the user to run an EXEC shell.
Step5 aaa authorization network local Configure user AAA authorization for all network-related service
requests.