Symbol Technologies AP-4131 manual Introduction

Models: AP-4131


Introduction

Authentication Service (AS)

Provides the authentication ticket containing information about the client and the session key used with the KDC.

Ticket Granting Ticket Service (TGS)

Permits devices to communicate with a service (this could be any application or service such as the AP RF services).

The default expiration time of a ticket is 12 hours (for the AP) and is not user configurable. If the ticket lifetime in the KDC's security policy differs from the lifetime requested, the KDC selects the shorter of the two expiration times. Each time a ticket is generated, a new session and WEP encryption key is generated.

The KDC resides on the Kerberos server (the Kerberos server can also be the DNS server). In addition to the KDC, a Kerberos Setup Service (KSS) is installed on the Kerberos server. The KSS runs as a client on the KDC server when initially launched. The KSS can be used to administer Spectrum24 devices authorized on the network. For example, if an AP on the Access Control List (ACL) is lost or stolen, the KSS marks the AP (using the MAC address of the AP) as not authorized and notifies the administrator if the missing AP appears elsewhere on the network attempting authentication.

All clients (MUs), the KDC and services (APs) participating in the Kerberos authentication system must have their internal clocks synchronized to within a specified maximum amount of time (known as clock skew). The KSS uses Network Time Protocol (NTP) or the system clock on the Kerberos server to provide clock synchronization (timestamp) between the KDC and APs as part of the authentication process. Clock synchronization is essential since the expiration time is associated with each ticket. If the clock skew is exceeded between any of the participating hosts, requests are rejected.

Additionally, the KSS provides a list of authorized APs and other security setup information that the KDC uses to authenticate clients. When setting up KSS, assign APs an ESSID as the User ID to authenticate with the KDC.
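
An added sketch (not from the Symbol manual and not the KSS or KDC implementation) that models the checks described above: the lookup of a de-authorized AP by MAC address, the clock-skew rejection and the shorter-lifetime rule. The 5-minute skew limit, the ESSID comparison, the class and function names and all sample values are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

AP_LIFETIME = timedelta(hours=12)      # from the page: AP default, not configurable
MAX_SKEW = timedelta(minutes=5)        # assumption: the page gives no skew value

@dataclass
class ApRecord:
    essid: str          # the ESSID serves as the AP's User ID at the KDC
    authorized: bool    # set False when the AP is reported lost or stolen

@dataclass
class Decision:
    granted: bool
    reason: str
    expires: Optional[datetime] = None
    notify_admin: bool = False

def evaluate_request(acl, mac, essid, ap_time, kdc_time, policy_lifetime):
    """Model the checks described above for one AP authentication request."""
    record = acl.get(mac.lower())
    if record is None:
        return Decision(False, "MAC not in authorized AP list")
    if not record.authorized:
        # A de-authorized AP that reappears is reported to the administrator.
        return Decision(False, "AP marked not authorized", notify_admin=True)
    if record.essid != essid:
        return Decision(False, "ESSID does not match list entry")
    if abs(ap_time - kdc_time) > MAX_SKEW:
        return Decision(False, "clock skew exceeded")
    # The KDC applies the shorter of the requested and policy lifetimes.
    lifetime = min(AP_LIFETIME, policy_lifetime)
    return Decision(True, "ticket issued", expires=kdc_time + lifetime)

# Constructed sample data: MAC addresses, ESSID and timestamps are invented.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
ACL = {
    "02:00:00:00:00:01": ApRecord("WAREHOUSE", True),
    "02:00:00:00:00:02": ApRecord("WAREHOUSE", False),  # reported stolen
}

if __name__ == "__main__":
    cases = [
        ("02:00:00:00:00:01", NOW, timedelta(hours=8)),
        ("02:00:00:00:00:01", NOW + timedelta(minutes=9), timedelta(hours=8)),
        ("02:00:00:00:00:02", NOW, timedelta(hours=8)),
    ]
    for mac, ap_time, policy in cases:
        print(mac, evaluate_request(ACL, mac, "WAREHOUSE", ap_time, NOW, policy))
```
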


AP-4131 Access Point Product Reference Guide
