8-31
Cisco ME 3800X and 3600X Switch Software Configuration Guide
OL-23400-01
Chapter 8 Configuring Switch-Based Authentication
Controlling Switch Access with Kerberos
Controlling Switch Access with Kerberos
This section describes how to enable and configure the Kerberos security system, which authenticates
requests for network resources by using a trusted third party. To use this feature, the cryptographic (that
is, supports encryption) version of the switch software must be installed on your switch. You must obtain
authorization to use this feature and to download the cryptographic software files from Cisco.com. For
more information, see the release notes for this release.
These sections contain this information:
•
Understanding Kerberos, page 8-31
•
Kerberos Operation, page 8-33
•
Configuring Kerberos, page 8-34
For Kerberos configuration examples, see the “Kerberos Configuration Examples” section in the
“Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.2, at this
URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfkerb.html
For complete syntax and usage information for the commands used in this section, see the “Kerberos
Commands” section in the Cisco IOS Security Command Reference, Release 12.4, at this URL:
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_k1.html#wp1044486
Note
In the Kerberos configuration examples and in the Cisco IOS Security Command Reference,
Release 12.2, the trusted third party can be a Cisco ME switch that supports Kerberos, that is configured
as a network security server, and that can authenticate users by using the Kerberos protocol.
Understanding Kerberos
Kerberos is a secret-key network authentication protocol, which was developed at the Massachusetts
Institute of Technology (MIT). It uses the Data Encryption Standard (DES) cryptographic algorithm for
encryption and authentication and authenticates requests for network resources. Kerberos uses the
concept of a trusted third party to perform secure verification of users and services. This trusted third
party is called the key distribution center (KDC).
Kerberos verifies that users are who they claim to be and the network services that they use are what the
services claim to be. To do this, a KDC or trusted Kerberos server issues tickets to users. These tickets,
which have a limited lifespan, are stored in user credential caches. The Kerberos server uses the tickets
instead of usernames and passwords to authenticate users and network services.
Note
A Kerberos server can be a Cisco ME switch that is configured as a network security server and that can
authenticate users by using the Kerberos protocol.
The Kerberos credential scheme uses a process called single logon. This process authenticates a user
once and then allows secure authentication (without encrypting another password) wherever that user
credential is accepted.
The switch supports Kerberos 5, which allows organizations that are already using Kerberos 5 to use the
same Kerberos authentication database on the KDC that they are already using on their other network
hosts (such as UNIX servers and PCs).