•
So that remote users can authenticate to network services, you must configure the hosts and the KDC
in the Kerberos realm to communicate and mutually authenticate users and network services. To do this,
you must identify them to each other. You add entries for the hosts to the Kerberos database on the KDC
and add KEYTAB files generated by the KDC to all hosts in the Kerberos realm. You also create entries
for the users in the KDC database.
•
A Kerberos server can be a switch that is configured as a network security server and that can authenticate
users by using the Kerberos protocol.
When you add or create entries for the hosts and users, follow these guidelines:
•
The Kerberos principal name
must
be in all lowercase characters.
•
The Kerberos instance name
must
be in all lowercase characters.
•
The Kerberos realm name
must
be in all uppercase characters.
Information About Kerberos
Kerberos and Switch Access
This section describes how to enable and configure the Kerberos security system, which authenticates requests
for network resources by using a trusted third party.
In the Kerberos configuration examples, the trusted third party can be any switch that supports Kerberos,
that is configured as a network security server, and that can authenticate users by using the Kerberos
protocol.
Note
Kerberos Overview
Kerberos is a secret-key network authentication protocol, which was developed at the Massachusetts Institute
of Technology (MIT). It uses the Data Encryption Standard (DES) cryptographic algorithm for encryption
and authentication and authenticates requests for network resources. Kerberos uses the concept of a trusted
third party to perform secure verification of users and services. This trusted third party is called the
key
distribution center
(KDC).
Kerberos verifies that users are who they claim to be and the network services that they use are what the
services claim to be. To do this, a KDC or trusted Kerberos server issues tickets to users. These tickets, which
have a limited life span, are stored in user credential caches. The Kerberos server uses the tickets instead of
user names and passwords to authenticate users and network services.
A Kerberos server can be any switch that is configured as a network security server and that can authenticate
users by using the Kerberos protocol.
Note
The Kerberos credential scheme uses a process called
single logon
. This process authenticates a user once
and then allows secure authentication (without encrypting another password) wherever that user credential is
accepted.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
980
Information About Kerberos
Summary of Contents for Catalyst 2960 Series
Page 96: ......
Page 196: ......
Page 250: ......
Page 292: ......
Page 488: ......
Page 589: ...P A R T VI Cisco Flexible NetFlow Configuring NetFlow Lite page 509 ...
Page 590: ......
Page 619: ...P A R T VII QoS Configuring QoS page 539 Configuring Auto QoS page 645 ...
Page 620: ......
Page 750: ......
Page 1604: ......
Page 1740: ......
Page 2105: ...P A R T XII Configuring Cisco IOS IP SLAs Configuring Cisco IP SLAs page 2025 ...
Page 2106: ......
Page 2118: ......
Page 2164: ......