Enabling Mandatory Kerberos Authentication
As an added layer of security, you can optionally configure the device so that, after remote users authenticate
to it, these users can authenticate to other services on the network only with Kerberized Telnet, rlogin, rsh,
and rcp. If you do not make Kerberos authentication mandatory and Kerberos authentication fails, the application
attempts to authenticate users using the default method of authentication for that network service; for example,
Telnet and rlogin prompt for a password, and rsh attempts to authenticate using the local rhost file.
To make Kerberos authentication mandatory, use the following command in global configuration mode:
Purpose
Command
Sets Telnet, rlogin, rsh, and rcp to fail if they cannot
negotiate the Kerberos protocol with the remote
server.
Device(config)#
kerberos clients mandatory
Enabling Kerberos Instance Mapping
You can create administrative instances of users in the KDC database. The
kerberos instance map
command
allows you to map those instances to Cisco IOS privilege levels so that users can open secure Telnet sessions
to the device at a predefined privilege level, obviating the need to enter a clear text password to enter enable
mode.
To map a Kerberos instance to a Cisco IOS privilege level, use the following command in global configuration
mode:
Purpose
Command
Maps a Kerberos instance to a Cisco IOS privilege
level.
Device(config)#
kerberos instance map
instance
privilege-level
If there is a Kerberos instance for user
loki
in the KDC database (for example,
loki/admin
), user
loki
can now
open a Telnet session to the device as loki/admin and authenticate automatically at privilege level 15, assuming
instance
“
admin
”
is mapped to privilege level 15.
Cisco IOS commands can be set to various privilege levels using the
privilege level
command.
After you map a Kerberos instance to a Cisco IOS privilege level, you must configure the device to check for
Kerberos instances each time a user logs in. To run authorization to determine if a user is allowed to run an
EXEC shell based on a mapped Kerberos instance, use the
aaa authorization
command with the
krb5-instance
keyword. For more information, refer to the chapter
“
Configuring Authorization.
”
Monitoring the Kerberos Configuration
To display the Kerberos configuration, use the following commands:
•
show running-config
•
show kerberos creds
: Lists the credentials in a current user
’
s credentials cache.
•
clear kerberos creds
: Destroys all credentials in a current user
’
s credentials cache, including those
forwarded.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
991
How to Configure Kerberos
Summary of Contents for Catalyst 2960 Series
Page 96: ......
Page 196: ......
Page 250: ......
Page 292: ......
Page 488: ......
Page 589: ...P A R T VI Cisco Flexible NetFlow Configuring NetFlow Lite page 509 ...
Page 590: ......
Page 619: ...P A R T VII QoS Configuring QoS page 539 Configuring Auto QoS page 645 ...
Page 620: ......
Page 750: ......
Page 1604: ......
Page 1740: ......
Page 2105: ...P A R T XII Configuring Cisco IOS IP SLAs Configuring Cisco IP SLAs page 2025 ...
Page 2106: ......
Page 2118: ......
Page 2164: ......