1-42
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-25303-03
Chapter 1 Configuring Switch-Based Authentication
Controlling Switch Access with Kerberos
3.
The switch requests a TGT from the KDC for this user.
4.
The KDC sends an encrypted TGT that includes the user identity to the switch.
5.
The switch attempts to decrypt the TGT by using the password that the user entered.
•
If the decryption is successful, the user is authenticated to the switch.
•
If the decryption is not successful, the user repeats Step 2 either by re-entering the username
and password (noting if Caps Lock or Num Lock is on or off) or by entering a different username
and password.
A remote user who initiates a un-Kerberized Telnet session and authenticates to a boundary switch is
inside the firewall, but the user must still authenticate directly to the KDC before getting access to the
network services. The user must authenticate to the KDC because the TGT that the KDC issues is stored
on the switch and cannot be used for additional authentication until the user logs on to the switch.
Obtaining a TGT from a KDC
This section describes the second layer of security through which a remote user must pass. The user must
now authenticate to a KDC and obtain a TGT from the KDC to access network services.
For instructions about how to authenticate to a KDC, see the “Obtaining a TGT from a KDC” section in
the “Security Server Protocols”
chapter of the
Cisco IOS Security Configuration Guide, Release 12.4.
Authenticating to Network Services
This section describes the third layer of security through which a remote user must pass. The user with
a TGT must now authenticate to the network services in a Kerberos realm.
For instructions about how to authenticate to a network service, see the “Authenticating to Network
Services” section in the “Security Server Protocols”
chapter of the
Cisco IOS Security Configuration
Guide, Release 12.4.
Configuring Kerberos
So that remote users can authenticate to network services, you must configure the hosts and the KDC in
the Kerberos realm to communicate and mutually authenticate users and network services. To do this,
you must identify them to each other. You add entries for the hosts to the Kerberos database on the KDC
and add KEYTAB files generated by the KDC to all hosts in the Kerberos realm. You also create entries
for the users in the KDC database.
When you add or create entries for the hosts and users, follow these guidelines:
•
The Kerberos principal name
must
be in all lowercase characters.
•
The Kerberos instance name
must
be in all lowercase characters.
•
The Kerberos realm name
must
be in all uppercase characters.
Note
A Kerberos server can be a Catalyst 3750-X or 3560-X switch that is configured as a network security
server and that can authenticate users by using the Kerberos protocol.
Summary of Contents for Catalyst 3560-X Series
Page 12: ...Contents 10 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...
Page 13: ...Contents 11 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...
Page 14: ...Contents 12 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...
Page 15: ...Contents 13 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...
Page 16: ...Contents 14 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...
Page 17: ...Contents 15 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...
Page 18: ...Contents 16 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...
Page 19: ...Contents 17 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...
Page 20: ...Contents 18 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...
Page 21: ...Contents 19 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...
Page 22: ...Contents 20 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...
Page 23: ...Contents 21 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...
Page 24: ...Contents 22 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...
Page 25: ...Contents 23 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...
Page 26: ...Contents 24 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...
Page 27: ...Contents 25 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...
Page 28: ...Contents 26 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...
Page 29: ...Contents 27 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...
Page 30: ...Contents 28 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...
Page 31: ...Contents 29 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...
Page 32: ...Contents 30 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...
Page 33: ...Contents 31 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...
Page 34: ...Contents 32 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...
Page 35: ...Contents 33 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...
Page 36: ...Contents 34 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...
Page 37: ...Contents 35 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...
Page 38: ...Contents 36 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...
Page 42: ...56 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Preface ...
Page 1538: ...Index IN 58 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...