Catalyst 4500 Series, Catalyst 2948G, Catalyst 2980G Switches Software Configuration Guide, Release 8.1
78-15486-01
Chapter 30 Configuring Switch Access Using AAA
Configuring Authentication
Enable Authentication: Console Session   Telnet Session
---------------------- ----------------- ----------------
tacacs                 disabled          disabled
radius                 disabled          disabled
local                  enabled(primary)  enabled(primary)
Console> (enable)
Configuring Kerberos Authentication
Before you can use Kerberos as an authentication method on the switch, you need to configure the
Kerberos server. You will need to create a database for the KDC and add the switch to the database.
To configure the Kerberos server, follow these steps:
Step 1
Before you can enter the switch in the Kerberos server’s key table, you must create the database that the
KDC will use. In the following example, a database called CISCO.EDU is created:
/usr/local/sbin/kdb5_util create -r CISCO.EDU -s
Step 2
Add the switch to the database. The following example adds a switch called Cat4012 to the CISCO.EDU
database:
ank host/[email protected]
Step 3
Add the username as follows:
Step 4
Add the Administrative Principals as follows:
ank user1/[email protected]
Step 5
Create the entry for the switch in the database using the admin.local ktadd command as follows:
ktadd host/[email protected]
Step 6
Move the keyadmin file to a place where the switch can reach it.
Step 7
Start the KDC server as follows:
/usr/local/sbin/krb4kdc
/usr/local/sbin/kadmind
Enabling Kerberos
To enable Kerberos authentication, perform this task in privileged mode:
        Task                             Command
Step 1  Enable Kerberos authentication.  set authentication login kerberos enable [all | console | http | telnet] [primary]
Step 2  Verify the configuration.        show authentication
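
The verification step can be checked mechanically when auditing saved switch output. The following Python sketch is an added example, not part of the Cisco guide: it parses text in the layout of the show authentication table shown earlier on this page and reports which sessions do not have Kerberos as their primary login method. The sample output is constructed, and the "Login Authentication" section and its kerberos row are assumed to follow the same layout as the "Enable Authentication" table.

```python
import re

# Constructed sample, modeled on the "Enable Authentication" table on this
# page. The "Login Authentication" section and the kerberos row are assumptions.
SAMPLE = """\
Login Authentication:  Console Session   Telnet Session
---------------------- ----------------- ----------------
tacacs                 disabled          disabled
radius                 disabled          disabled
kerberos               disabled          enabled(primary)
local                  enabled(primary)  enabled
Enable Authentication: Console Session   Telnet Session
---------------------- ----------------- ----------------
tacacs                 disabled          disabled
radius                 disabled          disabled
local                  enabled(primary)  enabled(primary)
Console> (enable)
"""

def parse_show_authentication(text):
    """Return {section: {session: {method: state}}} from the table text."""
    result, section, sessions = {}, None, []
    for line in text.splitlines():
        header = re.match(r"^(\w+) Authentication:\s*(.*)$", line)
        if header:
            section = header.group(1).lower()
            # Each column heading is "<Name> Session"; keep the name only.
            sessions = [s.lower() for s in re.findall(r"(\w+) Session", header.group(2))]
            result[section] = {s: {} for s in sessions}
            continue
        fields = line.split()
        # A method row is one method name plus one state per session column.
        if section and len(fields) == len(sessions) + 1 and not line.startswith("-"):
            for session, state in zip(sessions, fields[1:]):
                result[section][session][fields[0]] = state
    return result

def primary_method(parsed, section, session):
    """Name the method marked enabled(primary), or None if no row is."""
    for method, state in parsed[section][session].items():
        if state == "enabled(primary)":
            return method
    return None

def sessions_not_using(parsed, wanted="kerberos", section="login"):
    """List sessions whose primary login method is not the wanted one."""
    return sorted(s for s in parsed[section]
                  if primary_method(parsed, section, s) != wanted)
```

With the constructed sample, sessions_not_using(parse_show_authentication(SAMPLE)) returns ['console'], because only the Telnet column shows kerberos as enabled(primary).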