9-43
Catalyst 3750-E and 3560-E Switch Software Configuration Guide
OL-9775-08
Chapter 9 Configuring Switch-Based Authentication
Configuring the Switch for Local Authentication and Authorization
For instructions about how to authenticate to a network service, see the “Authenticating to Network
Services” section in the “Security Server Protocols”
chapter of the
Cisco IOS Security Configuration
Guide, Release 12.2.
Configuring Kerberos
So that remote users can authenticate to network services, you must configure the hosts and the KDC in
the Kerberos realm to communicate and mutually authenticate users and network services. To do this,
you must identify them to each other. You add entries for the hosts to the Kerberos database on the KDC
and add KEYTAB files generated by the KDC to all hosts in the Kerberos realm. You also create entries
for the users in the KDC database.
When you add or create entries for the hosts and users, follow these guidelines:
•
The Kerberos principal name
must
be in all lowercase characters.
•
The Kerberos instance name
must
be in all lowercase characters.
•
The Kerberos realm name
must
be in all uppercase characters.
Note
A Kerberos server can be a Catalyst 3750-E or 3560-E switch that is configured as a network security
server and that can authenticate users by using the Kerberos protocol.
To set up a Kerberos-authenticated server-client system, follow these steps:
•
Configure the KDC by using Kerberos commands.
•
Configure the switch to use the Kerberos protocol.
For instructions, see the “Kerberos Configuration Task List” section in the “Security Server Protocols”
chapter of the
Cisco IOS Security Configuration Guide, Release 12.2.
Configuring the Switch for Local Authentication and
Authorization
You can configure AAA to operate without a server by setting the switch to implement AAA in local
mode. The switch then handles authentication and authorization. No accounting is available in this
configuration.
Beginning in privileged EXEC mode, follow these steps to configure the switch for local AAA:
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
aaa new-model
Enable AAA.
Step 3
aaa authentication login default local
Set the login authentication to use the local username database. The
default
keyword applies the local user database authentication to all
ports.
Step 4
aaa authorization exec local
Configure user AAA authorization, check the local database, and allow
the user to run an EXEC shell.
Содержание Catalyst 3750-E Series
Страница 48: ...Contents xlviii Catalyst 3750 E and 3560 E Switch Software Configuration Guide OL 9775 08 ...
Страница 52: ...lii Catalyst 3750 E and 3560 E Switch Software Configuration Guide OL 9775 08 Preface ...
Страница 1414: ...Index IN 58 Catalyst 3750 E and 3560 E Switch Software Configuration Guide OL 9775 08 ...