Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4
Chapter 21 Configuring Switch Access Using AAA
Understanding How Authentication Works
Table 21-1 defines the terms used in Kerberos.
In the Catalyst 6000 family switches, Telnet clients and servers through both the console and in-band management port can be Kerberized.
Kerberos authentication does not work if is used as the authentication mechanism.
If you are logged in to the console through a modem or a terminal server, you cannot use a Kerberized login procedure.
Table 21-1  Kerberos Terminology

Kerberized
    Applications and services that have been modified to support the Kerberos credential infrastructure.

Kerberos credential
    General term referring to authentication tickets, such as ticket granting tickets (TGTs) and service credentials. Kerberos credentials verify the ticket of a user or service. If a network service decides to trust the Kerberos server that issued the ticket, the Kerberos credential can be used in place of retyping a username and password. Credentials have a default life span of eight hours.

Kerberos identity
    (See Kerberos principal.)

Kerberos principal
    The Kerberos principal is who you are or what a service is according to the Kerberos server. (Also known as a Kerberos identity.)

Kerberos realm
    A domain consisting of users, hosts, and network services that are registered to a Kerberos server. The Kerberos server is trusted to verify the identity of a user or network service to another user or network service. Kerberos realms must always be in uppercase characters.

Kerberos server
    A daemon running on a network host. Users and network services register their identity with the Kerberos server. Network services query the Kerberos server to authenticate to other network services.

Key distribution center (KDC)
    A Kerberos server and database program running on a network host that allocates the Kerberos credentials to different users or network services.

Service credential
    A credential for a network service. When issued from the KDC, this credential is encrypted with the password shared by the network service and the KDC and with the user's TGT.

SRVTAB
    A password that a network service shares with the KDC. The network service authenticates an encrypted service credential by using the SRVTAB (also known as a KEYTAB) to decrypt it.

Ticket granting ticket (TGT)
    A credential that the KDC issues to authenticated users. When users receive a TGT, they can authenticate to network services within the Kerberos realm represented by the KDC.
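The following is an added walk-through, not code from the Cisco guide or from any Kerberos implementation, that models how the terms in Table 21-1 fit together: the KDC issues a TGT sealed under the user's long-term key, exchanges a valid TGT for a service credential sealed under the key the service shares with the KDC (its SRVTAB), and the Kerberized service validates that credential and enforces the eight-hour default life span. The realm EXAMPLE.COM, the principals alice and telnet/switch1, the keys, and the "cipher" are all constructed for illustration; the seal/unseal routine is a toy stand-in for a real Kerberos encryption type and should not be reused for anything else.

```python
"""Toy model of the Kerberos credential flow summarized in Table 21-1.
Constructed example for illustration only: the cipher is a toy, not a
Kerberos encryption type, and nothing here is Cisco or MIT code."""
import hashlib
import hmac
import json
import os

DEFAULT_LIFETIME = 8 * 3600   # credentials have a default life span of eight hours


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy keystream: SHA-256 in counter mode over key || nonce || counter.
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, payload: dict) -> bytes:
    """Toy authenticated encryption of a JSON payload: nonce || ct || tag."""
    pt = json.dumps(payload, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Reject the blob unless the MAC verifies under this key, then decrypt."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("credential rejected: wrong key or tampered")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


class KDC:
    """Key distribution center: the Kerberos server plus its principal database."""

    def __init__(self, realm: str):
        if realm != realm.upper():
            raise ValueError("Kerberos realms must be uppercase")
        self.realm = realm
        self.db = {}                   # principal -> long-term key
        self.tgs_key = os.urandom(32)  # KDC-only key that protects TGTs

    def register(self, principal: str, key: bytes) -> None:
        self.db[principal] = key

    def as_exchange(self, user: str, now: float) -> bytes:
        """Issue a TGT. The reply is sealed under the user's key, so only a
        client that knows that key (derived from the password) can use it."""
        tgt = seal(self.tgs_key, {"client": f"{user}@{self.realm}",
                                  "expires": now + DEFAULT_LIFETIME})
        return seal(self.db[user], {"tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, service: str, now: float) -> bytes:
        """Turn a valid TGT into a service credential sealed under the key the
        service shares with the KDC (its SRVTAB)."""
        claims = unseal(self.tgs_key, tgt)
        if now >= claims["expires"]:
            raise ValueError("TGT expired")
        return seal(self.db[service], {"client": claims["client"],
                                       "expires": now + DEFAULT_LIFETIME})


def service_accept(srvtab: bytes, ticket: bytes, now: float) -> str:
    """The Kerberized service validates the credential with its SRVTAB and
    returns the authenticated client principal."""
    claims = unseal(srvtab, ticket)
    if now >= claims["expires"]:
        raise ValueError("service credential expired")
    return claims["client"]


def run_flow(now: float, tgt_age: float = 0.0, wrong_srvtab: bool = False) -> str:
    """Full login: AS exchange, TGS exchange, then the switch's Telnet service
    checks the ticket. tgt_age lets the caller present a stale TGT."""
    kdc = KDC("EXAMPLE.COM")                                # constructed realm
    user_key = hashlib.sha256(b"user-password").digest()   # constructed key
    srvtab = os.urandom(32)                                 # constructed keytab
    kdc.register("alice", user_key)
    kdc.register("telnet/switch1", srvtab)
    reply = unseal(user_key, kdc.as_exchange("alice", now - tgt_age))
    tgt = bytes.fromhex(reply["tgt"])
    ticket = kdc.tgs_exchange(tgt, "telnet/switch1", now)
    # A service holding the wrong SRVTAB cannot decrypt or verify the ticket.
    return service_accept(os.urandom(32) if wrong_srvtab else srvtab, ticket, now)


if __name__ == "__main__":
    import time
    print(run_flow(time.time()))   # alice@EXAMPLE.COM
```

The two failure paths worth noting are the ones the table implies: a TGT older than the eight-hour default is refused at the TGS exchange, and a service whose SRVTAB does not match the key the KDC holds for it cannot validate the credential, so the login is rejected before any principal name is trusted.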