Your software release may not support all the features documented in
this module. For the latest caveats and feature information, see Bug Search
Tool and the release notes for your platform and software release. To find
information about the features documented in this module, and to see a list of
the releases in which each feature is supported, see the feature information
table at the end of this module.
Use Cisco Feature Navigator to find information about platform support
and Cisco software image support. To access Cisco Feature Navigator, go to
http://www.cisco.com/go/cfn. An account on Cisco.com is
Prerequisites for Controlling Switch Access with Kerberos
The following are the prerequisites for controlling switch access with Kerberos.
So that remote users can authenticate to network services, you must configure the hosts and the KDC in the Kerberos realm to communicate and mutually authenticate users and network services. To do this, you must identify them to each other. You add entries for the hosts to the Kerberos database on the KDC and add KEYTAB files generated by the KDC to all hosts in the Kerberos realm. You also create entries for the users in the KDC database.
A Kerberos server can be a switch that is configured as a network security server and that can authenticate users by using the Kerberos protocol.
When you add or create entries for the hosts and users, follow these guidelines:
The Kerberos principal name must be in all lowercase characters.
The Kerberos instance name must be in all lowercase characters.
The Kerberos realm name must be in all uppercase characters.
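The naming rules above, together with the user/instance@REALM form that the terminology table in this module describes, can be checked before entries are added to the KDC. The following Python is an added example for this page, not Cisco's code and not part of the guide; the realm EXAMPLE.COM, the sample entries, the instance-to-privilege-level table, and the host/fqdn form used for host entries are constructed assumptions.

```python
"""Validate Kerberos names against the prerequisite rules before they go
into the KDC database.  Added example, not Cisco's code: REALM, the sample
entries and INSTANCE_LEVELS are constructed assumptions."""
import re
from dataclasses import dataclass

REALM = "EXAMPLE.COM"                 # constructed realm name
INSTANCE_LEVELS = {"": 1, "admin": 15}  # assumed policy: instance -> privilege level

_PRINCIPAL = re.compile(r"^([^/@]+)(?:/([^/@]+))?@([^/@]+)$")


@dataclass(frozen=True)
class Principal:
    name: str
    instance: str      # empty string when the principal has no instance
    realm: str

    def __str__(self):
        inst = f"/{self.instance}" if self.instance else ""
        return f"{self.name}{inst}@{self.realm}"


def parse_principal(text: str) -> Principal:
    """Split user[/instance]@REALM and reject names that break the case rules:
    principal and instance lowercase, realm uppercase."""
    m = _PRINCIPAL.match(text.strip())
    if not m:
        raise ValueError(f"not of the form user[/instance]@REALM: {text!r}")
    name, instance, realm = m.group(1), m.group(2) or "", m.group(3)
    problems = []
    if name != name.lower():
        problems.append("principal name must be all lowercase")
    if instance != instance.lower():
        problems.append("instance name must be all lowercase")
    if realm != realm.upper():
        problems.append("realm name must be all uppercase")
    if problems:
        raise ValueError(f"{text!r}: " + "; ".join(problems))
    return Principal(name, instance, realm)


def privilege_level(p: Principal) -> int:
    """Authorization label carried by the instance (assumed mapping); 0 = unmapped.
    A service may enforce such a mapping but, as the guide says, need not."""
    return INSTANCE_LEVELS.get(p.instance, 0)


def host_principal(fqdn: str, realm: str = REALM) -> Principal:
    """Entry for a host, normalized so it satisfies the case rules.  The host/fqdn
    form is an assumption; the guide only shows user/instance@REALM."""
    return parse_principal(f"host/{fqdn.lower()}@{realm.upper()}")


def check_entries(entries):
    """Validate a batch of proposed KDC entries.
    Returns (accepted Principals, [(rejected entry, reason), ...])."""
    ok, bad = [], []
    for entry in entries:
        try:
            ok.append(parse_principal(entry))
        except ValueError as err:
            bad.append((entry, str(err)))
    return ok, bad


if __name__ == "__main__":
    # Constructed sample entries: two valid, three that the rules reject.
    accepted, rejected = check_entries([
        "smith@EXAMPLE.COM", "Smith@EXAMPLE.COM", "smith@example.com",
        "host/sw1.example.com@EXAMPLE.COM", "nonsense",
    ])
    print([str(p) for p in accepted])
    for entry, reason in rejected:
        print("rejected:", reason)
```

Run the batch check over the host and user entries you intend to create; an entry that fails here would be accepted by most KDC tools but then fail to match what the switch expects.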
This section describes how to enable and configure the Kerberos security system, which authenticates requests for network resources by using a trusted third party. For Kerberos configuration examples, see the “Kerberos Configuration Examples” section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.4.
For complete syntax and usage information for the commands used in this section, see the “Kerberos Commands” section in the “Security Server Protocols” chapter of the Cisco IOS Security Command Reference, Release 12.4.
In the Kerberos configuration examples and in the Cisco IOS Security Command Reference, Release 12.4, the trusted third party can be a switch that supports Kerberos, that is configured as a network security server, and that can authenticate users by using the Kerberos protocol.
Kerberos is a secret-key network authentication protocol, which was developed at the Massachusetts Institute of Technology (MIT). It uses the Data Encryption Standard (DES) cryptographic algorithm for encryption and authentication and authenticates requests for network resources. (DES is a 56-bit cipher that is no longer considered strong; where the KDC and the other Kerberos 5 hosts support stronger encryption types, prefer those.) Kerberos uses the concept of a trusted third party to perform secure verification of users and services. This trusted third party is called the key distribution center (KDC).
Kerberos verifies that users are who they claim to be and that the network services they use are what the services claim to be. To do this, a KDC or trusted Kerberos server issues tickets to users. These tickets, which have a limited life span, are stored in user credential caches. The Kerberos server uses the tickets instead of usernames and passwords to authenticate users and network services.
A Kerberos server can be a switch that is configured as a network security server and that can authenticate users by using the Kerberos protocol. The Kerberos credential scheme authenticates a user once and then allows secure authentication (without encrypting another password) wherever that user credential is accepted.
This software release supports Kerberos 5, which allows organizations that are already using Kerberos 5 to use the same Kerberos authentication database on the KDC that they are already using on their other network hosts (such as UNIX servers).
release, Kerberos supports these network services:
This table lists the common Kerberos-related terms and definitions.

Table 1 Kerberos Terms

Authentication: A process by which a user or service identifies itself to another service. For example, a client can authenticate to a switch, or a switch can authenticate to another switch.

Authorization: A means by which the switch identifies what privileges the user has in a network or on the switch and what actions the user can perform.

Credential: A general term that refers to authentication tickets, such as ticket granting tickets (TGTs) and service credentials. Kerberos credentials verify the identity of a user or service. If a network service decides to trust the Kerberos server that issued a ticket, the ticket can be used in place of re-entering a username and password. Credentials have a default life span of eight hours.

Instance: An authorization level label for Kerberos principals. Most Kerberos principals are of the form user@REALM (for example, smith@EXAMPLE.COM). A Kerberos principal with a Kerberos instance has the form user/instance@REALM (for example, smith/admin@EXAMPLE.COM). The Kerberos instance can be used to specify the authorization level for the user if authentication is successful. The server of each network service might implement and enforce the authorization mappings of Kerberos instances but is not required to do so. The Kerberos principal and instance names must be in all lowercase characters; the Kerberos realm name must be in all uppercase characters.

KDC: Key distribution center, which consists of a Kerberos server and database program that is running on a network host.

Kerberized: A term that describes applications and services that have been modified to support the Kerberos credential infrastructure.

Kerberos realm: A domain consisting of users, hosts, and network services that are registered to a Kerberos server. The Kerberos server is trusted to verify the identity of a user or network service to another user or network service. The Kerberos realm name must be in all uppercase characters.

Kerberos server: A daemon that is running on a network host. Users and network services register their identity with the Kerberos server. Network services query the Kerberos server to authenticate to other network services.

KEYTAB: A long-term key that a network service shares with the KDC. In Kerberos 5 and later Kerberos versions, the network service authenticates an encrypted service credential by using the KEYTAB to decrypt it. In Kerberos versions earlier than Kerberos 5, the KEYTAB is referred to as the SRVTAB.

Principal: Also known as a Kerberos identity, this is who you are or what a service is according to the Kerberos server. The Kerberos principal name must be in all lowercase characters.

Service credential: A credential for a network service. When issued by the KDC, this credential is encrypted with the key (KEYTAB) that the network service shares with the KDC; the session key it carries is returned to the user protected by the session key of the user's TGT, so the user can prove possession of it to the service.

SRVTAB: The name used before Kerberos 5 for the long-term key that a network service shares with the KDC. In Kerberos 5 or later Kerberos versions, the SRVTAB is referred to as the KEYTAB.

TGT: Ticket granting ticket, a credential that the KDC issues to authenticated users. When users receive a TGT, they can authenticate to network services within the Kerberos realm represented by the KDC.
A Kerberos server can be a switch that is configured as a network security server and that can authenticate remote users by using the Kerberos protocol. Although you can customize Kerberos in a number of ways, remote users attempting to access network services must pass through three layers of security before they can access those services. To authenticate to network services by using a switch as a Kerberos server, remote users must follow these steps:
1. Authenticate to a boundary switch.
2. Obtain a TGT from a KDC.
3. Authenticate to network services.
Authenticating to a Boundary Switch
This section describes the first layer of security through which a remote user must pass. The user must first authenticate to the boundary switch. This process then occurs:
1. The user opens an un-Kerberized Telnet connection to the boundary switch. Because this connection is not Kerberized, the username and password travel to the switch in clear text.
2. The switch prompts the user for a username and password.
3. The switch requests a TGT from the KDC for this user.
4. The KDC sends the switch a TGT for this user. The reply is encrypted with a key derived from the user's password, so it is usable only by someone who knows that password.
5. The switch attempts to decrypt the reply by using the password that the user entered.
6. If the decryption is successful, the user is authenticated to the switch.
7. If the decryption is not successful, the user repeats step 2, either by re-entering the username and password (checking whether Caps Lock or Num Lock is on) or by entering a different username and password.
A remote user who initiates an un-Kerberized Telnet session and authenticates to a boundary switch is inside the firewall, but the user must still authenticate directly to the KDC before getting access to the network services. The user must authenticate to the KDC because the TGT that the KDC issues is stored on the switch and cannot be used for additional authentication until the user logs on to the switch.
Obtaining a TGT from a KDC
This section describes the second layer of security through which a remote user must pass. The user must now authenticate to a KDC and obtain a TGT from the KDC to access network services.
For instructions about how to authenticate to a KDC, see the “Obtaining a TGT from a KDC” section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.4.
Authenticating to Network Services
This section describes the third layer of security through which a remote user must pass. The user with a TGT must now authenticate to the network services in a Kerberos realm.
For instructions about how to authenticate to a network service, see the “Authenticating to Network Services” section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.4.
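The three layers above, as an added example written for this page (not Cisco's code and not a real Kerberos implementation): a toy KDC, boundary switch and Kerberized service exchange JSON tickets protected by an HMAC-SHA256 keystream and tag that stands in for the Kerberos encryption types, with PBKDF2 standing in for string-to-key. The realm EXAMPLE.COM, the user smith, the password, and the service host/rsh.example.com are constructed. It shows what the text describes: the KDC reply is usable only with the right password (a Caps Lock mistake fails), the service decrypts its credential with its KEYTAB and never sees the password, a service holding a different KEYTAB cannot accept the ticket, and credentials expire after the eight-hour default.

```python
"""Toy model of the three-layer flow described above. Added example, not
Cisco's code and not real Kerberos: the realm, principals and password are
constructed, tickets are JSON dicts, an HMAC-SHA256 keystream plus tag stands
in for the Kerberos encryption types and PBKDF2 for string-to-key.  It shows
the switch using the KDC reply only when the typed password is right, a
service decrypting its credential with its KEYTAB, and ticket expiry."""
import hashlib
import hmac
import json
import os

REALM = "EXAMPLE.COM"    # constructed realm name (uppercase, per the rules)
LIFETIME = 8 * 3600      # default credential life span: eight hours


def string_to_key(password, principal):
    # Stand-in for Kerberos string-to-key, salted with the principal name.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 50_000)


def _keystream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range(n // 32 + 1))[:n]


def seal(key, obj):
    # Encrypt-then-MAC a dict as nonce || ciphertext || tag.
    data, nonce = json.dumps(obj, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None      # wrong key: the tag does not verify, nothing is decrypted
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:  # Kerberos server plus database: one long-term key per principal
    def __init__(self):
        self.keys = {"krbtgt/" + REALM: os.urandom(32)}

    def add_user(self, name, password):
        self.keys[name] = string_to_key(password, f"{name}@{REALM}")

    def add_service(self, name):
        self.keys[name] = os.urandom(32)
        return self.keys[name]            # the service's copy of this key is its KEYTAB

    def as_exchange(self, client, now):
        # TGT sealed under the KDC's own key; the session key comes back in a part
        # sealed under the user's key, so only the password holder can use the TGT.
        if client not in self.keys:
            return None
        skey = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt/" + REALM], {"client": client, "skey": skey, "expiry": now + LIFETIME})
        return tgt, seal(self.keys[client], {"skey": skey})

    def tgs_exchange(self, tgt, authenticator, service, now):
        # Service credential, issued only for an unexpired TGT whose session key the
        # requester proved it holds by sealing the authenticator with it.
        body = unseal(self.keys["krbtgt/" + REALM], tgt)
        if body is None or body["expiry"] <= now or service not in self.keys:
            return None
        auth = unseal(bytes.fromhex(body["skey"]), authenticator)
        if auth is None or auth["client"] != body["client"]:
            return None
        skey = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": body["client"], "skey": skey, "expiry": now + LIFETIME})
        return ticket, seal(bytes.fromhex(body["skey"]), {"skey": skey, "service": service})


class BoundarySwitch:  # layer 1: Telnet username/password in, user's TGT cached
    def __init__(self, kdc):
        self.kdc, self.cache = kdc, {}    # credential cache: user -> (TGT, session key)

    def login(self, username, password, now):
        reply = self.kdc.as_exchange(username, now)
        part = reply and unseal(string_to_key(password, f"{username}@{REALM}"), reply[1])
        if not part:                      # wrong password or unknown user: re-prompt
            return False
        self.cache[username] = (reply[0], part["skey"])
        return True

    def service_ticket(self, username, service, now):
        # Layers 2 and 3 reuse the cached TGT; the password is never asked for again.
        tgt, skey = self.cache[username]
        reply = self.kdc.tgs_exchange(tgt, seal(bytes.fromhex(skey), {"client": username}), service, now)
        if reply is None:
            return None
        svc_skey = unseal(bytes.fromhex(skey), reply[1])["skey"]
        return reply[0], seal(bytes.fromhex(svc_skey), {"client": username})


class KerberizedService:  # decrypts credentials with its KEYTAB, never sees a password
    def __init__(self, keytab):
        self.keytab = keytab

    def accept(self, ticket, authenticator, now):
        body = unseal(self.keytab, ticket)
        auth = body and body["expiry"] > now and unseal(bytes.fromhex(body["skey"]), authenticator)
        return body["client"] if auth and auth["client"] == body["client"] else None


def demo(now=1_700_000_000):
    kdc = KDC()
    kdc.add_user("smith", "correct horse")               # constructed user entry
    keytab = kdc.add_service("host/rsh.example.com")     # constructed host entry
    switch, rsh = BoundarySwitch(kdc), KerberizedService(keytab)
    out = {"caps_lock": switch.login("smith", "CORRECT HORSE", now),
           "login": switch.login("smith", "correct horse", now)}
    ticket, auth = switch.service_ticket("smith", "host/rsh.example.com", now)
    out["service"] = rsh.accept(ticket, auth, now)
    out["rogue_keytab"] = KerberizedService(os.urandom(32)).accept(ticket, auth, now)
    out["expired"] = rsh.accept(ticket, auth, now + LIFETIME + 1)
    return out
```

demo() returns the outcomes of one run: caps_lock False, login True, service "smith", rogue_keytab None, expired None. Real Kerberos also puts timestamps and addresses in the authenticator, keeps a replay cache, and uses the KDC-chosen encryption types; the model keeps only the key relationships the text describes between the password, the TGT and the KEYTAB.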
How to Configure Kerberos
To set up a Kerberos-authenticated server-client system, follow these steps:
1. Configure the KDC by using Kerberos commands.
2. Configure the switch to use the Kerberos protocol.
For instructions, see the “Kerberos Configuration Task List” section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.4.
Monitoring the Kerberos Configuration
To display the Kerberos configuration, use the show running-config privileged EXEC command. To display the credentials (TGTs) that the switch currently holds for logged-on users, use the show kerberos creds privileged EXEC command.
Related information: Configuring Identity Control policies and Identity Service templates for Session Aware networking.