Configuring Kerberos
- Finding Feature Information
- Prerequisites for Controlling Switch Access with Kerberos
- Restrictions for Controlling Switch Access with Kerberos
- Information about Kerberos
- How to Configure Kerberos
- Monitoring the Kerberos Configuration
- Additional References
- Feature Information for Kerberos
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for Controlling Switch Access with Kerberos
The following are the prerequisites for controlling switch access with Kerberos.
So that remote users can authenticate to network services, you must configure the hosts and the KDC in the Kerberos realm to communicate with, and mutually authenticate, users and network services. To do this, you must identify them to each other: add entries for the hosts to the Kerberos database on the KDC, distribute the KEYTAB files generated by the KDC to all hosts in the Kerberos realm, and create entries for the users in the KDC database. A KEYTAB holds a host's long-term Kerberos key, so transfer it only over a protected channel and restrict access to it on the host; anyone who obtains it can impersonate that host to the realm.
A Kerberos server can be a switch that is configured as a network security server and that can authenticate users by using the Kerberos protocol.
When you add or create entries for the hosts and users, follow these guidelines:
Restrictions for Controlling Switch Access with Kerberos
The following lists any restrictions for controlling switch access with Kerberos.
Information about Kerberos
This section provides Kerberos information.
Kerberos and Switch Access
This section describes how to enable and configure the Kerberos security system, which authenticates requests for network resources by using a trusted third party.
Note | In the Kerberos configuration examples, the trusted third party can be any switch that supports Kerberos, that is configured as a network security server, and that can authenticate users by using the Kerberos protocol. |
Kerberos Overview
Kerberos is a secret-key network authentication protocol that was developed at the Massachusetts Institute of Technology (MIT). The Cisco IOS implementation uses the Data Encryption Standard (DES) cryptographic algorithm for encryption and authentication and authenticates requests for network resources. DES uses a 56-bit key and is no longer considered secure: RFC 6649 deprecates the DES encryption types in Kerberos, and current KDCs disable them by default, so interoperating with this implementation means re-enabling a weak encryption type on the KDC; limit that to the principals the switch actually needs. Kerberos uses the concept of a trusted third party to perform secure verification of users and services. This trusted third party is called the key distribution center (KDC).
Kerberos verifies that users are who they claim to be and the network services that they use are what the services claim to be. To do this, a KDC or trusted Kerberos server issues tickets to users. These tickets, which have a limited life span, are stored in user credential caches. The Kerberos server uses the tickets instead of user names and passwords to authenticate users and network services.
Note | A Kerberos server can be any switch that is configured as a network security server and that can authenticate users by using the Kerberos protocol. |
The Kerberos credential scheme uses a process called single logon. This process authenticates a user once and then allows secure authentication, without entering or transmitting a password again, wherever that user credential is accepted.
This software release supports Kerberos 5, which allows organizations that are already using Kerberos 5 to use the same Kerberos authentication database on the KDC that they are already using on their other network hosts (such as UNIX servers and PCs).
Kerberos supports these network services:

The following table defines the Kerberos terms used in this module.

Term | Definition
---|---
Authentication | A process by which a user or service identifies itself to another service. For example, a client can authenticate to a switch, or a switch can authenticate to another switch.
Authorization | A means by which the switch identifies what privileges the user has in a network or on the switch and what actions the user can perform.
Credential | A general term for authentication tickets, such as TGTs and service credentials. Kerberos credentials verify the identity of a user or service. If a network service trusts the Kerberos server that issued a ticket, the ticket can be used in place of re-entering a username and password. Credentials have a default life span of eight hours.
Instance | An authorization-level label for Kerberos principals. Most Kerberos principals have the form user@REALM (for example, smith@EXAMPLE.COM). A principal with an instance has the form user/instance@REALM (for example, smith/admin@EXAMPLE.COM). The instance can be used to specify the authorization level for the user after successful authentication. The server of each network service may implement and enforce the authorization mapping of instances but is not required to do so.
KDC | Key distribution center: the Kerberos server and database program that run on a network host.
Kerberized | Describes applications and services that have been modified to use the Kerberos credential infrastructure.
Kerberos realm | A domain consisting of users, hosts, and network services that are registered with a Kerberos server. The Kerberos server is trusted to verify the identity of a user or network service to another user or network service.
Kerberos server | A daemon that runs on a network host. Users and network services register their identities with the Kerberos server. Network services query the Kerberos server to authenticate to other network services.
KEYTAB | The long-term key (called a password in this guide) that a network service shares with the KDC. In Kerberos 5 and later versions, the network service uses the KEYTAB to decrypt, and thereby verify, an encrypted service credential. In versions earlier than Kerberos 5, the KEYTAB is called the SRVTAB. Anyone who holds a service's KEYTAB can impersonate that service, so protect it as you would a private key.
Principal | Also known as a Kerberos identity: who a user is, or what a service is, according to the Kerberos server.
Service credential | A credential for a network service. When the KDC issues it, the credential is encrypted with the key that the network service shares with the KDC. A session key for the user and the service is returned to the user alongside it, protected by the session key that the user obtained with the TGT, so the service's key is never exposed to the user.
SRVTAB | The key that a network service shares with the KDC. In Kerberos 5 and later versions, the SRVTAB is called the KEYTAB.
TGT | Ticket granting ticket: a credential that the KDC issues to authenticated users. With a TGT, a user can authenticate to network services within the Kerberos realm that the KDC represents.
Kerberos Operation
A Kerberos server can be a switch that is configured as a network security server and that can authenticate remote users by using the Kerberos protocol. Although you can customize Kerberos in a number of ways, remote users attempting to access network services must pass through three layers of security before they are granted access.
To authenticate to network services by using a switch as a Kerberos server, remote users pass through the following three layers in turn.
Authenticating to a Boundary Switch
This section describes the first layer of security through which a remote user must pass: authenticating to the boundary switch. The process is as follows:
- The user opens an un-Kerberized Telnet connection to the boundary switch.
- The switch prompts the user for a username and password.
- The switch requests a TGT from the KDC for this user.
- The KDC returns the TGT for that user identity inside a reply that is encrypted under a key derived from the user's password.
- The switch attempts to decrypt the reply by using the password that the user entered. If decryption succeeds, the user is authenticated to the switch; if it fails, the login is rejected.
Because the reply can be decrypted only with the user's password, the password itself is never sent to the KDC. The same property makes the reply an offline password-guessing target for anyone who can request or capture it, so require pre-authentication on the KDC so that it issues the reply only to a client that has already proved knowledge of the password.
A remote user who initiates an un-Kerberized Telnet session and authenticates to a boundary switch is inside the firewall, but the user must still authenticate directly to the KDC before getting access to the network services. The user must authenticate to the KDC because the TGT that the KDC issues is stored on the switch and cannot be used for additional authentication until the user logs on to the switch.
Obtaining a TGT from a KDC
This section describes the second layer of security through which a remote user must pass. The user must now authenticate to a KDC and obtain a TGT from the KDC to access network services.
For instructions about how to authenticate to a KDC, see the “Obtaining a TGT from a KDC” section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.4.
Authenticating to Network Services
This section describes the third layer of security through which a remote user must pass. The user with a TGT must now authenticate to the network services in a Kerberos realm.
For instructions about how to authenticate to a network service, see the “Authenticating to Network Services” section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.4.
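The three layers above, together with the Instance, KEYTAB and Service credential terms defined earlier, as an added worked model that is not Cisco code and not the page's own: a toy Python KDC, boundary switch and Kerberized service. The cipher (an HMAC-SHA256 encrypt-then-MAC, not a Kerberos encryption type), the JSON message layout, the realm EXAMPLE.COM, the principals, password, INSTANCE_MAP and keytab are all assumptions constructed for the example. It shows why a wrong password fails at the boundary switch (the KDC reply cannot be decrypted), why only the holder of the KEYTAB can read the service credential, how an instance can map to a privilege level, and how the eight-hour life span is enforced.

```python
"""Toy model of the Kerberos exchanges this module describes.

Added example, not Cisco code and not a real Kerberos implementation:
the cipher is a toy encrypt-then-MAC built from HMAC-SHA256 (not a
Kerberos enctype), messages are JSON rather than ASN.1, and the realm,
principals, password, instance map and keytab are constructed here.
"""
import hashlib, hmac, json, os

LIFETIME = 8 * 3600  # default credential life span: eight hours
INSTANCE_MAP = {"admin": 15, "": 1}  # assumed instance -> privilege-level mapping

def derive_key(password, principal):
    # Toy string-to-key; real enctypes salt with realm and principal too.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _stream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON object under a 32-byte key."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Verify and decrypt; a wrong key (wrong password or wrong KEYTAB) fails here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decryption failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:
    """Kerberos server: the realm database of user and service keys."""
    def __init__(self, realm):
        self.realm = realm
        self.key = os.urandom(32)  # TGTs are sealed under the KDC's own key
        self.db = {}  # principal -> long-term key

    def add_user(self, principal, password):
        self.db[principal] = derive_key(password, principal)

    def add_service(self, principal):
        self.db[principal] = os.urandom(32)
        return self.db[principal]  # the key the service installs as its KEYTAB

    def as_exchange(self, client, now):
        """AS exchange: a TGT sealed under the KDC key, inside a reply sealed under the user's key."""
        skey = os.urandom(32).hex()
        tgt = seal(self.key, {"client": client, "skey": skey, "exp": now + LIFETIME})
        return seal(self.db[client], {"skey": skey, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt, authenticator, service, now):
        """TGS exchange: check TGT and authenticator, then issue a service credential."""
        t = unseal(self.key, tgt)
        if now > t["exp"]:
            raise ValueError("TGT expired")
        a = unseal(bytes.fromhex(t["skey"]), authenticator)
        if a["client"] != t["client"] or abs(now - a["ts"]) > 300:
            raise ValueError("bad authenticator")
        svc_skey = os.urandom(32).hex()
        ticket = seal(self.db[service], {"client": t["client"], "skey": svc_skey, "exp": now + LIFETIME})
        return seal(bytes.fromhex(t["skey"]), {"skey": svc_skey, "ticket": ticket.hex()})

def boundary_login(kdc, username, password, now):
    """Layer 1: the switch asks the KDC for a TGT and proves the password by decrypting the reply."""
    principal = f"{username}@{kdc.realm}"
    try:
        rep = unseal(derive_key(password, principal), kdc.as_exchange(principal, now))
    except (KeyError, ValueError):
        return None  # unknown user, or wrong password: the reply cannot be decrypted
    return {"principal": principal, "skey": rep["skey"], "tgt": bytes.fromhex(rep["tgt"])}

def privilege_for(principal):
    """Map user/instance@REALM to a privilege level by its instance, as a service may choose to."""
    return INSTANCE_MAP.get(principal.partition("@")[0].partition("/")[2])

def access_service(kdc, creds, service, keytab_key, now):
    """Layers 2 and 3: present the TGT for a service credential; the service checks it with its KEYTAB."""
    skey = bytes.fromhex(creds["skey"])
    auth = seal(skey, {"client": creds["principal"], "ts": now})
    try:
        rep = unseal(skey, kdc.tgs_exchange(creds["tgt"], auth, service, now))
        ticket = unseal(keytab_key, bytes.fromhex(rep["ticket"]))  # only the real KEYTAB opens it
    except ValueError as e:
        return f"denied: {e}"
    return f"granted: {ticket['client']}"

if __name__ == "__main__":
    kdc = KDC("EXAMPLE.COM")
    kdc.add_user("smith/admin@EXAMPLE.COM", "correct horse battery")  # constructed test user
    keytab = kdc.add_service("host/switch1.example.com@EXAMPLE.COM")
    creds = boundary_login(kdc, "smith/admin", "correct horse battery", 1_700_000_000)
    print(privilege_for(creds["principal"]), access_service(kdc, creds, "host/switch1.example.com@EXAMPLE.COM", keytab, 1_700_000_060))
```

The switch never learns the KDC's key or the service's KEYTAB: it only holds the password long enough to decrypt the AS reply, and the service credential it later relays is opaque to it. That is the property that lets a boundary switch act as a Kerberos server without becoming a copy of the realm database.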
How to Configure Kerberos
To set up a Kerberos-authenticated server-client system, follow these steps:
Monitoring the Kerberos Configuration
Additional References
Related Documents
Related Topic | Document Title
---|---
Kerberos Commands | Cisco IOS Security Command Reference
Error Message Decoder
Description | Link
---|---
To help you research and resolve system error messages in this release, use the Error Message Decoder tool. | https://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi
MIBs
MIB | MIBs Link
---|---
All supported MIBs for this release. | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
Technical Assistance
Description | Link
---|---
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
Feature Information for Kerberos
Release | Feature Information
---|---
Cisco IOS XE 3.2SE | This feature was introduced.