Enabling Mandatory Kerberos Authentication
As an added layer of security, you can optionally configure the device so that, after remote users authenticate
to it, these users can authenticate to other services on the network only with Kerberized Telnet, rlogin, rsh,
and rcp. If you do not make Kerberos authentication mandatory and Kerberos authentication fails, the application
attempts to authenticate users using the default method of authentication for that network service; for example,
Telnet and rlogin prompt for a password, and rsh attempts to authenticate using the local rhost file.
To make Kerberos authentication mandatory, use the following command in global configuration mode:
PurposeCommand
Sets Telnet, rlogin, rsh, and rcp to fail if they cannot
negotiate the Kerberos protocol with the remote
server.
Device(config)# kerberos clients mandatory
Enabling Kerberos Instance Mapping
You can create administrative instances of users in the KDC database. The kerberos instance map command
allows you to map those instances to Cisco IOS privilege levels so that users can open secure Telnet sessions
to the device at a predefined privilege level, obviating the need to enter a clear text password to enter enable
mode.
To map a Kerberos instance to a Cisco IOS privilege level, use the following command in global configuration
mode:
PurposeCommand
Maps a Kerberos instance to a Cisco IOS privilege
level.
Device(config)# kerberos instance map
instance
privilege-level
If there is a Kerberos instance for user loki in the KDC database (for example, loki/admin ), user loki can now
open a Telnet session to the device as loki/admin and authenticate automatically at privilege level 15, assuming
instance “admin” is mapped to privilege level 15.
Cisco IOS commands can be set to various privilege levels using the privilege levelcommand.
After you map a Kerberos instance to a Cisco IOS privilege level, you must configure the device to check for
Kerberos instances each time a user logs in. To run authorization to determine if a user is allowed to run an
EXEC shell based on a mapped Kerberos instance, use the aaa authorization command with the krb5-instance
keyword. For more information, refer to the chapter “Configuring Authorization.”
Monitoring the Kerberos Configuration
To display the Kerberos configuration, use the following commands:
•
show running-config
• show kerberos creds: Lists the credentials in a current user’s credentials cache.
• clear kerberos creds: Destroys all credentials in a current user’s credentials cache, including those
forwarded.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
991
How to Configure Kerberos
To Next Page
Loading...
Need help?
General
