
Cisco WS-C2948G-GE-TX - Page 453

Cisco WS-C2948G-GE-TX
614 pages
30-7
Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Software Configuration Guide—Release 8.2GLX
78-15908-01
Chapter 30 Configuring Switch Access Using AAA
Understanding How Authentication Works
Figure 30-1 Kerberized Telnet Connection
Using a Non-Kerberized Login Procedure
If you log in to a switch using a non-Kerberized login procedure, the switch handles authentication
to the KDC on behalf of the login client. However, the user password is sent in clear text from the
login client to the switch.
Note: You can launch a non-Kerberized login through a modem or terminal server through the inband
management port. Telnet does not support non-Kerberized login.
When you launch a non-Kerberized login, the following process takes place:
1. The switch prompts you for a username and password.
2. The switch requests a TGT from the KDC so that you can be authenticated to the switch.
3. The KDC sends an encrypted TGT to the switch, which contains your identity, the KDC’s identity, and
the TGT’s expiration time.
4. The switch tries to decrypt the TGT with the password that you entered. If the decryption is
successful, you are authenticated to the switch.
5. If you want to access other network services, you must contact the KDC directly for authentication.
To obtain the TGT, run the program kinit, which is the client software that is provided with the
Kerberos package.
Figure 30-2 shows the non-Kerberized login process.
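The login steps above, modelled as an added Python example (not code from the Cisco guide or from any Kerberos implementation). It assumes a constructed realm, account, and ticket layout, and uses PBKDF2 with a toy SHA-256 stream cipher and HMAC as stand-ins for the real Kerberos key derivation and encryption types.

```python
import hashlib, hmac, json, os, time

REALM = "EXAMPLE.COM"                       # constructed realm name
KDC_DB = {"alice": "correct-horse"}         # constructed KDC account database

def derive_keys(user, password):
    # PBKDF2 stands in for the Kerberos password-to-key function (assumption).
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + user).encode(), 100_000, dklen=64)
    return k[:32], k[32:]                   # (encryption key, integrity key)

def _xor_stream(key, nonce, data):
    # Toy stream cipher: SHA-256 in counter mode, for illustration only.
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def kdc_issue_tgt(user, lifetime=3600):
    """Step 3: the KDC returns a TGT encrypted under the user's password-derived key."""
    enc_key, mac_key = derive_keys(user, KDC_DB[user])
    tgt = {"client": user, "kdc": "krbtgt/" + REALM, "expires": int(time.time()) + lifetime}
    nonce = os.urandom(16)
    ct = _xor_stream(enc_key, nonce, json.dumps(tgt).encode())
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def switch_login(user, entered_password):
    """Steps 1-4 as the switch sees them; returns the TGT fields, or None on failure."""
    # The switch holds the cleartext password here: it crossed the link unencrypted.
    blob = kdc_issue_tgt(user)                                  # steps 2 and 3
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = derive_keys(user, entered_password)      # step 4
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                         # wrong password: decryption fails
    tgt = json.loads(_xor_stream(enc_key, nonce, ct))
    if tgt["client"] != user or tgt["expires"] <= time.time():
        return None                         # wrong identity or expired ticket
    return tgt
```

The switch never compares passwords directly: a login succeeds only if the key derived from the entered password opens what the KDC encrypted.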
[Figure: numbered steps 1 through 6 between Host (Telnet client), Kerberos server (contains KDC), and Catalyst 4500 switch]
