
Cisco WS-C6506 User Manual

Cisco WS-C6506
1488 pages
39-6
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
Chapter 39 Configuring the Switch Access Using AAA
Understanding How Authentication Works
Table 39-1 defines the Kerberos terms.
On Catalyst 6500 series switches, Telnet clients and servers can be Kerberized through both the console and the in-band management port.
Note: Kerberos authentication does not work if TACACS+ is used as the authentication mechanism.
Note: If you are logged in to the console through a modem or a terminal server, you cannot use a Kerberized login procedure.
Table 39-1 Kerberos Terminology

| Term | Definition |
| --- | --- |
| Kerberized | Applications and services that have been modified to support the Kerberos credential infrastructure. |
| Kerberos credential | Authentication tickets, such as ticket granting tickets (TGTs), and service credentials. Kerberos credentials verify the ticket of a user or service. If a network service decides to trust the Kerberos server that issued the ticket, the Kerberos credential can be used in place of retyping in a username and password. Credentials have a default life span of eight hours. |
| Kerberos identity | (See Kerberos principal.) |
| Kerberos principal | The Kerberos principal is who you are or what a service is according to the Kerberos server. (Also known as a Kerberos identity.) |
| Kerberos realm | A domain consisting of users, hosts, and network services that are registered to a Kerberos server. The Kerberos server is trusted to verify the identity of a user or network service to another user or network service. Kerberos realms must always be in uppercase characters. |
| Kerberos server | A daemon running on a network host. Users and network services register their identity with the Kerberos server. Network services query the Kerberos server to authenticate to other network services. |
| Key distribution center (KDC) | A Kerberos server and database program running on a network host that allocates the Kerberos credentials to different users or network services. |
| Service credential | A credential for a network service. When issued from the KDC, this credential is encrypted with the password that is shared by the network service and the KDC and with the user’s TGT. |
| SRVTAB | A password that a network service shares with the KDC. The network service authenticates an encrypted service credential by using the SRVTAB (also known as a KEYTAB) to decrypt it. |
| Ticket granting ticket (TGT) | A credential that the KDC issues to authenticated users. When users receive a TGT, they can authenticate to network services within the Kerberos realm that is represented by the KDC. |

Cisco WS-C6506 Specifications

General
Brand: Cisco
Model: WS-C6506
Category: Switch
Language: English
