39-34
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
Chapter 39 Configuring the Switch Access Using AAA
Configuring Authentication on the Switch
• Mapping a Kerberos Realm to a Host Name or DNS Domain, page 39-37
• Copying SRVTAB Files, page 39-37
• Deleting an SRVTAB Entry, page 39-38
• Enabling Credentials Forwarding, page 39-39
• Disabling Credentials Forwarding, page 39-40
• Defining and Clearing a Private DES Key, page 39-41
• Encrypting a Telnet Session, page 39-41
• Displaying and Clearing Kerberos Configurations, page 39-42
Configuring a Kerberos Server
Before you can use Kerberos as an authentication method on the switch, you need to configure the
Kerberos server. You will need to create a database for the KDC and add the switch to the database.
Note Kerberos authentication requires that NTP is enabled. Additionally, we recommend that you enable
DNS.
To configure the Kerberos server, perform these steps:
Step 1 Before you can enter the switch in the Kerberos server’s key table, you must create the database that the
KDC will use. In the following example, a database called CISCO.EDU is created:
/usr/local/sbin/kdb5_util create -r CISCO.EDU -s
Step 2 Add the switch to the database. The following example adds a switch called Cat6509 to the CISCO.EDU
database:
ank host/Cat6509.cisco.edu@CISCO.EDU
Step 3 Add the username as follows:
ank user1@CISCO.EDU
Step 4 Add the administrative principals as follows:
ank user1/admin@CISCO.EDU
Step 5 Using the admin.local ktadd command, create the database entry for the switch as follows:
ktadd host/Cat6509.cisco.edu@CISCO.EDU
Step 6 Move the keytab file to a place where the switch can reach it.
Step 7 Start the KDC server as follows:
/usr/local/sbin/krb5kdc
/usr/local/sbin/kadmind
To Next Page
Loading...
Need help?
General