
Cisco WS-C6506 User Manual

1488 pages
39-39
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
Chapter 39 Configuring the Switch Access Using AAA
Configuring Authentication on the Switch
This example shows how to delete an SRVTAB entry:
kerberos> (enable) clear kerberos srvtab entry host/niners.cisco.com@CISCO.COM 0
kerberos> (enable)
Enabling Credentials Forwarding
A user who is authenticated to a Kerberized switch has a TGT and can use it to authenticate to a host on
the network. However, if forwarding is not enabled and the user tries to list the credentials after
authenticating to a host, the output shows that no Kerberos credentials are present.
To enable credentials forwarding, configure the switch to forward user TGTs when they authenticate
from the switch to the Kerberized remote hosts on the network using Kerberized Telnet.
As an additional layer of security, you can configure the switch so that users who have authenticated to it
can authenticate to the other services on the network only with the Kerberized clients. If you
do not make Kerberos authentication mandatory and Kerberos authentication fails, the application
attempts to authenticate the users using the default method of authentication for that network service.
For example, Telnet prompts for a password.
To configure the clients to forward the user credentials as they connect to the other hosts in the Kerberos
realm, perform this task in privileged mode:
This example shows how to configure the clients to forward the user credentials and verify the
configuration:
kerberos> (enable) set kerberos credentials forward
Kerberos credentials forwarding enabled
kerberos> (enable) show kerberos
Kerberos Local Realm:CISCO.COM
Kerberos server entries:
Realm:CISCO.COM, Server:187.0.2.1, Port:750
Realm:CISCO.COM, Server:187.20.2.1, Port:750
Kerberos Domain<->Realm entries:
Domain:cisco.com, Realm:CISCO.COM
Kerberos Clients NOT Mandatory
Kerberos Credentials Forwarding Enabled
Kerberos Pre Authentication Method set to None
Kerberos config key:
Kerberos SRVTAB Entries
Srvtab Entry 1:host/aspen-niners.cisco.edu@CISCO.EDU 0 933974942 1 1 8 00?91:107:423=:;9
kerberos> (enable)
This example shows how to configure the switch so that Kerberos clients are mandatory for users to
authenticate to other network services:
Console> (enable) set kerberos clients mandatory
Kerberos clients set to mandatory
Console> (enable)
        Task                                          Command
Step 1  Enable all clients to forward the user        set kerberos credentials forward
        credentials upon successful Kerberos
        authentication.
Step 2  (Optional) Configure Telnet to fail if the    set kerberos clients mandatory
        clients cannot authenticate to the remote
        server.
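
The following audit sketch is an added example, not part of the Cisco guide: it parses `show kerberos` output in the format shown above and reports the two settings this section configures. The sample text is constructed from the page's output; the function names are hypothetical, and the wording of the "mandatory" and "forwarding off" status lines is assumed, since the page shows only the "NOT Mandatory" and "Enabled" forms.

```python
import re

# Constructed sample: `show kerberos` output in the format shown on this page.
SAMPLE = """\
Kerberos Local Realm:CISCO.COM
Kerberos server entries:
Realm:CISCO.COM, Server:187.0.2.1, Port:750
Realm:CISCO.COM, Server:187.20.2.1, Port:750
Kerberos Domain<->Realm entries:
Domain:cisco.com, Realm:CISCO.COM
Kerberos Clients NOT Mandatory
Kerberos Credentials Forwarding Enabled
Kerberos Pre Authentication Method set to None
"""

SERVER_RE = re.compile(r"Realm:(\S+), Server:(\S+), Port:(\d+)")

def parse_show_kerberos(text):
    """Parse `show kerberos` output into a dict of the settings it reports."""
    cfg = {"realm": None, "servers": [], "clients_mandatory": None,
           "forwarding": None, "preauth": None}
    for line in (l.strip() for l in text.splitlines()):
        m = SERVER_RE.fullmatch(line)
        if m:
            cfg["servers"].append((m.group(1), m.group(2), int(m.group(3))))
        elif line.startswith("Kerberos Local Realm:"):
            cfg["realm"] = line.split(":", 1)[1].strip()
        elif line.startswith("Kerberos Clients"):
            # Assumption: the word "NOT" is absent once clients are mandatory.
            cfg["clients_mandatory"] = "NOT" not in line.split()
        elif line.startswith("Kerberos Credentials Forwarding"):
            # Assumption: any status other than "Enabled" means forwarding is off.
            cfg["forwarding"] = line.endswith("Enabled")
        elif line.startswith("Kerberos Pre Authentication Method set to"):
            cfg["preauth"] = line.rsplit(None, 1)[-1]
    return cfg

def audit(cfg):
    """Return notes based on the behaviour this section describes."""
    notes = []
    if cfg["clients_mandatory"] is not True:
        notes.append("clients not mandatory: a failed Kerberos login falls "
                     "back to the service's default authentication method")
    if cfg["forwarding"] is not True:
        notes.append("forwarding off: user TGTs are not forwarded to "
                     "Kerberized remote hosts")
    return notes
```

Run over the sample, `audit(parse_show_kerberos(SAMPLE))` returns a single note, the one for non-mandatory clients.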
