Configuring Kerberos for Switch Access

The document discusses configuring Kerberos authentication on a switch. It provides prerequisites which include configuring the KDC and hosts in the Kerberos realm to communicate. It also describes Kerberos, including that it uses tickets and a trusted third party (KDC) to authenticate users and network services. The document explains how to configure Kerberos on a switch and monitor the configuration.
Configuring Kerberos

• Prerequisites for Controlling Switch Access with Kerberos, on page 1
• Information about Kerberos, on page 1
• How to Configure Kerberos, on page 5
• Monitoring the Kerberos Configuration, on page 5
• Feature History for Kerberos, on page 5

Prerequisites for Controlling Switch Access with Kerberos


The following are the prerequisites for controlling switch access with Kerberos.
• So that remote users can authenticate to network services, you must configure the hosts and the KDC in
the Kerberos realm to communicate and mutually authenticate users and network services. To do this,
you must identify them to each other: add entries for the hosts to the Kerberos database on the KDC,
add the KEYTAB files generated by the KDC to all hosts in the Kerberos realm, and create entries
for the users in the KDC database. A KEYTAB is a long-term secret equivalent to the host's password;
copy it over a protected channel and restrict access to it on the host, because anyone holding it can
impersonate that service to every user in the realm.
• A Kerberos server can be a switch that is configured as a network security server and that can authenticate
users by using the Kerberos protocol.

When you add or create entries for the hosts and users, follow these guidelines:
• The Kerberos principal name must be in all lowercase characters.
• The Kerberos instance name must be in all lowercase characters.
• The Kerberos realm name must be in all uppercase characters.
Case matters because Kerberos names are case-sensitive and, by default, the key derived from a password is
salted with the realm and principal name, so an entry created as Smith does not match a login as smith.

Information about Kerberos


This section provides Kerberos information.

Kerberos and Switch Access


This section describes how to enable and configure the Kerberos security system, which authenticates requests
for network resources by using a trusted third party.


Note In the Kerberos configuration examples, the trusted third party can be any switch that supports Kerberos, that
is configured as a network security server, and that can authenticate users by using the Kerberos protocol.

Kerberos Overview
Kerberos is a secret-key network authentication protocol, which was developed at the Massachusetts Institute
of Technology (MIT). The implementation described here uses the Data Encryption Standard (DES) cryptographic
algorithm for encryption and authentication and authenticates requests for network resources. DES has a
56-bit key and its Kerberos encryption types are deprecated by RFC 6649, so treat a realm that still relies on
DES as weak against an attacker who can capture Kerberos traffic, and keep such deployments on an isolated
management network. Kerberos uses the concept of a trusted third party to perform secure verification of
users and services. This trusted third party is called the key distribution center (KDC).
Kerberos verifies that users are who they claim to be and that the network services they use are what the
services claim to be. To do this, a KDC or trusted Kerberos server issues tickets to users. These tickets, which
have a limited life span, are stored in user credential caches. The Kerberos server uses the tickets instead of
user names and passwords to authenticate users and network services.

Note A Kerberos server can be any switch that is configured as a network security server and that can authenticate
users by using the Kerberos protocol.

The Kerberos credential scheme uses a process called single logon. This process authenticates a user once
and then allows secure authentication, without sending or re-entering a password, wherever that user credential
is accepted.
This software release supports Kerberos 5, which allows organizations that are already using Kerberos 5 to
use the same Kerberos authentication database on the KDC that they are already using on their other network
hosts (such as UNIX servers and PCs).
Kerberos supports these network services:
• Telnet
• rlogin
• rsh
Kerberos authenticates these sessions; it does not by itself guarantee that the session data is encrypted.
Confirm that the Kerberized client and service negotiate encryption before relying on confidentiality.

This table lists the common Kerberos-related terms and definitions.

Table 1: Kerberos Terms

Authentication
A process by which a user or service identifies itself to another service. For example, a client can
authenticate to a switch, or a switch can authenticate to another switch.

Authorization
A means by which the switch identifies what privileges the user has in a network or on the switch and what
actions the user can perform.

Credential
A general term that refers to authentication tickets, such as TGTs (ticket granting tickets) and service
credentials. Kerberos credentials verify the identity of a user or service. If a network service decides to
trust the Kerberos server that issued a ticket, the ticket can be used in place of re-entering a username and
password. Credentials have a default life span of eight hours.

Instance
An authorization level label for Kerberos principals. Most Kerberos principals are of the form user@REALM
(for example, smith@[Link]). A Kerberos principal with a Kerberos instance has the form
user/instance@REALM (for example, smith/admin@[Link]). The Kerberos instance can be used to specify the
authorization level for the user if authentication is successful. The server of each network service might
implement and enforce the authorization mappings of Kerberos instances but is not required to do so.
Note: The Kerberos principal and instance names must be in all lowercase characters. The Kerberos realm
name must be in all uppercase characters.

KDC
Key distribution center: a Kerberos server and database program that is running on a network host.

Kerberized
A term that describes applications and services that have been modified to support the Kerberos credential
infrastructure.

Kerberos realm
A domain consisting of users, hosts, and network services that are registered to a Kerberos server. The
Kerberos server is trusted to verify the identity of a user or network service to another user or network
service.
Note: The Kerberos realm name must be in all uppercase characters.

Kerberos server
A daemon that is running on a network host. Users and network services register their identity with the
Kerberos server. Network services query the Kerberos server to authenticate to other network services.

KEYTAB
Key table: the long-term secret (the equivalent of a password) that a network service shares with the KDC,
stored in a file on the service host. In Kerberos 5 and later Kerberos versions, the network service verifies
an encrypted service credential by decrypting it with the KEYTAB key. In Kerberos versions earlier than
Kerberos 5, the KEYTAB is referred to as the SRVTAB (server table).

Principal
Also known as a Kerberos identity, this is who you are or what a service is according to the Kerberos server.
Note: The Kerberos principal name must be in all lowercase characters.

Service credential
A credential for a network service. When the KDC issues it, the credential is encrypted with the key that the
network service shares with the KDC (its KEYTAB); the session key that accompanies it is returned to the
user protected by the session key of the user's TGT, so only the service and that user can read their
respective parts.

SRVTAB
Server table: a password that a network service shares with the KDC. In Kerberos 5 or later Kerberos
versions, the SRVTAB is referred to as the KEYTAB.

TGT
Ticket granting ticket: a credential that the KDC issues to authenticated users. When users receive a TGT,
they can authenticate to network services within the Kerberos realm represented by the KDC.

Kerberos Operation
A Kerberos server can be a device that is configured as a network security server and that can authenticate
remote users by using the Kerberos protocol. Although you can customize Kerberos in a number of ways,
remote users attempting to access network services must pass through three layers of security before they can
access network services.
To authenticate to network services by using a device as a Kerberos server, remote users must follow these
steps:

Authenticating to a Boundary Switch


This section describes the first layer of security through which a remote user must pass. The user must first
authenticate to the boundary switch. This process then occurs:
1. The user opens an un-Kerberized Telnet connection to the boundary switch.
2. The switch prompts the user for a username and password.
3. The switch requests a TGT from the KDC for this user.
4. The KDC sends an encrypted TGT that includes the user identity to the switch.
5. The switch attempts to decrypt the TGT by using the password that the user entered.
• If the decryption is successful, the user is authenticated to the switch.
• If the decryption is not successful, the user repeats Step 2 either by re-entering the username and
password (noting if Caps Lock or Num Lock is on or off) or by entering a different username and
password.

Because the connection in Step 1 is not Kerberized, the username and password entered in Step 2 cross the
network to the boundary switch in cleartext. Only the switch-to-KDC exchange in Steps 3 to 5 is protected by
Kerberos, so restrict that first hop to a trusted management network or to an encrypted transport.

A remote user who initiates an un-Kerberized Telnet session and authenticates to a boundary switch is inside
the firewall, but the user must still authenticate directly to the KDC before getting access to the network
services. The user must authenticate to the KDC because the TGT that the KDC issued in Step 4 is stored in
the switch's credential cache, not on the user's host, and cannot be used for additional authentication until
the user logs on to the switch.

Obtaining a TGT from a KDC


This section describes the second layer of security through which a remote user must pass. The user must now
authenticate to a KDC and obtain a TGT from the KDC to access network services.
For instructions about how to authenticate to a KDC, see the “Obtaining a TGT from a KDC” section in the
“Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.4.


Authenticating to Network Services


This section describes the third layer of security through which a remote user must pass. The user with a TGT
must now authenticate to the network services in a Kerberos realm.
For instructions about how to authenticate to a network service, see the “Authenticating to Network Services”
section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.4.
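The three layers described above, as an added example in Python; this is not code from the Cisco guide and
does not model the switch's actual implementation. A toy KDC, boundary switch and Kerberized service run the
exchanges end to end. The cipher is a stand-in (HMAC-SHA256 keystream plus HMAC tag) for the Kerberos
encryption types, and the realm EXAMPLE.COM, the user smith, the password and the host principal are made up.
It shows what the text states but cannot show: the KDC never sees the password (Steps 3 and 4), a wrong
password surfaces as an integrity failure when opening the KDC's reply (Step 5), the key derived from a
password depends on the casing of realm and principal, the service verifies a ticket with nothing but its
KEYTAB, and the credential cache that show kerberos creds and clear kerberos creds operate on.

```python
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.COM"          # assumed realm; realm names are uppercase
TICKET_LIFETIME = 8 * 3600     # the guide's default credential life span

def string_to_key(password, principal, realm=REALM):
    # Kerberos salts the password with realm + principal name, so "smith" and
    # "Smith" yield different keys: one concrete reason casing must be consistent.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 10_000)

def _stream(key, nonce, n):
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
        i += 1
    return out[:n]

def seal(key, obj):
    # Toy encrypt-then-MAC stand-in for a Kerberos enctype: nonce || ct || tag.
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    # A wrong key fails the integrity check; that is what "cannot decrypt" means.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:
    # Trusted third party: the only party that holds every principal's key.
    def __init__(self):
        self.db = {}                    # principal -> long-term key
        self.tgs_key = os.urandom(32)   # krbtgt key; TGTs are opaque to clients

    def as_exchange(self, user):
        # Steps 3-4: the KDC never sees the password. It returns a TGT sealed
        # under the krbtgt key plus a part only the user's key can open; the
        # client's ability to open that part is the proof of the password.
        if user not in self.db:
            raise KeyError(f"unknown principal {user}@{REALM}")
        session, exp = os.urandom(32).hex(), time.time() + TICKET_LIFETIME
        tgt = seal(self.tgs_key, {"user": user, "key": session, "exp": exp})
        return tgt, seal(self.db[user], {"key": session, "exp": exp})

    def tgs_exchange(self, tgt, service, authenticator):
        # Third layer: check the TGT, then the authenticator under its session
        # key, then issue a service credential sealed under the service's key.
        t = unseal(self.tgs_key, tgt)
        if time.time() > t["exp"]:
            raise ValueError("TGT expired; log in again")
        if unseal(bytes.fromhex(t["key"]), authenticator)["user"] != t["user"]:
            raise ValueError("authenticator does not match TGT")
        return seal(self.db[service], {"user": t["user"], "key": os.urandom(32).hex()})

class BoundarySwitch:
    # Keeps the per-user credential cache that show/clear kerberos creds act on.
    def __init__(self, kdc):
        self.kdc, self.cache = kdc, {}

    def login(self, user, password):
        # Steps 2-5: only a key derived from the typed password is tried against
        # the KDC's reply. False means "prompt the user again".
        tgt, enc_part = self.kdc.as_exchange(user)
        try:
            part = unseal(string_to_key(password, user), enc_part)
        except ValueError:
            return False
        self.cache[user] = {"tgt": tgt, "key": bytes.fromhex(part["key"]), "exp": part["exp"]}
        return True

    def connect(self, user, service):
        # Presents the cached TGT plus a fresh authenticator to get a service ticket.
        cred = self.cache[user]
        authenticator = seal(cred["key"], {"user": user, "ts": time.time()})
        return self.kdc.tgs_exchange(cred["tgt"], service, authenticator)

def service_accept(keytab, ticket):
    # The Kerberized service never contacts the KDC: whatever its KEYTAB key opens
    # is trusted, which is why the keytab must be protected like a password.
    return unseal(keytab, ticket)["user"]

def demo():
    # Constructed realm: one user, one Kerberized Telnet host, one boundary switch.
    kdc = KDC()
    kdc.db["smith"] = string_to_key("correct horse battery staple", "smith")
    kdc.db["host/telnet.example.com"] = keytab = os.urandom(32)  # copied to the host as its KEYTAB
    switch = BoundarySwitch(kdc)
    out = {"wrong_password": switch.login("smith", "Correct horse battery staple"),
           "right_password": switch.login("smith", "correct horse battery staple")}
    out["service_sees"] = service_accept(keytab, switch.connect("smith", "host/telnet.example.com"))
    switch.cache.pop("smith")   # what "clear kerberos creds" does to the cache
    out["cached_after_clear"] = "smith" in switch.cache
    return out
```

Running demo() returns wrong_password False, right_password True, service_sees "smith" and
cached_after_clear False. One property of this flow is worth noting: the KDC hands out the part encrypted under
the user's key before anything has proved the password, so whoever can ask for it can test password guesses
against it offline. Real Kerberos 5 KDCs mitigate that with pre-authentication, which this toy omits; it is one
reason user passwords in a Kerberos realm need to be strong.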

How to Configure Kerberos


To set up a Kerberos-authenticated server-client system, follow these steps:
• Configure the KDC by using Kerberos commands: create the principals for the users and for the switch, and
generate the KEYTAB that the switch will use (see the prerequisites).
• Configure the switch to use the Kerberos protocol: its local realm, the KDC for that realm, the KEYTAB it
received, and Kerberos as the login authentication method.

Monitoring the Kerberos Configuration


To display the Kerberos configuration, use the following commands:
• show running-config
• show kerberos creds: Lists the credentials in a current user’s credentials cache.
• clear kerberos creds: Destroys all credentials in a current user’s credentials cache, including those
forwarded.

Feature History for Kerberos


This table provides release and related information for features explained in this module.
These features are available on all releases subsequent to the one they were introduced in, unless noted
otherwise.

Release: Cisco IOS XE Everest 16.5.1a
Feature: Kerberos
Feature Information: Kerberos is a secret-key network authentication protocol, which was developed at the
Massachusetts Institute of Technology (MIT). It uses the Data Encryption Standard (DES) cryptographic
algorithm for encryption and authentication and authenticates requests for network resources. Kerberos uses
the concept of a trusted third party to perform secure verification of users and services. Support for this
feature was introduced on all the models of the Cisco Catalyst 9500 Series Switches.


Use Cisco Feature Navigator to find information about platform and software image support. To access Cisco
Feature Navigator, go to [Link]
