Dell POWEREDGE M1000E User Manual

8-33

Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide

OL-13270-03

Chapter 8 Configuring Switch-Based Authentication

Controlling Switch Access with Kerberos

Note

A Kerberos server can be a switch that is configured as a network security server and that can
authenticate users by using the Kerberos protocol.

The Kerberos credential scheme uses a process called single logon. This process authenticates a user
once and then allows secure authentication (without encrypting another password) wherever that user
credential is accepted.

This software release supports Kerberos 5, which allows organizations that are already using Kerberos 5
to use the same Kerberos authentication database on the KDC that they are already using on their other
network hosts (such as UNIX servers and PCs).

In this software release, Kerberos supports these network services:

•

Telnet

•

rlogin

•

rsh (Remote Shell Protocol)

Table 8-2

lists the common Kerberos-related terms and definitions:

Table 8-2

Kerberos Terms

Term

Definition

Authentication

A process by which a user or service identifies itself to another service.
For example, a client can authenticate to a switch or a switch can
authenticate to another switch.

Authorization

A means by which the switch identifies what privileges the user has in a
network or on the switch and what actions the user can perform.

Credential

A general term that refers to authentication tickets, such as TGTs

1

and

service credentials. Kerberos credentials verify the identity of a user or
service. If a network service decides to trust the Kerberos server that
issued a ticket, it can be used in place of re-entering a username and
password. Credentials have a default lifespan of eight hours.

Instance

An authorization level label for Kerberos principals. Most Kerberos
principals are of the form user@REALM (for example,
[email protected]). A Kerberos principal with a Kerberos
instance has the form user/instance@REALM (for example,
smith/[email protected]). The Kerberos instance can be used to
specify the authorization level for the user if authentication is successful.
The server of each network service might implement and enforce the
authorization mappings of Kerberos instances but is not required to do so.

Note

The Kerberos principal and instance names must be in all
lowercase characters. The Kerberos realm name must be in all
uppercase characters.

KDC

2

Key distribution center that consists of a Kerberos server and database
program that is running on a network host.

Kerberized

A term that describes applications and services that have been modified
to support the Kerberos credential infrastructure.