Cisco WS-C4003 Software Guide - Page 358
Understanding How RADIUS Authentication Works, Understanding How Kerberos Authentication Works
Chapter 27 Configuring Switch Access Using AAA
Understanding How Authentication Works

Understanding How RADIUS Authentication Works

RADIUS is a client-server authentication and authorization access protocol used by the NAS to authenticate users attempting to connect to a network device. The NAS functions as a client, passing user information to one or more RADIUS servers. The NAS permits or denies network access to a user based on the response it receives from one or more RADIUS servers.

RADIUS uses UDP for transport between the RADIUS client and server.

You can configure a RADIUS key on the client and server. If you configure a key on the client, it must be the same as the one configured on the RADIUS servers. The RADIUS clients and servers use the key to encrypt all RADIUS packets transmitted. If you do not configure a RADIUS key, packets are not encrypted. The key itself is never transmitted over the network.

Note: For more information about how the RADIUS protocol operates, see RFC 2138, "Remote Authentication Dial In User Service (RADIUS)."

You can configure the following RADIUS parameters on the switch:
• Enable or disable RADIUS authentication to control login access
• Enable or disable RADIUS authentication to control enable access
• Specify the IP addresses and UDP ports of the RADIUS servers
• Specify the RADIUS key used to encrypt RADIUS packets
• Specify the RADIUS server timeout interval
• Specify the RADIUS retransmit count
• Specify the RADIUS server deadtime interval

RADIUS authentication is disabled by default. You can enable RADIUS authentication and other authentication methods at the same time. You can specify which method to use first using the primary keyword. If local authentication is disabled and you then disable all other authentication methods, local authentication is re-enabled automatically.
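The following is an added example, not Cisco code or text from this guide, that models the RADIUS exchange described above using the RFC 2138 packet format the page cites. In that format the shared key enters two MD5 computations: it masks the User-Password attribute in the NAS's Access-Request, and it forms the Response Authenticator that lets the NAS confirm the Accept/Reject came from a server holding the same key. The user table, key values and identifier are constructed for the demonstration; the Message-Authenticator attribute of later RFCs is deliberately not modelled.

```python
import hashlib
import hmac
import os
import struct

# Constructed example of the RFC 2138 wire format (not Cisco code).
# Codes: 1 = Access-Request, 2 = Access-Accept, 3 = Access-Reject.
# Attribute types: 1 = User-Name, 2 = User-Password.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; then a 16-byte Authenticator


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2138 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same transform; the chaining value is the received ciphertext block."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ m for h, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes) -> dict:
    """Walk the Type/Length/Value list, rejecting lengths that run past the packet."""
    attrs, pos = {}, 0
    while pos + 2 <= len(data):
        t, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(ident, username, password, secret, request_auth=None):
    """NAS -> server. The Request Authenticator is random; here the key protects only User-Password."""
    request_auth = request_auth or os.urandom(16)
    attrs = attribute(USER_NAME, username) + attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code, ident, attrs, request_auth, secret):
    """Server -> NAS. Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = HEADER.pack(code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(packet, request_auth, secret) -> bool:
    """NAS-side check that the reply was produced with the shared key for this exact request."""
    if len(packet) < 20 or HEADER.unpack(packet[:4])[2] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def server_handle(packet, secret, users):
    """Minimal server: unhide the password, compare it with the constructed user table, answer Accept or Reject."""
    code, ident, length = HEADER.unpack(packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = packet[4:20], parse_attributes(packet[20:])
    user = attrs.get(USER_NAME, b"")
    pw = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = user in users and hmac.compare_digest(users[user], pw)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, b"", request_auth, secret)


def exchange(username, password, nas_secret, server_secret, users):
    """One in-memory request/response round trip; returns (response code, reply verified by the NAS?)."""
    req = build_access_request(7, username, password, nas_secret)
    req_auth = req[4:20]
    resp = server_handle(req, server_secret, users)
    return resp[0], verify_response(resp, req_auth, nas_secret)
```

Running `exchange()` with the same key on both ends yields an Access-Accept whose Response Authenticator verifies; with mismatched keys the server unmasks the password to garbage and rejects, and the NAS cannot verify the reply, which is the symptom a mis-typed key produces on a real switch.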
Understanding How Kerberos Authentication Works

Kerberos is a client-server-based secret-key network authentication method that uses a trusted Kerberos server to verify secure access to both services and users. In Kerberos, this trusted server is called the key distribution center (KDC). The KDC issues tickets to validate users and services. A ticket is a temporary set of electronic credentials that verify the identity of a client for a particular service. These tickets have a limited life span and can be used in place of the standard user password authentication mechanism if a service trusts the Kerberos server from which the ticket was issued.

If the standard user password method is used, Kerberos encrypts user passwords into the tickets, ensuring that passwords are not sent on the network in clear text. When you use Kerberos, passwords are not stored on any machine (except for the Kerberos server) for more than a few seconds. Kerberos also guards against intruders who might pick up the encrypted tickets from the network.

Table 27-1 defines terms used in Kerberos.

27-4 Software Configuration Guide-Catalyst 4000 Family, Catalyst 2948G, Catalyst 2980G, Releases 6.3 and 6.4 78-12647-02
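As an added illustration of the Kerberos properties described above (not code from this guide or from Cisco), the following simplified model shows a KDC issuing a time-limited ticket for a service and an encrypted part for the client, the client proving knowledge of its password only by decrypting that reply, and the service checking the ticket's lifetime and the freshness of the client's authenticator. The principals, password and lifetimes are constructed; the key-derivation function and the HMAC-SHA256-based sealing are stand-ins for the real Kerberos string-to-key and encryption algorithms and are assumptions for the demonstration.

```python
import hashlib
import hmac
import json
import os

# Constructed, simplified Kerberos model (not the RFC 1510 protocol or its ciphers).
# The KDC holds one long-term key per principal; a client's key is derived from its password.


def key_from_password(password: str, principal: str) -> bytes:
    """Stand-in for the Kerberos string-to-key function (assumption: PBKDF2 salted with the principal name)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption: HMAC-SHA256 keystream XOR plus an HMAC tag (illustrative only)."""
    plaintext = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Fails closed on a wrong key or any modification of the sealed bytes."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    def __init__(self, principals: dict):
        self.keys = dict(principals)   # principal name -> long-term key

    def issue(self, client: str, service: str, now: int, lifetime: int):
        """AS and TGS exchanges collapsed into one step. Returns (part for the client, ticket for the service).
        Nothing derived from the client's password leaves the KDC; the client proves it by decrypting its part."""
        session_key = os.urandom(32).hex()
        expiry = now + lifetime
        ticket = seal(self.keys[service], {"client": client, "session_key": session_key, "expiry": expiry})
        for_client = seal(self.keys[client], {"service": service, "session_key": session_key, "expiry": expiry})
        return for_client, ticket


def client_obtain_session(for_client: bytes, password: str, client: str) -> dict:
    return unseal(key_from_password(password, client), for_client)


def client_authenticator(session_key_hex: str, client: str, now: int) -> bytes:
    return seal(bytes.fromhex(session_key_hex), {"client": client, "timestamp": now})


def service_verify(service_key: bytes, ticket: bytes, authenticator: bytes, now: int, skew: int = 300) -> str:
    """Service-side checks: the ticket decrypts under the service key and is unexpired, and the authenticator
    sealed with the ticket's session key names the same client with a fresh timestamp. Returns the client name."""
    t = unseal(service_key, ticket)
    if now > t["expiry"]:
        raise ValueError("ticket expired")
    a = unseal(bytes.fromhex(t["session_key"]), authenticator)
    if a["client"] != t["client"] or abs(now - a["timestamp"]) > skew:
        raise ValueError("authenticator mismatch or stale")
    return t["client"]


def demo(now: int = 1_000_000) -> dict:
    """Runs the flow on constructed principals and returns the observable outcomes."""
    client_key = key_from_password("correct horse", "alice@EXAMPLE")
    service_key = os.urandom(32)
    kdc = KDC({"alice@EXAMPLE": client_key, "telnet/switch@EXAMPLE": service_key})
    for_client, ticket = kdc.issue("alice@EXAMPLE", "telnet/switch@EXAMPLE", now, lifetime=8 * 3600)
    results = {}
    try:
        client_obtain_session(for_client, "wrong password", "alice@EXAMPLE")
        results["wrong_password"] = "accepted"
    except ValueError:
        results["wrong_password"] = "rejected"
    sess = client_obtain_session(for_client, "correct horse", "alice@EXAMPLE")
    auth = client_authenticator(sess["session_key"], "alice@EXAMPLE", now + 60)
    results["valid"] = service_verify(service_key, ticket, auth, now + 60)
    try:
        service_verify(service_key, ticket, auth, now + 9 * 3600)   # past the 8-hour lifetime
        results["expired"] = "accepted"
    except ValueError:
        results["expired"] = "rejected"
    try:
        service_verify(service_key, ticket[:-1] + bytes([ticket[-1] ^ 1]), auth, now + 60)
        results["tampered"] = "accepted"
    except ValueError:
        results["tampered"] = "rejected"
    return results
```

The three failure paths in `demo()` correspond to the guarantees in the text: a wrong password never reaches the network and simply fails to open the KDC's reply, a ticket past its life span is refused, and a ticket altered in transit is refused by the service before anything it contains is trusted.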