Cisco WS-C4003 Software Guide - Page 389
Enabling Credentials Forwarding
View all Cisco WS-C4003 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 389 highlights
Chapter 27 Configuring Switch Access Using AAA Configuring Authentication This example shows how to clear a SRVTAB entry: Console> (enable) clear kerberos srvtab entry host/[email protected] 0 Console> (enable) Enabling Credentials Forwarding A user authenticated to a Kerberized switch has a TGT and can use it to authenticate to a host on the network. However, if forwarding is not enabled and a user tries to list credentials after authenticating to a host, the output will show no Kerberos credentials present. To enable credentials forwarding, configure the switch to forward user TGTs when they authenticate from the switch to Kerberized remote hosts on the network using Kerberized Telnet. As an additional layer of security, you can configure the switch so that after users authenticate to it, these users can authenticate only to other services on the network with Kerberized clients. If you do not make Kerberos authentication mandatory and Kerberos authentication fails, the application attempts to authenticate users using the default method of authentication for that network service. For example, Telnet prompts for a password. To configure clients to forward user credentials as they connect to other hosts in the Kerberos realm, perform this task in privileged mode: Step 1 Step 2 Task Set all clients to forward user credentials upon successful Kerberos authentication. Optionally, configure Telnet to fail if clients cannot authenticate to the remote server. Command set kerberos credentials forward set kerberos clients mandatory This example shows how to configure clients to forward user credentials and verify the configuration: Console> (enable) set kerberos credentials forward Kerberos credentials forwarding enabled Console> (enable) show kerberos Kerberos Local Realm:CISCO.COM Kerberos server entries: Realm:CISCO.COM, Server:187.0.2.1, Port:750 Realm:CISCO.COM, Server:187.20.2.1, Port:750 Kerberos DomainRealm entries: Domain:cisco.com, Realm:CISCO.COM Kerberos Clients NOT Mandatory Kerberos Credentials Forwarding Enabled Kerberos Pre Authentication Method set to None Kerberos config key: Kerberos SRVTAB Entries Srvtab Entry 1:host/[email protected] 0 933974942 1 1 8 00?91:107:423=:;9 Console> (enable) This example shows how to configure the switch so that Kerberos clients are mandatory for users to authenticate to other network services: Console> (enable) set kerberos clients mandatory Kerberos clients set to mandatory Console> (enable) 78-12647-02 Software Configuration Guide-Catalyst 4000 Family, Catalyst 2948G, Catalyst 2980G, Releases 6.3 and 6.4 27-35