Cisco WS-C6506 User Manual

39-7
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
Chapter 39 Configuring the Switch Access Using AAA
Understanding How Authentication Works
Using a Kerberized Login Procedure
You can use a Kerberized Telnet session if you are logging in through the in-band management port.
When the Telnet client and services have been Kerberized, you follow this process when attempting to
access the switch through Telnet:
1. The Telnet client asks you for the username and issues a request for a TGT to the KDC on the
Kerberos server.
2. The KDC creates the TGT, which contains the user’s identity, the KDC’s identity, and the TGT’s
expiration time. The KDC then encrypts the TGT with your password and sends the TGT to the
client.
3. When the Telnet client receives the encrypted TGT, it prompts you for the password. If the Telnet
client can decrypt the TGT with the entered password, you are successfully authenticated to the
KDC. The client then builds a service credential request and sends it to the KDC. This request
contains your user identity and a message saying that it wants to access the switch through Telnet.
This request is encrypted using the TGT.
4. When the KDC successfully decrypts the service credential request with the TGT that it issued to
the client, it builds a service credential to the switch. The service credential has the client’s identity and the
identity of the desired Telnet server. The KDC then encrypts the credential with the password that
it shares with the switch’s Telnet server, encrypts the resulting packet with the Telnet client’s TGT,
and sends this packet to the client.
5. The Telnet client decrypts the packet first with its TGT. If the decryption is successful, the client
then sends the resulting packet to the switch’s Telnet server. At this point, the packet is still
encrypted with the password that the switch’s Telnet server and the KDC share.
6. If the Telnet client has been instructed to do so, it forwards the TGT to the switch. This step ensures
that you do not need to get another TGT in order to use another network service from the switch.
Figure 39-1 shows the Kerberos Telnet connection process.
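
Steps 1 through 5 above, as an added Python sketch (not code from the Cisco guide and not a real Kerberos implementation): it follows the page's simplified model, so "encrypted with the TGT" is modelled as a key derived from the TGT contents. The cipher is a toy built from hashlib, and the user name, passwords, service name and the random TGT field are constructed assumptions.

```python
import hashlib, hmac, json, os, time

def kdf(secret: bytes) -> bytes:  # toy KDF; real Kerberos uses salted string-to-key
    return hashlib.sha256(b"demo-kdf" + secret).digest()

def _xor(key: bytes, nonce: bytes, data: bytes) -> bytes:  # toy SHAKE-256 keystream
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key + nonce).digest(len(data))))

def seal(key: bytes, obj: dict) -> bytes:
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj, sort_keys=True).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decryption failed")  # wrong password or wrong key
    return json.loads(_xor(key, nonce, ct))

USERS = {"alice": kdf(b"constructed-password")}  # constructed KDC user database
SWITCH_KEY = kdf(b"constructed-switch-secret")   # shared by KDC and switch Telnet server
ISSUED = {}                                      # TGTs the KDC has handed out

def tgt_key(tgt: dict) -> bytes:
    # Assumption: "encrypted with the TGT" is modelled as a key derived from the TGT.
    return kdf(json.dumps(tgt, sort_keys=True).encode())

def kdc_issue_tgt(user: str) -> bytes:                         # steps 1-2
    ISSUED[user] = {"user": user, "kdc": "KDC", "expires": int(time.time()) + 3600,
                    "rand": os.urandom(16).hex()}              # rand: added so the TGT is secret
    return seal(USERS[user], ISSUED[user])

def client_login(user: str, password: bytes, enc_tgt: bytes):  # step 3
    tgt = unseal(kdf(password), enc_tgt)                       # fails on a wrong password
    return tgt, seal(tgt_key(tgt), {"user": user, "service": "telnet@switch"})

def kdc_issue_credential(user: str, request: bytes) -> bytes:  # step 4
    tgt = ISSUED[user]
    if tgt["expires"] < time.time():
        raise ValueError("TGT expired")
    req = unseal(tgt_key(tgt), request)
    cred = seal(SWITCH_KEY, {"client": req["user"], "server": req["service"]})
    return seal(tgt_key(tgt), {"cred": cred.hex()})

def client_unwrap(tgt: dict, packet: bytes) -> bytes:          # step 5
    return bytes.fromhex(unseal(tgt_key(tgt), packet)["cred"])

def switch_accept(cred: bytes) -> str:                         # switch's Telnet server
    return unseal(SWITCH_KEY, cred)["client"]
```

The client only relays the inner credential: it cannot open it with its own TGT-derived key, and the password itself never crosses the network in this model.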
