39-9
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
Chapter 39 Configuring the Switch Access Using AAA
Configuring Authentication on the Switch
Using a Non-Kerberized Login Procedure
If you use a non-Kerberized login procedure to log in to the switch, the switch takes care of the
authentication to the KDC on behalf of the login client. However, the user password is now transferred
in clear text from the login client to the switch.
Note A non-Kerberized login can be performed through a modem or terminal server through the in-band
management port. Telnet does not support non-Kerberized login.
If you launch a non-Kerberized login, the following process takes place:
1. The switch prompts you for a username and password.
2. The switch requests a TGT from the KDC so that you can be authenticated to the switch.
3. The KDC sends an encrypted TGT to the switch, which contains your identity, KDC’s identity, and
TGT’s expiration time.
4. The switch tries to decrypt the TGT with the password that you entered. If the decryption is
successful, you are authenticated to the switch.
5. If you want to access the other network services, the KDC must be contacted directly for
authentication. To obtain the TGT, you can run the program “kinit,” which is the client software that
is provided with the Kerberos package.
Figure 39-2 shows the non-Kerberized login process.
Figure 39-2 Non-Kerberized Telnet Connection
Configuring Authentication on the Switch
These sections describe how to configure the different authentication methods:
• Authentication Default Configuration, page 39-10
• Authentication Configuration Guidelines, page 39-11
• Configuring Login Authentication, page 39-11
• Configuring Local Authentication, page 39-13
• Configuring Local User Authentication, page 39-17
To Next Page
Loading...
Need help?
General