Kerberos Configuration Task List

To configure Kerberos support on a Cisco router, complete the following tasks:

Step 1 Define the default realm for the router:

kerberos local-realm kerberos-realm

Step 2 Specify to the router which KDC to use in a given Kerberos realm and, optionally, the port number that the KDC is monitoring. (The default port number is 88.)

kerberos server kerberos-realm {hostname | ip-address} [port-number]

Step 3 Map a host name or DNS domain to a Kerberos realm (optional):

kerberos realm {dns-domain | host} kerberos-realm

NOTE The kerberos local-realm, kerberos realm, and kerberos server commands are equivalent to the UNIX krb.conf file.

Example 5-12 displays a sample Kerberos configuration.

Example 5-12 Kerberos Configuration

kerberos local-realm CISCO.COM
kerberos server CISCO.COM 3.3.3.3
kerberos realm .cisco.com CISCO.COM
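The NOTE above says these three router commands carry the same information as the UNIX Kerberos configuration file. The following added example (not from the book) parses the three IOS kerberos commands and renders them as MIT krb5.conf-style sections; it assumes the modern krb5.conf layout rather than the older krb.conf the book names, and the input mirrors Example 5-12 with a constructed second KDC line and a constructed host-to-realm mapping added.

```python
# Constructed sample in the style of Example 5-12 (not a real device config).
SAMPLE_CONFIG = """\
kerberos local-realm CISCO.COM
kerberos server CISCO.COM 3.3.3.3
kerberos server CISCO.COM kdc2.cisco.com 750
kerberos realm .cisco.com CISCO.COM
kerberos realm host1.example.com EXAMPLE.COM
"""

def parse_kerberos_config(text):
    """Parse 'kerberos local-realm', 'kerberos server' and 'kerberos realm' lines.
    Returns {"local_realm": str, "servers": {realm: [(kdc, port), ...]},
             "domain_realm": {domain_or_host: realm}}.
    Other kerberos subcommands and non-kerberos lines are ignored."""
    cfg = {"local_realm": None, "servers": {}, "domain_realm": {}}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "kerberos":
            continue
        if tokens[1] == "local-realm":
            cfg["local_realm"] = tokens[2]
        elif tokens[1] == "server" and len(tokens) >= 4:
            # Optional trailing port; the default KDC port is 88.
            port = int(tokens[4]) if len(tokens) > 4 else 88
            cfg["servers"].setdefault(tokens[2], []).append((tokens[3], port))
        elif tokens[1] == "realm" and len(tokens) >= 4:
            cfg["domain_realm"][tokens[2]] = tokens[3]
    return cfg

def to_krb5_conf(cfg):
    """Render the parsed commands as krb5.conf sections (assumed MIT layout)."""
    lines = ["[libdefaults]", f"    default_realm = {cfg['local_realm']}", "", "[realms]"]
    for realm, kdcs in cfg["servers"].items():
        lines.append(f"    {realm} = {{")
        for host, port in kdcs:
            lines.append(f"        kdc = {host}:{port}")
        lines.append("    }")
    lines += ["", "[domain_realm]"]
    for domain, realm in cfg["domain_realm"].items():
        lines.append(f"    {domain} = {realm}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(to_krb5_conf(parse_kerberos_config(SAMPLE_CONFIG)))
```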

RADIUS and TACACS+ are far more common than Kerberos in today's networks. Microsoft 2000, for example, uses Kerberos for internal authentication in Active Directory.

NOTE For a complete guide to Kerberos, a defined and open standard, please visit the following: http://web.mit.edu/is/help/kerberos/

For UNIX experts, some of the most common UNIX executable commands when configuring and enabling Kerberos are as follows:

• Kdb5_util—Allows the UNIX administrator to create the Kerberos database

• Kadmin—Allows the administrator to administer the Kerberos database

• Krb5kdc/kadmin—Starts the KDC daemon on the server

Cisco routers support encryption when Kerberos is used.

Another way for users to open a secure Telnet session is to use Encrypted Kerberized Telnet, which authenticates users by their Kerberos credentials before a Telnet session is established. The IOS command, entered at the exec prompt, is connect host [port] /encrypt kerberos.
