User's Manual
12-18
Cisco IE 2000 Switch Software Configuration Guide
OL-25866-01
Chapter 12 Configuring Switch-Based Authentication
Information About Configuring Switch-Based Authentication
The Kerberos credential scheme uses a process called single logon. This process authenticates a user 
once and then allows secure authentication (without encrypting another password) wherever that user 
credential is accepted.
This software release supports Kerberos 5, which allows organizations that are already using Kerberos 5 
to use the same Kerberos authentication database on the KDC that they are already using on their other 
network hosts (such as UNIX servers and PCs).
In this software release, Kerberos supports these network services:
  • Telnet
  • rlogin
  • rsh (Remote Shell Protocol)
Table 12-5 lists the common Kerberos-related terms and definitions.
Ta b l e  12-5 Kerberos Terms 
Term Definition
Authentication A process by which a user or service identifies itself to another service. 
For example, a client can authenticate to a switch or a switch can 
authenticate to another switch.
Authorization A means by which the switch identifies what privileges the user has in a 
network or on the switch and what actions the user can perform.
Credential A general term that refers to authentication tickets, such as TGTs
1
 and 
service credentials. Kerberos credentials verify the identity of a user or 
service. If a network service decides to trust the Kerberos server that 
issued a ticket, it can be used in place of reentering a username and 
password. Credentials have a default lifespan of eight hours.
Instance An authorization level label for Kerberos principals. Most Kerberos 
principals are of the form user@REALM (for example, 
smith@EXAMPLE.COM). A Kerberos principal with a Kerberos 
instance has the form user/instance@REALM (for example, 
smith/admin@EXAMPLE.COM). The Kerberos instance can be used to 
specify the authorization level for the user if authentication is successful. 
The server of each network service might implement and enforce the 
authorization mappings of Kerberos instances but is not required to do so. 
Note The Kerberos principal and instance names must be in all 
lowercase characters.
Note The Kerberos realm name must be in all uppercase characters.
KDC
2
Key distribution center that consists of a Kerberos server and database 
program that is running on a network host.
Kerberized A term that describes applications and services that have been modified 
to support the Kerberos credential infrastructure.
Kerberos realm A domain consisting of users, hosts, and network services that are 
registered to a Kerberos server. The Kerberos server is trusted to verify 
the identity of a user or network service to another user or network 
service. 
Note The Kerberos realm name must be in all uppercase characters.










