Cisco WS-C2948G-GE-TX Configuration Manual page 480

Catalyst 4500 series switch

Configuring Authentication
Copying SRVTAB Files
To allow remote users to authenticate to the switch using Kerberos credentials, the switch must share a
key with the KDC. You must give the switch a copy of the file that is stored in the KDC that contains the
key. These files are called SRVTAB files on the switch and KEYTAB files on the servers.
The most secure method of copying SRVTAB files to the hosts in your Kerberos realm is to copy them
onto physical media and then manually copy the files onto the system. To copy SRVTAB files to a switch
that does not have a physical media drive, you must transfer them through the network by using the
Trivial File Transfer Protocol (TFTP).
When you copy the SRVTAB file from the switch to the KDC, the switch parses the information in this
file and stores it in the running configuration in the Kerberos SRVTAB entry format. If you enter the
SRVTAB directly into the switch, create an entry for each Kerberos principal (service) on the switch.
The entries are maintained in the SRVTAB table. The maximum size of the table is 20 entries.
To retrieve SRVTAB files to the switch from the KDC, perform this task in privileged mode:
Step 1  Task: Retrieve a specified SRVTAB file from the KDC.
        Command: set kerberos srvtab remote {hostname | ip-address} filename
Step 2  Task: (Optional) You can enter the SRVTAB directly into the switch.
        Command: set kerberos srvtab entry kerberos-principal principal-type timestamp key-version number key-type key-length encrypted-keytab
This example shows how to retrieve an SRVTAB file from the KDC, enter an SRVTAB directly into the
switch, and verify the configuration:
Console> (enable) set kerberos srvtab remote 187.20.32.10 /users/jdoe/krb5/ninerskeytab
Console> (enable)
Console> (enable) set kerberos srvtab entry host/niners.cisco.com@CISCO.COM 0 932423923 1 1 8 03;;5>00>50;0=0=0
Kerberos SRVTAB entry set to
Principal:host/niners.cisco.com@CISCO.COM
Principal Type:0
Timestamp:932423923
Key version number:1
Key type:1
Key length:8
Encrypted key tab:03;;5>00>50;0=0=0
Console> (enable) show kerberos
Kerberos Local Realm:CISCO.COM
Kerberos server entries:
Realm:CISCO.COM,  Server:187.0.2.1,   Port:750
Realm:CISCO.COM,  Server:187.20.2.1,  Port:750
Kerberos Domain<->Realm entries:
Domain:cisco.com,  Realm:CISCO.COM

Chapter 30, Configuring Switch Access Using AAA
Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Software Configuration Guide—Release 8.2GLX, 78-15908-01, page 30-34
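
The following Python example is an addition to this page, not code from the Cisco guide. It audits a saved configuration for the two commands in this section: it parses the seven-field set kerberos srvtab entry format, checks the 20-entry table limit, and reports set kerberos srvtab remote lines, because those pull the key file over TFTP rather than physical media. The function names, the @REALM check and the third sample line are assumptions made for the example.

```python
import re
from collections import namedtuple

MAX_ENTRIES = 20  # SRVTAB table limit stated in the guide
FIELDS = "principal principal_type timestamp key_version key_type key_length encrypted_keytab"
SrvtabEntry = namedtuple("SrvtabEntry", FIELDS)
ENTRY_RE = re.compile(r"set kerberos srvtab entry\s+(.+)$")
REMOTE_RE = re.compile(r"set kerberos srvtab remote\s+(\S+)\s+(\S+)")

def parse_entry(line):
    """Parse one 'set kerberos srvtab entry' command into its seven fields."""
    m = ENTRY_RE.search(line.strip())
    if not m:
        raise ValueError("not a srvtab entry command")
    fields = m.group(1).split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}")
    principal, *numbers, keytab = fields
    if "@" not in principal:  # assumption: principal names its realm, as in the guide's example
        raise ValueError("principal has no @REALM part")
    if not all(n.isdecimal() for n in numbers):
        raise ValueError("type, timestamp, version, key type and key length must be integers")
    return SrvtabEntry(principal, *map(int, numbers), keytab)

def audit_config(text):
    """Return (entries, findings) for the SRVTAB commands found in a config dump."""
    entries, findings = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        remote = REMOTE_RE.search(line)
        if remote:  # TFTP is the network transfer method the guide describes
            findings.append(f"line {lineno}: SRVTAB fetched from {remote.group(1)} over TFTP "
                            "(no encryption or authentication)")
        elif ENTRY_RE.search(line.strip()):
            try:
                entries.append(parse_entry(line))
            except ValueError as err:
                findings.append(f"line {lineno}: malformed entry: {err}")
    if len(entries) > MAX_ENTRIES:
        findings.append(f"{len(entries)} entries exceed the {MAX_ENTRIES}-entry table")
    return entries, findings

# Constructed sample: the guide's two commands plus one made-up entry missing a field.
SAMPLE = """\
Console> (enable) set kerberos srvtab remote 187.20.32.10 /users/jdoe/krb5/ninerskeytab
set kerberos srvtab entry host/niners.cisco.com@CISCO.COM 0 932423923 1 1 8 03;;5>00>50;0=0=0
set kerberos srvtab entry host/other.cisco.com@CISCO.COM 0 932423923 1 8 03;;5>00>50;0=0=0
"""

if __name__ == "__main__":
    print(*audit_config(SAMPLE)[1], sep="\n")
```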
