- Cisco Secure ACS Introduction
- Installing Cisco Secure ACS 3.0 for Windows 2000/NT Servers
- Administering and Troubleshooting Cisco Secure ACS for Windows
- TACACS+ Overview
- RADIUS Overview
- Kerberos Overview
- Chapter Summary
- Cisco IOS Commands Presented in This Chapter
- Chapter Review Questions
- Case Study
Kerberos is a secret-key network authentication protocol, developed at the Massachusetts Institute of Technology (MIT), that uses the Data Encryption Standard (DES) cryptographic algorithm for encryption and authentication. Kerberos was designed to authenticate requests for network resources. Kerberos, like other secret-key systems, is based on the concept of a trusted third party that performs secure verification of users and services.
In the Kerberos protocol, this trusted third party is called the Key Distribution Center (KDC). It performs the same function as a certification authority (CA), which is discussed in Chapter 9, "Building Advanced IPSec VPNs Using Cisco Routers and Certificate Authorities." The following lists some of the distinguishing characteristics of Kerberos:
Secret-key authentication protocol
Authenticates users and network services that they use
Uses 40- or 56-bit DES for encryption and authentication (weak by today's standards)
Relies on a trusted third party (KDC) for key distribution
Embodies "single login" concept
Expensive to administerlabor intensive
Cisco IOS Release 12.0 includes Kerberos 5 support, which allows organizations that are already deploying Kerberos 5 to use an existing KDC (similar to a CA in IP Security [IPSec]) with their routers and NAS. The following network services are Kerberized in Cisco IOS software:
TelnetLogs a client (from router to another host) into a server (from another host to router) to permit interactive Telnet sessions
rloginLogs a user in to a remote UNIX host for an interactive session similar to Telnet
rshLogs a user in to a remote UNIX host and allows execution of one UNIX command
rcpLogs a user in to a remote UNIX host and allows copying of files from the host
You can use the connect EXEC command with the /telnet or /rlogin keyword to log in to a host that supports Telnet or rlogin, respectively. You can use the /encrypt kerberos keyword to establish an encrypted Telnet session from a router to a remote Kerberos host. Alternatively, you can use the telnet EXEC command with the /encrypt kerberos keyword to establish an encrypted Telnet session.
You can use the rlogin and rsh EXEC commands to initiate rlogin and rsh sessions.
You can use the copy rcp EXEC command or configuration command to enable obtaining configuration or image files from an RCP server.