CISCO and kerberos

Nikos Nikoleris nikos at ece.ntua.gr
Tue Sep 1 06:55:01 EDT 2009


jarek wrote:
> Hi all!
> 
> I'd like to configure CISCO Catalyst to use kerberos against AD server
> W2008. I'd like to login to cisco using ticket and telnet.krb5 from
> krb5-clients package. When I'm trying telnet.krb5 -a -f cisco_ip, I'm
> getting:
> 
> [ Kerberos V5 refuses authentication ]
> kerberos_server_auth:    Couldn't authenticate client from
> test-nms.test.local.
> 
> What can be wrong ?
> 
> Has someone working example of CISCO config for such scenario ?
> 
> J.

Hi Jarek,

A Cisco is working here with Kerberos authentication, but the KDC is Heimdal
Kerberos. Some suggestions are:
* Timing issues, you have to make sure both the kdc and the cisco are
sync'd... (That's very important)
* Try uploading the keytab using only the DES-CBC-CRC enc of the cisco
principal...
* Your cisco should have a configuration like:
aaa new-model
aaa authentication login default krb5-telnet krb5 local enable
aaa authorization exec default krb5-instance
kerberos local-realm YOUR.REALM
kerberos srvtab entry host/FQDN.OF.YOUR.SWITCH at YOUR.REALM (there should
be some numbers here as well)
kerberos clients mandatory
kerberos server YOUR.REALM $(IP of your KDC)
kerberos instance map admin 15 # this will map kerberos users */admin to
the superuser of cisco
kerberos credentials forward # that's optional

# I strongly suggest this as well adjusted to your case
ntp server your.ntp.server
clock timezone GMT -6
clock summer-time CDT recurring

-- Nikos
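Two of the suggestions above (clock sync between switch and KDC, and a srvtab holding only the DES-CBC-CRC entry of the switch's host principal) are easy to get wrong and easy to check before anything else is debugged. The following helper is an added example, not code from the thread or from Cisco: it parses the output an operator pastes from MIT `klist -kte` (the column layout is assumed to be the one shown in the constructed sample; other versions may differ), reports which enctypes the keytab carries for the switch principal and which would have to be dropped, and computes the skew between two UTC timestamps read off the KDC and the switch against the usual 5-minute Kerberos default (an assumption, configurable). The sample keytab listing and timestamps are constructed. DES-CBC-CRC is a legacy enctype; the check only confirms the keytab matches what the reply says IOS expects, it does not argue for using DES anywhere else.

```python
"""Added troubleshooting helper (not from the original thread): check the two
things the reply flags before a Cisco IOS Kerberos login is debugged further:
(1) clock skew between switch and KDC, and (2) that the keytab uploaded as the
switch's srvtab holds the host principal with the DES-CBC-CRC enctype the reply
says IOS wants. Inputs are strings the operator pastes from `klist -kte` (MIT)
and from the two clocks; all sample data below is constructed."""
import re
from datetime import datetime, timezone

MAX_SKEW_SECONDS = 300  # common Kerberos default clockskew (5 minutes); assumption

# Constructed sample `klist -kte` output for a keytab that still carries several
# enctypes, which the reply says to avoid when uploading the srvtab to IOS.
SAMPLE_KLIST = """\
Keytab name: FILE:/tmp/switch.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 09/01/2009 10:12:05 host/switch1.example.net@EXAMPLE.NET (des-cbc-crc)
   3 09/01/2009 10:12:05 host/switch1.example.net@EXAMPLE.NET (aes256-cts-hmac-sha1-96)
   3 09/01/2009 10:12:05 host/switch1.example.net@EXAMPLE.NET (arcfour-hmac)
"""

# One keytab entry: KVNO, date + time, principal, "(enctype)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_keytab_listing(text):
    """Return a list of (kvno, principal, enctype) tuples from klist -kte output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(3), m.group(4)))
    return entries


def check_srvtab(text, host_principal, wanted_enctype="des-cbc-crc"):
    """Report whether the keytab has the switch principal, which enctypes it
    carries, and which entries would need to be dropped before uploading."""
    entries = parse_keytab_listing(text)
    for_host = [e for e in entries if e[1] == host_principal]
    enctypes = sorted({e[2] for e in for_host})
    return {
        "principal_present": bool(for_host),
        "has_wanted_enctype": wanted_enctype in enctypes,
        "enctypes": enctypes,
        "extra_enctypes": sorted(et for et in enctypes if et != wanted_enctype),
        "kvnos": sorted({e[0] for e in for_host}),
    }


def clock_skew_seconds(kdc_time, switch_time):
    """Absolute difference in seconds between two ISO-8601 UTC timestamps
    (e.g. '2009-09-01T10:20:00Z'), as read from the KDC and the switch."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    a = datetime.strptime(kdc_time, fmt).replace(tzinfo=timezone.utc)
    b = datetime.strptime(switch_time, fmt).replace(tzinfo=timezone.utc)
    return abs(int((a - b).total_seconds()))


def skew_ok(kdc_time, switch_time, limit=MAX_SKEW_SECONDS):
    """True when the two clocks are within the allowed skew window."""
    return clock_skew_seconds(kdc_time, switch_time) <= limit


if __name__ == "__main__":
    report = check_srvtab(SAMPLE_KLIST, "host/switch1.example.net@EXAMPLE.NET")
    print("srvtab check:", report)
    # Constructed: switch clock 7 minutes behind the KDC, outside the default window
    kdc, sw = "2009-09-01T10:20:00Z", "2009-09-01T10:13:00Z"
    print("skew seconds:", clock_skew_seconds(kdc, sw), "ok:", skew_ok(kdc, sw))
```

If `extra_enctypes` is non-empty, the keytab should be rebuilt (or the extra entries removed) so that only the wanted entry is uploaded; if `skew_ok` is false, fix NTP on the switch before touching the Kerberos configuration, since the "Couldn't authenticate client" failure looks the same in both cases.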
