CISCO and kerberos

Tim Alsop Tim.Alsop at
Tue Sep 1 11:28:04 EDT 2009


You can use telnet, and only if using DES (etype 1 or 3) or DES3-CBC-MD5 (etype 5). The code in the Cisco IOS is based on CyberSafe code, and a very, very old release of it, so it might not work with MS AD, and not with Heimdal code.

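The enctype restriction above is something a practitioner would want to check on the keytab before loading it onto the switch. The following is an added example, not code from the thread or from Cisco: it parses an MIT-format keytab (version 0x0502) and lists entries whose enctype falls outside the 1/3/5 set named above; the principal name, realm and key bytes in the sample keytab are constructed.

```python
import struct
# Enctype numbers per RFC 3961; the thread says IOS telnet needs single DES (1, 3) or des3-cbc-md5 (5).
IOS_TELNET_ETYPES = {1, 3, 5}
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 5: "des3-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts", 18: "aes256-cts", 23: "rc4-hmac"}

def _counted(buf, off):  # keytab "counted octet string": uint16 length followed by the bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, etype)] for each live entry of a version-0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # negative size marks a deleted slot: skip it
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        off += 8                          # name_type (uint32) + timestamp (uint32)
        kvno, etype, klen = struct.unpack_from(">BHH", data, off)
        off += 5 + klen                   # step over the key material
        if end - off >= 4:                # optional 32-bit kvno, overrides the byte when non-zero
            kvno = struct.unpack_from(">I", data, off)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, etype))
        off = end
    return entries

def unsupported_for_ios(entries):
    """Entries the old CyberSafe-based IOS client cannot use, as (principal, enctype name)."""
    return [(p, ETYPE_NAMES.get(e, f"etype {e}")) for p, _, e in entries if e not in IOS_TELNET_ETYPES]

def build_entry(principal, kvno, etype, key):  # constructed helper so the demo runs offline
    name, realm = principal.split("@")
    parts = [realm.encode()] + [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(parts) - 1) + b"".join(struct.pack(">H", len(p)) + p for p in parts)
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: one AES entry (the usual AD default) and one DES entry for the switch's host principal.
SAMPLE = (b"\x05\x02" + build_entry("host/sw1.example.test@EXAMPLE.TEST", 2, 18, b"\x00" * 32)
          + build_entry("host/sw1.example.test@EXAMPLE.TEST", 2, 3, b"\x00" * 8))
```

Single-DES enctypes are deprecated by RFC 6649, so a keytab that passes this check should be limited to the switch's own host principal rather than enabling DES realm-wide.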

-----Original Message-----
From: kerberos-bounces at [mailto:kerberos-bounces at] On Behalf Of Nikolay Shopik
Sent: 01 September 2009 14:41
To: kerberos at
Subject: Re: CISCO and kerberos

On 01.09.2009 14:55, Nikos Nikoleris wrote:
> jarek wrote:
>> Hi all!
>> I'd like to configure CISCO Catalyst to use kerberos against AD server
>> W2008. I'd like to login to cisco using ticket and telnet.krb5 from
>> krb5-clients package. When I'm trying telnet.krb5 -a -f cisco_ip, I'm
>> getting:
>> [ Kerberos V5 refuses authentication ]
>> kerberos_server_auth:    Couldn't authenticate client from
>> test-nms.test.local.
>> What can be wrong ?
>> Has someone working example of CISCO config for such scenario ?
>> J.
> Hi Jarek,
> A cisco working here with kerberos authentication but the kdc is Heimdal
> kerberos. Some suggestions are:
> * Timing issues, you have to make sure both the kdc and the cisco are
> sync'd... (That's very important)
> * Try uploading the keytab using only the DES-CBC-CRC enc of the cisco
> principal...
> * Your cisco should have a configuration like:
> aaa new-model
> aaa authentication login default krb5-telnet krb5 local enable
> aaa authorization exec default krb5-instance
> kerberos local-realm YOUR.REALM
> kerberos srvtab entry host/FQDN.OF.YOUR.SWITCH at YOUR.REALM (there should
> be some numbers here as well)
> kerberos clients mandatory
> kerberos server YOUR.REALM $(IP of your KDC)
> kerberos instance map admin 15 # this will map kerberos users */admin to
> the superuser of cisco
> kerberos credentials forward # that's optional
> # I strongly suggest this as well adjusted to your case
> ntp server your.ntp.server
> clock timezone GMT -6
> clock summer-time CDT recurring
> -- Nikos
> ________________________________________________
> Kerberos mailing list           Kerberos at
Hi Nikos,

If I'm not mistaken, they don't yet support Kerberos for SSH, do they?
