Chapter 27
Configuring Switch Access Using AAA
Note
A non-Kerberized login can be performed through a modem or terminal server through the in-band
management port. Telnet does not support non-Kerberized login.
If a non-Kerberized login is launched, the following process takes place:
1. The switch prompts you for a username and password.
2. The switch requests a TGT from the KDC so that you can be authenticated to the switch.
3. The KDC sends an encrypted TGT to the switch, which contains your identity, the KDC's identity, and
the TGT's expiration time.
4. The switch tries to decrypt the TGT with the password that you entered. If the decryption is
successful, you are authenticated to the switch.
5. If you want to access other network services, the KDC must be contacted directly for authentication.
To obtain the TGT, you can run the program "kinit," the client software provided with the Kerberos
package.
Figure 27-2 illustrates the non-Kerberized login process.
Figure 27-2 Non-Kerberized Telnet Connection
[Figure: Host (Telnet client), Catalyst switch, and Kerberos server (contains KDC); exchanges numbered 1 through 3]
Understanding How 802.1x Authentication Works
IEEE 802.1x is a client-server-based access control and authentication protocol that restricts
unauthorized devices from connecting to a local area network (LAN) through publicly accessible ports.
802.1x authenticates each user device connected to a switch port before making available any services
offered by the switch or the LAN. Until the device is authenticated, 802.1x access control allows only
Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the device is
connected. After authentication is successful, normal traffic can pass through the port.
802.1x controls network access by creating two distinct virtual access points at each port. One access
point is an uncontrolled port; the other is a controlled port. All traffic through the single physical port is
available to both access points. Only EAPOL traffic is allowed to pass through the uncontrolled port, which
is always open. The controlled port is open only when the device connected to the port has been authorized
by 802.1x. After this authorization takes place, the controlled port opens, allowing normal traffic to pass.
Software Configuration Guide—Catalyst 4000 Family, Catalyst 2948G, Catalyst 2980G, Releases 6.3 and 6.4 (78-12647-02)
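The two virtual access points described in the 802.1x section can be modelled directly in code. The following Python program is an added example and is not part of the Cisco guide or of CatOS: it builds constructed Ethernet frames, classifies each ingress frame by EtherType (EAPOL is 0x888E), and lets only EAPOL frames through the always-open uncontrolled port while normal traffic is dropped until the authentication server accepts the supplicant and opened again when an EAPOL-Logoff arrives. The MAC addresses, the `Dot1xPort` class and the `demo_session` walk-through are all constructed for illustration; the authenticator-to-server leg (RADIUS) is represented only by the `authentication_succeeded` call.

```python
import struct

# Constants from IEEE 802.1X: EAPOL EtherType and EAPOL packet types.
EAPOL_ETHERTYPE = 0x888E
EAPOL_EAP_PACKET = 0
EAPOL_START = 1
EAPOL_LOGOFF = 2

ETH_HDR = struct.Struct("!6s6sH")   # dst MAC, src MAC, EtherType
EAPOL_HDR = struct.Struct("!BBH")   # protocol version, packet type, body length

# Constructed addresses: a supplicant, an uplink host and the 802.1X PAE group address.
SUPPLICANT_MAC = bytes.fromhex("020000000001")
UPLINK_MAC = bytes.fromhex("020000000002")
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")


def build_frame(dst, src, ethertype, payload=b""):
    """Build an Ethernet II frame (constructed sample traffic only)."""
    return ETH_HDR.pack(dst, src, ethertype) + payload


def build_eapol(packet_type, body=b""):
    """Build an EAPOL PDU with protocol version 2."""
    return EAPOL_HDR.pack(2, packet_type, len(body)) + body


class Dot1xPort:
    """A switch port modelled as the two virtual access points from the text:
    the always-open uncontrolled port (EAPOL only) and the controlled port,
    which forwards normal traffic only while the port is authorized."""

    def __init__(self):
        self.authorized = False
        self.events = []

    def receive(self, frame):
        """Classify an ingress frame and return the virtual port that handled it:
        'uncontrolled' (EAPOL), 'controlled' (normal traffic, port authorized)
        or 'dropped' (normal traffic before authorization, or a runt frame)."""
        if len(frame) < ETH_HDR.size:
            self.events.append("runt frame dropped")
            return "dropped"
        _dst, src, ethertype = ETH_HDR.unpack_from(frame)
        if ethertype == EAPOL_ETHERTYPE:
            self._handle_eapol(src, frame[ETH_HDR.size:])
            return "uncontrolled"
        if self.authorized:
            return "controlled"
        self.events.append(
            f"dropped EtherType 0x{ethertype:04x} from {src.hex(':')}: port not authorized")
        return "dropped"

    def _handle_eapol(self, src, pdu):
        """Minimal authenticator-side handling of the three common EAPOL packet types."""
        if len(pdu) < EAPOL_HDR.size:
            self.events.append("malformed EAPOL PDU ignored")
            return
        _version, packet_type, body_len = EAPOL_HDR.unpack_from(pdu)
        body = pdu[EAPOL_HDR.size:EAPOL_HDR.size + body_len]
        if packet_type == EAPOL_START:
            self.events.append(f"EAPOL-Start from {src.hex(':')}: authenticator sends EAP-Request/Identity")
        elif packet_type == EAPOL_EAP_PACKET:
            self.events.append(f"EAP packet ({len(body)} bytes) relayed to the authentication server")
        elif packet_type == EAPOL_LOGOFF:
            self.authorized = False   # the controlled port closes again
            self.events.append(f"EAPOL-Logoff from {src.hex(':')}: port unauthorized")

    def authentication_succeeded(self):
        """Called when the authentication server accepts the supplicant (EAP-Success)."""
        self.authorized = True
        self.events.append("EAP-Success: controlled port opened")


def demo_session():
    """Walk one supplicant through the port states; returns (decisions, event log)."""
    port = Dot1xPort()
    ip_frame = build_frame(UPLINK_MAC, SUPPLICANT_MAC, 0x0800, b"\x45" + b"\x00" * 19)
    eapol = lambda pdu: build_frame(PAE_GROUP_MAC, SUPPLICANT_MAC, EAPOL_ETHERTYPE, pdu)
    decisions = [
        port.receive(ip_frame),                                         # before auth: dropped
        port.receive(eapol(build_eapol(EAPOL_START))),                  # EAPOL-Start: uncontrolled
        port.receive(eapol(build_eapol(EAPOL_EAP_PACKET,
                                       b"\x02\x01\x00\x0a\x01alice"))),  # EAP-Response/Identity
    ]
    port.authentication_succeeded()
    decisions.append(port.receive(ip_frame))                            # after auth: controlled
    decisions.append(port.receive(eapol(build_eapol(EAPOL_LOGOFF))))    # logoff: uncontrolled
    decisions.append(port.receive(ip_frame))                            # after logoff: dropped
    return decisions, port.events


if __name__ == "__main__":
    decisions, events = demo_session()
    print("decisions:", decisions)
    for event in events:
        print("  ", event)
```

The event log is the part a defender cares about: a burst of dropped non-EAPOL frames on an unauthorized port, or an EAPOL-Logoff followed by traffic from a different source MAC, is exactly the kind of record that should reach the logging server when 802.1x is deployed on user-facing ports.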
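The numbered login steps earlier on this page describe the switch requesting a TGT from the KDC and then testing whether the TGT decrypts with the password the user typed. The following Python program is an added example, not code from the Cisco guide or from any Kerberos implementation: it models that simplified flow with a KDC that stores a password-derived key per principal and issues a TGT (identity, KDC identity, expiry) sealed under that key, and a `switch_login` function that derives a key from the typed password, attempts to open the TGT, and checks the expiry. The realm `EXAMPLE.COM`, the user `alice`, the PBKDF2 key derivation and the HMAC-SHA256 counter-mode cipher are all constructed stand-ins so the example runs with the standard library alone; real Kerberos uses its own string-to-key functions, encryption types and AS-REQ/AS-REP messages.

```python
import hashlib
import hmac
import json
import os

PBKDF2_ROUNDS = 10_000   # constructed parameter for the toy key derivation


def derive_key(password, salt):
    """Password-derived long-term key (toy stand-in for Kerberos string-to-key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, used here as a stdlib-only toy stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag. Toy construction, not Kerberos encryption."""
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key, blob):
    """Return the plaintext, or None when the key is wrong or the blob was altered."""
    if len(blob) < 48:
        return None
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class KDC:
    """Minimal key distribution centre holding each principal's password-derived key."""

    def __init__(self, realm):
        self.realm = realm
        self.principals = {}   # name -> (salt, key)

    def enroll(self, name, password):
        salt = os.urandom(8)
        self.principals[name] = (salt, derive_key(password, salt))

    def issue_tgt(self, name, now, lifetime=8 * 3600):
        """Step 3: return the salt plus a TGT sealed under the principal's key, or None."""
        if name not in self.principals:
            return None
        salt, key = self.principals[name]
        tgt = {"client": name, "kdc": self.realm, "expires": now + lifetime}
        return salt, seal(key, json.dumps(tgt).encode())


def switch_login(kdc, username, password, now, lifetime=8 * 3600):
    """Steps 1 to 4 from the switch's point of view. Returns (authenticated, reason)."""
    issued = kdc.issue_tgt(username, now, lifetime)        # step 2: ask the KDC for a TGT
    if issued is None:
        return False, "KDC does not know this principal"
    salt, sealed_tgt = issued                              # step 3: encrypted TGT arrives
    key = derive_key(password, salt)                       # key from the password the user typed
    plaintext = unseal(key, sealed_tgt)                    # step 4: try to decrypt it
    if plaintext is None:
        return False, "TGT could not be decrypted with the supplied password"
    tgt = json.loads(plaintext)
    if tgt["client"] != username or tgt["kdc"] != kdc.realm:
        return False, "TGT identity mismatch"
    if now >= tgt["expires"]:
        return False, "TGT has expired"
    return True, f"{username} authenticated to the switch via {kdc.realm}"


if __name__ == "__main__":
    kdc = KDC("EXAMPLE.COM")          # constructed realm
    kdc.enroll("alice", "correct-horse")
    for pw in ("correct-horse", "wrong-password"):
        print(pw, "->", switch_login(kdc, "alice", pw, now=1_700_000_000))
```

The point the model makes explicit is that "decryption succeeded" must mean an integrity check passed, not merely that bytes came out of the cipher, and that the switch still has to compare the identities inside the ticket and the expiry against its own clock before granting access; a wrong password and an expired ticket are rejected by different checks for different reasons.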