jarek wrote:
> Hi all!
>
> I'd like to configure a CISCO Catalyst to use Kerberos against an AD server,
> W2008. I'd like to log in to the cisco using a ticket and telnet.krb5 from
> the krb5-clients package. When I'm trying telnet.krb5 -a -f cisco_ip, I'm
> getting:
>
> [ Kerberos V5 refuses authentication ]
> kerberos_server_auth: Couldn't authenticate client from
> test-nms.test.local.
>
> What can be wrong?
>
> Does someone have a working example of a CISCO config for such a scenario?
>
> J.

Hi Jarek,

A cisco is working here with Kerberos authentication, but the KDC is Heimdal Kerberos. Some suggestions are:

* Timing issues, you have to make sure both the kdc and the cisco are sync'd... (That's very important)
* Try uploading the keytab using only the DES-CBC-CRC enc of the cisco principal...
* Your cisco should have a configuration like:

    aaa new-model
    aaa authentication login default krb5-telnet krb5 local enable
    aaa authorization exec default krb5-instance
    kerberos local-realm YOUR.REALM
    ! (there should be some numbers here as well)
    kerberos srvtab entry host/[email protected]
    kerberos clients mandatory
    kerberos server YOUR.REALM $(IP of your KDC)
    ! this will map kerberos users */admin to the superuser of cisco
    kerberos instance map admin 15
    ! that's optional
    kerberos credentials forward
    ! I strongly suggest this as well, adjusted to your case
    ntp server your.ntp.server
    clock timezone GMT -6
    clock summer-time CDT recurring

--
Nikos
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
