kerberos

Configures Kerberos authentication parameters on a WLAN. Kerberos (designed and developed by MIT) provides strong authentication for client/server applications using secret-key cryptography. Using Kerberos, a client must prove its identity to a server (and vice versa) across an insecure network connection.

Once a client and server use Kerberos to validate their identity, they encrypt all communications to assure privacy and data integrity. Kerberos can only be used on the access point with 802.11b clients. Kerberos uses NTP for synchronizing the clocks of its KDC server(s).

Supported on the following devices:

Syntax

kerberos [password|realm|server]
kerberos password [0 <LINE>|2 <LINE>|<LINE>]
kerberos realm <REALM>
kerberos server [primary|secondary|timeout]
kerberos server [primary|secondary] host <IP/HOSTNAME> {port <1-65535>}
kerberos server timeout <1-60>

Parameters

kerberos password [0 <LINE>|2 <LINE>|<LINE>]
kerberos Configures a WLAN's Kerberos authentication parameters

The parameters are: password, realm, and server.

password Configures a Kerberos KDC server password. The password should not exceed 127 characters. The password options are:
  • 0 <LINE> – Configures a clear text password
  • 2 <LINE> – Configures an encrypted password
  • <LINE> – Specify the password.
kerberos realm <REALM>
kerberos Configures a WLAN's Kerberos authentication parameters

The parameters are: password, realm, and server.

realm <REALM> Configures a Kerberos KDC server realm. The REALM should not exceed 127 characters.
kerberos server [primary|secondary] host <IP/HOSTNAME> {port <1-65535>}

kerberos

Configures a WLAN's Kerberos authentication parameters

The parameters are: password, realm, and server.

server [primary|secondary]

Configures the primary and secondary KDC server parameters

  • primary – Configures the primary KDC server parameters

  • secondary – Configures the secondary KDC server parameters

host <IP/HOSTNAME>

Sets the primary or secondary KDC server address

  • <IP/HOSTNAME> – Specify the IP address or name of the KDC server.

port <1-65535>

Optional. Configures the UDP port used to connect to the KDC server

  • <1-65535> – Specify the port from 1 - 65535. The default is 88.

kerberos server timeout <1-60>
kerberos Configures a WLAN's Kerberos authentication parameters

The parameters are: password, realm, and server.

timeout <1-60> Modifies the Kerberos KDC server‘s timeout parameters
  • <1-60> – Specifies the wait time for a response from the Kerberos KDC server before retrying. Specify a value from 1 - 60 seconds.

Examples

nx9500-6C8809(config-wlan-test)#kerberos server timeout 12
nx9500-6C8809(config-wlan-test)#kerberos server primary host 172.16.10.2 port 88
nx9500-6C8809(config-wlan-test)#show context
wlan test
 description TestWLAN
 ssid test
 bridging-mode local
 encryption-type tkip-ccmp
 authentication-type eap
 kerberos server timeout 12
 kerberos server primary host 172.16.10.2
 accounting syslog host 172.16.10.4 port 2
 data-rates 2.4GHz gn
 client-load-balancing probe-req-intvl 5ghz 5
 client-load-balancing band-discovery-intvl 2
 captive-portal-enforcement fall-back
 ip dhcp trust
 acl exceed-rate wireless-client-denied-traffic 20 disassociate
 enforce-dhcp
 broadcast-dhcp validate-offer
 http-analyze controller
nx9500-6C8809(config-wlan-test)#

Related Commands

no (wlan-config-mode) Removes Kerberos authentication related parameters on the WLAN