Licensing Requirements and Limitations for Kerberos Snooping

This feature involves a Kerberos server and an application server.

Kerberos snooping is a basic feature of a switch and is not under license control.

All models of S2720, S5700, and S6700 series switches support kerberos snooping.

For details about software mappings, visit Hardware Query Tool and search for the desired product model.

Ensure that the pre-connection function has been enabled using the authentication pre-authen-access enable command. Otherwise, Kerberos snooping cannot be implemented.
Kerberos snooping takes effect only for wired IPv4 users.
Kerberos snooping does not apply to the policy association or SVF scenario.
Kerberos snooping cannot be used together with port security.
Kerberos snooping does not support packet forwarding through MPLS or VXLAN tunnels.
Kerberos snooping can be used only on Layer 2 physical interfaces.
Kerberos authentication and have a lower priority than 802.1X, MAC address, and Portal authentication.
The aging time of online Kerberos user entries needs to be set using the authentication timer handshake-period command.