
Configuring Kerberos Snooping

Context

In a Kerberos authentication scenario, you can enable Kerberos snooping on the device to control the network access rights of users. Before a user is authenticated, the device allows only DHCP, DNS, ARP, and Kerberos protocol packets to pass through. Only authenticated users can access network resources.

Ensure that the pre-connection function has been enabled using the authentication pre-authen-access enable command. Otherwise, Kerberos snooping cannot be implemented.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run kerberos-snooping-profile name profile-name

    A Kerberos snooping profile is created and the Kerberos snooping profile view is displayed.

  3. Run server-ip server-ip-address &<1-10>

    The IP address of a Kerberos server is configured. The &<1-10> notation means the server-ip-address parameter can be repeated to specify up to 10 server addresses.

    By default, no Kerberos server IP address is configured on the device.

  4. Run port port-number

    The port number used by a Kerberos server to send packets is configured.

    By default, a Kerberos server uses port 88 to send packets.

  5. Run quit

    Return to the system view.

  6. Run authentication-profile name authentication-profile-name

    An authentication profile is created and the authentication profile view is displayed.

  7. Run kerberos-snooping-profile profile-name

    The Kerberos snooping profile is bound to the authentication profile.

  8. Run quit

    Return to the system view.

  9. Run interface interface-type interface-number

    The interface view is displayed.

  10. Run authentication-profile authentication-profile-name

    The authentication profile is applied to the interface.

    Kerberos snooping can be used only on Layer 2 physical interfaces.
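The following is a complete worked configuration that walks through the steps above in order. It is added here as an illustration and is not taken from the product documentation: the profile names kerb1 and auth1, the server address 10.1.1.10, and the interface GigabitEthernet0/0/1 are constructed values, the pre-connection command is assumed to be entered in the system view, and lines beginning with # are annotations rather than commands.

```text
# Prerequisite from the Context section: enable pre-connection first,
# otherwise the Kerberos snooping binding below has no effect
system-view
authentication pre-authen-access enable

# Steps 2-5: create the Kerberos snooping profile, point it at the KDC
# (constructed address), and set the port. 88 is the default, so the
# port line only makes the value explicit.
kerberos-snooping-profile name kerb1
 server-ip 10.1.1.10
 port 88
 quit

# Steps 6-8: bind the snooping profile to an authentication profile
authentication-profile name auth1
 kerberos-snooping-profile kerb1
 quit

# Steps 9-10: apply the authentication profile to a Layer 2 physical
# interface (constructed interface name; Kerberos snooping is not
# supported on Layer 3 or logical interfaces)
interface GigabitEthernet0/0/1
 authentication-profile auth1
 quit

# Verification: confirm the server address and port in the profile
display kerberos-snooping-profile name kerb1
```

Until the snooping profile, the authentication profile and the interface binding are all in place, clients on that interface can only send DHCP, DNS, ARP and Kerberos traffic, so confirm that the server-ip entries match the KDC that users actually authenticate against.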

Verifying the Configuration

Run the display kerberos-snooping-profile [ name profile-name ] command to check the configuration of the Kerberos snooping profile.

Copyright © Huawei Technologies Co., Ltd.