User authentication can be done locally on the router, by TACACS+, by RADIUS or by Kerberos using the configuration command "aaa authentication login default krb5", supported in IOS >= 11.1.
Authorization cannot be done by Kerberos. Either you have to allow Kerberos-authenticated users everything, or you can use TACACS+ for authorization.
Alternatively you can use an extention to the Cisco PD daemon created by Dan Engholm <mustang@iastate.edu>. It consists of source code changes and allows you to configure the daemon to use kerberos:
user test {
login = kerberos
}