
11. How does TACACS interact with Kerberos?

User authentication can be done locally on the router, by TACACS+, by RADIUS, or by Kerberos. Kerberos is selected with the configuration command "aaa authentication login default krb5", which is supported in IOS >= 11.1.

Authorization cannot be done by Kerberos. Either you have to allow Kerberos-authenticated users everything, or you can use TACACS+ for authorization.
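
The split described above, Kerberos for login authentication and TACACS+ for authorization, could be configured as follows. This is an added example, not part of the original FAQ. The realm name, the server addresses and the key are placeholders, and the authorization line uses the older IOS 11.x syntax (later releases write it with a named list, "aaa authorization exec default group tacacs+").

```text
! Added example: realm, addresses and key below are placeholders.
aaa new-model
!
! Kerberos realm and KDC that verify the user's password at login
kerberos local-realm EXAMPLE.COM
kerberos server EXAMPLE.COM 192.0.2.10
!
! TACACS+ server, consulted here only for authorization
tacacs-server host 192.0.2.20
tacacs-server key <shared-secret>
!
! Authentication: Kerberos (the command quoted in the text above)
aaa authentication login default krb5
!
! Authorization: TACACS+ decides whether the authenticated user
! is allowed to start an EXEC session
aaa authorization exec tacacs+
```

With krb5 as the only login method, nobody can log in while the KDC is unreachable. Appending a fallback method such as "local" to the authentication list avoids that lockout.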

Alternatively, you can use an extension to the Cisco PD daemon created by Dan Engholm <mustang@iastate.edu>. It consists of source code changes and allows you to configure the daemon to use Kerberos:

user test {
  login = kerberos
}

