Configuring Stateful Kerberos Authentication

The Stateful Kerberos Authentication profile requires that you specify a server group, which includes the Kerberos servers and the role assigned to authenticated users. For details on defining a Windows server used for Kerberos authentication, see Configuring a Windows Server.

When the user logs off or shuts down the client machine, the user remains in the authenticated role until the user ages out, meaning there is no user traffic for the amount of time specified in the User idle timeout setting under Configuration > Authentication > Advanced > Authentication Timers.

The following procedure describes how to configure a stateful Kerberos authentication profile:

  1. In the Managed Network node hierarchy, navigate to the Configuration > Authentication page.
  2. Select Stateful Kerberos Authentication from the L3 Authentication tab.
  3. Under Stateful Kerberos Authentication Profile: New Profile, click the Add button to add a new profile entry.

    To modify an existing stateful Kerberos authentication profile, select a profile entry below Stateful Kerberos Authentication in the L3 Authentication list.

  4. Enter a Profile name.
  5. From the Default Role drop-down list, select the role to be assigned to all users after completing stateful Kerberos authentication.
  6. Specify the Timeout period for authentication requests, between 1 and 20 seconds.

    The default value is 10 seconds.

  7. Click Submit.
  8. In the All Profiles list, select the Server Group entry below the stateful Kerberos authentication profile.
  9. Select the group of Windows servers to be used for stateful Kerberos authentication from the Server Group drop-down list.
  10. To enable authentication fail through and load balancing, select the check boxes for Fail Through and Load Balance.
  11. Click Submit.
  12. Select Pending Changes.
  13. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI commands configure stateful Kerberos authentication. The first set of commands defines the server used for Kerberos authentication, the second set adds that server to a server group, and the third set associates that server group with the stateful NT LAN Manager authentication profile and then defines the profile settings.

(host) [md] (config) #aaa authentication-server windows <windows_server_name>
    clone <source>
    domain <domain>
    enable
    host <host>

(host) [md] (config) #aaa server-group <sg_name>
    allow-fail-through
    auth-server <name> [match-authstring {contains <sub_string>|equals <sub_string>|starts-with <sub_string>}][match-fqdn {all|<fqdn>}][position <prio>][trim-fqdn]
    clone <source>
    load-balance
    set {role|vlan} condition <attribute> [contains <operand>|ends-with <operand>|equals <operand>|not-equals <operand>|starts-with <operand>][value-of][set-value <set-value-str>][position <number>]

(host) [md] (config) #aaa authentication stateful-kerberos <profile-name>
    clone <source>
    default-role <default-role>
    server-group <server-group>
    timeout <timeout>
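
A filled-in version of the three command sets above, added here as an illustration and not taken from the product documentation; it lists two servers because fail-through and load balancing only have an effect when the group contains more than one. The server names, addresses, domain, server group name and profile name are constructed placeholders, the authenticated role is assumed to exist on the controller, and lines beginning with ! are annotations rather than commands.

```text
! Constructed values throughout: krb-dc1, krb-dc2, 192.0.2.x, example.com,
! krb-servers and krb-profile are placeholders, not values from the page.

! 1. Define the Windows servers used for Kerberos authentication.
aaa authentication-server windows krb-dc1
    host 192.0.2.10
    domain example.com
    enable
!
aaa authentication-server windows krb-dc2
    host 192.0.2.11
    domain example.com
    enable
!
! 2. Add both servers to one server group, in priority order,
!    with fail-through and load balancing enabled.
aaa server-group krb-servers
    auth-server krb-dc1 position 1
    auth-server krb-dc2 position 2
    allow-fail-through
    load-balance
!
! 3. Bind the server group to the stateful Kerberos profile.
!    The timeout must be between 1 and 20 seconds (default 10).
aaa authentication stateful-kerberos krb-profile
    server-group krb-servers
    default-role authenticated
    timeout 15
```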

The following CLI commands display the servers and profiles configured for stateful Kerberos authentication:

(host) [md] #show aaa authentication-server windows

(host) [md] #show aaa server-group

(host) [md] #show aaa authentication stateful-kerberos