[ Pobierz całość w formacie PDF ]
.1.Use this command to set a subinterface's IP address for all outgoing TACACSpackets.This address is used as long as the interface is in the up state.Inthis way, the TACACS server can use one IP address entry associated with thenetwork access client instead of maintaining a list of all IP addresses.This command is especially useful in cases where the router has manyinterfaces, and you want to ensure that all TACACS packets from a particularrouter have the same IP address.The specified interface must have an IP address associated with it.If thespecified subinterface does not have an IP address or is in a down state,TACACS reverts to the default.To avoid this, add an IP address to thesubinterface or bring the interface to the up state.ExampleThe following example makes TACACS use the IP address of subinterface s2 forall outgoing TACACS (TACACS, extended TACACS, or TACACS+) packets:ip tacacs source-interface s2Related CommandsA dagger (†) indicates that the command is documented outside this chapter.ip radius source-interface †ip telnet source-interface †ip tftp source-interface †[12.4.0] kerberos clients mandatoryUse the kerberos clients mandatory global configuration command to cause thersh, rcp, rlogin, and telnet commands to fail if they cannot negotiate theKerberos protocol with the remote server.Use the no form of this command todisable this option.kerberos clients mandatoryno kerberos clients mandatorySyntax DesctiptionThis command has no arguments or keywords.DefaultDisabledCommand ModeGlobal configurationUser GuidelinesThis command first appeared in Cisco IOS Release 11.2.If this command is not configured and the user has Kerberos credentials storedlocally, the rsh, rcp, rlogin, and telnet commands attempt to negotiate theKerberos protocol with the remote server and will use the un-Kerberizedprotocols if unsuccessful.If this command is not configured and the user has no Kerberos credentials, thestandard protocols for rcp and rsh are used to negotiate the Keberos protocol.ExampleThe following example illustrates the kerberos clients mandatory command:kerberos clients mandatoryRelated CommandsA dagger (†) indicates that this command is documented outside this chapter.copy rcp †kerberos credentials forwardrlogin †rsh †telnet †[12.4.1] kerberos credentials forwardUse the kerberos credentials forward global configuration command to force allnetwork application clients on the router to forward users' Kerberoscredentials upon successful Kerberos authentication.Use the no form of thiscommand to turn off Kerberos credentials forwarding.kerberos credentials forwardno kerberos credentials forwardSyntax DescriptionThis command has no arguments or keywords.DefaultDisabledCommand ModeGlobal configurationUsage GuidelinesThis command first appeared in Cisco IOS Release 11.2.Enable credentials forwarding to have users' TGTs forwarded to the host theyauthenticate to.In this way, users can connect to multiple hosts in theKerberos realm without running the KINIT program each time they need to get aTGT.ExampleThe following example illustrates the kerberos credentials forward command:kerberos credentials forwardRelated CommandsA dagger (†) indicates that the command is documented outside this chapter.copy rcp †rlogin †rsh †telnet †[12.4.2] kerberos instance mapUse the kerberos instance map global configuration command to map Kerberosinstances to Cisco IOS privilege levels.Use the no form of this command toremove a Kerberos instance map.kerberos instance map instance privilege-levelno kerberos instance map instanceSyntax Descriptioninstance Name of a Kerberos instance.privilege-level The privilege level at which a user is set if the user'sKerberos principle contains the matching Kerberos instance.You can specify upto 16 privilege levels, using numbers 0 through 15.Level 1 is normal EXEC-modeuser privileges [ Pobierz caÅ‚ość w formacie PDF ]