Kerberos is another network authentication protocol supported by Cisco IOS. Kerberos was originally developed by MIT and is standardized in RFC 1510. Unlike TACACS+ and RADIUS, Kerberos supports only authentication, not authorization or accounting.
Kerberos authentication works according to a three-headed model, which has proven to be a very secure method of providing authentication services. The model is made up of three main elements: clients, services, and Key Distribution Centers (KDCs). When a Kerberos client attempts to log on, a request is passed to the KDC. The KDC encrypts what is known as a ticket-granting ticket (TGT) and passes it back to the client. The password the user supplied is used to decrypt the ticket, which validates the user. Next, when the user attempts to gain access to a service (which could be telnet on a Cisco router), the client passes its TGT (which shows that the user is authenticated) back to the KDC and asks for a ticket to that service. Once the KDC supplies the ticket, the client can access the service in question. In this way, the KDC acts as a trusted third party, providing authentication services between clients and network services.
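The exchange described above, modelled end to end as an added example (not code from Cisco, MIT or this page). It goes one step further than the summary by following the protocol's actual split: the TGT is sealed under the KDC's own key, and the password-derived key unlocks the session key returned with it. The `seal`/`unseal` toy cipher, the function and principal names, and the omission of timestamps and ticket lifetimes are assumptions made to keep it short.

```python
import hashlib, hmac, json, os

def _mac(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

def _xor(key, nonce, data):
    ks = b"".join(_mac(key, b"ks", nonce + bytes([i])) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):  # toy authenticated encryption, NOT a real Kerberos enctype
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + _mac(key, b"tag", nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(key, b"tag", nonce + ct)):
        raise ValueError("wrong key or tampered message")
    return json.loads(_xor(key, nonce, ct))

def password_key(user, password):
    # Long-term client key: derived from the password, salted with the user name.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), user.encode(), 10_000)

class KDC:
    def __init__(self, passwords, service_keys):
        self.user_keys = {u: password_key(u, p) for u, p in passwords.items()}
        self.service_keys, self.tgs_key = service_keys, os.urandom(32)

    def login(self, user):
        """Step 1: TGT (sealed for the KDC) plus a session key sealed for the user."""
        sk = os.urandom(32).hex()
        return seal(self.user_keys[user], {"sk": sk}), seal(self.tgs_key, {"user": user, "sk": sk})

    def service_ticket(self, tgt, authenticator, service):
        """Step 2: verify the TGT and proof of the session key, then issue a ticket."""
        t = unseal(self.tgs_key, tgt)
        if unseal(bytes.fromhex(t["sk"]), authenticator)["user"] != t["user"]:
            raise ValueError("authenticator does not match TGT")
        return seal(self.service_keys[service], {"user": t["user"], "service": service})

def client_flow(kdc, user, typed_password, service):
    enc_sk, tgt = kdc.login(user)
    sk = bytes.fromhex(unseal(password_key(user, typed_password), enc_sk)["sk"])  # fails on a bad password
    return kdc.service_ticket(tgt, seal(sk, {"user": user}), service)

def service_accepts(service_key, service, ticket):  # Step 3: the service checks the ticket
    t = unseal(service_key, ticket)  # only the KDC and this service hold service_key
    return t["user"] if t["service"] == service else None
```

The password never crosses the network in this model: a wrong password fails locally at the `unseal` step in `client_flow`, and the KDC rejects a TGT presented without an authenticator made with the matching session key.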