Re: ACE module - http connection problems with kerberos authenti
As you know, Kerberos is a computer network authentication protocol that allows individuals communicating over a non-secure network to prove their identity to one another in a secure manner. Although it is a widely used protocol, it has the following drawbacks:
1. Kerberos requires continuous availability of a central server. When the Kerberos server is down, no one can log in. This can be mitigated by using multiple Kerberos servers and fallback authentication mechanisms.
2. Kerberos requires the clocks of the involved hosts to be synchronized. The tickets have a time availability period and if the host clock is not synchronized with the Kerberos server clock, the authentication will fail. The default configuration requires that clock times are no more than 10 minutes apart. In practice Network Time Protocol daemons are usually used to keep the host clocks synchronized.
3. The administration protocol is not standardized and differs between server implementations. Password changes are described in RFC 3244.
4. Since the secret keys for all users are stored on the central server, a compromise of that server will compromise all users' secret keys.
5. A compromised client will compromise the user's password.
Can you please check if the clock time of your ACE module is properly in sync with the Kerberos Authentication Server?
Kerberos requires that the time between the client and server be within about five minutes. Other authentication devices could also fail when the times are off. It also makes troubleshooting more difficult because the log times are off by an hour.
New U.S. Daylight Saving Time rules go into effect in March 2007. Consequently, customers whose network components rely on the default U.S. summertime clock settings within CSS and GSS software will be affected by the following problem.
For operating systems that have not been updated with the new U.S. DST policy changes, timestamps will exhibit a one hour time clock offset lasting three weeks beginning at 2 A.M. on the second Sunday in March of 2007. They will also exhibit a one hour time clock offset lasting one week beginning at 2 A.M. on the first Sunday in November.
For the CSS 11100 series (EOL):
You can use the clock summer-time command to manually set the correct time via the CLI.
Here is an example:
CSS500-1# clock summer-time PST recurring
CSS500-1# show clock
TimeZone: : +00:+00:+00
[PST begins 04/01/2007 02:00:00]
Summer Time: PST
Change: 60 minutes
Added: First Sunday in April 02:00
Removed: Last Sunday in October 02:00
Similarly, you can also set the time on the ACE module.
Use the clear kerberos server command to clear a specified key distribution center (KDC) entry on your switch. Hope it will resolve your problem.
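An added example (not from the original post) that computes the old and new U.S. DST transition dates described above and checks client/KDC clock skew against the five-minute limit; the timestamps passed in are constructed inputs, and the helper names are my own.

```python
# Added example: DST rule windows and Kerberos clock-skew check (not from the post).
import datetime as dt

SUNDAY = 6  # datetime weekday(): Monday=0 .. Sunday=6

def nth_weekday(year, month, weekday, n):
    """n-th (1-based) occurrence of a weekday in a month."""
    first = dt.date(year, month, 1)
    delta = (weekday - first.weekday()) % 7
    return first + dt.timedelta(days=delta + 7 * (n - 1))

def last_weekday(year, month, weekday):
    """Last occurrence of a weekday in a month."""
    next_month = dt.date(year + (1 if month == 12 else 0), month % 12 + 1, 1)
    last = next_month - dt.timedelta(days=1)
    return last - dt.timedelta(days=(last.weekday() - weekday) % 7)

def us_dst_rules(year):
    """(start, end) dates under the old pre-2007 rules and the new 2007 rules.
    All transitions happen at 02:00 local time."""
    old = (nth_weekday(year, 4, SUNDAY, 1), last_weekday(year, 10, SUNDAY))
    new = (nth_weekday(year, 3, SUNDAY, 2), nth_weekday(year, 11, SUNDAY, 1))
    return {"old": old, "new": new}

def offset_windows(year):
    """Date ranges [start, end) in which a host still on the old rules is one
    hour off from a host already on the new rules (March and November)."""
    r = us_dst_rules(year)
    return [(r["new"][0], r["old"][0]), (r["old"][1], r["new"][1])]

MAX_SKEW = dt.timedelta(minutes=5)  # limit quoted in the post for Kerberos

def check_skew(client_iso, kdc_iso, max_skew=MAX_SKEW):
    """Compare two ISO 8601 timestamps with UTC offsets (e.g. the device's
    'show clock' output and the KDC host's clock). Returns (ok, reason)."""
    client = dt.datetime.fromisoformat(client_iso)
    kdc = dt.datetime.fromisoformat(kdc_iso)
    skew = abs(client - kdc)
    if skew <= max_skew:
        return True, "skew %ds within limit" % skew.total_seconds()
    # A skew of almost exactly one hour points at summer-time/DST rule mismatch.
    if abs(skew - dt.timedelta(hours=1)) <= max_skew:
        return False, "skew ~1h: check summer-time/DST rules on the client"
    return False, "skew %ds exceeds limit" % skew.total_seconds()

if __name__ == "__main__":
    for start, end in offset_windows(2007):
        print("one-hour offset from %s to %s" % (start, end))
    print(check_skew("2007-03-15T10:00:00-08:00", "2007-03-15T10:00:00-07:00"))
```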