AP-4131 Access Point Product Reference Guide E-1
Appendix E Installing and Configuring Kerberos Setup Service
The Kerberos Setup Service (KSS) program runs on the Key Distribution
Center (KDC) server. The KSS can optionally be used to administer
Spectrum24 access points authorized on the network. For example, if an AP on
the Access Control List (ACL) is lost or stolen, the KSS marks the AP (using the
MAC address of the AP) as not authorized and notifies the administrator if
the missing AP appears elsewhere on the network attempting authentication.
All clients (MUs), the KDC and services (APs) participating in the Kerberos
authentication system are required to have their internal clocks synchronized
within a specified maximum amount of time (known as clock skew). The KSS
uses Network Time Protocol (NTP) or the system clock on the Kerberos server
to provide clock synchronization (timestamp) between the KDC and APs as
part of the authentication process. Clock synchronization is essential because
an expiration time is associated with each request for resources. If the clock
skew is exceeded between any of the participating hosts, requests are
rejected.
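The clock-skew rule described above, as an added Python example (not part of the original guide or the KSS software): it computes the AP-to-KDC clock offset from an NTP reply and then applies the skew and expiry checks a Kerberos service makes. The 5-minute limit is an assumed value (the example figure in RFC 4120, not a setting from this guide), and the NTP reply is constructed sample data.

```python
import struct
from datetime import datetime, timedelta, timezone

NTP_UNIX_DELTA = 2208988800       # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
MAX_SKEW = timedelta(minutes=5)   # assumption: RFC 4120 example value, not from this guide

def ntp_to_unix(raw):
    """8-byte NTP timestamp (32-bit seconds + 32-bit fraction) -> Unix seconds."""
    sec, frac = struct.unpack("!II", raw)
    return sec - NTP_UNIX_DELTA + frac / 2**32

def unix_to_ntp(t):
    sec = int(t)
    return struct.pack("!II", sec + NTP_UNIX_DELTA, int((t - sec) * 2**32))

def clock_offset(reply, t_recv):
    """Server-minus-local clock offset in seconds from a 48-byte NTP reply.
    Bytes 24-31 originate (t0), 32-39 receive (t1), 40-47 transmit (t2)."""
    if len(reply) < 48:
        raise ValueError("truncated NTP packet")
    t0, t1, t2 = (ntp_to_unix(reply[i:i + 8]) for i in (24, 32, 40))
    return ((t1 - t0) + (t2 - t_recv)) / 2

def check_request(client_time, ticket_end, server_now, max_skew=MAX_SKEW):
    """Decide as a Kerberos service would: reject on skew first, then on expiry."""
    if abs(client_time - server_now) > max_skew:
        return "reject: clock skew too great"
    if server_now - ticket_end > max_skew:
        return "reject: ticket expired"
    return "accept"

def constructed_reply(local_send, server_ahead, delay=0.01):
    """Constructed sample: reply from a server whose clock is server_ahead seconds ahead."""
    t1 = local_send + server_ahead + delay          # server receive
    t2 = t1 + 0.001                                 # server transmit
    header = bytes([0x24, 1, 6, 0xEC]) + bytes(20)  # LI=0 VN=4 mode=4 (server), stratum 1
    packet = header + unix_to_ntp(local_send) + unix_to_ntp(t1) + unix_to_ntp(t2)
    return packet, t2 - server_ahead + delay        # packet, local receive time

if __name__ == "__main__":
    now = datetime(2001, 6, 1, 12, 0, tzinfo=timezone.utc)
    reply, t_recv = constructed_reply(now.timestamp(), server_ahead=400.0)
    offset = clock_offset(reply, t_recv)
    print(f"AP clock is {offset:.1f}s behind the KDC")
    kdc_time = now + timedelta(seconds=offset)      # KDC's view; AP still believes 'now'
    print(check_request(now, kdc_time + timedelta(hours=8), kdc_time))
```

With the constructed 400-second offset the request is rejected for skew even though the ticket itself has hours of lifetime left, which is why an AP that fails authentication should have its clock checked before its credentials.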
Additionally, the KSS provides a list of authorized APs and other security setup
information that the KDC uses to authenticate clients. When setting up the
KSS, assign APs an ESSID to authenticate with the KDC. In Open Enrollment
mode, the KSS dynamically creates an AP Setup Account for the AP and
creates a Kerberos account with the KDC. The KSS continues to do this until
the administrator disables Open Enrollment.
For additional information on KSS and KDC functionality, refer to the sections
of this document.
E.1 Creating a Windows 2000 Environment for the KSS
The KSS runs only on a Windows 2000 server with Active Directory enabled
and Java Runtime Environment version 1.3 (or higher) running.