Authentication is at the core of most security implementations. In this video, you’ll learn about local authentication, multi-factor authentication, RADIUS, TACACS, LDAP, Kerberos, and more.
If you have a wireless router at home, you’ve probably connected to that router to make configuration changes. And when you first connect to that device, it asks for a username and a password. That username and password are often stored on the device itself. We refer to that as local authentication because the credentials you’re using are stored on that local device. If you need to add another user, you log back into the device, add that user’s credentials, and store them on that local machine. If you change your password, you have to change it on this local device.
This can be a very manual process if you have to change your password across many different systems using local authentication. If you have 10 different switches, then you’ll need to log in to all 10 of those devices and make the password change on all 10 of those switches. In a large corporate environment, we would usually have these devices refer to a separate authentication server that runs on a different device. That way, all of these devices can use a centralized set of usernames and passwords.
But if you lose connectivity to that authentication server, or the authentication server itself were to fail, it might be useful to have a single set of username and password credentials set up as local authentication on this device. We often think of this authentication process as using our username and our password, but we might want to add additional authentication factors as well. There might be something you are, something you have, something you know, somewhere you are, and something you do. Adding these additional authentication factors may have a cost associated with them.
For example, the authentication factor something you have might involve carrying some type of hardware token along with you. Or if you’re using something you are as the authentication factor, that may involve biometrics, which requires an expensive reader for your fingerprint or hand print. In some cases, these authentication factors can be very inexpensive. For example, instead of carrying a separate hardware token, your something you have can be a software token that runs on your existing smartphone.
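One inexpensive form of the software token mentioned above is a time-based one-time password (RFC 6238, built on the HOTP algorithm of RFC 4226). The following is an added Python example, not code from this video, that shows the token side and the server-side check with a clock-drift window and replay protection; the secret and timestamps used in the comments are the RFCs' published reference values.

```python
import base64, hmac, hashlib, struct, time

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the number of 30-second steps since the epoch.
    With the RFC reference secret b"12345678901234567890", at=59 gives 287082 (8-digit: 94287082)."""
    return hotp(secret, at // step, digits)

def provision_secret(base32_secret: str) -> bytes:
    """Authenticator apps receive the shared secret as base32 (typically via a QR code)."""
    padded = base32_secret.upper() + "=" * (-len(base32_secret) % 8)
    return base64.b32decode(padded)

def verify_totp(secret: bytes, code: str, at: int, used_steps: set,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check: tolerate +/-window steps of clock drift, compare in constant time,
    and never accept a code for a time step that has already been consumed (replay)."""
    for delta in range(-window, window + 1):
        counter = at // step + delta
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            if counter in used_steps:
                return False
            used_steps.add(counter)
            return True
    return False

def current_code(secret: bytes) -> str:
    """What the phone displays right now."""
    return totp(secret, int(time.time()))
```

The replay set must be persisted per user on the server; a code accepted once in a given 30-second step is refused if presented again inside the drift window.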
There are many different authentication services that you might have running on a centralized authentication server. One common type of authentication is RADIUS, which stands for Remote Authentication Dial-In User Service. And although it does have dial-in in the name, these days we’re commonly using RADIUS over our Ethernet networks. This provides a centralized database of usernames and passwords. And you can use that to authenticate to your routers and switches, to authenticate as you’re logging into a server, or, if people are connecting over a VPN and need to authenticate to the VPN concentrator, you might have their credentials checked against a back-end RADIUS server.
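As an added Python example that is not code from this video, here is how a device builds the RADIUS Access-Request described above and how the shared secret is used both to hide the User-Password attribute and to let the device verify the server's reply (RFC 2865). The shared secret and Request Authenticator are constructed values; a real NAS must generate the Request Authenticator as 16 fresh random bytes for every request.

```python
import hashlib, hmac, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18   # attribute types from RFC 2865

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: regenerate the same keystream; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

def attribute(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value   # TLV; length includes the header

def header(code: int, ident: int, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs))   # 20 = 4-byte header + authenticator

def build_access_request(ident, user, password, secret, request_auth) -> bytes:
    # request_auth: 16 fresh random bytes chosen by the NAS for this request (constructed in tests)
    attrs = attribute(USER_NAME, user) + attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
    return header(ACCESS_REQUEST, ident, attrs) + request_auth + attrs

def build_reply(code, ident, attrs, request_auth, secret) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret):
    the only integrity protection a plain RADIUS reply has, and it rests on the shared secret."""
    resp_auth = hashlib.md5(header(code, ident, attrs) + request_auth + attrs + secret).digest()
    return header(code, ident, attrs) + resp_auth + attrs

def verify_reply(packet, ident, request_auth, secret) -> bool:
    """NAS side: recompute the Response Authenticator before trusting an Accept or Reject."""
    if len(packet) < 20 or packet[1] != ident:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])
```

Because both protections are MD5 keyed only by the shared secret, a weak or widely shared secret undermines them; this is why RADIUS traffic is normally confined to a management network or carried inside IPsec or TLS (RadSec).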
RADIUS is one of the most popular types of authentication primarily because it’s used by so many devices, and there are so many different RADIUS servers that you can use across many different operating systems. Another common remote authentication protocol is TACACS. This stands for Terminal Access Controller Access-Control System. This goes back to the ARPANET days to provide authentication. But these days, it’s common to see TACACS being used as an authentication protocol on our local networks. Today, we use TACACS+, although we sometimes simply refer to it as TACACS.
This was released as an open standard in 1993. And you often see TACACS being used as an authentication method for network devices. Another common authentication protocol you might see used is LDAP, or the Lightweight Directory Access Protocol. LDAP can certainly be used as a way to authenticate a username and password. But LDAP databases can contain extensive information about the devices and users on your network. LDAP uses a standard from the International Telecommunication Union, or ITU, called X.500. This X.500 standard was originally used with the Directory Access Protocol that ran on the old OSI protocol stack.
But this type of directory access was updated to a lightweight version called LDAP, which still uses X.500. And you’ll commonly see LDAP used with directory systems such as Windows Active Directory or Apple’s Open Directory. A more advanced type of authentication protocol is Kerberos. Kerberos is a network authentication protocol where you authenticate one time, and once you’ve authenticated, you’re trusted by the entire system. This means you don’t have to re-authenticate each time you connect to another file system or another printer.
Kerberos also supports mutual authentication, which means both the client and the server are able to authenticate with each other, preventing on-path attacks and replay attacks. This is a standard that was originally created at MIT in the 1980s. But we’ve updated it through the years. And Microsoft began integrating it into Windows, starting with Windows 2000. This is also a type of authentication you’ll find on many other types of operating systems. And it’s not something that’s just exclusive to Windows. Kerberos is able to provide that single sign-on functionality by using cryptographic tickets.
This means that you can log in with your username, password, and any other credentials, and that authentication is remembered by the system whenever you try to connect to other resources that are available. This back-end ticketing process is what allows you to log in with one set of credentials but have access to many different resources on the same network. Kerberos is a relatively complex process that involves a number of different devices and a lot of cryptography.
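The ticket, mutual-authentication and replay-prevention ideas described above, as an added Python sketch that is not code from the video or from any Kerberos implementation: it collapses the TGT/TGS round trip into a single KDC exchange and replaces the real AES enctypes with a stdlib stand-in (seal/unseal). The principal names, keys, five-minute clock skew and eight-hour ticket lifetime are all assumed example values.

```python
import hmac, hashlib, json, os, time

def seal(key: bytes, obj: dict) -> bytes:
    """Toy AEAD (SHA-256 keystream XOR + HMAC-SHA256 tag) standing in for Kerberos' AES enctypes."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(pt) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

# Constructed long-term keys held by the KDC; the user's key is derived from the password.
KEYS = {"alice": hashlib.sha256(b"alice-password").digest(), "cifs/fileserver": os.urandom(32)}
SKEW = 300             # assumed clock-drift tolerance between client and service (seconds)
REPLAY_CACHE = set()   # (client, timestamp) pairs the service has already accepted

def kdc_issue(client: str, service: str, lifetime: int = 8 * 3600) -> bytes:
    """KDC: session key plus a ticket only the service can open, returned under the client's key."""
    skey = os.urandom(32)
    ticket = seal(KEYS[service], {"client": client, "skey": skey.hex(),
                                  "expires": time.time() + lifetime})
    return seal(KEYS[client], {"skey": skey.hex(), "ticket": ticket.hex()})

def ap_exchange(service: str, ticket: bytes, authenticator: bytes) -> bytes:
    """Service: verify ticket, authenticator freshness and replay cache; reply proves it holds skey."""
    t = unseal(KEYS[service], ticket)
    if t["expires"] < time.time():
        raise ValueError("ticket expired")
    skey = bytes.fromhex(t["skey"])
    a = unseal(skey, authenticator)  # only the genuine client holds skey
    if a["client"] != t["client"] or abs(a["ts"] - time.time()) > SKEW:
        raise ValueError("authenticator does not match ticket or is stale")
    if (a["client"], a["ts"]) in REPLAY_CACHE:
        raise ValueError("replayed authenticator")
    REPLAY_CACHE.add((a["client"], a["ts"]))
    return seal(skey, {"ts": a["ts"]})

def client_access(user: str, password: bytes, service: str) -> bool:
    creds = unseal(hashlib.sha256(password).digest(), kdc_issue(user, service))  # the one login
    skey, ticket = bytes.fromhex(creds["skey"]), bytes.fromhex(creds["ticket"])
    auth = {"client": user, "ts": time.time()}
    reply = ap_exchange(service, ticket, seal(skey, auth))
    return unseal(skey, reply)["ts"] == auth["ts"]  # service proved it knows the session key
```

The password is used only to open the KDC's reply; every later service access presents the ticket and a fresh timestamped authenticator, and the service's reply under the session key is what gives the client mutual authentication.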
But it does provide some additional functions that you won’t find in other authentication systems. And of course, Kerberos is not the only single sign-on function out there. You can implement single sign-on using smart cards, SAML, and other third-party cloud-based services as well. So with all of these different back-end authentication systems, do you use RADIUS, TACACS, LDAP, Kerberos, or something else? Usually, it’s based on what you’re implementing and what happens to be available in that particular service. For example, you might be installing a VPN concentrator.
And inside that VPN concentrator, it can use a RADIUS server as an authentication method. And in your network, you may already have a RADIUS server installed. So those two would be a perfect match, and we’ll implement RADIUS as our back-end authentication protocol. Or you might be installing a Cisco switch or a Cisco router, and those primarily support TACACS as an authentication method. Or you might have a Microsoft network, which uses Kerberos by default, and you may be able to integrate into that Kerberos network using LDAP.
And since we’re talking about authentication methods, it would be worthwhile to mention 802.1X again in this video. 802.1X is port-based Network Access Control, or what we commonly refer to as NAC. This means you can plug your Ethernet cable into a network or connect to a wireless network, but you’re not able to send or receive any traffic on that network until you authenticate. We commonly see 802.1X using EAP, or the Extensible Authentication Protocol. This often uses an authentication database to validate your credentials.
So you would use EAP to provide your authentication details for 802.1X, and those credentials would be checked against RADIUS, LDAP, TACACS+, or some other type of authentication service. EAP is not specific to 802.1X. You may see the Extensible Authentication Protocol being used for other services as well. There are many different ways to implement EAP, and you may find that certain systems use different flavors of the Extensible Authentication Protocol. 802.1X relies on EAP to provide this authentication functionality, and it’s a core foundation of Network Access Control.