The login process is often centralized to a specific authentication server. In this video, you’ll learn about RADIUS, TACACS+, Kerberos, and multi-factor authentication.
Let’s look at a common scenario that goes on many, many times a day across all of our networks. We need to log in to a device: an access point, a VPN concentrator, a firewall, or some other device that’s connected to our network. We’ll send a request to that device with our username and password. But this device doesn’t have a list of everyone’s username and password on it.
There’s a centralized database that has all of that information and it’s contained on an authentication server. So in order to check that we have the right username and password, that device will send a message to the authentication server with our login credentials. Those credentials will be checked on the server. And if our credentials do match what’s on the authentication server, a message is sent back saying that those credentials are approved and that person can access this device.
Now that our credentials have been approved, we have permission to now communicate with those other devices on the network. The key to this process is the communication that occurs to the authentication server. And in this video, we’ll look at a number of different ways that this conversation can take place. One of these protocols that’s used to communicate to an authentication server is called RADIUS.
RADIUS is an abbreviation for Remote Authentication Dial-In User Service. And although the name of the protocol references dial-in, it’s used on almost any type of network connection. You’ll sometimes hear the authentication server referred to as a AAA server; that stands for authentication, authorization, and accounting. So whenever we refer to a protocol that communicates with the authentication server, we are referring to a AAA protocol.
Without having some type of centralized authentication on the network, you would have to manage authentication on all of these separate devices. So you would have to manage authentication on your VPN server, a file server, a web server, and so on. Instead, you can have one central authentication source, such as a RADIUS server, and send all of your authentication requests to that server for approval.
If it’s not obvious from having the word dial-in in the name, RADIUS has been around for a very long time. And because of that, it has a great deal of support in the industry. There are many devices and many operating systems that support RADIUS communication. And you’ll find that many of the VPN servers and other devices that you’re connecting to on your network do have an option to provide authentication via RADIUS.
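As an added illustration of the exchange described above (this is example code written for this page, not Professor Messer’s material and not any vendor’s RADIUS implementation), the following Python models the two halves of a RADIUS login: the network device (the NAS) builds an Access-Request whose User-Password attribute is hidden with the shared secret as RFC 2865 specifies, and the authentication server checks the credentials against its central store and answers with an Access-Accept or Access-Reject carrying a Response Authenticator. The shared secret, the credential store and the username/password are constructed sample values.

```python
import hashlib
import secrets
import struct

# Constructed sample values for this walk-through (not from any real deployment).
SHARED_SECRET = b"example-shared-secret"                   # configured on both the NAS and the server
CREDENTIAL_DB = {"alice": b"correct horse battery staple"}  # the server's central credential store

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; then a 16-byte Authenticator


def _attr(attr_type, value):
    # RADIUS attribute TLV: Type(1) Length(1, counts the 2-byte header) Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _password_xor(data, secret, request_auth, revealing):
    # RFC 2865 section 5.2: work in 16-byte blocks. Each block is XORed with
    # MD5(secret || previous ciphertext block); the first "previous block" is the Request Authenticator.
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(chunk, mask))
        out += result
        prev = chunk if revealing else result   # chain on the ciphertext in both directions
    return out


def hide_password(password, secret, request_auth):
    # Pad with NULs to a multiple of 16 (at least one block), then mask block by block.
    padded = password.ljust(((len(password) + 15) // 16) * 16 or 16, b"\x00")
    return _password_xor(padded, secret, request_auth, revealing=False)


def reveal_password(hidden, secret, request_auth):
    return _password_xor(hidden, secret, request_auth, revealing=True).rstrip(b"\x00")


def parse_packet(pkt):
    code, ident, length = HEADER.unpack_from(pkt)
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        if pkt[pos + 1] < 2:
            raise ValueError("malformed attribute")   # a zero-length TLV would loop forever
        attrs[pkt[pos]] = pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs


def nas_build_access_request(username, password, ident):
    # The Request Authenticator must be unpredictable: it keys the password hiding above.
    request_auth = secrets.token_bytes(16)
    attrs = _attr(ATTR_USER_NAME, username.encode()) + _attr(
        ATTR_USER_PASSWORD, hide_password(password.encode(), SHARED_SECRET, request_auth))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs, request_auth


def server_handle(request):
    code, ident, request_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST or ATTR_USER_PASSWORD not in attrs:
        raise ValueError("not a usable Access-Request")
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs[ATTR_USER_PASSWORD], SHARED_SECRET, request_auth)
    stored = CREDENTIAL_DB.get(username, b"")
    ok = username in CREDENTIAL_DB and secrets.compare_digest(password, stored)
    header = HEADER.pack(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret):
    # it ties this answer to the request and to a server that knows the shared secret.
    return header + hashlib.md5(header + request_auth + SHARED_SECRET).digest()


def nas_verify_response(response, request_auth, ident):
    code, resp_ident, resp_auth, _ = parse_packet(response)
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + SHARED_SECRET).digest()
    return resp_ident == ident and secrets.compare_digest(expected, resp_auth)


def authenticate(username, password, ident=7):
    """Run the full NAS <-> server round trip and classify the outcome."""
    request, request_auth = nas_build_access_request(username, password, ident)
    response = server_handle(request)
    if not nas_verify_response(response, request_auth, ident):
        return "unverified"   # forged, corrupted or mismatched reply: never treat as an accept
    return "accept" if response[0] == ACCESS_ACCEPT else "reject"
```

The two checks a practitioner cares about are visible at the end: the NAS only trusts an Access-Accept whose Response Authenticator was computed with the shared secret over this exact request, and the server compares the revealed password in constant time against its own store, which is the "centralized database" the transcript describes.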
But of course, RADIUS is not the only way to provide authentication to a AAA server. One very common protocol is TACACS, which stands for Terminal Access Controller Access Control System. Although TACACS and TACACS+ are commonly associated with Cisco devices, this was released as an open standard in 1993. Even so, whenever you hear TACACS or TACACS+, it’s very common for that to be associated with a Cisco device.
If you log into a Windows domain, then you’re using an authentication method called Kerberos. This is an authentication method that supports single sign on. So you would log in in the morning with your username and password, and throughout the day as you’re accessing other resources, you’re not forced to log in with your credentials every time you connect to a new device. This is also a standard that’s been around for a long time. It was developed in the 1980s at MIT.
But where it really became popular in the enterprise is with the introduction of Kerberos in Windows 2000. Now when you log into a Windows domain, the authentication method that’s occurring behind the scenes is using Kerberos. The single sign on functionality of Kerberos is enabled through the use of cryptographic tickets. When a user is initially logging in to the domain, they’re provided with a ticket that they can then show to all of the devices that they would like to use.
And because that ticket was signed by the central authentication server, you can show it to any of the devices on your network and they’ll trust that you’ve been properly authenticated. This means when you first log in the morning, your system behind the scenes receives that ticket. And when you access other devices throughout the day, that ticket is shown to the devices and you don’t have to put in a separate username and password every time you want to access a network share or a network printer.
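To make the ticket trust model concrete, here is an added, deliberately simplified Python model of the idea in the two paragraphs above; it is example code written for this page, not Kerberos itself and not Microsoft’s or MIT’s implementation. Real Kerberos encrypts tickets with the service’s long-term key and carries a session key; this model only authenticates the ticket with an HMAC under a key shared between the central server (the KDC) and each service, which is enough to show why a service can accept the ticket without calling back to the server, and why a client cannot alter it. The service names and keys are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed keys: each service principal shares a long-term key with the KDC.
# The client never holds these keys, so it can present a ticket but not mint or edit one.
SERVICE_KEYS = {
    "cifs/fileserver": secrets.token_bytes(32),
    "host/printer": secrets.token_bytes(32),
}
TICKET_LIFETIME = 8 * 3600   # seconds; a typical "log in once in the morning" window


def kdc_issue_ticket(client, service, now):
    # The central server binds the client identity, the target service and a validity
    # window together, then authenticates the whole thing with that service's key.
    key = SERVICE_KEYS[service]          # KeyError for an unknown service principal
    body = {"client": client, "service": service,
            "issued": now, "expires": now + TICKET_LIFETIME}
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def service_accept(service, ticket, now):
    """Return the authenticated client name, or None if the ticket must be refused."""
    key = SERVICE_KEYS[service]
    expected = hmac.new(key, ticket["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        return None   # forged, altered, or issued for a service with a different key
    body = json.loads(ticket["payload"])
    if body["service"] != service:
        return None   # never honour a ticket meant for another service
    if not (body["issued"] <= now < body["expires"]):
        return None   # outside its validity window
    return body["client"]


def morning_login_then_work(client, now):
    """One login at the KDC, then two services consulted without re-entering a password."""
    share = service_accept("cifs/fileserver", kdc_issue_ticket(client, "cifs/fileserver", now), now + 60)
    printer = service_accept("host/printer", kdc_issue_ticket(client, "host/printer", now), now + 3600)
    return share, printer
```

The three refusals in `service_accept` are the defensive checks that matter: a bad tag (the ticket was not issued by the holder of this service’s key), a ticket addressed to a different service, and a ticket outside its lifetime.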
This method of single sign on is obviously specific to Kerberos. But there are many other ways to provide single sign on either through devices or services that are local on your network, or cloud based single sign on services. So if you have the choice of RADIUS, TACACS+, and Kerberos, which one of those authentication methods should you use?
Often it tends to be a case of whatever happens to be available on your current network. If you have a VPN concentrator that talks to RADIUS and you have already set up a RADIUS server, then you’ll probably use RADIUS for that communication. But if you have many Cisco devices that commonly use TACACS+, then you probably have a TACACS+ AAA server on your network.
And of course, if you’re using Microsoft Windows, then you’re obviously using Kerberos to access your Active Directory domain. When you provide this authentication, you are commonly asked for a username and password. But the authentication process may want you to add additional information, and we refer to that as multi-factor authentication, sometimes abbreviated as MFA, or 2FA for two-factor authentication.
You can think of your memorization of a password as something you know. So if you’d like to have an additional factor during the authentication process, you would need to include something you are, something you have, somewhere you are, or something you do. There are many different ways to implement these different factors of authentication. You might carry around a smart card that you have to plug into a smart card reader, or you may have to provide some type of fingerprint or handprint for biometrics.
The implementation of multi-factor authentication could be relatively expensive. You might have to have a separate card reader or a fingerprint reader at every place where you would need to authenticate to the network. Or the implementation may be relatively inexpensive, because it might just be an app that you add to your mobile phone, and that’s what provides the pseudo-random token that you would use along with your username and password.
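The pseudo-random token from a phone app is, in the common case, a time-based one-time password (TOTP, RFC 6238) built on HOTP (RFC 4226). The Python below is an added example written for this page, not the transcript’s own material and not any particular authenticator app; it generates the code the way an app does and verifies it the way a server should, including the two details a server must get right: tolerating a little clock drift, and refusing a code that has already been used. The secret is the published RFC test-vector key, used here only so the results can be checked; a real enrolment would hand the phone a fresh random secret.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226 / RFC 6238 test-vector key, ASCII "12345678901234567890".
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    # RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, then mod 10^digits.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=STEP_SECONDS, digits=DIGITS):
    # RFC 6238: the HOTP counter is the number of whole time steps since the Unix epoch.
    # This is what the phone app computes from its own clock; it needs no network.
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check: accept a code near the current step, but never the same step twice."""

    def __init__(self, secret, window=1):
        self.secret = secret
        self.window = window          # steps of drift tolerated on either side
        self.last_counter = -1        # highest step already consumed by a successful login

    def verify(self, submitted, unix_time):
        current = unix_time // STEP_SECONDS
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue              # replayed or older code: reject even if it matches
            # Constant-time comparison so a wrong guess leaks nothing about the right digits.
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.last_counter = counter
                return True
        return False
```

Replay tracking is the part most often forgotten: without `last_counter`, a code observed over the shoulder or from a phishing page remains valid for the rest of its window, which defeats the point of a second factor.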