Identity and Access Services – CompTIA Security+ SY0-501 – 4.2

The authentication process can many different protocols to verify a person’s identity. In this video, you’ll learn about RADIUS, TACACS, LDAP, and more.

<< Previous Video: AAA and Authentication Next: PAP, CHAP, and MS-CHAP >>

When we want to gain access to some type of network resource, then we need to provide the credentials. Those credentials are going to be checked first by a AAA server before we’re able to gain access to that resource. Let’s take the example of someone who is authenticating through a VPN concentrator. We are out here on the client side. We make a request to the VPN concentrator to gain access. We send our username and password and any other type of authentication credentials, and those credentials are checked against a AAA server. The AAA server will confirm that the username, the password, and any other authentication factor is valid. It will approve those credentials and then send our request to whatever services may be on the inside of the network. There are many different protocols that can be used in this authentication process to the AAA server and in this video, we’ll learn about a number of those protocols.

One of the most common authentication protocols you’ll find is RADIUS. RADIUS stands for Remote Authentication Dial-in User Service. And although it has the term dial-in in the name, this is something that can be used on anyone’s network. Not just on dial-in networks. Using RADIUS services, we can centralize the authentication for many different kinds of systems. If we have users that are logging in to routers, or switches, or firewalls, or authenticating to VPN connections, or logging into the network using 802.1X, all of these different kinds of services could be centralized with a single authentication to a RADIUS server. It also helps that these RADIUS services are available on a number of different operating systems, so no matter what type of systems you have in your organization, there’s probably a RADIUS service that can run in your OS.

Another type of authentication service that’s very similar to RADIUS is TACACS. TACACS stands for Terminal Access Controller Access-Control System. This is another type of remote authentication protocol, and it also has been around for a very long time. It was used to control access to the dial-up lines that connected people to ARPANET. Cisco needed to extend the capabilities of TACACS, so they created their own version of TACACS called Extended TACACS. It’s a proprietary version that was used to authenticate to Cisco devices. In 1993, Cisco made an open standard of TACACS called TACACS+, although you still find that TACACS+ is used exclusively with Cisco Systems, there are capabilities to connect into this Cisco infrastructure using this open standard that’s now available. Sometimes you need more than a simple username and password authentication.

If you need to build a large directory of services, you may want to use LDAP, which stands for Lightweight Directory Access Protocol. This is very similar to a phone directory, where you can have a large number of services, and you can sort and organize those services into a structured database. You’ll often see the LDAP standard referred to as an X.500 standard. That was the specification written by the ITU. This original version was the Directory Access Protocol, ran on the OSI protocol stack. And when people wanted to use it on TCP/IP, they created a lightweight version and called it LDAP. These days app is a very common directory standard, and you’ll see it used in Microsoft Windows, Apple Open Directory, Open LDAP, and other directory services. An LDAP database contains information that’s stored as different fields. You can see the attributes like CN refers to common name and O stands for organization. And we usually use this attribute with an equal sign, and then the value that’s associated with that attribute.

For example, in this particular attribute, there is a common name called Widget Web, an organizational unit within Widget Web called marketing, within marketing there is an organization called Widget that has a locality in London. And so on. This makes it very easy to build a tree of information based on where a particular object happens to be in that directory. This hierarchical structure can contain the country name, organizational units, or you can customize it to be as extensive or as basic as you need. We usually refer to the country organization and organizational units as the container objects, and within those container objects are the actual leaf objects like users, printers, computers, and files.

If you’re authenticating exclusively to a Windows operating system, you may see a rather old authentication method called Microsoft NTLM. This is a Windows only method of challenge and response to be able to authenticate into a Windows domain. This name NTLM comes from the NT operating system combined with the LAN manager operating system to create this authentication method. The most common NTLM authentication, you’ll see these days is NT LAN Manager v2 or NTLM version two. It uses a hash challenge for this password authentication, but it’s using a relatively insecure method using MD4 as the hash type. There is an HMAC-MD5 hash of the username and server name, and then there’s a variable length challenge that uses a time stamp, some random data, and the name of the Windows domain. Even though the NTLM hash has been found to be relatively insecure, there are a number of Windows systems that still store the NTLM hash to provide backwards compatibility. Unfortunately, these credentials are susceptible to a forwarding attack, and so it’s not recommended that people continue to use an NTLM hash on their network. These days, Kerberos is the standard method of authenticating in Windows, and it removes all of these vulnerabilities that can commonly be found with an NTLM hash.

Kerberos is the modern Windows authentication method. It is a single sign on where we authenticate one time and we are then trusted by every other device in the system. There’s no need to constantly re-authenticate to gain access to other resources. Kerberos also includes mutual authentication between the client and the server, which means it’s protected against man in the middle attacks or replay attacks. Kerberos has been around since the 1980s and it’s a very trusted method of authentication. Microsoft integrated Kerberos into the Windows 2000 operating system, and it’s now compatible with practically any Windows system that’s available today. Kerberos makes use of extensive cryptography to provide this type of protection. A ticket granting ticket is provided from the client to a ticket granted service that then provides the service ticket. And that service ticket is then used to authenticate with all of the other services on the network. That means that the user doesn’t have to constantly put in a username and password. It simply shows the service ticket behind the scenes, and seamlessly, the user gains access to these resources. Obviously, this Kerberos authentication only works with devices that understand Kerberos. So if you need to authenticate to another type of system, you would use RADIUS, TACACS, LDAP, or some other type of authentication method.