Identity and Access Services – SY0-601 CompTIA Security+ : 3.8

As a security professional, you’ll need to use different authentication methods in different situations. In this video, you’ll learn about authentication using RADIUS, TACACS, Kerberos, and 802.1X.


One of the more common authentication, authorization, and accounting protocols is the RADIUS protocol. RADIUS is the Remote Authentication Dial-in User Service. And although it has dial-in in the name, it’s also very common to use RADIUS on a local area network or wide area network as well.

This is a very common way to centralize authentication for your users. So if someone is logging in to the network, they’re logging into a VPN concentrator, or they’re trying to authenticate to a switch or router, they could use RADIUS to be able to authenticate the username and password.

This is a very common authentication type to use. There are RADIUS services available for practically any operating system, and that’s why you’ll probably find RADIUS running somewhere in most enterprise networks.

As an alternative to RADIUS, you might use TACACS. TACACS is the Terminal Access Controller Access-Control System. It is a remote authentication protocol. And again, this was a type of authentication that was originally built when we were using dial-up lines.

Cisco found that this was a very useful authentication method, and updated it into a new version called Extended TACACS, which provided additional support for accounting and auditing.

When you see TACACS in an environment today, it’s probably using the latest version of TACACS, which is TACACS+. This was an open standard that was released in 1993. And although TACACS+ is not a Cisco-specific protocol any longer, it’s still very common to see Cisco devices using TACACS+ for authentication.

A more complex, but more robust, authentication method would be Kerberos. This is a type of authentication system that is able to use single sign-on, which means we can authenticate one time, and after that point, we are trusted by the system.

This means we can access different file shares during the day, we can print to different printers during the day, or access other resources on the network, and we don’t have to keep putting in our username and password. Kerberos remembers that we authenticated properly at the beginning, and is able to authenticate us throughout the day automatically.

Unlike RADIUS or TACACS, Kerberos also provides mutual authentication, which means you’re not only authenticating to the server, the server is also authenticating to you, so that both sides know exactly who they’re talking to.

With this mutual authentication, we can avoid any type of replay attack, or any type of on-path or man-in-the-middle attack.

Kerberos has been around for a very long time. It was created in the 1980s by MIT. And you’ll find that Kerberos has been integrated into Windows since the year 2000. This is based on an open standard of Kerberos, called Kerberos 5.0, and it works not only with Microsoft Windows, but any other operating system that is written to this open standard.

You often see Kerberos described as a ticketing system. That’s because the cryptography that is used is referenced as a cryptographic ticket.

When you authenticate to a ticket-granting service, which would be your centralized authentication server, that ticket-granting service gives you a service ticket. And then, instead of having to put in a username and password every time you access a different resource, you simply have to show the service ticket. That device recognizes that you were properly authenticated by the ticket-granting service, and then provides you access to those services, without going through the process of re-entering a username and password.

This saves you a lot of time during the day because you don’t have to keep putting in a username and password every time you access yet another resource. But it only works if those devices are compatible with Kerberos. Not everything is compatible with Kerberos, so you may find that some of the devices you’re authenticating to cannot use this Kerberos functionality.
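The ticket check described above can be sketched as follows. This is an added example, not code from the original page, and it is a simplified model: an HMAC tag stands in for the encryption real Kerberos uses, and session keys, authenticators and the initial ticket-granting ticket are left out. The service names, keys and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed long-term keys that the ticket-granting service shares with each service.
SERVICE_KEYS = {
    "fileserver": b"constructed-fileserver-key",
    "printer": b"constructed-printer-key",
}


def issue_service_ticket(user, service, now, lifetime=600):
    """Ticket-granting side: seal user, service and expiry under the service's key."""
    body = json.dumps({"user": user, "service": service, "expires": now + lifetime}).encode()
    tag = hmac.new(SERVICE_KEYS[service], body, hashlib.sha256).digest()
    return base64.b64encode(body).decode() + "." + base64.b64encode(tag).decode()


def accept_ticket(ticket, service, service_key, now):
    """Service side: return the user name for a valid ticket, otherwise None."""
    try:
        body_b64, tag_b64 = ticket.split(".")
        body = base64.b64decode(body_b64, validate=True)
        tag = base64.b64decode(tag_b64, validate=True)
    except ValueError:
        return None  # malformed ticket
    expected = hmac.new(service_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # not sealed with this service's key, or altered in transit
    claims = json.loads(body)
    if claims["service"] != service or now >= claims["expires"]:
        return None  # issued for another service, or past its lifetime
    return claims["user"]


if __name__ == "__main__":
    ticket = issue_service_ticket("alice", "fileserver", now=1000)
    print(accept_ticket(ticket, "fileserver", SERVICE_KEYS["fileserver"], now=1100))
    print(accept_ticket(ticket, "printer", SERVICE_KEYS["printer"], now=1100))
    print(accept_ticket(ticket, "fileserver", SERVICE_KEYS["fileserver"], now=2000))
```

The service never sees the user’s password; it trusts the ticket only because it carries a seal made with a key known to the ticket-granting service and that one service.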

There are other methods that can provide single sign-on, such as SAML, or smart cards, or even cloud-based single sign-on services, but Kerberos is certainly one of the most popular you might find.

It sounds like we have three different ways to authenticate that are very similar to each other, with only minor differences in functionality. So you may wonder, which one of these should you be using?

Should you be using RADIUS, TACACS+, or Kerberos? The answer usually depends on what you’re connecting to, and what is supported by that device that you’re connecting to.

For example, you may have a VPN concentrator that only knows how to authenticate to a RADIUS server. So you might use RADIUS for that particular service. You might have other network administrators that are authenticating to a Cisco switch or a Cisco router, and perhaps they’d like to have their own authentication methods that are outside the scope of what you would use elsewhere on the network. So they may set up a TACACS+ server just for their Cisco authentication.

And if you’re on a Microsoft network, then by default, you’re using Kerberos. And you may find that, throughout the day, you may be using all of these different methods, depending on exactly what service you happen to be using.

Another type of access control is Network Access Control. This means you can prevent people from accessing the network until they’ve gone through this specific authentication method. This is called 802.1X, sometimes referred to as port-based Network Access Control, or very simply, NAC.

It’s common to see 802.1X used with wireless network authentication, but 802.1X can also be used for wired authentication as well. We often integrate 802.1X with EAP. This is the Extensible Authentication Protocol, which is a framework that can be used for many different types of authentication protocols.

And on the back end, we probably have a RADIUS server, an LDAP server, a TACACS+ server, a Kerberos server, or any other type of authentication service.

When the user first tries to connect to the network, 802.1X will stop that connection and ask for credentials. The user provides a username, password, and any other authentication credentials, which are then checked against these databases on the back end to make sure that the user has the proper access. If all of that authenticates properly, the user can then access the network.