2.2 - Authentication Methods Flashcards
1
Q
RADIUS (Remote Authentication Dial-in User Service)
A
- One of the more common AAA protocols
– Supported on a wide variety of platforms and devices
– Not just for dial-in
- Centralize authentication for users
– Routers, switches, firewalls
– Server authentication
– Remote VPN access
– 802.1X network access
- RADIUS services available on almost any server operating system
2
Q
TACACS
A
- Terminal Access Controller Access-Control System
– Remote authentication protocol
– Created to control access to dial-up lines to ARPANET
- TACACS+
– The latest version of TACACS
– More authentication requests and response codes
– Released as an open standard in 1993
3
Q
Kerberos
A
- Network authentication protocol
– Authenticate once, trusted by the system
– No need to re-authenticate to everything
– Mutual authentication - the client and the server
– Protect against on-path or replay attacks
- Standard since the 1980s
– Developed by the Massachusetts Institute of Technology (MIT)
- Microsoft started using Kerberos in Windows 2000
– Based on Kerberos 5.0 open standard
– Compatible with other operating systems and devices
4
Q
SSO with Kerberos
A
- Authenticate one time
– Lots of backend ticketing
– Cryptographic tickets
- No constant username and password input!
– Save time
- Only works with Kerberos
– Not everything is Kerberos-friendly
- There are many other SSO methods
– Smart-cards, SAML, etc.
Which method to use?
- Many different ways to communicate with an authentication server
– More than a simple login process
- Often determined by what is at hand
– VPN concentrator can talk to a RADIUS server
– We have a RADIUS server
- TACACS+
– Probably a Cisco device
- Kerberos
– Probably a Microsoft network
5
Q
Multi-factor authentication
A
- More than one factor
– Something you are
– Something you have
– Something you know
– Somewhere you are
– Something you do
- Can be expensive
– Separate hardware tokens
– Specialized scanning equipment
- Can be inexpensive
– Free smartphone applications