4.2 Given a scenario, install and configure identity and access services. Flashcards

1
Q

LDAP

A

The Lightweight Directory Access Protocol is an Internet protocol designed for access to a directory service over TCP port 389 and allows LDAP-enabled applications to authenticate to a directory and then retrieve information about objects stored in the directory.

2
Q

Kerberos

A

Kerberos is a popular mutual authentication protocol and is used by default with Microsoft Active Directory environments. Active Directory adheres to the Lightweight Directory Access Protocol (LDAP) standard, which is the Internet protocol for accessing and querying a directory.

Kerberos uses a key distribution center (KDC) server that is responsible for issuing tickets. A client needs these tickets in order to request a service from any other server within the KDC's domain of trust, which is known as a realm.

The Kerberos process starts when the client logs on to the network. The KDC has a component known as the Authentication Server (AS), which issues the client a ticket-granting ticket (TGT); the TGT gives the client permission to request service tickets.

The service ticket is required to request service from a server on the network. When the client wants to connect to a specific server on the network, it must request a ticket from the ticket-granting service (TGS), which is another component of the KDC. The TGS grants the ticket to the client so the client can access the required server on the network.

3
Q

TACACS+

A

The Terminal Access Controller Access Control System+ (TACACS+) protocol is the AAA protocol used by Cisco networks and supersedes the original TACACS and XTACACS protocols. TACACS+ uses TCP for communication and uses the same topology as RADIUS, in the sense that the client tries to connect to the network and the NAS (which is the TACACS+ client) sends the authentication request to the TACACS+ server.

4
Q

CHAP

A

With the Challenge Handshake Authentication Protocol, the server sends a challenge to the client that is then used in the authentication process.
The following steps are performed by CHAP:

  1. The server sends the client a challenge (a random value that acts as a key).
  2. The client combines the challenge with the password. Both the user's password and the challenge are run through the MD5 hashing algorithm, which generates a hash value. The hash value is sent to the server for authentication.
  3. The server uses the same challenge to create a hash value with the password stored on the server and then compares the resulting value with the hash value sent by the client. If the two hash values are the same, the client has supplied the correct password. The benefit is that the user's credentials have not been passed across the network at all.

5
Q

PAP

A

Password Authentication Protocol sends the user's credentials in plain text and is very insecure, because anyone who can capture the logon traffic can read the credentials directly.

6
Q

MSCHAP

A

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
MS-CHAP is a variation of CHAP that uses MD4 as the hashing algorithm, versus the MD5 used by CHAP. MS-CHAP is also used together with the Microsoft Point-to-Point Encryption (MPPE) protocol to encrypt all traffic from the client to the server.

MS-CHAPv2
With MS-CHAP version 2, the authentication method has been extended to authenticate both the client and the server (mutual authentication). MS-CHAPv2 also uses stronger encryption keys than CHAP and MS-CHAP.

7
Q

RADIUS

A

Remote Authentication Dial-In User Service (RADIUS) is a central authentication service that has been popular for many years. As its name suggests, it was originally used with dial-in services.

The client computer that needs access to the network connects to the network by dialing into a Remote Access Server (RAS server) or making a connection to a VPN server from across the Internet.

The RAS or VPN server, in this case, is known as the RADIUS client because it sends the authentication request to the RADIUS server that is running in the background. This RADIUS server verifies the credentials and sends back a reply as to whether the network client is to be granted or denied access.

RADIUS is an AAA protocol that uses UDP as the transport layer protocol and uses the following UDP ports:
+ UDP port 1812 for authentication and authorization services
+ UDP port 1813 for accounting services

Remember that 802.1X is a common authentication protocol that controls who gains access to a wired or wireless network by requiring the client to authenticate against a central authentication database such as a RADIUS server. You can use 802.1X to control access to wireless networks and switches that support 802.1X authentication. This is a method of implementing network access control (NAC), where you are controlling who can connect to the network.

8
Q

SAML

A

Security Assertion Markup Language is an XML standard that is designed to allow systems to exchange authentication and authorization information. This is often used with identity federation and claims-based authentication.

9
Q

OpenID Connect

A

OpenID Connect is the authentication protocol that works on top of the OAuth authorization protocol. OpenID Connect allows applications to verify the identity of the end user and retrieve information about the authentication session.

For more info:
https://openid.net/connect/faq/

10
Q

OAuth

A

OAuth is an industry-standard protocol for authorizing applications to access user information without exposing sensitive information such as a password.

11
Q

Shibboleth

A

Shibboleth is a software implementation that uses SAML tokens and federation services for SSO (single sign-on) applications.

Shibboleth is a single sign-on log-in system for computer networks and the Internet. It allows people to sign in using just one identity to various systems run by federations of different organizations or institutions. The federations are often universities or public service organizations.

More info:
https://en.wikipedia.org/wiki/Shibboleth_(Shibboleth_Consortium)

12
Q

Secure Token

A

A secure token is a hardware token that a user uses to gain access to network resources. The secure token could come in the form of a smartcard or key fob.

13
Q

NTLM

A

NT LAN Manager is a security protocol found on older Microsoft networks that provides authentication services to the network. NTLM has been replaced by Kerberos.
