Authentication & Authorization

Question 1

RADIUS

Answer 1

Used for AUTHENTICATION & AUTHORIZATION purposes. Does NOT provide further access control. Uses UDP.

Question 2

RADIUS Federation

Answer 2

Allows authentication to be SHARED without having to re-authenticate.

Question 3

TACACS+

Answer 3

More reliable than RADIUS and uses TCP.

Question 4

PAP

Answer 4

Username and password are sent in plaintext. NO PROTECTION. BAD.

Question 5

CHAP

Answer 5

Better than PAP. Uses a one-way hashing function.

Question 6

MSCHAP

Answer 6

Microsoft CHAP.

Question 7

PAP, CHAP, and MSCHAP are old unsecure protocols.

Answer 7

Instead use MSCHAP with PEAP or L2TP/IPsec.

Question 8

802.1X (not to be confused with 802.11)

Answer 8

Provides standards for port-based access control. Facilitates the use of EAP, RADIUS, digital certificates, etc.

Question 9

SAML

Answer 9

An XML framework used for single sign-on AUTHENTICATION.

Question 10

OAuth

Answer 10

Provides API authorization between applications.
IMPORTANT: Doesn’t provide authentication, only authorization.

Question 11

OpenID Connect

Answer 11

Used for consumer single sign-on for AUTHENTICATION.

Question 12

Shibboleth

Answer 12

SAML-based federated identity solution that provides SSO capabilities. Just another SSO option.

Question 13

Kerberos

Answer 13

Symmetric key authentication protocol. Uses TICKETS. If you see questions with tickets or ticket granting tickets, it’s talking about Kerberos.

Question 14

Mandatory access control (MAC)

Answer 14

Often used in the government. Think SENSITIVE, SECRET, and PUBLIC, or Classified, Secret, and Top Secret.

Question 15

Discretionary access control (DAC)

Answer 15

Allows individual resources to be made available or secured. Think of your privacy settings on YOUR social media accounts. You control what people see, at your DISCRETION.

Question 16

Role-based access control (RBAC)

Answer 16

Access rights are assigned to roles. Example: A server at a restaurant doesn’t need access to security cameras, but security guards would have that access.

Question 17

Rule-based access control (also known as RBAC 🙃)

Answer 17

Controls are based on certain criteria like time of day, GPS, etc. Example: Users should only be logging in from the United States. That’s a rule.

Question 18

Attribute-based access control (ABAC)

Answer 18

Access control based on characteristics/attributes. Examples: I’m allowing access to this file if you’re a cashier. I’m allowing you to DELETE something. (Actions can be attributes). ABAC is complicated.

Question 19

Privileged access management (PAM)

Answer 19

Just think “least privilege”. PAM limits access to only those with the privilege to see/do something. Helps avoid elevated privilege incidents.