Authorization, Authentication, and Accounting Flashcards

1
Q

AAA framework

A
  • Identification - This is who you claim to be
    • Usually your username
  • Authentication
    • Prove you are who you say you are
    • Password and other authentication factors
  • Authorization
    • Based on your identification and authentication, what access do you have?
  • Accounting
    • Resources used: login time, data sent and received, logout time

2
Q

RADIUS (Remote Authentication Dial-in User Service)

A

  • One of the more common AAA protocols
  • Supported on a wide variety of platforms and devices
  • Not just for dial-in
  • Centralize authentication for users
    • Routers, switches, firewalls
    • Server authentication
    • Remote VPN access
    • 802.1X network access
  • RADIUS services available on almost any server operating system

3
Q

TACACS

A

  • Terminal Access Controller Access-Control System
  • Remote authentication protocol
  • Created to control access to dial-up lines to ARPANET
  • XTACACS (Extended TACACS)
    • A Cisco-created (proprietary) version of TACACS
    • Additional support for accounting and auditing
  • TACACS+
    • The latest version of TACACS, not backwards compatible
    • More authentication requests and response codes
    • Released as an open standard in 1993

4
Q

Kerberos

A
  • Network authentication protocol
    • Authenticate once, trusted by the system
    • No need to re-authenticate to everything
  • Mutual authentication - the client and the server
    • Protects against man-in-the-middle or replay attacks
  • Standard since the 1980s
    • Developed by the Massachusetts Institute of Technology (MIT)
    • RFC 4120
  • Microsoft started using Kerberos in Windows 2000
    • Based on the Kerberos 5.0 open standard
    • Compatible with other operating systems and devices

5
Q

SSO with Kerberos

A
  • Authenticate one time
    • Lots of backend ticketing, using cryptographic tickets
  • No constant username and password input! - Saves time
  • Only works with Kerberos
    • Not everything is Kerberos-friendly

6
Q

LDAP (Lightweight Directory Access Protocol)

A

  • Protocol for reading and writing directories over an IP network
    • An organized set of records, like a phone directory
  • X.500 specification was written by the International Telecommunication Union (ITU)
    • They know directories!
  • DAP ran on the OSI protocol stack
    • LDAP is lightweight, and uses TCP/IP (tcp/389 and udp/389)
  • LDAP is the protocol used to query and update an X.500 directory
    • Used in Windows Active Directory, Apple OpenDirectory, OpenLDAP, etc.
  • Hierarchical structure - builds a tree
    • Container objects - country, organization, organizational units
    • Leaf objects - users, computers, printers, files

7
Q

Local authentication

A
  • Credentials are stored on the local device
    • Does not use a centralized database
  • Most devices include an initial local account
    • Good devices will force a password change
  • Difficult to scale local accounts
    • No centralized administration
    • Must be added or changed on all devices
  • Sometimes useful as a backup
    • The AAA server might not be available
8
Q

Certificate-based authentication

A

  • Smart card - private key is on the card
    • PIV (Personal Identity Verification) card
      • US Federal Government smart card
      • Picture and identification information
    • CAC (Common Access Card)
      • US Department of Defense smart card
      • Picture and identification
  • IEEE 802.1X
    • Gain access to the network using a certificate
    • Certificate held in on-device storage or on a separate physical device
9
Q

Auditing

A
  • Log all access details
    • Automate the log parsing
    • OS logins, VPN, device access
  • Usage auditing
    • How are your resources used?
    • Are your systems and applications secure?
  • Time-of-day restrictions
    • Nobody needs to access the lab at 3 AM