Chapter 4 Authentication, Authorization, Accounting (AAA) and Identity Management Definitions

Question 1

AAA

Answer 1

Authentication, Authorization, and Accounting

Question 2

Identification

Answer 2

Identification is the process of providing the identity of a subject or user. This is the first step in the authentication, authorization, and accounting process.

Question 3

one-time passcode (OTP)

Answer 3

A one-time passcode (OTP) is a set of characteristics that can be used to prove a subject’s identity one time and one time only. Because the OTP is valid for only one access, if it’s captured, additional access would be automatically denied.

Question 4

Out-of-band authentication

Answer 4

Out-of-band authentication requires communication over a channel that is distinct from the first factor.

Question 5

Multifactor authentication

Answer 5

Multifactor authentication is when two or more factors are presented. Multilayer authentication is when two or more of the same type of factors are presented. Data classification, regulatory requirements, the impact of unauthorized access, and the likelihood of a threat being exercised should all be considered when you’re deciding on the level of authentication required.

Question 6

Multilayer authentication

Answer 6

Multilayer authentication is when two or more of the same type of factors are presented.

Question 7

SAML

Answer 7

Security Assertion Markup Language (SAML) SAML is an open standard for exchanging authentication and authorization data between identity providers. SAML is used in many single sign-on (SSO) implementations.

Question 8

Zero trust

Answer 8

This concept assumes that no system or user will be “trusted” when requesting access to the corporate network, systems, and applications hosted on the premises or in the cloud. You must first verify their trustworthiness before granting access.

Question 9

BeyondCorp

Answer 9

Google’s implementation of zero trust. This model shifts access control from the network perimeter firewalls and other security devices to individual devices and users.

Question 10

Federated Identity Management

Answer 10

A collection of shared protocols that allows user identities to be managed across organizations.

Question 11

Forest

Answer 11

A collection of domains managed by a centralized system.

Question 12

Kerberos:

Answer 12

Kerberos: A ticket-based protocol for authentication built on symmetric-key cryptography.

Question 13

Multitenancy

Answer 13

A term in computing architecture referring to the serving of many users (tenants) from a single instance of an application. Software as a Service (SaaS) offerings are examples of multitenancy. They exist as a single instance but have dedicated shares served to many companies and teams.

Question 14

OAuth

Answer 14

An open standard for authorization used by many APIs and modern applications. You can access OAuth and OAuth 2.x specifications and documentation at https://oauth.net/2.

Question 15

OpenID (or OpenID Connect)

Answer 15

Another open standard for authentication. OpenID Connect allows third-party services to authenticate users without clients needing to collect, store, and subsequently become liable for a user’s login information. Detailed information about OpenID can be accessed at

Question 16

Passwordless

Answer 16

A type of authentication based on tokens. Passwordless authentication challenges are typically received and sent through SMS, email (magic links), or biometric sensors.

Question 17

Social identity provider (social IdP)

Answer 17

A type of identity provider originating in social services like Google, Facebook, Twitter, and so on.

Question 18

Web identity

Answer 18

The identifying data is typically obtained from an HTTP request (often these are retrieved from an authenticated email address).

Question 19

Windows identity

Answer 19

This is how Active Directory in Microsoft Windows environments organizes user information.

Question 20

WS-Federation

Answer 20

A common infrastructure (federated standard) for identity, used by web services and browsers on Windows Identity Foundation. Windows Identity Foundation is a framework created by Microsoft for building identity-aware applications. You can obtain detailed information about Windows Identity Foundation and WS-Federation at https://docs.microsoft.com/en-us/dotnet/framework/security/.

Question 21

Authorization

Answer 21

Authorization is the process of assigning authenticated subjects permission to carry out a specific operation. The authorization model defines how access rights and permission are granted. The three primary authorization models are object capability, security labels, and ACLs.

Question 22

Implicit deny

Answer 22

If no rule is specified for the transaction of the subject/object, the authorization policy should deny the transaction.

Question 23

Need to know:

Answer 23

A subject should be granted access to an object only if the access is needed to carry out the job of the subject.

Question 24

Mandatory access controls (MACs)

Answer 24

Mandatory access controls (MACs) are defined by policy and cannot be modified by the information owner. MACs are primarily used in secure military and government systems that require a high degree of confidentiality.

Question 25

Discretionary access controls (DACs)

Answer 25

Discretionary access controls (DACs) are defined by the owner of the object. DACs are used in commercial operating systems.

Question 26

Role-based access controls (RBACs, also called “nondiscretionary controls”)

Answer 26

Role-based access controls (RBACs, also called “nondiscretionary controls”) are access permissions based on a specific role or function. Administrators grant access rights and permissions to roles.

Question 27

Accounting

Answer 27

Accounting is the process of auditing and monitoring what a user does once a specific resource is accessed.

Question 28

Access control list (ACL)

Answer 28

This is the simplest way to implement a DAC-based system. ACLs can apply to different objects (like files) or they can also be configured statements (policies) in network infrastructure devices (routers, firewalls, etc.).

Question 29

Capability table

Answer 29

This is a collection of objects that a subject can access, together with the granted permissions.

Question 30

Access control matrix (ACM)

Answer 30

This is an access control mechanism that is usually associated with a DAC-based system. An ACM includes three elements: the subject, the object, and the set of permissions.

Question 31

RADIUS

Answer 31

RADIUS operates in most cases over UDP protocol port 1812 for authentication and authorization, and port 1813 for accounting, which are the officially assigned ports for this service. In earlier implementations, RADIUS operated over UDP port 1645 for authentication and authorization, and port 1646 for accounting.

The authentication and authorization phase consist of two messages:

The access server sends an ACCESS-REQUEST to the RADIUS server that includes the user identity, the password, and other information about the requestor of the access (for example, the IP address).

The RADIUS server may reply with three different messages:

ACCESS-ACCEPT if the user is authenticated. This message will also include in the Attribute field authorization information and specific vendor information used by the access server to provide services.

ACCESS-REJECT if access for the user is rejected.

ACCESS-CHALLENGE if additional information is needed. RADIUS server needs to send an additional challenge to the access server before authenticating the user. The ACCESS-CHALLENGE will be followed by a new ACCESS-REQUEST message.

Answer 32

Terminal Access Controller Access Control System Plus (TACACS+) is a proprietary protocol developed by Cisco. It also uses a client-server model, where the TACACS+ client is the access server and the TACACS+ server is the machine providing TACACS+ services (that is, authentication, authorization, and accounting). Uses Port tcp/49

The TACACS+ exchange requires several packets:

START, REPLY, and CONTINUE packets are used during the authentication process.

REQUEST and RESPONSE packets are used during the authorization and accounting process.

Question 33

Diameter

Answer 33

RADIUS and TACACS+ were created with the aim of providing AAA services to network access via dial-up protocols or terminal access. Due to their success and flexibility, they have been used in several other scopes. To respond to newer access requirements and protocols, the IETF has proposed a new protocol called Diameter, which is described in RFC 6733.

Diameter has been built with the following functionality in mind:

Failover: Diameter implements application-level acknowledgment and failover algorithms.

Transmission-level security: Diameter protects the exchange of messages by using TLS or DTLS.

Reliable transport: Diameter uses TCP or SCTP as the transport protocol.

Agent support: Diameter specifies the roles of different agents such as proxy, relay, redirect, and translation agents.

Server-initiated messages: Diameter makes mandatory the implementation of server-initiated messages. This enables capabilities such as on-demand re-authentication and re-authorization.

**Transition support: **Diameter allows compatibility with systems using RADIUS.

Capability negotiation: Diameter includes capability negotiations such as error handling as well as mandatory and nonmandatory attribute/value pairs (AVP).

**Peer discovery: ** Diameter enables dynamic peer discovery via DNS.

Question 34

802.1X

Answer 34

802.1X is an IEEE standard that is used to implement port-based access control. In simple terms, an 802.1X access device will allow traffic on the port only after the device has been authenticated and authorized.

Question 35

Authentication server

Answer 35

An entity that provides an authentication service to an authenticator. The authentication server determines whether the supplicant is authorized to access the service.

Question 36

Supplicant

Answer 36

An entity that seeks to be authenticated by an authenticator. For example, this could be a client laptop connected to a switch port. An example of a supplicant software is the Cisco AnyConnect Secure Mobility Client.

Question 37

Authenticator

Answer 37

An entity that facilitates authentication of other entities attached to the same LAN. This is sometimes referred to as the policy enforcement point (PeP). Cisco switches, wireless routers, and access points are examples of authenticators.

Question 38

EAP over LAN (EAPoL)

Answer 38

An encapsulation defined in 802.1X that’s used to encapsulate EAP packets to be transmitted from the supplicant to the authenticator.

Question 39

Extensible Authentication Protocol (EAP)

Answer 39

An authentication protocol used between the supplicant and the authentication server to transmit authentication information.

Question 40

VLAN ACLs

Answer 40

VLAN ACLs, also called VLAN maps, are not specifically Layer 2 ACLs; however, they are used to limit the traffic within a specific VLAN. A VLAN map can apply a MAC access list, a Layer 3 ACL, and a Layer 4 ACL to the inbound direction of a VLAN to provide access control.

Question 41

SGACL

Answer 41

A security group–based ACL (SGACL) is an ACL that implements access control based on the security group assigned to a user (for example, based on his role within the organization) and the destination resources. SGACLs are implemented as part of Cisco TrustSec policy enforcement.

Question 42

dACL

Answer 42

A downloadable ACL (dACL), also called a per-user ACL, is an ACL that can be applied dynamically to a port. The term downloadable stems from the fact that these ACLs are pushed from the authenticator server (for example, from a Cisco ISE) during the authorization phase.

Question 43

pxGrid

Answer 43

Cisco pxGrid provides a cross-platform integration capability among security monitoring applications, threat detection systems, asset management platforms, network policy systems, and practically any other IT operations platform. Cisco ISE supports Cisco pxGrid to provide a unified ecosystem to integrate multivendor tools to exchange information either unidirectionally or bidirectionally.

Question 44

MAB

Answer 44

MAC Authentication Bypass (MAB): You already learned that MAB relies on a MAC address for authentication. A MAC address is a globally unique identifier that is assigned to all network-attached devices. Consequently it can be used in authentication.

Question 45

TrustSec Security Group Tags

Answer 45

TrustSec Security Group Tags: Cisco TrustSec is a solution for identity and policy enforcement. ISE can use security group tags (SGTs) for authentication and authorization. SGTs are values that are inserted into the client’s data frames by a network device (for example, a switch, firewall, or wireless AP).

Question 46

Posture assessment

Answer 46

Posture assessment includes a set of rules in a security policy that define a series of checks before an endpoint is granted access to the network. Posture assessment checks include the installation of operating system patches, host-based firewalls, antivirus and anti-malware software, disk encryption, and more