Chapter 4.2 Flashcards
Distinguished name
A distinguished name in an X.500 directory, or a similar directory, identifies a resource by attribute=value pairs separated by commas. The attributes are listed in order from the most specific to the broadest term.
schema
A schema is the organizational plan the directory follows. Attributes within the directory are defined by the overall schema. For example, an X.500 directory may contain attribute=value pairs such as Common Name (CN)=Samuel and Organizational Unit (OU)=Sales.
RADIUS
The RADIUS client password can be set up and reset any time an administrator accesses the Network Policy Server manager tool. It is typically established when the RADIUS client is configured.
X.500 distinguished naming convention standard
This order is correct: Common Name (CN), Organizational Unit (OU), Organization (O), Country (C), Domain Component (DC). In the X.500 naming convention, the most specific attribute goes first, and definitions become broader further down the list.
LAN Manager
Local Area Network Manager (LM) is more vulnerable to password cracking attempts. If the compatibility feature is not disabled, the client sends both LM and New Technology LAN Manager (NTLM) responses that can be captured by a network sniffer.
PAP
Password Authentication Protocol (PAP) is a weak, obsolete protocol. It was designed for use with dial-up connections and transfers password information in cleartext rather than over a secure connection.
CHAP
Challenge Handshake Authentication Protocol (CHAP) is stronger than Password Authentication Protocol (PAP), as CHAP was designed for authenticating remotely linked users. CHAP relies on a three-way handshake method of challenge, response, and verification to authenticate users. In CHAP, the handshake is repeated with different challenge messages throughout the session, which updates the session timestamp and guards against replay attacks. Unless otherwise specified, CHAP typically provides only one-way authentication. CHAP can provide two-way authentication when two Cisco routers are used to authenticate to one another.
Kerberos
Kerberos is a strong authentication protocol, which utilizes service tickets, symmetric encryption, and mutual authentication. It is much stronger than Password Authentication Protocol (PAP). Kerberos provides mutual authentication for domain networks. Kerberos uses the concept of single sign-on to aid accessibility to domain resources once a user is authenticated. The server and client authenticate to each other with Kerberos through shared knowledge of a secret key.
NTLM
NT LAN Manager (NTLM) authentication is not the strongest protocol available, but it is a challenge/response protocol that requires the password to be encrypted rather than sent in plaintext, so it is stronger than Password Authentication Protocol (PAP). NTLM is currently the only choice for non-domain networks (workgroups), and NTLMv2 should be used exclusively, disabling backward compatibility with LM because of LM’s vulnerability to password cracking attacks, which NTLMv2 compensates for. NTLM provides only client authentication, not mutual authentication.
TACACS+ vs RADIUS
TACACS+ is preferable for device administration. RADIUS gives remote users network access when the remote user connects to a RADIUS client, such as an access point, switch, or remote access server. TACACS+ is better than RADIUS for device management, as it can separate the Authentication, Authorization, and Accounting (AAA) functions for greater flexibility, whereas RADIUS cannot separate authentication and authorization.
MS-CHAPv2
Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) supports mutual authentication, whereas CHAP, the unenhanced version, does not support mutual authentication unless between two Cisco routers.
In the Kerberos authentication system, the ticket granting ticket (TGT) is a logical token. What information does this ticket convey?
The authentication service grants the TGT and the TGS session key. The TGT contains only the user’s authentication information: name, IP, and timestamp.
What makes the basic version of Lightweight Directory Access Protocol (LDAP) protocol vulnerable to Denial of Service (DoS) attacks?
The basic implementation of LDAP does not require client authentication, making it possible to overload the server with a DoS attack.
Shibboleth
Shibboleth is open source. It consists of an identity provider and a service provider, and one of Shibboleth’s main components, the Embedded Discovery Service, allows the user to choose a preferred identity provider. It supports authentication from several different directory and authentication systems.
SAML
Security Association Markup Language (SAML) is not an identity provider; it is an open standard that allows identity providers (IdP) to pass authorization to service providers (SP). SAML can be implemented on mobile devices.