RAS Authentication Methods (PAP, TACACS+, etc) Flashcards
In which ways do clients enter a RAS server?
Through dial-up or a VPN
What is PAP?
Password Authentication Protocol, an authentication method used with Point-to-Point Protocol (PPP)
Why is PAP rarely used?
It uses PPP to send passwords or PINs over a network in cleartext.
What is CHAP?
Challenge Handshake Authentication Protocol, an authentication method that authenticates remote users and uses PPP, but does not send passwords over a network in plaintext.
How is a shared secret used in CHAP?
The handshake process in CHAP includes a shared secret (known by the user and server; not a password but similar), combined with a nonce (a number used only once) provided by the server and then hashed by the client.
This hashed secret is sent to the server. This process (a handshake) happens at the initial connection by the client, and also multiple times during the connection.
What are Microsoft’s versions of CHAP?
MS-CHAP and MS-CHAPv2
What improvement does MS-CHAPv2 have over MS-CHAP?
Mutual authentication. Provides assurance that the client is not sending info to a rogue server.
In RADIUS’ authentication process, what is encrypted?
In RADIUS, only the password is encrypted. TACACS+ encrypts the whole authentication process.
What is RADIUS?
A centralized authentication service that centralizes the user database so that all authentication requests are handled by a central RADIUS server.
Which authentication service is an extension of RADIUS?
Diameter
Why do many organizations prefer Diameter over RADIUS?
It adds extra capabilities including support for EAP for added security.
What is XTACACS?
An older Cisco proprietary authentication protocol, rarely used today.
What is TACACS+?
Terminal Access Controller Access-Control System Plus
A Cisco alternative to RADIUS that can be used for remote access and for authentication with routers and other network devices.
Encrypts the entire authentication process, and uses multiple challenges and responses between the server and client.
TACACS+ can interact with what authentication service?
Kerberos, allowing a Cisco RAS (or VPN concentrator) to interact in a Microsoft AD environment.