Installing and Configuring Identity and Access Services

Installing and Configuring Identity and Access Services

RADIUS (Remote Authentication and Dial-in User Service)

- Authentication (MFA)
- Authorization (length of time allowed, ACLs, etc.)
- Accounting (Start/stop time)
UDP Connectionless (Ports 1645/1646, 1812/1813)
Designed for subscriber AAA

TACACS/+ (Terminal Access Controller Access-Control System)


Dev in 1984 for MILNET.
Replaced by XTACACS (Extended TACACS). Adds AAA. Not backwards compatible.
TACACS+:
Most common implementation. Runs on TCP 49. Encrypts entire communication.
Separates Auth and Authorization top more granular control
Not backwards compatible
Designed for Admin AAA

KERBEROS

Network Authentication Service
Dev. by MIT
Used for mutual Auth between client/server

Key Terms
- Key Distribution Server (KDC)
Authentication Service (AS)
Ticket Granting Service (TGS)
Ticket Granting Ticket (TGT)
Principal
Authenticator

LDAP (Lightweight Directory Access Protocol)

X.500 Directory Protocol
Utilizes TCP/IP
TCP/UDP ports 389

Used to query Information about the directory

Substructure
Common Name
Organizational Unit
Domain Component

SECURE LDAP

TCP Port 636
Mitigates vuln of sending LDAP queries in clear text

SAML (Security Association Markup Language)

Authenticating through a third party to gain access (Twitter, Facebook, openID, etc.)
Resource being accessed isn't responsible for authentication

PAP (Password Authentication Protocol)

Username and password is sent in plain text and no longer used.

CHAP (Challenge Handshake ASuthentication Protocol)

Used to authenticate PPP clients to a server
One way hash based on shared secret (i.e. user's password)
No plaintext sent

MS-CHAP (MicroSoft Version of CHAP)

2 versions v1, v2. V2 more secure but still weak. Uses 56 bit DES

oAUTH (Open Authorization)

OpenID

Tokens

Authentication Mechanism that can identify and authenticate
Tells servers what access rights a user possesses

NTLM/v2

Lan Manager: Dev by MS for their early network OS
NTLM: Used as authentication protocol in early MS OS versions
NTLMv2: Introduced with Windows NT4
Kerberos: Replaced NTLMv2, but NTLM still used in certain situations. Authentication protocol that can be used in Linux/Windows.

Show Comments