Radius, LDAP, Radius used in Authenticating Users


CSCD 303 Lecture 5, Fall 2017: Kerberos, Radius, LDAP used in Authenticating Users

Introduction to Centralized Authentication
- Kerberos is for authentication only and provides Single Sign-on (SSO)
- LDAP can be used for authentication, authorization, and name services (no SSO)
- Active Directory is a directory service with an LDAP interface, based on LDAP
- Use Kerberos for authentication (Radius is also used for authentication), LDAP for authorization and name services

The Authentication Process in General
- The act of identifying users and providing network services to them based on their identity
- Two forms:
  - Local authentication
  - Centralized authentication service (often uses two-factor authentication)

User Authentication
- Basic authentication: user supplies username and password to access networked resources
- Users who need to legitimately access internal servers in a network must be added to access control lists (ACLs)

User Authentication Showing Roles

Client Authentication
- Same as user authentication but with additional time limit or usage limit restrictions
- Notion of paying for services
- When configuring, set up one of two types of authentication systems:
  - Standard sign-on system
  - Specific sign-on system

Client Authentication

Session Authentication
- Required any time the client establishes a session with a server or other networked resource

Comparison of Authentication Methods

Centralized Authentication
- Centralized server maintains all authorizations for users, regardless of where the user is located and how the user connects to the network
- Most common methods:
  - Kerberos
  - TACACS+ (Terminal Access Controller Access Control System)
  - RADIUS (Remote Authentication Dial-In User Service)
- Look at each of these.

Process of Centralized Authentication

Kerberos: etymology
- The 3-headed dog that guards the entrance to Hades
- Originally, the 3 heads represented the 3 A's: Authentication, Authorization, Auditing
- But one A was work enough!

Kerberos
- Provides authentication and encryption through standard clients and servers
- Uses a Key Distribution Center (KDC) to issue tickets to those who want access to resources
- Used internally on Windows 2000/XP and other versions
- Advantages:
  - Passwords are not stored on the local system
  - Also widely used in UNIX environments; enables authentication across operating systems

Design Requirements
- Interactions between hosts and clients should be encrypted.
- Must be convenient for users (or they won't use it).
- Protect against intercepted credentials.

Cryptography Approach
- Private Key: each party uses the same secret key to encode and decode messages (Symmetric Cryptography)
- Trusted third party: uses a trusted third party which can vouch for the identity of both parties in a transaction. Security of the third party is critical.

Symmetric Key Cryptography
- Aka Secret Key cryptography
- The same key is used for both encryption and decryption operations (symmetry)
- Examples: DES, 3-DES, AES

How does Kerberos work?
- Instead of the client sending its password to the application server:
  - It requests a Ticket from the authentication server
  - The Ticket and an encrypted request are sent to the application server
- How to request tickets without repeatedly sending credentials? Ticket granting ticket (TGT)

Kerberos Authentication
- TGT = Ticket Granting Ticket
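The ticket flow sketched on the last two slides, as an added example that is not part of the lecture: a toy Python model of the AS exchange (password never sent; client gets a TGT), the TGS exchange (TGT plus authenticator buys a service ticket) and the final check at the application server. The principal names, the toy seal/unseal cipher and the 300-second clock-skew window are assumptions made for the illustration, not Kerberos' real encryption types or defaults.

```python
import hashlib
import hmac
import json
import os
import time

def derive_key(password):
    # The client's long-term key comes from its password (toy derivation; real Kerberos uses string-to-key).
    return hashlib.sha256(password.encode()).digest()

def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(2, "big")).digest() for i in range(n // 32 + 1))

def seal(key, obj):
    # Toy authenticated encryption standing in for a Kerberos enctype (illustration only, not a real cipher).
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket or authenticator does not verify under this key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) sharing one principal database."""
    def __init__(self, principals, lifetime=3600):
        self.keys, self.lifetime = principals, lifetime  # principal name -> long-term key
    def _ticket(self, owner_key, client, service, session_key):
        # A ticket is readable only by the service it is issued for (sealed under that service's key).
        body = {"client": client, "service": service, "key": session_key.hex(), "expires": time.time() + self.lifetime}
        return seal(owner_key, body)
    def as_exchange(self, client):
        # AS-REQ/AS-REP: no password crosses the wire; only a holder of the client key can read the session key.
        sk = os.urandom(32)
        return seal(self.keys[client], {"tgs_key": sk.hex()}), self._ticket(self.keys["krbtgt"], client, "krbtgt", sk)
    def tgs_exchange(self, tgt, authenticator, service):
        # TGS-REQ/TGS-REP: the TGT says who the client is; the authenticator proves possession of its session key.
        t = unseal(self.keys["krbtgt"], tgt)
        a = unseal(bytes.fromhex(t["key"]), authenticator)
        if t["expires"] < time.time() or a["client"] != t["client"] or abs(time.time() - a["ts"]) > 300:
            raise ValueError("expired TGT or authenticator mismatch")
        sk = os.urandom(32)
        return seal(bytes.fromhex(t["key"]), {"service_key": sk.hex()}), self._ticket(self.keys[service], t["client"], service, sk)

class Client:
    def __init__(self, name, password, kdc):
        self.name, self.key, self.kdc = name, derive_key(password), kdc
    def kinit(self):
        enc, self.tgt = self.kdc.as_exchange(self.name)
        self.tgs_key = bytes.fromhex(unseal(self.key, enc)["tgs_key"])  # wrong password -> ValueError here
    def get_service_ticket(self, service):
        enc, ticket = self.kdc.tgs_exchange(self.tgt, seal(self.tgs_key, {"client": self.name, "ts": time.time()}), service)
        sk = bytes.fromhex(unseal(self.tgs_key, enc)["service_key"])
        return ticket, seal(sk, {"client": self.name, "ts": time.time()})  # what the client presents in AP-REQ

def service_accepts(service_key, ticket, authenticator):
    # AP-REQ check: the application server never contacts the KDC; it validates using only its own key.
    t = unseal(service_key, ticket)
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    return t["expires"] > time.time() and a["client"] == t["client"] and abs(time.time() - a["ts"]) <= 300

# Constructed principal database (a real KDC stores these keys, derived from each principal's secret).
PRINCIPALS = {"alice": derive_key("alice-pw"), "krbtgt": os.urandom(32), "fileserver": os.urandom(32)}
```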

TACACS+
- Latest and strongest version of a set of authentication protocols for dial-up access (Cisco Systems)
- Provides AAA services: Authentication, Authorization, Auditing
- Uses MD5 algorithm to encrypt data

TACACS+
- Terminal Access Controller Access-Control System (TACACS, usually pronounced like "tack-axe")
- Family of related protocols handling remote authentication and related services for networked access control through a centralized server
- Original TACACS protocol dates back to 1984; used to communicate with an authentication server; common in older UNIX networks
- Spawned related protocols, one of which is TACACS+

TACACS+
- TACACS allows a client to accept a username and password and send a query to a TACACS authentication server, sometimes called a TACACS daemon or simply TACACSD
- TACACS+ uses TCP
- The server determines whether to accept or deny the authentication request and sends a response back

RADIUS
- Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA or "Triple A") management
- Uses UDP and transmits authentication packets unencrypted across the network
- Provides a lower level of security than TACACS+ but is more widely supported

Radius
- RADIUS is an AAA protocol which manages network access.
- RADIUS uses two packet types to manage the full AAA process: Access-Request, which manages authentication and authorization, and Accounting-Request, which manages accounting.

Radius Steps
1. User or machine sends a request to a Network Access Server (NAS) to gain access to a particular network resource using access credentials.
2. In turn, the NAS sends a RADIUS Access-Request message to the RADIUS server, requesting authorization to grant access via the RADIUS protocol.
3. The RADIUS server checks that the information is correct using authentication schemes such as PAP, CHAP or EAP. The user's proof of identification is verified, along with, optionally, other information related to the request,

Radius Steps
5. The RADIUS server then returns one of three responses to the Network Access Server: 1) Access Reject, 2) Access Challenge, or 3) Access Accept.
   - Access Reject: the user is unconditionally denied access to all requested network resources.
   - Access Challenge: requests additional information from the user such as a secondary password, PIN, token, or card.
   - Access Accept: the user is granted access.

Radius Authentication Steps
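The NAS-to-server exchange of the Radius Steps slides, as an added example that is not the lecture's code: a minimal RFC 2865 Access-Request builder with the User-Password masking, a server that answers Access-Accept or Access-Reject, and the Response Authenticator check a NAS should perform before trusting the verdict. The shared secret, the user table and the fixed Request Authenticator used in the checks are constructed values for this illustration.

```python
import hashlib
import hmac
import os
import struct
# RADIUS codes and attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD = 1, 2

def hide_password(password, secret, request_auth):
    # RFC 2865 5.2: pad to a 16-byte multiple and XOR each block with MD5(secret + previous block),
    # seeded with the Request Authenticator. Only this attribute is masked; the packet itself is plaintext.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def unhide_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # strip padding (assumes the password has no trailing NUL bytes)

def encode_attrs(attrs):
    # Each attribute is Type(1) Length(1) Value; Length counts the two header bytes.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        t, l = data[i], data[i + 1]
        attrs[t], i = data[i + 2:i + l], i + l
    return attrs

def build_access_request(ident, secret, username, password, request_auth=None):
    # Step 2: the NAS builds the Access-Request; the Request Authenticator must be fresh and unpredictable.
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attrs([(USER_NAME, username), (USER_PASSWORD, hide_password(password, secret, request_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def build_response(code, ident, request_auth, secret, attrs=b""):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 section 3).
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def server_handle(packet, secret, users):
    # Step 3: the server recovers the password and decides Accept or Reject (PAP-style check against a user table).
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    password = unhide_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = code == ACCESS_REQUEST and users.get(attrs.get(USER_NAME)) == password
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, secret)

def verify_response(packet, request_auth, secret):
    # Step 5 on the NAS side: trust the verdict only if the Response Authenticator verifies under the
    # shared secret and binds to the Request Authenticator we sent; returns the code, or None on failure.
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or len(packet) < 20:
        return None
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return code if hmac.compare_digest(packet[4:20], expected) else None
```

Only the User-Password attribute is masked; the User-Name and every other attribute travel in the clear over UDP, which is the "unencrypted" point the RADIUS slide makes, and a forged reply built with the wrong secret fails `verify_response`.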

TACACS+ and RADIUS Compared
- Strength of security
- Filtering characteristics
- Proxy characteristics
- NAT characteristics

Strength of Security: Radius and TACACS+
http://etutorials.org/networking/wireless+lan+security/chapter+2.+basic+security+mechanics+and+mechanisms/authentication+and+identity+protocols/

LDAP
- Windows Active Directory is based on LDAP
- Active Directory is a directory of objects and provides a single location for object management
- Queries to Active Directory use the LDAP format
- Will cover Active Directory later...

Single Sign On (SSO)

Single Sign On
- Traditional Single Sign-On allows a user to login once, using a single authentication method, to gain access to multiple hosts and/or applications
- May also provide access control / authorization features
  - Authorization policies restrict which applications or systems a user has access to, and what the user can and can't do on these applications and systems

Traditional SSO: Pros and Cons
- Pros
  - Very easy to use
  - Reduces support costs
  - Reduces logon cycles
- Cons
  - Integration of legacy systems can be expensive and time consuming
  - Single point of attack: attack the SSO host
  - Scripting solutions often lead to storage of passwords and IDs on the client

Traditional SSO: How It Works
- Authenticate once to access many
- Login credentials (ID and authentication) usually stored locally
- Transparently presented to the system or application when needed
- User does not always know his/her credentials are being presented

Centralized Authentication Summary
- Overview of authentication and its importance to networks and system security
- Authentication server handles:
  - Username and password maintenance/generation
  - Login requests
  - Auditing
- Examples of centralized authentication systems: Kerberos, TACACS+, RADIUS

The End
- See Assignments page for new assignment on Authentication
