When we want to gain access to
some type of network resource,
then we need to provide
the credentials.
Those credentials are
going to be checked first
by a AAA server before
we're able to gain access
to that resource.
Let's take the
example of someone
who is authenticating
through a VPN concentrator.
We are out here on
the client side.
We make a request to the VPN
concentrator to gain access.
We send our username and
password and any other type
of authentication credentials,
and those credentials
are checked against
a AAA server.
The AAA server will confirm
that the username, the password,
and any other authentication
factor is valid.
It will approve
those credentials,
tell the VPN concentrator
to allow the session,
and our traffic is then passed
to whatever services may be
on the inside of the network.
There are many
different protocols
that can be used in this
authentication process
to the AAA server
and in this video,
we'll learn about a
number of those protocols.
One of the most common
authentication protocols
you'll find is RADIUS.
RADIUS stands for Remote
Authentication Dial-in User
Service.
And although it has the
term dial-in in the name,
this is something that can
be used on anyone's network.
Not just on dial-in networks.
Using RADIUS services, we can
centralize the authentication
for many different
kinds of systems.
If we have users that are
logging in to routers,
or switches, or firewalls,
or authenticating to VPN
connections, or logging into
the network using 802.1X,
all of these different kinds of
services could be centralized
with a single authentication
to a RADIUS server.
It also helps that these
RADIUS services are
available on a number of
different operating systems,
so no matter what
type of systems
you have in your
organization, there's
probably a RADIUS service
that can run in your OS.
Another type of
authentication service
that's very similar
to RADIUS is TACACS.
TACACS stands for
Terminal Access Controller
Access-Control System.
This is another type of remote
authentication protocol,
and it also has been around
for a very long time.
It was used to control
access to the dial-up lines
that connected
people to ARPANET.
Cisco needed to extend the
capabilities of TACACS,
so they created their
own version of TACACS
called Extended TACACS.
It's a proprietary version
that was used to authenticate
to Cisco devices.
In 1993, Cisco released an open
version of TACACS called TACACS+.
Although TACACS+ is still found
most often in front of
Cisco equipment, it is an open
protocol (the IETF published it
as RFC 8907 in 2020), so devices
from other vendors and open source
servers can authenticate into that
same Cisco infrastructure.
Unlike RADIUS, which runs over
UDP and hides only the password
attribute, TACACS+ runs over
TCP port 49, obfuscates the
entire packet body with the
shared secret, and separates
authentication, authorization,
and accounting into
distinct exchanges.
Sometimes you need more than
a flat list of usernames
and passwords.
If you need to build a
large directory of users,
devices, and services,
you may want to use LDAP,
which stands for Lightweight
Directory Access Protocol.
This is very similar to
a phone directory, where
you can have a large
number of objects,
and you can sort and
organize those objects
into a structured database.
You'll often see LDAP
described as an X.500 standard.
X.500 is the directory
specification written by the ITU.
Its original access protocol,
the Directory Access Protocol (DAP),
ran on the OSI protocol stack.
When people wanted
to use it on TCP/IP,
they created a lightweight
version and called it LDAP.
These days LDAP is a very
common directory standard,
and you'll see it used in
Microsoft Active Directory,
Apple Open Directory, OpenLDAP,
and other directory services.
An LDAP entry is identified
by a distinguished name made up
of attribute and value pairs.
You'll see attributes like
CN, which refers to common name,
OU for organizational unit,
O for organization,
and L for locality.
Each attribute is written
with an equal sign,
and then the value
that's associated
with that attribute,
and the pairs are separated
by commas, reading from the
most specific to the least specific.
For example, the distinguished name
CN=Widget Web,OU=Marketing,O=Widget,L=London
describes a common name
called Widget Web
inside an organizational unit
called Marketing,
which belongs to an organization
called Widget
that has a locality of London.
And so on.
This makes it very easy to
build a tree of information
based on where a
particular object happens
to be in that directory.
This hierarchical structure
can contain the country name,
organizational units,
or you can customize
it to be as extensive
or as basic as you need.
We usually refer to the
country, organization,
and organizational units
as the container objects,
and within those
container objects
are the actual leaf objects
like users, printers, computers,
and files.
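The distinguished-name structure just described is easy to get wrong in code, because commas and equal signs inside a value change where the RDN boundaries fall. The following added example (written for this page, not code from the video or from any LDAP server) parses a DN into its attribute/value pairs with RFC 4514 escaping, escapes a value for safe insertion into a DN, sorts attribute types into containers and leaves, and builds the tree from root to leaf. The `CONTAINER_TYPES` set, the `is_container` helper and the sample DNs are assumptions chosen for the demo; the DN components come from the page's own example.

```python
SPECIAL = ',+"\\<>;'                       # RFC 4514 section 2.4: must be escaped inside a value
CONTAINER_TYPES = {"C", "O", "OU", "L", "ST", "DC"}   # assumption for the demo: container RDN types


def escape_dn_value(value: str) -> str:
    """Escape a raw value so it can be placed after 'type=' in a DN without changing the structure."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and (i == 0 or i == last):   # leading/trailing space must be escaped
            out.append("\\ ")
        elif ch == "#" and i == 0:                   # leading '#' would mean a hex-encoded value
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def parse_dn(dn: str):
    """Split a DN into [(type, value), ...] from leaf to root, honouring backslash and \\XX escapes."""
    rdns, i, n = [], 0, len(dn)
    while i < n:
        eq = dn.find("=", i)
        if eq < 0:
            raise ValueError("RDN without '=': %r" % dn[i:])
        atype = dn[i:eq].strip()
        if not atype:
            raise ValueError("empty attribute type")
        i = eq + 1
        while i < n and dn[i] == " ":               # unescaped leading spaces are insignificant
            i += 1
        value = bytearray()                         # collect bytes: \\XX escapes may be UTF-8 pieces
        while i < n and dn[i] != ",":
            ch = dn[i]
            if ch == "\\":
                nxt = dn[i + 1:i + 2]
                hx = dn[i + 1:i + 3]
                if nxt and nxt in SPECIAL + " #=":
                    value += nxt.encode("utf-8")
                    i += 2
                elif len(hx) == 2 and all(c in "0123456789abcdefABCDEF" for c in hx):
                    value.append(int(hx, 16))
                    i += 3
                else:
                    raise ValueError("bad escape at offset %d" % i)
            elif ch == "+":
                raise ValueError("multi-valued RDNs are not supported by this parser")
            else:
                value += ch.encode("utf-8")
                i += 1
        rdns.append((atype, value.decode("utf-8")))
        i += 1                                      # step over the ',' (or run off the end)
    return rdns


def build_dn(rdns) -> str:
    """Assemble a DN from (type, raw value) pairs, escaping each value."""
    return ",".join("%s=%s" % (atype, escape_dn_value(value)) for atype, value in rdns)


def is_container(atype: str) -> bool:
    return atype.upper() in CONTAINER_TYPES


def add_to_tree(tree: dict, dn: str) -> dict:
    """Insert a DN into a nested dict keyed by 'TYPE=value', root (least specific) first."""
    node = tree
    for atype, value in reversed(parse_dn(dn)):
        node = node.setdefault("%s=%s" % (atype.upper(), value), {})
    return tree
```

The injection case is the one to remember: if an application concatenates a user-supplied name into a DN without `escape_dn_value`, a value such as `Widget,OU=Admins` adds an RDN and moves the object to a different container.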
If you're authenticating
exclusively
to a Windows
operating system, you
may see a rather old
authentication method
called Microsoft NTLM.
This is a Windows only method
of challenge and response
to be able to authenticate
into a Windows domain.
This name NTLM comes from the
NT operating system combined
with the LAN manager
operating system
to create this
authentication method.
The most common
NTLM authentication
you'll see these days is NT LAN
Manager v2, or NTLMv2.
It is a challenge and response
exchange built on the NT hash,
which is an unsalted MD4 hash
of the password, a relatively
weak construction by
today's standards.
From that NT hash, the client
derives an HMAC-MD5 of the
username and the domain name,
and uses that as the key for
an HMAC-MD5 over the server's
challenge and a client blob
that contains a time stamp,
some random data, and the names
of the server and Windows domain.
Even though the
NT hash has been
found to be relatively
insecure, there
are a number of
Windows systems that
still store the
NT hash to provide
backwards compatibility.
Unfortunately, because the hash
is never salted, a stolen hash
is as good as the password
(a pass-the-hash attack),
and the challenge and response
itself can be forwarded to
another server in a relay attack,
so it's not recommended
that people continue to rely
on NTLM on their network.
These days, Kerberos
is the standard method
of authenticating
in Windows, and it
addresses these weaknesses
that come with relying
on an NTLM hash.
Kerberos is the modern
Windows authentication method.
It is a single sign on where
we authenticate one time
and we are then trusted by every
other device in the system.
There's no need to constantly
re-authenticate to gain access
to other resources.
Kerberos also includes
mutual authentication
between the client
and the server,
which protects against
man in the middle attacks,
and its time-stamped
authenticators protect
against replay attacks.
Kerberos has been
around since the 1980s
and it's a very trusted
method of authentication.
Microsoft integrated Kerberos
into the Windows 2000 operating
system, and it's now compatible
with practically any Windows
system that's available today.
Kerberos makes use of
extensive cryptography
to provide this
type of protection.
The client first authenticates
to the Key Distribution Center
and receives a ticket granting
ticket (TGT). The client then
presents that TGT to the ticket
granting service, which issues
a service ticket for the
particular service the client
wants to reach.
And that service
ticket is then presented
to that service, and the
client repeats the TGT step
for each additional service
it needs on the network.
That means that the user
doesn't have to constantly put
in a username and password.
It simply shows the service
ticket behind the scenes,
and seamlessly, the user gains
access to these resources.
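The ticket flow, mutual authentication and replay protection described above, modelled end to end as an added example (written for this page; it is not code from the video, from MIT Kerberos or from Windows). To stay self-contained it uses a stand-in authenticated encryption built from SHA-256 and HMAC-SHA256 instead of Kerberos' AES-CTS encryption types, carries tickets as JSON instead of ASN.1, and omits realms, flags, addresses and the PAC; the principal names, keys, `SKEW` and `LIFETIME` values are assumptions. What it does reproduce is the structure: the AS reply is only usable with the user's key, the TGT is opaque to the client, each service ticket is bound to one service's key, the service checks the authenticator timestamp against a replay cache, and the AP reply proves the service knew its own key.

```python
import hashlib
import hmac
import json
import os

SKEW = 300          # seconds of clock difference tolerated (Kerberos' usual 5 minutes)
LIFETIME = 8 * 3600  # ticket lifetime; assumption for the demo


# Stand-in authenticated encryption (assumption for the demo, NOT Kerberos' AES-CTS-HMAC):
# SHA-256 counter keystream, encrypt-then-MAC with HMAC-SHA256, fresh random nonce per message.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Key Distribution Center: the Authentication Service plus the Ticket Granting Service."""

    def __init__(self, keys: dict):
        self.keys = keys  # principal name -> long-term key; "krbtgt" is the TGS's own key

    def as_exchange(self, user: str, now: int):
        """AS-REP: a TGT sealed under the krbtgt key (opaque to the client), plus the TGT
        session key sealed under the user's key. Only a holder of the user's key can use it."""
        session = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"user": user, "key": session, "exp": now + LIFETIME})
        return tgt, seal(self.keys[user], {"key": session})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        """TGS-REP: a service ticket sealed under that service's key, plus a fresh service
        session key sealed under the TGT session key. No password is involved here."""
        t = unseal(self.keys["krbtgt"], tgt)
        a = unseal(bytes.fromhex(t["key"]), authenticator)
        if now > t["exp"] or abs(now - a["ts"]) > SKEW or a["user"] != t["user"]:
            raise ValueError("TGT or authenticator rejected")
        session = os.urandom(32).hex()
        st = seal(self.keys[service], {"user": t["user"], "key": session, "exp": now + LIFETIME})
        return st, seal(bytes.fromhex(t["key"]), {"key": session, "service": service})


class Service:
    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.seen = name, key, set()  # seen: replay cache of authenticators

    def ap_exchange(self, ticket: bytes, authenticator: bytes, now: int) -> bytes:
        """Check the AP-REQ, then answer with an AP-REP: the client's timestamp sealed under
        the session key, which only a service holding the right service key could recover."""
        t = unseal(self.key, ticket)                    # fails for a ticket issued to another service
        session = bytes.fromhex(t["key"])
        a = unseal(session, authenticator)
        if now > t["exp"] or abs(now - a["ts"]) > SKEW or a["user"] != t["user"]:
            raise ValueError("AP-REQ rejected")
        if (a["user"], a["ts"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((a["user"], a["ts"]))
        return seal(session, {"ts": a["ts"]})


# Client side
def as_login(kdc: KDC, user: str, user_key: bytes, now: int):
    """Log in once: returns the TGT and its session key. The only step needing the user's key."""
    tgt, enc = kdc.as_exchange(user, now)
    return tgt, bytes.fromhex(unseal(user_key, enc)["key"])


def get_service_ticket(kdc: KDC, tgt: bytes, tgt_key: bytes, user: str, service: str, now: int):
    """Repeated per service with the same TGT; this is what gives single sign-on."""
    st, enc = kdc.tgs_exchange(tgt, seal(tgt_key, {"user": user, "ts": now}), service, now)
    return st, bytes.fromhex(unseal(tgt_key, enc)["key"])


def access_service(svc: Service, st: bytes, key: bytes, user: str,
                   client_now: int, server_now: int) -> bool:
    """Present the ticket; True only if the service proved it holds its key (mutual auth)."""
    rep = svc.ap_exchange(st, seal(key, {"user": user, "ts": client_now}), server_now)
    return unseal(key, rep)["ts"] == client_now
```

Running the flow with a wrong user key fails at `as_login`, never at the KDC, which is why Kerberos relies on pre-authentication in practice: without it, the AS reply can be requested for any user and attacked offline.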
Obviously, this
Kerberos authentication
only works with devices
that understand Kerberos.
So if you need to authenticate
to another type of system,
you would use RADIUS, TACACS,
LDAP, or some other type
of authentication method.
