Presentation is loading. Please wait.

Presentation is loading. Please wait.

Radius, LDAP, Radius used in Authenticating Users

Published byAnabel Eaton Modified over 5 years ago

Similar presentations

Presentation on theme: "Radius, LDAP, Radius used in Authenticating Users"— Presentation transcript:

1 Radius, LDAP, Radius used in Authenticating Users
CSCD 303 Lecture 5 Fall 2017 Kerberos Radius, LDAP, Radius used in Authenticating Users

2 Introduction to Centralized Authentication
Kerberos is for authentication only and provides Single Sign-on (SSO) LDAP can be used for authentication, authorization, and name services (no SSO) Active Directory is a directory service with an LDAP interface – based on LDAP Use Kerberos for authentication, Radius is also used for authentication, LDAP for authorization and name services

3 The Authentication Process in General
The act of identifying users and providing network services to them based on their identity Two forms Local authentication Centralized authentication service (often uses two-factor authentication) 3

4 User Authentication Basic authentication; user supplies username and password to access networked resources Users who need to legitimately access internal servers in a network must be added to access control lists (ACLs) 4

5 User Authentication Showing Roles 5

6 Client Authentication
Same as user authentication but with additional time limit or usage limit restrictions Notion of paying for services When configuring, set up one of two types of authentication systems Standard sign-on system Specific sign-on system 6

7 Client Authentication
7

8 Session Authentication
Required any time the client establishes a session with a server of other networked resource 8

9 Comparison of Authentication Methods
9

10 Centralized Authentication
Centralized server maintains all authorizations for users regardless of where user is located and how user connects to network Most common methods Kerberos TACACS+ (Terminal Access Controller Access Control System) RADIUS (Remote Authentication Dial-In User Service) Look at each of these …. 10

11 Process of Centralized Authentication
11

12 Kerberos: etymology The 3-headed dog that guards the entrance to Hades
Originally, the 3 heads represented the 3 A’s Authenticatio n Authorization Auditing But one A was work enough!

13 Kerberos Provides authentication and encryption through standard clients and servers Uses a Key Distribution Center (KDC) to issue tickets to those who want access to resources Used internally on Windows 2000/XP and other versions Advantages Passwords are not stored on local system Also, widely used in UNIX environment; enables authentication across operating systems 13

14 Design Requirements Interactions between hosts and clients should be encrypted. Must be convenient for users (or they won’t use it). Protect against intercepted credentials.

15 Cryptography Approach
Trusted Private Key: Each party uses the same secret key to encode and decode messages Symmetric Cryptography Uses a trusted third party which can vouch for the identity of both parties in a transaction. Security of third party is critical

16 Symmetric Key Cryptography
Aka, Secret Key cryptography The same key is used for both encryption and decryption operations (symmetry) Examples: DES, 3-DES, AES

17 How does Kerberos work? Instead of client sending password to application server: Requests Ticket from authentication server Ticket and encrypted request sent to application server How to request tickets without repeatedly sending credentials? Ticket granting ticket (TGT)

18 Kerberos Authentication
TGT = Ticket Granting Ticket 18

19 TACACS+ Latest and strongest version of a set of authentication protocols for dial-up access (Cisco Systems) Provides AAA services Authentication Authorization Auditing Uses MD5 algorithm to encrypt data 19

20 TACACS+ Terminal Access Controller Access- Control System (TACACS, usually pronounced like tack-axe) Family of related protocols handling remote authentication and related services for networked access control through a centralized server Original TACACS protocol, … dates back to 1984, Used to communicate with an authentication server, Common in older UNIX networks Spawned related protocols . one of which is TACACS+

21 TACACS+ TACACS allows a client to accept a username and password and send a query to a TACACS authentication server, sometimes called a TACACS daemon or simply TACACSD TACACS+ uses TCP It determines whether to accept or deny the authentication request and send a response back

22 RADIUS Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management Uses UDP and transmits authentication packets unencrypted across the network Provides lower level of security than TACACS+ but more widely supported 22

23 Radius RADIUS is an AAA protocol which manages network access.
RADIUS uses two packet types to manage the full AAA process; Access-Request, which manages authentication and authorization; and Accounting-Request, which manages accounting.

24 Radius Steps User or machine sends a request to a Network Access Server (NAS) to gain access to a particular network resource using access credentials. In turn,NAS sends a RADIUS Access Request message to RADIUS server, requesting authorization to grant access via RADIUS protocol. RADIUS server checks information is correct using authentication schemes such as PAP, CHAP or EAP The user's proof of identification is verified, along with, optionally, other information related to the request,

25 Radius Steps 5. The RADIUS server then returns one of three responses
to the Network Access Server: 1) Access Reject, 2) Access Challenge, or 3) Access Accept. Access Reject The user is unconditionally denied access to all requested network resources. Access Challenge Requests additional information from the user such as a secondary password, PIN, token, or card. Access Accept The user is granted access.

26 Radius Authentication Steps

27 TACACS+ and RADIUS Compared
Strength of security Filtering characteristics Proxy characteristics NAT characteristics 27

28 Strength of Security Radius and TACACS+
28

29 LDAP Windows Active Directory is based on LDAP
Active Directory is a directory of objects and provides single location for object management Queries to Active Directory uses the LDAP format Will cover Active Directory later ...

30 Single Sign On (SSO)

31 Single Sign On Traditional Single Sign-On
Allows a User to Login Once, Using a Single Authentication Method to Gain Access to Multiple Hosts and / or Applications May Also Provide Access Control / Authorization Features Authorization policies restrict which applications or systems a user has access And what the user can and can’t do on these applications and systems

32 Traditional SSO: Pros and Cons
Very Easy to Use Reduces Support Costs Reduces Logon Cycles Cons Integration of Legacy Can Be Expensive and Time Consuming Single Point of Attack, attack the SSO host Scripting Solutions Often Lead to Storage of Passwords And IDs on the Client

33 Traditional SSO: How It Works
“Authenticate Once To Access Many” Login Credentials (ID And Authentication) Usually Stored Locally Transparently presented to the System or Application When Needed User does not always know his/her credentials are being presented

34 Centralized Authentication Summary
Overview of authentication and its importance to networks and system security Authentication server handles Username and password maintenance/generation Login requests Auditing Examples of centralized authentication systems: Kerberos TACACS+ RADIUS 34

35 The End See Assignments page for new assignment on Authentication

Download ppt "Radius, LDAP, Radius used in Authenticating Users"

Similar presentations

Authentication.

Authentication.
AUTHENTICATION AND KEY DISTRIBUTION

AUTHENTICATION AND KEY DISTRIBUTION
Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi

Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi
Chapter 10 Real world security protocols

Chapter 10 Real world security protocols
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
IT 221: Introduction to Information Security Principles Lecture 8:Authentication Applications For Educational Purposes Only Revised: October 20, 2002.

IT 221: Introduction to Information Security Principles Lecture 8:Authentication Applications For Educational Purposes Only Revised: October 20, 2002.
SCSC 455 Computer Security

SCSC 455 Computer Security
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Akshat Sharma Samarth Shah

Akshat Sharma Samarth Shah
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
Access Control Methodologies

Access Control Methodologies
Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.

Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
(Remote Access Security) AAA. 2 Authentication User named flannery dials into an access server that is configured with CHAP. The access server will.

(Remote Access Security) AAA. 2 Authentication User named "flannery" dials into an access server that is configured with CHAP. The access server will.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

Similar presentations

Ads by Google