Security+: authentication services (RADIUS, TACACS+, LDAP, etc.) (SY0-401) [decommissioned article ]
NOTE: This article reflects an older version of the Security+ Exam – please see the current Security+ Certification page for the most up-to-date information.
The authentication module is one of the most important components of any information security infrastructure. It’s needless to say that if you perfect your authentication process, unwanted infiltration can be greatly reduced. In this article, the various protocols via which authentication can be achieved on a huge scale (including LDAP, RADIUS, TACACS+, XTACACS, etc.) will be discussed, along with the importance of these authentication services in relation to CompTIA's Security+ certification.
For people who long to be looked upon as the shamans of information security, the security+ certification is a must-have. This certification validates the prowess of a professional by assessing them on their knowledge of the best IT security practices, fundamental/necessary network security principles, and risk management, among other things. In order to ace the Security+ exam, it’s of paramount importance to know about the different authentication protocols and services, as pertinent questions can often be found in abundance. Let’s now have a look at some of the most important ones:
If you are interested in knowing about some state-of-the-art cloud security certifications however, read all about them here.
Lightweight directory access protocol (LDAP) is a protocol that enables a system to find the location of individuals, files/devices or even organizations within a network (it works on both public networks and corporate intranets). Just as the name indicates, LDAP is the lightweight (lesser lines of code) version of DAP (directory access protocol), which is a networking standard used to access X.500 directory services.
Authentication of a service can be carried out easily using the LDAP protocol. To access any LDAP service, the client must at first carry out its own authentication to the service; this entails letting the LDAP server know the entities that can access the data to allow it. Once the LDAP client has successfully authenticated itself to the LDAP server, any subsequent client-to-server requests will be recognized by the server as “legitimate” and access will be granted. The LDAP protocol provides authentication in the bind function. The third LDAP version has support for three authentication types: SASL, simple and anonymous authentication. Any client who sends a LDAP authentication request without binding is recognized as an anonymous one. The simple authentication and security layer (SASL) authentication can provide a challenge response protocol that allows data exchange between the server and its clients for authentication purposes and also establishes a layer of security on which communication can be carried out. When SASL is used, the LDAP authentication module can support any agreed-upon authentication between the server and the clients.
Finally, the simple authentication includes the LDAP server receiving the complete (fully qualified) domain name of the client along with the password (in clear text form). Obviously, this method has security problems because of the password being present in unencrypted form. This is often avoided by including some sort of encryption (SSL) along with the simple authentication mode; this implementation is known as LDAPS or LDAP-secure. More information regarding the technology can be retrieved here.
Remote authentication dial-in user service (RADIUS) is a protocol that supports centralized authentication, authorization, and accounting management for clients that establish connection with a network and intend to use any of the provided services. Developed in 1991 by Livingston Enterprises, the RADIUS protocol is still heavily used in enterprises of all sizes.
A RADIUS server can provide different methods to carry out user authentication. Upon provision of a username and a password, it can support UNIX login, PPP, CHAP, or PAP, among other well-known authentication processes.
In order to gain access, a user sends a login request to the server. This request comprises an access request query (that has been sent from the NAS) and its pertinent response (access-reject or access-accept) to the NAS from the server. The access-requesting packet comprises the encrypted password, a port, the NAS IP address, and the username. The early RADIUS deployment used port 1645 but, because of its conflicts with some services, RFC 2865 officially altered the port number and designated port 1812 for all things RADIUS. Upon receiving the access request, a database search is carried out for the provided username. If the search doesn’t return success, the server either immediately sends an access reject message or just loads the default profile. The message normally also contains the reason why the access was declined. More information relating to RADIUS authentication can be retrieved here.
TACACS, or terminal access controller access control system, is an old authentication protocol that was used on UNIX networks to allow a remote server to forward logon requests to authentication servers for access control purposes. TACACS+ was later released by Cisco as response to RADIUS (as Cisco believed that RADIUS could use some design alterations). TACACS+ is another sophisticated way to carry out AAA for a system; it uses the transmission control protocol (TCP) compared to RADIUS’s use of UDP, primarily because TCP has inherent reliability. It also provides enhanced security as it includes encryption of the whole session compared to RADIUS’ password encryption. More information about TACACS+ and its implementation can be found here.
Extended TACACS was introduced by CISCO in 1990; it didn’t have backward computability to the originally released protocol. Instead of TACACS+’s addition of encryption (hence security) to the model, the extended version of TACACS (XTACACS) adds intelligence at the server level.
Password authentication is another process to carry out user validation. Some of the best-known password authentication protocols are:
For Windows-based networks, NTLM or NT LAN manager is a Microsoft security protocol suite that provides authentication, confidentiality, and integrity services. NTLM acted as the successor to the initially released LANMAN (Microsoft LAN manager), which acted as an authentication protocol. More information about the suite can be found here.
KERBEROS is a protocol that uses tickets to authenticate users. It’s a secure way of carrying out access control because it doesn’t store passwords locally and it also avoids sending them on the network. It uses symmetric-key cryptography to strengthen the process. More information can be found here.
Password authentication protocol (PAP) is another protocol that provides password based authentication. It’s used by the point to point protocol (PTP) to carry out user validation. PAP is often considered a weak protocol, as it’s vulnerable to sophisticated cyberattacks; more information can be found here.
Just like PAP, CHAP is a challenge handshake authentication protocol but is a lot more robust than its counterpart because it uses a far more secure way to authenticate by creating unique challenge phrases (randomly generated strings) for each user request. The created phrase is then combined with the host name of the device using a hashing function for authentication purposes. This ensures that nothing transmitted over the network is static.
Attaining the Security+ certification is a dream for anybody who wants to excel in the field of cybersecurity, but it goes without saying that passing the exam is not child’s play. This article tried to walk potential aspirants through the technologies (and their concepts) pertaining to authentication that form a pivotal part of the exam’s syllabus. It’s highly essential to not leave any stone unturned while preparing for the exam and joining a boot-camp can help a lot in this regard. InfoSec Institute’s dedicated boot-camp to help aspirants ace the security+ exam is worth mentioning here.