Authentication Methods - CompTIA A+ 220-1102 - 2.2

Common Authentication Scenario

  • Logging into various network devices (e.g., access points, VPN concentrators, firewalls)

  • Sending login credentials (username & password) to the device

  • Device does not hold user credentials locally; checks against a centralized database on an authentication server

Authentication Process

  • Device sends credentials to authentication server for verification

  • If the credentials match, the server approves access and sends confirmation back to the device

  • Once approved, the user can communicate with other devices on the network

Communication with Authentication Server

  • A key aspect of authentication is the communication between the device and the authentication server

  • Various protocols facilitate this conversation, for example:

    • RADIUS (Remote Authentication Dial-In User Service)

      • Suitable for all types of network connections, not just dial-in

      • Often called an AAA protocol (Authentication, Authorization, Accounting)

  • Advantage of centralized authentication:

    • Simplifies management by having a single source for all authentications (e.g., a RADIUS server)

RADIUS Protocol

  • Well-supported across many devices and operating systems

  • Commonly integrated into VPN servers and other network devices

  • Provides a centralized point for managing user authentication
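The exchange described under "Authentication Process" and "RADIUS Protocol", as an added example that is not part of the original notes: an access device (the NAS) that stores no credentials builds a RADIUS Access-Request, the server recovers the password, checks it against a salted hash, and answers with an Access-Accept or Access-Reject carrying a Response Authenticator that the NAS verifies before trusting the reply. The packet layout, User-Password hiding and Response Authenticator follow RFC 2865; the shared secret, user table, salt and NAS address are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import struct

# Packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

# Constructed demo values: the NAS/server shared secret and the server's user
# table, which holds only salted PBKDF2 hashes, never the passwords themselves.
SHARED_SECRET = b"constructed-shared-secret"
_SALT = b"constructed-salt"
USER_DB = {b"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse battery", _SALT, 100_000)}

def encode_attrs(attrs):
    """Attribute wire format: Type(1) Length(1, counts the header) Value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + ln]))
        i += ln
    return attrs

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: NUL-pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; strips the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(chunk, block))
        prev = chunk
    return out.rstrip(b"\x00")

def build_packet(code, ident, authenticator, attrs):
    """Packet: Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def response_authenticator(code, ident, body, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def nas_build_request(username, password, secret, ident):
    """Access device: holds no credentials, just forwards the hidden password."""
    request_auth = secrets.token_bytes(16)  # fresh random Request Authenticator
    attrs = [(USER_NAME, username),
             (USER_PASSWORD, hide_password(password, secret, request_auth)),
             (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))]  # constructed documentation address
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def server_handle(pkt, secret):
    """RADIUS server: recover the password, check the hash, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    request_auth, fields = pkt[4:20], dict(decode_attrs(pkt[20:length]))
    ok = False
    if code == ACCESS_REQUEST and USER_NAME in fields and USER_PASSWORD in fields:
        pw = reveal_password(fields[USER_PASSWORD], secret, request_auth)
        stored = USER_DB.get(fields[USER_NAME])
        if stored is not None:
            ok = hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", pw, _SALT, 100_000), stored)
    resp_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(resp_code, ident, b"", request_auth, secret)
    return build_packet(resp_code, ident, auth, [])

def nas_check_response(resp, request_auth, secret, ident):
    """Accept only a reply whose Response Authenticator proves the server knew the secret."""
    code, rid, length = struct.unpack("!BBH", resp[:4])
    auth, body = resp[4:20], resp[20:length]
    expected = response_authenticator(code, rid, body, request_auth, secret)
    return bool(rid == ident and hmac.compare_digest(auth, expected) and code == ACCESS_ACCEPT)

def authenticate(username, password, secret=SHARED_SECRET, ident=7):
    """Full exchange: NAS -> Access-Request -> server -> Access-Accept/Reject -> NAS."""
    req, request_auth = nas_build_request(username, password, secret, ident)
    return nas_check_response(server_handle(req, secret), request_auth, secret, ident)

if __name__ == "__main__":
    print("alice / correct password:", authenticate(b"alice", b"correct horse battery"))
    print("alice / wrong password:  ", authenticate(b"alice", b"hunter2"))
```

Two points worth noticing in the code: the NAS never touches the user table, so compromising an access point does not expose stored credentials, and a reply whose Response Authenticator does not match the request is discarded, so a device that does not know the shared secret cannot hand out an Access-Accept. The MD5-based password hiding is the original RFC 2865 scheme and is only as strong as the shared secret, which is why production deployments carry RADIUS inside TLS (RadSec, RFC 6614) or IPsec rather than relying on it alone.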

Other Authentication Protocols

  • TACACS (Terminal Access Controller Access-Control System)

    • Associated with Cisco devices but released as an open standard in 1993

    • TACACS+ extends this protocol, commonly used in Cisco environments

  • Kerberos

    • Utilized in Windows domains for single sign-on (SSO)

    • Developed in the 1980s at MIT; popularized with Windows 2000

    • Uses cryptographic tickets for authentication

    • SSO allows a user to access multiple resources without re-entering credentials

Kerberos Authentication Flow

  • Upon first login, a ticket is issued to the user

  • This ticket is presented to various devices throughout the day for seamless access without additional passwords
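The ticket flow above, as an added example that is not part of the original notes and not real Kerberos code: a simplified model of the three exchanges (login at the authentication server, ticket-granting exchange, presentation to a service) in which a keyed HMAC tag stands in for the encryption real Kerberos applies to tickets, and session keys and authenticators are left out. The KDC key, service keys, user key and ten-hour lifetime are constructed for the demo. What the model does preserve is the part that matters for SSO: the password is proved once (via a keyed timestamp, never sent), tickets carry an expiry, and each service checks its ticket with its own key without ever seeing the password.

```python
import hashlib
import hmac
import json

# Constructed keys for the demo. In real Kerberos each principal's key is
# derived from its password and the KDC encrypts tickets under those keys;
# here an HMAC tag stands in for encryption so the structure stays visible.
KDC_KEY = b"constructed-kdc-master-key"
SERVICE_KEYS = {"fileserver": b"constructed-fileserver-key", "mail": b"constructed-mail-key"}
USER_KEYS = {"alice": hashlib.sha256(b"alice-password").digest()}
TICKET_LIFETIME = 10 * 3600  # one workday, in seconds
MAX_CLOCK_SKEW = 300         # five minutes, the usual Kerberos default

def _tag(key, payload):
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def make_ticket(key, fields):
    payload = json.dumps(fields, sort_keys=True).encode()
    return {"payload": payload, "tag": _tag(key, payload)}

def open_ticket(key, ticket, now):
    """Return the ticket fields if the tag is valid and it has not expired, else None."""
    if not hmac.compare_digest(_tag(key, ticket["payload"]), ticket["tag"]):
        return None
    fields = json.loads(ticket["payload"])
    return None if now >= fields["expires"] else fields

def client_preauth(user, password, now):
    """Client proves it knows the password without sending it: a keyed timestamp."""
    key = hashlib.sha256(password.encode()).digest()
    return {"user": user, "ts": now, "proof": _tag(key, str(now).encode())}

def kdc_login(preauth, now):
    """AS exchange: check the timestamp proof and issue a TGT sealed with the KDC key."""
    key = USER_KEYS.get(preauth["user"])
    if key is None or abs(now - preauth["ts"]) > MAX_CLOCK_SKEW:
        return None
    if not hmac.compare_digest(_tag(key, str(preauth["ts"]).encode()), preauth["proof"]):
        return None
    return make_ticket(KDC_KEY, {"user": preauth["user"], "expires": now + TICKET_LIFETIME})

def kdc_service_ticket(tgt, service, now):
    """TGS exchange: a valid TGT buys a ticket for one service, sealed with that service's key."""
    fields = open_ticket(KDC_KEY, tgt, now)
    if fields is None or service not in SERVICE_KEYS:
        return None
    return make_ticket(SERVICE_KEYS[service],
                       {"user": fields["user"], "service": service, "expires": fields["expires"]})

def service_accept(service, ticket, now):
    """The service checks the ticket with its own key; it never sees the user's password."""
    fields = open_ticket(SERVICE_KEYS[service], ticket, now)
    return fields is not None and fields["service"] == service

def sso_day(user, password, services, start):
    """One login at `start`, then one service per hour on the same TGT. Returns one bool per service."""
    tgt = kdc_login(client_preauth(user, password, start), start)
    if tgt is None:
        return []
    results = []
    for i, svc in enumerate(services):
        now = start + 3600 * (i + 1)
        st = kdc_service_ticket(tgt, svc, now)
        results.append(st is not None and service_accept(svc, st, now))
    return results

if __name__ == "__main__":
    print(sso_day("alice", "alice-password", ["fileserver", "mail"], 1_700_000_000))
```

The expiry check is what turns "presented throughout the day" into a bounded risk: a ticket captured from a workstation stops working at the lifetime, whereas a stolen password would not. The per-service key is what keeps a ticket for one service from being accepted by another.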

Choosing an Authentication Method

  • Decision typically depends on the protocols available in the existing network:

    • If using a RADIUS server, RADIUS will be employed

    • TACACS+ will be favored in environments with Cisco devices

    • Kerberos is often used where Active Directory is in place

Multi-Factor Authentication (MFA)

  • Enhances security beyond username and password

  • Can include factors such as:

    • Something you know (password)

    • Something you have (e.g., smart card, mobile app)

    • Something you are (biometric data)

    • Something you do (user behavior)

  • Implementation can vary in cost:

    • Can be expensive (hardware tokens, readers)

    • Can be cost-effective (mobile applications generating time-based codes)
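The "mobile applications generating time-based codes" above are TOTP (RFC 6238) built on HOTP (RFC 4226). As an added example that is not part of the original notes, this is the generator an authenticator app runs and the verifier a server runs, including the two checks a server must add that the algorithm itself does not give you: a small drift window, because phone and server clocks differ, and a last-used counter, so a code that was already accepted cannot be replayed inside its 30-second step. The base32 secret and timestamps in the usage line are the published RFC 6238 test key, not real enrollment data.

```python
import base64
import hashlib
import hmac
import struct

def secret_from_base32(text):
    """Authenticator apps enroll secrets as base32 (the QR-code payload);
    accept lowercase, spaces and missing '=' padding."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))

def hotp(secret, counter, digits=6, algo="sha1"):
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

def totp(secret, unix_time, step=30, digits=6, algo="sha1"):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(unix_time) // step, digits, algo)

def verify_totp(secret, submitted, unix_time, window=1, last_used=None, step=30, digits=6):
    """Server-side check. Accepts the current step and `window` steps either side
    to tolerate clock drift, refuses any counter at or below `last_used` so a code
    cannot be replayed, and compares in constant time. Returns the accepted
    counter (store it as the new last_used) or None."""
    now_ctr = int(unix_time) // step
    for ctr in range(now_ctr - window, now_ctr + window + 1):
        if last_used is not None and ctr <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, ctr, digits), submitted):
            return ctr
    return None

if __name__ == "__main__":
    import time
    # RFC 6238 test key ("12345678901234567890" in base32), not a real enrollment
    demo_secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("code for this 30-second step:", totp(demo_secret, time.time()))
    print("8-digit code at T=59 (RFC vector 94287082):", totp(demo_secret, 59, digits=8))
```

This is why the factor is cheap: the "something you have" is a shared secret plus a clock, so any phone can hold it. The cost shows up on the server side instead, in keeping the secret store as protected as the password hashes, since the secret, unlike a password, cannot be stored as a one-way hash.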