2.3 - Authentication Methods
Overview of Authentication Systems
When logging into a work computer, users provide:
A username
A password
Potentially other authentication credentials
Attempting to connect to a corporate network from home via VPN requires the same username and password.
Centralized Authentication
The organizational system uses a centralized authentication server and specialized authentication protocols for consistency.
Upon accessing the VPN:
Scenario Components:
Laptop at home
VPN concentrator (often functions as a firewall)
Authentication server (located behind the firewall)
Internal file server
Process:
The user sends a login request to the VPN concentrator.
The login request contains username and password.
The VPN concentrator verifies credentials by communicating with the authentication server.
The authentication server evaluates the credentials.
If correct, it sends an approval message back.
If approved, the VPN concentrator grants access to the internal network.
Authentication Protocols
Several protocols exist to facilitate communication between devices and authentication servers for validating login credentials.
Commonly referred to as AAA Protocols (Authentication, Authorization, and Accounting).
RADIUS Protocol
RADIUS:
Stands for Remote Authentication Dial-In User Service.
Enables central authentication regardless of the network architecture.
Key Functions:
Stores authentication credentials
Commonly employed by routers, switches, firewalls, servers, and VPN concentrators.
Allows consistent use of the same login credentials across various devices and services.
Compatibility:
Supported on multiple operating systems.
TACACS Protocol
TACACS:
Stands for Terminal Access Controller Access Control System.
Originally designed to control access to early dial-up lines of the ARPANET.
Modern version: TACACS+
Introduced in 1993 as an open standard.
Enhanced authentication capabilities and provided detailed response codes.
Common Usage:
Primarily associated with Cisco devices (e.g., switches and routers).
Kerberos Protocol
Kerberos:
A protocol allowing single sign-on (SSO) authentication system.
Developed at MIT in the 1980s for efficient network authentication.
Process:
User logs in to request a ticket-granting service (TGS).
Upon successful authentication, the TGS issues a service ticket.
The user uses this service ticket to access multiple network resources without repeated logins.
Mutual Authentication:
Ensures both user and server authenticate each other, enhancing security.
Protects against on-path and replay attacks.
Integrated into Windows OS, governing logins to the Windows ecosystem.
Limitations:
May not be compatible with non-Windows systems, necessitating supplementary technologies (e.g., smart cards, SAML).
Choosing an Authentication Protocol
Determinants for protocol selection:
Different organizations have various requirements; existing infrastructure and technologies dictate compatibility.
Example Scenarios:
A VPN concentrator may only interface with RADIUS servers.
Organizations heavily reliant on Cisco devices may implement TACACS+ for authentication.
Multifactor Authentication (MFA)
Multifactor Authentication (MFA):
Involves using multiple authentication factors for enhanced security.
Types of Authentication Factors:
Something you are: Biometric verification (e.g., fingerprints).
Something you have: A mobile phone app providing authentication codes or hardware tokens.
Something you know: Traditional credentials like passwords or PINs.
Somewhere you are: Location-based verification through GPS.
Something you do: Behavioral authentication (e.g., signature for deliveries).
Cost Implications:
Various authentication methods have different cost profiles (e.g., hardware tokens may incur greater expense while mobile apps might be free).