CompTIA Security+ SYO-401

Certification Training

Comparing and Contrasting the Function Tutorial

1 Compare and Contrast the Function and Purpose of Authentication Services

Let me make your day better by offering an exciting deal. I have an offer for hosting your site on our Web Server at a 50 percent discount. This is likely to sound quite appealing to you, right? However, would you like to subscribe to this offer without knowing my identity? I am sure you would like to know who I am, whether I am a genuine dealer, and what our company rules are, before we make the offer or engage you in the deal. In any kind of transaction between two individuals or parties, the most significant initial step for each party is to establish the identity and genuineness of the other. If either party is not confident about the other, it is advisable not to go ahead with the transaction or deal. Obtaining and verifying the other party's identity credentials before entering into a transaction is exactly what authentication means! It answers the question, "Who are you?" Now, let us begin the lesson by introducing and comparing the various authentication services available for networking. The following screen explains the objectives covered in this lesson, ‘Comparing and Contrasting the Function and Purpose of Authentication Services.’ After completing this lesson, you will be able to:
• Describe RADIUS, TACACS, XTACACS, and TACACS+
• Compare and contrast RADIUS and TACACS+
• Describe Kerberos, LDAP, Secure LDAP, and SAML
• Compare and contrast Kerberos and RADIUS
• Compare and contrast LDAP and RADIUS
• Compare and contrast LDAP and Kerberos
• Compare and contrast SAML and Kerberos

2 Different Authentication Services Available for Networks

In this lesson, you will learn about the different authentication services available for networks. In the physical world, two individuals meet face to face and authenticate each other’s identity through IDs and certificates. However, this cannot happen on the Internet. On the Internet, the two parties involved in a transaction can neither see each other nor exchange ID cards. The individual on the other end of a chat message, site, or email can be anyone: a 20-year-old boy posing as a 64-year-old man, or an unknown person acting as an employee. So, how do you find out who is accessing your site or service? For that, authentication has to happen electronically, using a mix of identity and security technologies such as passwords, tokens, and biometrics. The authentication services are collectively called A-A-A, or Authentication, Authorization, and Accounting. The authentication service identifies a user by validating the credentials submitted by the user against a dedicated account database. For instance, when a username and password are provided, these credentials are verified against that database. This verification ensures that the requester is one of the users permitted to access the network or site. If the account information is successfully verified, the user is granted access. The authorization service controls what the authenticated user can access on the network or website. It might use criteria other than the account information of the user. For instance, the authorization service may require the authentication request to come from a particular subnet. The accounting service is concerned with logging activity. This makes it possible to track each individual user's usage of the various services, for billing purposes.
Over the years, several A-A-A services or protocols, such as Remote Authentication Dial-In User Service or RADIUS, Kerberos, and Terminal Access Controller Access-Control System Plus or TACACS+, have emerged in the market. These services let you take advantage of a central authentication system to deliver authentication, authorization, and accounting for different networking environments such as Virtual Private Networks or VPNs, Remote Access Services or RAS, or wireless. This course provides an awareness of these services. We will compare and contrast each of them so that you will know which one is the ideal service to employ in a particular scenario.

3 RADIUS Authentication Service

Let’s learn about the RADIUS authentication service. Remote Authentication Dial-In User Service or RADIUS refers to the A-A-A mechanism whose responsibility is to validate remote network connections. Originally proposed for dial-up connections, RADIUS has evolved significantly to provide several state-of-the-art features. To connect to the network, the client computer simply connects to a VPN server or dials into a RAS server through the Internet. This VPN or RAS server is called the RADIUS client, as it forwards the authentication request, with the encrypted password, to the RADIUS server in the background. The RADIUS server validates the credentials and replies to the RADIUS client as to whether the network client may connect to the network or not. So, what do you think is the biggest advantage? Well, it is the centralized management of access rights through a remote RADIUS client and a single RADIUS server. RADIUS, as an A-A-A protocol, uses User Datagram Protocol or UDP as its transport layer protocol. It works on two UDP ports, namely 1812 for authentication and authorization and 1813 for accounting. Regarded as an Internet Engineering Task Force or I-E-T-F standard, the RADIUS protocol is implemented by several major operating system vendors. You can also use the 802.1X protocol to control access to supporting wireless switches as well as networks. 802.1X, as a common authentication protocol, authenticates a user's wired or wireless access against a RADIUS server or any other central authentication database. This is how you implement Network Access Control or N-A-C for controlling who can connect to the network. You can consider using RADIUS to improve network security with the help of a single source of authentication for remote connections to a network, and for auditing and accounting services. In a big environment with multiple connections, a single RADIUS server performs all authentications.
However, can you guess the drawback of such a RADIUS system? Well, the major limitation of such an environment is that all connections are refused when the server malfunctions. You can deploy multiple RADIUS servers to ensure maximum reliability.

4 TACACS PLUS and XTACACS Authentication Services

Next, you will learn about the TACACS+ and XTACACS authentication services. Originally introduced as an authentication service running on the Unix platform, Terminal Access Controller Access Control System or TACACS refers to a client/server-oriented system by Cisco. Its services run over UDP port 49 and operate much like RADIUS. In a typical TACACS environment, a terminal or dial-up user logs in only if the TACACS server successfully authenticates the credentials sent by the TACACS client. This might lead you to conclude that TACACS is Cisco's version of RADIUS. So, what’s the difference between RADIUS and TACACS? Well, TACACS is superior in the sense that it encrypts the whole authentication exchange instead of only the password when the request passes from a TACACS client to a TACACS server. Doesn’t this make TACACS preferable to RADIUS? Yes, it does. Moreover, another feature making TACACS preferable to RADIUS is that it runs on TCP, while RADIUS runs on UDP. Over the years, two further generations of TACACS have come up. Let’s now explore them in the next screen. A few years after TACACS, Cisco came up with a proprietary authentication protocol or service called Extended TACACS or XTACACS. Just like TACACS, XTACACS allows a remote access server to connect to an authentication server to discover whether the user can access the network or not. However, unlike TACACS, which combines authentication and authorization, XTACACS handles authentication, authorization, and accounting tasks separately for auditing purposes. Today, both TACACS and XTACACS have been replaced by TACACS+, the latest version of the original TACACS. Let’s now learn more about the latest TACACS version and compare it with the RADIUS protocol. TACACS+ refers to the AAA protocol used as an alternative to RADIUS in Cisco networks; it is incompatible with its predecessors.
Unlike the original TACACS protocol, TACACS+ uses TCP to communicate and supports the Kerberos protocol. However, it implements the same topology as RADIUS, wherein the TACACS+ client sends the authentication request to the TACACS+ server. You can use TACACS+ to authenticate Telnet, Secure Shell or SSH, and web management access connections. It is important to note that authentication for a remote user is commonly done through RADIUS, TACACS, XTACACS, or TACACS+. So, can you identify the difference between RADIUS and TACACS+? Let’s check them out in the next screen! RADIUS and TACACS+ both offer A-A-A services but differ significantly. The table below shows the main points of distinction between RADIUS and TACACS+. First, RADIUS, as an open standard protocol, merges the authentication and authorization services, while TACACS+, as a Cisco proprietary standard, separates all the A-A-A elements, which makes it relatively more flexible. Second, RADIUS encrypts only the password, which leaves it vulnerable to different attacks, while TACACS+ encrypts both password and username. Third, RADIUS runs on a connectionless protocol, namely UDP. On the other hand, TACACS+ runs on the connection-oriented TCP protocol, which guarantees delivery. This strengthens the argument that TACACS+ is more secure and reliable than RADIUS. Fourth, RADIUS is used to allow an end user to connect to the network through a remote server, while TACACS+ is used to grant access to an administrator accessing a device, such as a router, in the network. Therefore, RADIUS offers A-A-A services to subscribers, while TACACS+ is designed to offer A-A-A services to administrators. Nevertheless, you can still use RADIUS for small-network administrators who do not need authorization, or if the network is homogeneous, with a single vendor. Fifth, RADIUS offers less granular control when it comes to authorizing users. This means that you cannot check each entered command against the server for authorization.
However, this is something that TACACS+ ensures. Moreover, RADIUS requires each network device to store its authorization-related configuration, whereas TACACS+ provides central management of that configuration. TACACS+ also makes it easy to define policies according to the user, location, type of device, or time of day. Lastly, there is less vendor support for RADIUS authorization, while several major vendors support TACACS+ authorization. Nevertheless, RADIUS is still the ideal choice for 802.1X communication. Well, you can easily conclude that RADIUS and TACACS+ are different and each has its own advantages.
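As an added example (not part of the original lesson), the following Python reproduces the two wire-protection schemes the comparison above refers to: RADIUS hides only the User-Password attribute (RFC 2865 section 5.2), while TACACS+ obfuscates the whole packet body (RFC 8907 section 4.5). Both derive a chained-MD5 keystream from the shared secret, which is why each depends on a strong secret, and why only TACACS+ keeps the username off the wire; the shared secret, Request Authenticator and session id below are constructed sample values.

```python
import hashlib
import struct


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block),
    seeded with the 16-byte Request Authenticator. Only this one attribute is protected."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block                       # chaining: next block keyed on this ciphertext
    return hidden


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server does with the shared secret; trailing NUL padding is dropped."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return clear.rstrip(b"\x00")


def radius_attributes(username: bytes, password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Access-Request attributes as Type/Length/Value: type 1 = User-Name, type 2 = User-Password.
    Note that User-Name goes on the wire in the clear."""
    hidden = radius_hide_password(password, secret, authenticator)
    return (bytes([1, 2 + len(username)]) + username +
            bytes([2, 2 + len(hidden)]) + hidden)


def tacacs_plus_obfuscate(body: bytes, key: bytes, session_id: int,
                          version: int = 0xC0, seq_no: int = 1) -> bytes:
    """RFC 8907 4.5: XOR the entire body with a pseudo-pad of chained MD5 digests over
    session_id, shared key, version byte and sequence number. Applying it twice decodes."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(b ^ k for b, k in zip(body, pad))


def exposure(username: bytes, password: bytes) -> dict:
    """Which credential fields are readable in a captured packet for each protocol."""
    secret = b"constructed-shared-secret"         # constructed sample value
    authenticator = bytes(range(16))              # constructed; random per request in practice
    radius = radius_attributes(username, password, secret, authenticator)
    tacacs_body = b"user=" + username + b"\x00pass=" + password   # stand-in for an authen START body
    tacacs = tacacs_plus_obfuscate(tacacs_body, secret, session_id=0x12345678)   # constructed id
    return {
        "radius_username_visible": username in radius,
        "radius_password_visible": password in radius,
        "tacacs_username_visible": username in tacacs,
        "tacacs_password_visible": password in tacacs,
    }
```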

5 Kerberos Authentication Service

Now, you will learn about the Kerberos authentication service. Originally designed by the Massachusetts Institute of Technology or M-I-T, Kerberos is a popular mutual authentication protocol. It is used with Active Directory by default, which follows the Lightweight Directory Access Protocol or L-D-A-P standard for querying a directory. Kerberos allows single sign-on or S-S-O while accessing resources on a distributed network. With SSO, you log on with your credentials just once and can access all systems, applications, and servers, even those of other organizations. So, what does this mean? It means that you need only one password to access various applications or resources on the network. Kerberos works with the help of a Key Distribution Center or KDC server. This server is responsible for providing the tickets a client needs to request a service on the network from any other server. The network becomes a realm for the Kerberos process, which starts when the client logs on. The KDC validates a user, system, or program, which is technically termed a principal. It consists of a component called the Authentication Server or AS, which offers an encrypted ticket-granting ticket or T-G-T with a lifetime of up to about 10 hours. The TGT carries the privileges for this principal, just like a token. So, do you think that this TGT is enough to access the service? Well, actually no! This is because the principal needs a service ticket to access any service or other principal on the network. Whenever users want to access a network resource, their computer presents the TGT to the KDC to obtain a service ticket. This ticket is issued by the Ticket Granting Service or T-G-S, which is a KDC component. The service ticket grants access to the desired service on the network, but lasts for no more than five minutes. The user’s computer sends this ticket to the server that is to be accessed.
As a final check, the server connects with the KDC to validate the service ticket. The table on the screen gives the differences between Kerberos and RADIUS. First, Kerberos is purely an authentication protocol, whereas RADIUS is an A-A-A protocol. Second, Kerberos tells the network services who you are, while RADIUS asks whether a particular device or user may access the network. Third, Kerberos implements SSO. However, RADIUS can eliminate the SSO feature of Kerberos if used as a Kerberos front end. Fourth, Kerberos is not suited for workstation and PC networks, which is not the case with RADIUS. Lastly, Kerberos is a trusted and secure protocol, thanks to the KDC. On the other hand, RADIUS is a semi-trusted protocol with no encryption for the password. Between them, RADIUS and Kerberos usually cover all authentication requirements of an internal network. You can use both RADIUS and Kerberos authentication services to better secure a wireless network. However, this depends entirely upon the organization's security policy and the deployment budget. We conclude our discussion on Kerberos. We will now proceed to explore two more authentication services. Here, you will learn about the LDAP and Secure LDAP authentication services. LDAP refers to the standardized Internet protocol for accessing a directory service over TCP port 389 by querying the directory. It is a thin version of X.500. It allows LDAP-enabled applications to authenticate to a directory to obtain information about the objects stored in that directory. You can query any directory whose service supports LDAP with an LDAP client. Familiar examples of LDAP directories are online yellow pages and an organization’s Active Directory. If LDAP works so well, then why would one use Secure LDAP? Let’s find this out in the following screen.

6 LDAP and Secure LDAP Authentication Services

LDAP is not a secure protocol, which means a breach of it can have serious consequences. To avoid these consequences, some organizations use Secure LDAP or S-LDAP. In Secure LDAP, all communications are encrypted using Secure Sockets Layer or SSL, or Transport Layer Security or TLS, over TCP. All communications occur over TCP port 636. Kerberos itself uses LDAP, but the two are different when it comes to authentication. The relationship between the two is that Kerberos provides authentication for a user, application, or server, while LDAP helps retrieve the desired information about that particular entity. The table on the screen explains the differences between Kerberos and LDAP. First, Kerberos is an authentication framework offering a variety of authentication features, which makes it relatively more scalable and flexible. On the other hand, LDAP offers data storage services for authorization and needs authentication before it allows access to the directory. Second, Kerberos never sends passwords in any form across the network, while LDAP authentication requires the client to send them. This makes Kerberos the better security service. Third, Kerberos credentials come with a shelf life to limit the damage in case of a hijack, but LDAP has no such feature: if credentials are hijacked, there is no certainty about how long they can be used. Fourth, Kerberos supports multiple authentication mechanisms such as tokens, user ID and password, and smart cards, whereas LDAP supports only the user ID and password mechanism. Fifth, Kerberos offers secure two-way authentication, while LDAP offers one-way secure authentication. Lastly, Kerberos supports setting up a security context between the network and the applications on it, confidentiality services, and SSO. LDAP does not support any of these features. In a nutshell, Kerberos wins from the security standpoint, while LDAP wins from the simplicity viewpoint.
Consider LDAP if you have rigid authentication requirements and are ready to compromise a little on security. Let’s now find out the difference between LDAP and RADIUS, which is given in the table on the screen. First, LDAP is a database access protocol, while RADIUS is not. However, RADIUS can use an LDAP database to respond to requests. Unlike LDAP servers used for authentication, RADIUS servers are capable of doing a lot more processing and even taking decisions on their own. Second, LDAP's main function is to offer directory services, which resemble a database. On the other hand, the main function of RADIUS is to provide A-A-A, which exceeds what an LDAP server can offer. Third, RADIUS servers can decouple the internal authentication mechanism from the authentication process itself, so the two can be scaled independently. Further, you need not update all clients when you change how the authentication mechanism works. Compared to LDAP servers, RADIUS servers offer much more than just authentication. Lastly, RADIUS servers are extensible to accept almost any database for accounting and authentication, such as SQL, LDAP, and password files. This is also true of LDAP servers, and is one reason for their popularity, but they do not come close to the level of RADIUS servers. In short, you should consider using RADIUS over LDAP, as LDAP is the final authority for both authentication and authorization, while RADIUS splits them. Splitting authentication and authorization is essential if you need two-factor authentication. Supporting RADIUS will include LDAP and more security features, compared to LDAP alone. Further, RADIUS is more flexible, as you can handle some requests with LDAP, some with a flat file, and others with an SQL database or other authentication servers. Now, let’s explore the last authentication service.
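The ticket flow from the Kerberos section (AS issues a TGT, TGS issues a service ticket, the service checks it) and the credential shelf life contrasted with LDAP just above, as an added Python model that is not code from the lesson. Real Kerberos encrypts each ticket under the holder's long-term key; as a simplification, tickets here are JSON sealed with an HMAC under that key, so a client can neither forge nor extend them, and every ticket carries an issued/expires window. Principal names, keys and the password hashing are constructed assumptions; the default lifetimes follow the lesson's ten hours for the TGT and five minutes for a service ticket.

```python
import hashlib
import hmac
import json
import os


def seal(key: bytes, payload: dict) -> bytes:
    """Seal a ticket: JSON body plus an HMAC tag under the key of whoever must open it."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def unseal(key: bytes, ticket: bytes, now: float) -> dict:
    """Verify the tag and the validity window; only the key holder can do this."""
    body, _, tag = ticket.rpartition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("ticket was not issued under this key")
    payload = json.loads(body)
    if not payload["issued"] <= now < payload["expires"]:
        raise PermissionError("ticket is outside its validity window")
    return payload


class KDC:
    """Key Distribution Center: Authentication Server (AS) plus Ticket Granting Service (TGS)."""

    def __init__(self, tgt_lifetime: int = 10 * 3600, service_lifetime: int = 5 * 60):
        self.tgs_key = os.urandom(32)      # known only to the KDC; seals TGTs
        self.users = {}                    # principal name -> password hash (toy; real KDCs derive a key)
        self.services = {}                 # service principal -> long-term key shared with that host
        self.tgt_lifetime = tgt_lifetime
        self.service_lifetime = service_lifetime

    def add_user(self, name: str, password: str) -> None:
        self.users[name] = hashlib.sha256(password.encode()).digest()

    def add_service(self, name: str) -> bytes:
        self.services[name] = os.urandom(32)
        return self.services[name]         # what the service host keeps (its keytab)

    def as_exchange(self, user: str, password: str, now: float) -> bytes:
        """AS: verify the principal's secret and issue a ticket-granting ticket."""
        stored = self.users.get(user)
        given = hashlib.sha256(password.encode()).digest()
        if stored is None or not hmac.compare_digest(stored, given):
            raise PermissionError("AS: unknown principal or bad password")
        return seal(self.tgs_key, {"principal": user, "issued": now,
                                   "expires": now + self.tgt_lifetime})

    def tgs_exchange(self, tgt: bytes, service: str, now: float) -> bytes:
        """TGS: validate the TGT, then issue a service ticket sealed under the service's key."""
        holder = unseal(self.tgs_key, tgt, now)
        if service not in self.services:
            raise LookupError("TGS: no such service principal")
        return seal(self.services[service], {"principal": holder["principal"], "service": service,
                                             "issued": now, "expires": now + self.service_lifetime})


def service_accepts(service_key: bytes, ticket: bytes, service: str, now: float) -> str:
    """Application server: check the presented ticket with its own key; return the principal."""
    payload = unseal(service_key, ticket, now)
    if payload["service"] != service:
        raise PermissionError("ticket was issued for a different service")
    return payload["principal"]
```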

7 SAML Authentication Service

Next, you will learn about the SAML authentication service. As the name indicates, Security Assertion Markup Language or SAML is an XML standard that allows systems to exchange authentication and authorization information online. It is an open standard used by an identity alliance to prove the identity of an entity trying to connect to a service provider. SAML v2.0 is the latest version. SAML works through an authentication assertion, issued as evidence of an authentication event. Usually, an intermediary or authorization server authenticates the user, generates the assertion as proof, and includes it in the message for the downstream service. You need to know that SAML itself does not authenticate; it transfers the authentication information. It relies on various authentication mechanisms, such as RADIUS, Active Directory, and LDAP, which implement diverse identification methods such as SSL, Kerberos, biometrics, and passwords. SAML then carries the assertion that the user has been authenticated. Both SAML and Kerberos are SSO authentication and authorization protocols. However, there is a significant difference between the two when it comes to their implementation. Let’s check out their differences in the given table. First, SAML is usually used on the Internet, while Kerberos is for enterprise LANs with Unix, Linux, or Windows systems. Essentially, Kerberos is like SAML, but it is not meant for the Internet. SAML is ideal for web applications and web SSO. Second, SAML does not need systems to sign up in advance, while Kerberos requires it for authentication through a ticket in the Kerberos domain. Third, Kerberos is purely an authentication/authorization scheme, while SAML is more of a standardized way of expressing safety markings. Lastly, Kerberos never reveals any identity details, as it is unaware of anything except the principal’s name.
On the other hand, SAML has defined standards for sharing details such as who the principal is, how to allow or deny access to the principal, and what the principal's attributes are. While Kerberos and SAML work in different environments, the future might bring their integration, linking Internet authentication technology with intranet authentication technology. This would provide more security and flexibility.

9 Summary

• TACACS is a Cisco-based client/server-oriented system. However, unlike RADIUS, it encrypts the password and runs over UDP port 49.
• TACACS+ is the latest TACACS version, designed for administrator-based AAA, while RADIUS is purely for subscriber-based AAA.
• TACACS+ ensures more granular control for authorization than RADIUS, by checking each user-submitted command against the server.
• Kerberos allows single sign-on, uses Lightweight Directory Access Protocol and Active Directory, and has the Key Distribution Center as its major component for authenticating users and applications.
• While RADIUS is a less secure AAA protocol without single sign-on, Kerberos is a more secure authentication protocol with single sign-on.
• LDAP refers to the standardized protocol for querying a directory over TCP port 389 to access a directory service. Because it is not secured, S-LDAP is used by many organizations, over TCP port 636.
• Compared to LDAP, which is an authorization protocol, Kerberos is more secure and supports more authentication mechanisms, such as passwords and tokens.
• Compared to LDAP, RADIUS is a smarter protocol, as it takes decisions and does much processing. However, both are extensible to accept any database for authentication and accounting.
• SAML is an XML standard for exchanging information regarding authentication and authorization.
• SAML is suitable for the Web, while Kerberos is designed for enterprise-based LANs with Linux and Windows systems.
With this we conclude this lesson, ‘Comparing and Contrasting the Function and Purpose of Authentication Services.’ The next lesson is ‘Selecting the Appropriate Authentication, Authorization, or Access Control in a Given Scenario.’
