3.8 Given a scenario, implement authentication and authorization solutions.

Question 1

TACAS

Answer 1

Terminal Access Controller Access-Control System Plus (TACACS+) is specifically designed for network administration of routers. TACACS+ data packets are encrypted and make it easier for network admins to work with multiple routers simultaneously.

Question 2

RADIUS

Answer 2

Remote Authentication Dial Up (RADIUS) is used primarily for network access control. Although it can be used to administer network appliances, TACACS+ performs authentication, authorization, and accounting functions better.

Question 3

802.1x

Answer 3

802.1X Port-based Network Access Control (NAC) protocol provides the means of using an Extensible Authentication Protocol (EAP) method when a device connects to a switch port, wireless access point, or VPN gateway.

Question 4

PAP

Answer 4

The Password Authentication Protocol (PAP) is an unsophisticated authentication method used as the basic authentication mechanism in HTTP. It relies on clear-text password exchange.

Question 5

ABAC

Answer 5

Attribute-Based Access Control (ABAC) is the ideal choice for assigning complex rule-based privileges. ABAC makes access decisions based on subject and object attributes, as well as context-dependent and system-wide attributes, making it the most fine-tuned control.

Question 6

RBAC

Answer 6

Role-Based Access Control (RBAC) allocates user permissions based on roles or group memberships. This company requires more fine-grained access controls that take into account other factors, as well.

Question 7

DAC

Answer 7

Discretionary Access Control (DAC) gives access based on a content creator or owner, who grants permissions. This type of control is flexible, yet vulnerable to an insider attack, and task-heavy for the content creator.

Question 8

MAC

Answer 8

Mandatory Access Control (MAC) enforces rules based on security clearances and labels of resources, to which a user is granted “need to know” or not. This form is ideal for military units and highly secure information but is cumbersome for normal use.

Question 9

SAML

Answer 9

Security Association Markup Language (SAML) authorizations or tokens are written and signed with the eXtensible Markup Language (XML) signature specification; this digital signature allows the service provider to trust the identity provider.
SAML tokens are not encrypted using Public Key Infrastructure (PKI) digital signatures, but with the eXtensible Markup Language (XML) signature specification.

Question 10

OIDC

Answer 10

OpenID and OpenID Connect (OIDC) are examples of user-centric identity management protocols; whereas, SAML implementations are controlled by the system, or enterprise controlled. These use JavaScript Object Notation (JSON) and JSON Web Tokens (JWT) rather than eXtensible Markup Language (XML).

Question 11

OAUTH

Answer 11

The “auth” in OAuth stands for “authorization,” not authentication. This is an easy method to distinguish between OAuth and OpenID Connect (OIDC). OAuth facilitates the transfer of information between sites with authentication delegated to the OAuth provider, not the OAuth consumer. OIDC authenticates federated applications.