Authorization, Authentication, and Accounting Flashcards Preview

CompTIA N10-007 Network+ > Authorization, Authentication, and Accounting > Flashcards

Flashcards in Authorization, Authentication, and Accounting Deck (9)
Loading flashcards...
1
Q

AAA framework

A
  • Identification - This is who you claim to be
    • Usually your username
  • Authentication
    • Prove you are who you say you are
    • Password and other authentication factors

• Authorization
• Based on your identification and authentication,
what access do you have?

• Accounting
• Resources used: Login time, data sent and received,
logout time

2
Q

RADIUS (Remote Authentication Dial-in User Service)

A

• One of the more common AAA protocols
• Supported on a wide variety of platforms and
devices
• Not just for dial-in

  • Centralize authentication for users
    • Routers, switches, firewalls
    • Server authentication
    • Remote VPN access
    • 802.1X network access

• RADIUS services available on almost any server
operating system

3
Q

TACACS

A

• Terminal Access Controller Access-Control System
• Remote authentication protocol
• Created to control access to dial-up lines to
ARPANET

  • XTACACS (Extended TACACS)
    • A Cisco-created (proprietary) version of TACACS
    • Additional support for accounting and auditing

• TACACS+
• The latest version of TACACS, not backwards
compatible
• More authentication requests and response codes
• Released as an open standard in 1993

4
Q

Kerberos

A
  • Network authentication protocol
    • Authenticate once, trusted by the system
  • No need to re-authenticate to everything
    • Mutual authentication - the client and the server
    • Protect against man-in-the-middle or replay attacks

• Standard since the 1980s
• Developed by the Massachusetts Institute of
Technology (MIT)
• RFC 4120

• Microsoft starting using Kerberos in Windows 2000
• Based on Kerberos 5.0 open standard
• Compatible with other operating systems and
devices

5
Q

SSO with Kerberos

A
  • Authenticate one time
    • Lots of backend ticketing, uses cryptographic tickets

• No constant username and password input! - Save
time
• Only works with Kerberos
• Not everything is Kerberos-friendly

6
Q

LDAP (Lightweight Directory Access Protocol)

A

• Protocol for reading and writing directories over an IP
network
• An organized set of records, like a phone directory

• X.500 specification was written by the International
Telecommunications Union (ITU)
• They know directories!

• DAP ran on the OSI protocol stack
• LDAP is lightweight, and uses TCP/IP (tcp/389 and
udp/389)

• LDAP is the protocol used to query and update an
X.500 directory
• Used in Windows Active Directory, Apple
OpenDirectory, OpenLDAP, etc.

• Hierarchical structure - Builds a tree

  • Container objects
    • Country, organization, organizational units

• Leaf objects - Users, computers, printers, files

7
Q

Local authentication

A
  • Credentials are stored on the local device
    • Does not use a centralized database
  • Most devices include an initial local account
    • Good devices will force a password change
  • Difficult to scale local accounts
    • No centralized administration
    • Must be added or changed on all devices
  • Sometimes useful as a backup
    • The AAA server might not be available
8
Q

Certificate-based authentication

A

• Smart card - Private key is on the card

  • PIV (Personal Identity Verification) card
    • US Federal Government smart card
    • Picture and identification information
  • CAC (Common Access Card)
    • US Department of Defense smart card
    • Picture and identification
  • IEEE 802.1X
    • Gain access to the network using a certificate
    • On device storage or separate physical device
9
Q

Auditing

A
  • Log all access details
    • Automate the log parsing
    • OS logins, VPN, device access
  • Usage auditing
    • How are your resources used?
    • Are your systems and applications secure?
  • Time-of-day restrictions
    • Nobody needs to access the lab at 3 AM

Decks in CompTIA N10-007 Network+ Class (86):