***
< [Home](https://github.com/SeanOhAileasa) | [README](https://github.com/SeanOhAileasa/nkp-authentication-access-control/blob/main/README.md) >

## CompTIA Network+ - Course Material 2022
### Topic: ``Authentication and Access Control``
***

Course material for the ``CompTIA Network+`` module of the ``ICT Associate Apprenticeship (Cybersecurity)`` programme.

<a id="top"></a>
***
## Table of Contents
***

###### Quick Links
***

* [Authentication and Access Control](#topauthenticationandAccessControl)

<hr width=50%;>

<a id="topauthenticationandAccessControl"></a>
### [Authentication and Access Control](#authenticationandAccessControl)

- [1. Authentication, Authorization, and Accounting](#authenticationandAccessControl1AuthenticationAuthorizationandAccounting) <br/><br/>
- [2. Additional Authentication Types](#authenticationandAccessControl2AdditionalAuthenticationTypes) <br/><br/>
- [3. Multifactor Authentication (MFA)](#authenticationandAccessControl3MultifactorAuthentication) <br/><br/>
- [4. Access Control - Physical - Logical](#authenticationandAccessControl4AccessControl)

### [Practice: Implementing Access Control](#authenticationandAccessControlpractice)

* [1. Exercise: Implementing Access Control](#authenticationandAccessControlexercise)

<hr width=50%;>

***
## END

< [Table of Contents](#top) | [References](#references) >
<a id="authenticationandAccessControl"></a>
***
### Authentication and Access Control
***

After completing this topic, you should be able to: ``describe authentication, authorization, and accounting features such as Kerberos, Single Sign-On, auditing, and logging``.

< [Table of Contents](#top) | [References](#references) >
<a id="authenticationandAccessControl1AuthenticationAuthorizationandAccounting"></a>
***
######  1. Authentication, Authorization, and Accounting
***

Authentication, Authorization, and Accounting, sometimes referred to as AAA services, are examined here within the internal LAN environment, but the processes themselves are the same wherever they are applied, for example for remote access. 

< [Table of Contents](#top) | [References](#references) >
<a id="___"></a>
***
###### Authentication
***

Authentication determines whether the user is who they claim to be. 

It is the identify-yourself component: the user presents credentials, typically a username and a password, and the authenticating system compares them against what it has stored for that account. 

< [Table of Contents](#top) | [References](#references) >
<a id="___"></a>
***
###### Authorization
***

Authorization is then the act of giving permissions based on who you are:

> What are you allowed to do?

> Which resources can you access? 

> Which administrative tasks can you perform? 

You can never be authorized until you are authenticated: you must prove your identity first, and that identity then determines which abilities you have. 

< [Table of Contents](#top) | [References](#references) >
<a id="___"></a>
***
###### Accounting
***

Accounting measures resources consumed by a user during access, for example, the amount of data sent or received or the amount of time they are connected. 

With respect to that term and its context, you would more often see accounting used for remote connections: if, for example, you are using a dedicated VPN provided by an Internet service provider or a telco, they might bill you based on the bandwidth consumed. 

That is the more natural use of the term, but you might still see it in a LAN environment, for instance to assess the bandwidth used by a given user with a particular application or service; it is still assessing resource consumption. 

In an internal environment, however, the term you are more likely to see is auditing, which is covered next. 

They are similar in that both keep track of things, but accounting is specifically about resource usage. 

< [Table of Contents](#top) | [References](#references) >
<a id="___"></a>
***
###### Auditing
***

Auditing, by contrast, is more from the perspective of security. 

> Who is doing what? 

> Are people doing the things they are supposed to do? 

> And/or conversely, was somebody able to do something that they should not have been able to do? 

Detecting some sort of intrusion is auditing. In day-to-day conversation it is not uncommon to hear accounting and auditing used somewhat interchangeably, because you still have to account for what a person does, but strictly speaking accounting is about resource consumption and auditing is about security. 

< [Table of Contents](#top) | [References](#references) >
<a id="___"></a>
***
###### Kerberos - Authentication Protocol 
***

As mentioned, it begins with authentication, and in many environments, in particular a Windows Active Directory environment, ``Kerberos`` is the protocol that handles authentication. 

The Kerberos Key Distribution Center (KDC) holds the cryptographic keys of all users and services, because services have to log in and identify themselves as well. It is responsible for distributing keys and providing the authentication and security services, and in a Windows Active Directory environment the server providing this service is the domain controller. 

It also requires time synchronization. The user submits a login request and, as long as the credentials are valid, they are authenticated. 

If there is a problem, such as an incorrect password, they are not authenticated. Assume a successful login: the user is then granted a ticket (shown in the graphic). The components are the authentication service, which confirms that you are valid, and the ticket granting service, which issues a ticket, in effect a security badge. 

You get that ticket because, once authenticated, you have to start performing tasks: go to a file server to get the file you need, print a particular document, check your email. 

All of these require interactions with different servers, so when you make a request of one of those servers, it says: show me your ticket. Time synchronization is required because the ticket has a validity period; it records when it was issued and when it expires. 

To exaggerate, suppose the two servers were out of sync by a few hours. Then the resource server (the email server, the file server) might consider your ticket already expired when in fact it is not. Time synchronization is therefore a component of the protocol: the parties must more or less agree on what time it is, which is where the Network Time Protocol (``NTP``) comes in. The default tolerance for that time difference, using Kerberos in an Active Directory environment, is only five minutes; if the clocks disagree by more than that, authentication fails and you have to address it. 

![image.png](attachment:image.png)
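The clock-skew rule described above, as an added example that is not part of the course material: a resource server checks a presented ticket against its own clock with the five-minute Active Directory default. The timestamps are constructed, and the validity window and authenticator time are simplified stand-ins for the fields a real Kerberos ticket and authenticator carry.

```python
from datetime import datetime, timedelta, timezone

# Default maximum tolerated clock difference in an Active Directory domain.
MAX_CLOCK_SKEW = timedelta(minutes=5)


def validate_ticket(ticket_start, ticket_end, authenticator_time, server_now,
                    skew=MAX_CLOCK_SKEW):
    """Decide whether a resource server should accept a presented ticket.

    ticket_start / ticket_end: validity window stamped by the KDC's clock.
    authenticator_time: the client's current time, sent alongside the ticket.
    server_now: the receiving server's own clock.
    Returns (accepted, reason).
    """
    # Freshness check: the client's and server's clocks must agree to within
    # the allowed skew, otherwise the server answers KRB_AP_ERR_SKEW.
    if abs(server_now - authenticator_time) > skew:
        return False, "KRB_AP_ERR_SKEW: clocks differ by more than the allowed skew"
    # Lifetime check, with the same tolerance applied at both ends so a small
    # clock difference does not make a valid ticket look "not yet valid" or "expired".
    if server_now + skew < ticket_start:
        return False, "ticket not yet valid"
    if server_now - skew > ticket_end:
        return False, "ticket expired"
    return True, "accepted"


def demo():
    """Three scenarios against one ten-hour ticket (constructed timestamps)."""
    def t(h, m):
        return datetime(2022, 3, 1, h, m, tzinfo=timezone.utc)

    start, end = t(9, 0), t(19, 0)
    return {
        # Clocks two minutes apart: within tolerance, ticket accepted.
        "small_skew": validate_ticket(start, end, t(9, 10), t(9, 12)),
        # File server's clock three hours ahead: rejected for skew even though
        # the ticket itself is still inside its validity window.
        "server_hours_ahead": validate_ticket(start, end, t(9, 10), t(12, 10)),
        # Clocks agree, but the ticket genuinely ran out twenty minutes ago.
        "really_expired": validate_ticket(start, end, t(19, 20), t(19, 21)),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:20s} accepted={ok} ({why})")
```

The second scenario is the one NTP exists to prevent: the ticket is fine, but the file server's clock is wrong, so every user hitting that server fails until the clock is fixed.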

< [Table of Contents](#top) | [References](#references) >
<a id="___"></a>
***
######  Kerberos - Single Sign-on (SSO)
***

Single Sign-on is the approach of only needing to be authenticated one time, so users are not required to remember multiple usernames and passwords to be able to access these various different resources. 

A file server, a print server, a mail server; in a Windows Active Directory environment these might be an Exchange Server, a SharePoint Server, a SQL Server, all with different types of resource. Single Sign-on means that you do not have to log in again to access those resources. In many early network environments you did have to log on to each separate server to access its resources, which was somewhat cumbersome. 

SSO combines all the permissions from that single authentication so that the user can reach the various network resources. It has been in place for quite some time now, and it certainly alleviates all of those login requests. 

![image.png](attachment:image.png)

< [Table of Contents](#top) | [References](#references) >
<a id="___"></a>
***
######  Auditing and Logging
***

Finally, as mentioned, auditing and logging are typically the tracking of users' activity while accessing network resources: the services they access, the files they access, and the permissions they exercise. It is similar to accounting in that you are keeping track of things, but auditing is from the perspective of security: quite simply, is everybody behaving. 

Logging is the capture of events by operating system components. 

They track just about everything that happens. If, for example, a user logs in, that is logged: they logged in at this time, from this computer, using this identity. You can go through the logs as part of the auditing process, but the two are separate. 

Auditing is the creation of a policy that says: I want to track access to that file or this resource. 

General logging is just that: it is very general, recording that a user logged in, that a user shut down a computer, or that a user performed some task within the operating system. 

![image.png](attachment:image.png)
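The distinction above, general logging versus an audit policy applied to it, as an added example that is not part of the course material. The log lines are constructed in a simplified key=value format (an assumption for this example, not any product's real log format). The first check reads the general logon events and flags an account that succeeded right after a burst of failures; the second applies an audit policy to one share, reporting anyone outside the authorized group who touched it.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log lines; not captured from any real system.
SAMPLE_LOG = r"""
2022-03-01T08:59:10Z event=logon_failed user=alice src=10.0.0.21
2022-03-01T08:59:14Z event=logon_failed user=alice src=10.0.0.21
2022-03-01T08:59:19Z event=logon_failed user=alice src=10.0.0.21
2022-03-01T08:59:25Z event=logon_failed user=alice src=10.0.0.21
2022-03-01T08:59:31Z event=logon_success user=alice src=10.0.0.21
2022-03-01T09:02:00Z event=logon_success user=bob src=10.0.0.35
2022-03-01T09:05:12Z event=file_access user=bob path=\\FS01\payroll\q1.xlsx access=read
2022-03-01T09:06:40Z event=file_access user=carol path=\\FS01\payroll\q1.xlsx access=read
2022-03-01T09:07:02Z event=shutdown user=bob src=10.0.0.35
"""


def parse_log(text):
    """Turn each line into a dict of its key=value fields plus a parsed timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, _, rest = line.partition(" ")
        ev = dict(re.findall(r"(\w+)=(\S+)", rest))
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_password_guessing(events, threshold=3, window=timedelta(seconds=60)):
    """Accounts with >= threshold failed logons inside `window` followed by a success."""
    recent = {}   # user -> deque of failure timestamps still inside the window
    hits = []
    for ev in events:
        user = ev.get("user")
        if ev["event"] == "logon_failed":
            q = recent.setdefault(user, deque())
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()
        elif ev["event"] == "logon_success":
            q = recent.get(user)
            if q and len(q) >= threshold and ev["ts"] - q[0] <= window:
                hits.append((user, len(q), ev["src"]))
            recent.pop(user, None)
    return hits


def find_policy_violations(events, audited_prefix, allowed_users):
    """Audit policy: anyone outside `allowed_users` touching the audited share is reported."""
    return [(ev["user"], ev["path"], ev["access"])
            for ev in events
            if ev["event"] == "file_access"
            and ev["path"].lower().startswith(audited_prefix.lower())
            and ev["user"] not in allowed_users]


def audit(text=SAMPLE_LOG):
    events = parse_log(text)
    return {
        "password_guessing": find_password_guessing(events),
        "payroll_access_by_unauthorized": find_policy_violations(
            events, r"\\FS01\payroll", allowed_users={"bob"}),
    }


if __name__ == "__main__":
    for name, findings in audit().items():
        print(name, findings)
```

Nothing in the log says carol's read was wrong; only the audit policy (Finance staff only, here just bob) turns that logged event into a finding.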

< [Table of Contents](#top) | [References](#references) >
<a id="___"></a>
***
###### Conclusion - Keeping Track
***

But overall, auditing, logging, and accounting are parts of that process of just keeping track. 

They tell us what is going on, so that we can find things that happened that perhaps should not have, whether from a permissions standpoint or a troubleshooting standpoint. 

If something is going wrong, you can check the logs and hopefully run it down.

So again, those are the different components of AAA services in a LAN environment: Authentication, Authorization, and Accounting or Auditing.

< [Table of Contents](#top) | [References](#references) >
<a id="authenticationandAccessControl2AdditionalAuthenticationTypes"></a>
***
######  2. Additional Authentication Types
***

After completing this topic, you should be able to: ``describe additional authentication types including local authentication, LDAP, and certificates``.

Earlier we looked at the AAA processes, one of which was authentication. This presentation covers other methods of authentication that you might see depending on the circumstances of a given environment, beginning with local authentication. 

< [Table of Contents](#top) | [References](#references) >
<a id="___"></a>
***
######  Local Authentication
***

This is still an authentication process but it is performed by the local operating system. 

The login credentials are provided by a user and they are authenticated, but only by that system, not by something like an Active Directory domain controller. 

As such, a local logon only grants a user permissions to resources on the local computer. 

Another way to state that: when you log on locally, you cannot access resources on the network with that identity, even if the computer is attached to the network. 

You would have to provide a different set of credentials to access network resources. This is not particularly common in a Windows Active Directory environment, but local logins still exist: if you are a standard user on a Windows 10 client, chances are you log on almost exclusively with your Active Directory user account, but there are still local accounts on that computer, most notably the local administrator account. 

So in certain circumstances you might find people logging in as the local administrator to perform a task that they could not do otherwise. 

One common example is installing software. Maybe regular users are not allowed to install software, but a tech support person is; they would probably still use their own Active Directory account, because they would be given that permission. 

But in some cases you might see them log in as the local administrator, which gives them administrative permissions, but only on that computer. 

As such, they can install the software, log off, and go about their business. That is just one example. 

Local authentication can still be used where appropriate, but it is very limited in scope. 

It only allows tasks to be performed on that one computer. 

You might see local logins used exclusively in something like a workgroup, a small office or home office environment, where it does not warrant having servers or running the Active Directory service. 

Using the local logins of each computer is acceptable for smaller environments, but once you get to around 10, 15, or 20 systems it gets harder to manage, because if you use multiple computers you need an account on each of them. 

Imagine you were the administrator of a small office with 20 computers: you would need to use the administrator account on each system, and you would have to ensure that the username and password were the same on all of them if you wanted to use a single username and password everywhere. That convenience also carries a risk: a local administrator password recovered from one machine then works on all of them. 

In other words, the administrator of computer one is in fact different from the administrator of computer two. 

You can set the same name and the same password, but they are still separate accounts, so you have to log in to each computer every time you need to do something on it. Again, fine for smaller environments, not particularly common in larger ones. 

![image.png](attachment:image.png)

< [Table of Contents](#top) | [References](#references) >
<a id="___"></a>
***
###### Lightweight Directory Access Protocol (LDAP)
***

LDAP, the Lightweight Directory Access Protocol, is the protocol used to query (and, with the right permissions, modify) a directory service over the network. Active Directory exposes its directory over LDAP, and users still have to authenticate to use it. 

The typical implementation is based on the fact that if you already have a directory service such as Active Directory, then you already have, let's call it, a list of usernames, and those same users may use an application that is not natively integrated with Active Directory. 

It might not be a Windows application, or even if it is designed for Windows, it was built by a third party; it runs on Windows, but software company X developed it. You still have the same users, who already exist in Active Directory, using that application. 

LDAP lets the application use the directory as its source of identity: it can look up user and group objects in Active Directory, so the application does not need its own copy of the user list. 

Users still log in to the application separately, but with the same username and password. A well-integrated application does not store the password at all: it verifies the credentials by performing an LDAP bind against the domain controller with the username and password the user supplied, so a password changed in Active Directory takes effect immediately in the application. Because a simple bind sends the password across the network, the connection should use LDAPS or StartTLS. 

The integration is typically one way: the application reads from Active Directory (often through a read-only service account) and cannot make changes back to it, and that is the way you want it. Changes happen in Active Directory and flow down to the application, not the other way around. 

So again, it depends on the types of applications you are implementing and whether you need the same user accounts from Active Directory to be used for the LDAP-enabled application. 

Maybe you want completely separate accounts; that is fine and really your call, but if the application supports LDAP, you can reuse the directory's accounts rather than recreating them. 

![image.png](attachment:image.png)

< [Table of Contents](#top) | [References](#references) >
<a id="___"></a>
***
###### Certificates
***

Finally, certificates: these are digital documents used to secure network access and authentication.

They provide strong authentication of users and devices and can replace weaker password-based authentication. 

Most people are familiar with certificates from accessing secure websites, but they can absolutely be used in networking applications as well, including ones that are not tightly integrated with an Active Directory environment. 

If, for example, you are using a messaging application that is not Windows-based, you can still secure your email with digital certificates. A certificate binds a public key to the identity of a user or computer and is signed by a certificate authority that both parties trust; the matching private key never leaves its owner. When two computers communicate, each can say: show me your certificate. They exchange certificates, each proves possession of its private key, and the keys are used to establish an encrypted session, so the communication is now authenticated and protected. 

![image.png](attachment:image.png)

< [Table of Contents](#top) | [References](#references) >
<a id="___"></a>
***
###### Conclusion - Other Options
***

So again, it depends on the environment, the implementation, and the existing security mechanisms in place which protocols and types of authentication you use, but you do have these other options beyond what is natively supplied through something like an Active Directory environment.

< [Table of Contents](#top) | [References](#references) >
<a id="authenticationandAccessControl3MultifactorAuthentication"></a>
***
######  3. Multifactor Authentication (MFA)
***

After completing this topic, you should be able to: ``describe multifactor authentication types``.

MFA is a security mechanism that requires more than one method of authentication - combines two or more independent sets of credentials. 

Most of us are familiar with the internal LAN environment, where you authenticate by supplying a username and a password. Those are two separate pieces of information, but they are a single set of credentials: if the password policy sets the password's lifespan to 60 days, then for those 60 days you pass in the same username with the same password every time. Both are also things you know, so this is only single-factor authentication. 

Multifactor is the username and password plus something else of a different kind, which of course makes it more secure. 

While the username and password works fairly well in most internal LAN environments, it is not all that secure. Most people within an organization trust each other to a certain degree, and it is not uncommon for one user to say: just log in as me, here is my password. That reveals the password, and the account is instantly less secure. 

Beyond that, it is not all that difficult, in some cases, to guess a person's password, particularly if you know them well and are familiar with the password policy in place. 

Of course, attackers will use many different means to compromise your password, including social engineering, tricking you into revealing it, or getting a keylogger installed on your system so that it quite literally records your keystrokes. 

So in higher security environments, single-factor authentication is typically not implemented. Multifactor provides a layered defense, which makes unauthorized access more difficult, whether to a physical location, a computing device, or the entire network environment. 

< [Table of Contents](#top) | [References](#references) >
<a id="___"></a>
***
###### Technologies
***

Some of the technologies involved might include security tokens and those are typically hardware-based things like a key fob, or a smart card, for example. 

Soft tokens are software-issued tokens, such as an authentication code generated by an app and valid for one-time use. 

Mobile authentication typically means you receive a code via a text message or similar, which you also have to enter before you can access a resource (SMS codes are weaker than app-generated ones, because text messages can be intercepted or redirected, for example through SIM swapping). 

Biometrics are certainly common: retina scans, fingerprint analysis. GPS is becoming common as well; on a smartphone, your location can be determined and used as an authentication factor, in other words, you should only be accessing this resource when you are in this location. 

If you are anywhere else, you are not allowed to access it. You can use any combination of these technologies; it is really up to you and what your environment supports. 

< [Table of Contents](#top) | [References](#references) >
<a id="___"></a>
***
###### Scenarios
***

Some scenarios with respect to multifactor authentication follow, beginning with having to swipe a card and provide a PIN. 

< [Table of Contents](#top) | [References](#references) >
<a id="___"></a>
***
###### Scenarios - Swipe Card
***

A swipe card and a PIN.

This is somewhat similar to single-factor in that, like a username and password, the two are tied together but are two separate pieces of information.

Swipe and PIN have a similar relationship: this particular PIN is attached to that particular card, but they are two separate factors, because you must have the card physically in your possession and you must know the PIN. If I know your PIN, it is useless unless I can obtain your card. 

If I obtain your card, it is useless unless I know the PIN. So that does qualify as multifactor (something you have plus something you know), but ideally you would add something over and above the card and PIN, such as the location.

< [Table of Contents](#top) | [References](#references) >
<a id="___"></a>
***
###### Scenarios - Website Login
***

Logging in to a website, the site might require an additional one-time password. That is the soft-generated token: you do whatever you normally do to authenticate, you are asked for the one-time password, you enter it, and then you gain access, but the code is only good once. 

< [Table of Contents](#top) | [References](#references) >
<a id="___"></a>
***
###### Scenarios - VPN
***

VPN: sometimes clients are required to present a valid digital certificate, so the computer or device they are using must have a certificate installed to be able to connect. 

< [Table of Contents](#top) | [References](#references) >
<a id="___"></a>
***
###### Scenarios - Combination
***

Any combination, swipe a card, maybe implement biometrics, or answer a security question, and that's fairly common as well. 

I'm sure some of you have attempted to log on to your online banking from an unfamiliar device, such as a public kiosk in a hotel, and were then most likely prompted with a security question to verify that it is in fact you (security questions are a weak factor, since the answers are often guessable or discoverable). 

< [Table of Contents](#top) | [References](#references) >
<a id="___"></a>
***
###### Components of Authentication - Something You Know
***

The three main components of authentication are something you know, something you have, and something you are. Something you know is, of course, the password, the most common type of authentication; users enter passwords every day, but they can be forgotten, they are often written down, which represents a security liability, and in some cases they are not that hard to guess. 

![image.png](attachment:image.png)

< [Table of Contents](#top) | [References](#references) >
<a id="___"></a>
***
###### Components of Authentication - Something You Have
***

Something you have represents some type of physical component or device. 

A smart card, for example: with this, users no longer have to worry about forgetting passwords, but the card itself can be lost or stolen, which is why you also implement something like a PIN to go along with it, so the card by itself is useless. 

![image.png](attachment:image.png)

< [Table of Contents](#top) | [References](#references) >
<a id="___"></a>
***
###### Components of Authentication - Something You Are
***

Something you are can also be incorporated, which includes things like a fingerprint, which is very difficult to lose. 

Notwithstanding injuries or accidents, you do not just lose your fingerprints, so unlike a token or smart card, you always have your fingerprint available. 

Some considerations include the cost of the infrastructure necessary to implement fingerprint readers. 

Reliability and revocation are also concerns. If a stored fingerprint template is discovered to have been compromised you can revoke it, but you cannot issue the person a new finger. Readers also produce false accepts and false rejects, and someone could physically force you to present your own fingerprint. 

< [Table of Contents](#top) | [References](#references) >
<a id="___"></a>
***
###### Components of Authentication - Something You Do 
***

One other consideration is something you do, and/or somewhere you are. Something you do can include gestures or handwriting kinematics: some authentication mechanisms literally require you to perform a specific gesture to be authenticated, the idea being that you are the only one who knows the appropriate gesture, and handwriting analysis can check the dynamics of your handwriting to ensure it is you. 

< [Table of Contents](#top) | [References](#references) >
<a id="___"></a>
***
###### Components of Authentication - Somewhere You Are
***

Somewhere you are is something you can rely on to a degree, because there can be trusted and less trusted locations, such as branch offices of your own corporate environment. 

Those would be trusted, but a public WiFi would not be as trusted. 

It can be based on GPS zones or even time-of-day restrictions; the latter is not so much where you are as when. You can say that a resource is only accessible at a certain time of day. 

One more quick example of the somewhere: with a bank card and a PIN, you need the card and you need to know the PIN, but you can also use the location, because it would be physically impossible for you to use your bank card somewhere in the United States and then, ten minutes later, somewhere in Europe.

That just cannot happen, so if it does, clearly some fraudulent activity is taking place. Ultimately it is up to you, but there are a number of methods available these days to enhance authentication by using these other factors.

![image.png](attachment:image.png)
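The bank-card example above turned into a check, as an added example that is not part of the course material: consecutive uses of one card are compared by great-circle distance and elapsed time, and any pair that would have required faster-than-airliner travel is flagged. The coordinates and timestamps are constructed; the 1000 km/h threshold is an assumption to tune.

```python
import math
from datetime import datetime, timedelta

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(events, max_speed_kmh=1000.0):
    """events: list of (timestamp, lat, lon, label) for one card or account, in time order.

    Returns (from_label, to_label, distance_km, implied_speed_kmh) for every
    consecutive pair whose implied speed exceeds max_speed_kmh.
    """
    alerts = []
    for prev, cur in zip(events, events[1:]):
        dist = haversine_km(prev[1], prev[2], cur[1], cur[2])
        hours = (cur[0] - prev[0]).total_seconds() / 3600.0
        if hours <= 0:
            speed = math.inf if dist > 0 else 0.0   # two places at the same instant
        else:
            speed = dist / hours
        if speed > max_speed_kmh:
            alerts.append((prev[3], cur[3], round(dist), round(speed)))
    return alerts


def demo():
    """Constructed card activity: New York, then London ten minutes later, then London again."""
    t0 = datetime(2022, 3, 1, 10, 0)
    card_events = [
        (t0, 40.7128, -74.0060, "New York"),
        (t0 + timedelta(minutes=10), 51.5074, -0.1278, "London"),
        (t0 + timedelta(hours=2), 51.5074, -0.1278, "London"),
    ]
    return impossible_travel(card_events)


if __name__ == "__main__":
    for src, dst, km, kmh in demo():
        print(f"{src} -> {dst}: {km} km at {kmh} km/h, impossible")
```

Only the first pair fires: the two London transactions two hours apart imply a speed of zero, so a legitimate traveller who stays put is not bothered.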

< [Table of Contents](#top) | [References](#references) >
<a id="authenticationandAccessControl4AccessControl"></a>
***
######  4. Access Control - Physical - Logical
***

After completing this topic, you should be able to: ``recognize the various access control features such as 802.1x, NAC, port security, MAC filtering, captive portal, and access control lists``.

This presentation covers access control, which refers to a fairly broad scope of methods and implementations, though there are quite specific ways to implement it. Overall, it is a security technique used to regulate access to resources in a computing environment. 

Among the more common methods that most people are familiar with are permissions: to access a file or folder you need permission, and that is maintained by an access control list (ACL). Each entry on the list names a user or group and the rights it is allowed, or explicitly denied; if no entry grants you the right, you are not allowed. That is one specific example of a very general approach, and access control is certainly not limited to folders and files. 

It can begin with physical access, which can limit your access to a building or any kind of physical IT asset. 

Another common example: most regular users would not be allowed to enter the server room or the wiring closet where the routers and switches are, so you quite literally prevent them from gaining access to those locations. 

Logical access control refers more to computer networks and data. That is not where it starts or ends; there is a lot of variation in between, but ultimately it all comes down to:

> Can you access something? 

Whether it's physical or logical certainly depends on the circumstances but one way or another, you generally need to control the access to any kind of resource. 
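The access control list evaluation described above, as an added example that is not part of the course material: entries name a user or group, a set of rights, and allow or deny, and the evaluation follows the Windows rules that an explicit deny matching the user or any of their groups wins over every allow, and that not being on the list means no. The group memberships and the payroll ACL are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access control entry: who, which rights, allow or deny."""
    principal: str           # user or group name
    rights: frozenset        # e.g. {"read", "write"}
    allow: bool = True


# Constructed group membership; in a domain this would come from the directory.
GROUPS = {
    "alice":   {"Finance", "Domain Users"},
    "bob":     {"Domain Users"},
    "mallory": {"Contractors", "Domain Users"},
}

# Constructed ACL for a payroll folder.
PAYROLL_ACL = [
    Ace("Contractors", frozenset({"read", "write"}), allow=False),  # explicit deny
    Ace("Finance", frozenset({"read", "write"})),
    Ace("Domain Users", frozenset({"read"})),
]


def principals_for(user):
    """The user plus every group they belong to; all of these are checked against the ACL."""
    return {user} | GROUPS.get(user, set())


def is_permitted(acl, user, right):
    """Explicit deny beats allow regardless of entry order; no matching allow means denied."""
    who = principals_for(user)
    granted = False
    for ace in acl:
        if ace.principal in who and right in ace.rights:
            if not ace.allow:
                return False
            granted = True
    return granted


def demo():
    return {
        "alice_write": is_permitted(PAYROLL_ACL, "alice", "write"),   # Finance: allowed
        "bob_read": is_permitted(PAYROLL_ACL, "bob", "read"),         # Domain Users: allowed
        "bob_write": is_permitted(PAYROLL_ACL, "bob", "write"),       # nobody grants it
        "mallory_read": is_permitted(PAYROLL_ACL, "mallory", "read"),  # deny beats Domain Users allow
        "eve_read": is_permitted(PAYROLL_ACL, "eve", "read"),         # not on the list at all
    }


if __name__ == "__main__":
    for who, ok in demo().items():
        print(f"{who}: {'allowed' if ok else 'denied'}")
```

The mallory case is the one worth remembering when troubleshooting: a user can belong to a group that is clearly on the list and still be refused, because a deny entry somewhere else on the same list applies to another of their groups.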

< [Table of Contents](#top) | [References](#references) >
<a id="___"></a>
***
###### 802.1X
***

One method is 802.1X, the IEEE standard for port-based network access control. It applies to any device attempting to connect to a network, wired or wireless, and the question it answers is:

> What is trying to access it? 

If we just think about authentication, this is typically a user supplying a username and password to gain access to a file, folder, or other network resource. But at a lower level, you are using a computer attached to a physical network, and authentication can be implemented at that level as well: with 802.1X the switch port or wireless access point (the authenticator) passes only authentication traffic from the connecting device (the supplicant) until the device, or the user on it, has authenticated, usually to a RADIUS server (the authentication server). That is how you prevent unauthorized devices from getting onto the network at all. 

You might more commonly hear it referenced with respect to wireless networks (WPA2-Enterprise and WPA3-Enterprise use it), because people want to access wireless networks from laptops, tablets, and phones, but it is not limited to wireless at all; it applies to any device attempting to connect to any physical network. 

< [Table of Contents](#top) | [References](#references) >
<a id="___"></a>
***
###### 802.1X - Extensible Authentication Protocol (EAP)
***

``802.1X`` carries its authentication inside the ``Extensible Authentication Protocol`` (``EAP``). Extensible means it is literally pliable and flexible: it was designed to grow and evolve, so it is not limited to one specific method of authentication. 

EAP methods include:

- ``EAP-MD5``, a simple challenge/response using the ``Message Digest 5`` hash of a password; it authenticates only the client, derives no session keys, and is not suitable for wireless networks


- ``EAP-TLS``, based on ``Transport Layer Security`` (the successor to ``SSL``); the strongest common method, authenticating both server and client with certificates, which means every client needs its own certificate


- ``EAP-TTLS``, ``Tunneled TLS``: the server authenticates with a certificate and a TLS tunnel is built, then the client authenticates inside that tunnel with another method, often a username and password, so clients do not need certificates


- ``LEAP`` and ``PEAP`` are ``Lightweight`` and ``Protected`` EAP: 

> ``LEAP`` was developed by Cisco for its own devices and has known shortcomings; its password exchange can be attacked offline with a dictionary, so it should not be deployed today

> ``PEAP`` builds a TLS tunnel using the server's certificate, much like EAP-TTLS, and then runs an inner EAP method (commonly EAP-MSCHAPv2) through that tunnel to authenticate the user

In every case the idea is to authenticate a device, or the user on it, as it connects to the network, as opposed to a user authenticating to a directory service once already on the network.

< [Table of Contents](#top) | [References](#references) >
<a id="___"></a>
***
###### Network Access Control (NAC)
***

``Network Access Control`` (``NAC``) is another approach whereby you enforce access to the network through various types of policies, including what are referred to as pre-admission endpoint security checks.

Admission controls then refer to the extent of network access: even if you pass the checkpoints and are allowed on, what can be done with that access can still be limited. The pre-admission security checks refer to the fact that devices have to meet certain standards to gain access:

- the authentication method being used is considered


- the presence of an antivirus application can be checked


- system updates can be checked, to ensure that a critical security patch is not missing 


- specific configurations can also be verified, such as whether a firewall has been disabled, things along those lines

So you have to meet these standards before you are given access and again, even if you are given access, you can still restrict that level of access depending on the circumstances. 
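The two halves of that policy, the pre-admission checks and the admission control that decides how much access a device gets, can be written down as a small policy engine. The following is an added example, not code from the course or from any NAC product; the posture fields, the accepted authentication methods and the three access tiers are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed admission policy for a hypothetical NAC deployment.
ACCEPTED_AUTH_METHODS = {"802.1X-PEAP", "802.1X-TLS"}
MAX_MISSING_CRITICAL_PATCHES = 0


@dataclass(frozen=True)
class EndpointPosture:
    """What the NAC agent (or an agentless scan) reports about a device before admission."""
    auth_method: str            # how the device authenticated, e.g. "802.1X-PEAP" or "none"
    antivirus_running: bool
    missing_critical_patches: int
    firewall_enabled: bool


def pre_admission_checks(posture: EndpointPosture) -> list:
    """Return the names of the checks the device fails; an empty list means compliant."""
    failures = []
    if posture.auth_method not in ACCEPTED_AUTH_METHODS:
        failures.append("authentication")
    if not posture.antivirus_running:
        failures.append("antivirus")
    if posture.missing_critical_patches > MAX_MISSING_CRITICAL_PATCHES:
        failures.append("patches")
    if not posture.firewall_enabled:
        failures.append("firewall")
    return failures


def admission_decision(posture: EndpointPosture) -> tuple:
    """Map the check results to the extent of access granted (the admission control).

    - a device that did not authenticate acceptably is refused outright
    - an authenticated but non-compliant device goes to a remediation VLAN, where it
      can reach update servers but nothing else
    - a compliant device gets full access
    """
    failures = pre_admission_checks(posture)
    if "authentication" in failures:
        return "deny", failures
    if failures:
        return "remediation-vlan", failures
    return "full-access", failures


if __name__ == "__main__":
    laptop = EndpointPosture("802.1X-PEAP", antivirus_running=True,
                             missing_critical_patches=2, firewall_enabled=False)
    print(admission_decision(laptop))  # ('remediation-vlan', ['patches', 'firewall'])
```

Returning the list of failed checks alongside the decision is deliberate: the same data drives the user-facing remediation message and the audit log entry, so an administrator can later answer why a particular device was restricted.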


< [Table of Contents](#top) | [References](#references) >
<a id="___"></a>
***
###### Port Security
***

Port security refers to a layer 2 traffic control feature, commonly found on switches, that implements security by only allowing certain MAC addresses to communicate through a physical port of the switch. 

If a packet arrives from a MAC address that is not secure, or not registered if you will, the port quite simply does not forward it; it is discarded. This prevents multiple users from sharing a single port, or somebody from trying to sneak their way in through a switch port. 

< [Table of Contents](#top) | [References](#references) >
<a id="___"></a>
***
###### MAC Filtering
***

Similar to that is MAC filtering. This is based on the fact that every network interface has a globally unique 48-bit address that is assigned to only that interface, never changes, and is never reused. That allows you to specify a list of devices to allow or deny on a network, so you can whitelist or blacklist certain MAC addresses; again, if a packet arrives that does not carry a MAC address you consider acceptable, you simply drop or discard it. 
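Port security (the previous section) and MAC filtering (this one) both key on the source MAC address, so one added example covers both; it is illustrative code, not taken from the course or from any switch vendor. `SecurePort` models a single access port that learns up to a configured number of MACs and reacts to a violation in one of the three modes commonly offered on switches (protect, restrict, shutdown); `mac_filter` models a network-wide allow or deny list. Port names, MAC addresses and mode names are constructed for the example.

```python
import re

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept 'aa:bb:cc:dd:ee:ff', 'AA-BB-CC-DD-EE-FF' or 'aabb.ccdd.eeff'; return 'aabbccddeeff'."""
    digits = re.sub(r"[:\-.]", "", mac).lower()
    if not _MAC_RE.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


class SecurePort:
    """One switch access port with port security enabled.

    Violation modes mirror the usual vendor behaviour:
      protect  - drop frames from unknown MACs silently
      restrict - drop them and count the violation (what a monitoring system alerts on)
      shutdown - drop them and err-disable the port until an admin re-enables it
    """

    def __init__(self, name, max_macs=1, violation="shutdown", static_macs=()):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError(f"unknown violation mode {violation!r}")
        self.name = name
        self.max_macs = max_macs
        self.violation = violation
        self.secure_macs = {normalize_mac(m) for m in static_macs}  # statically configured MACs
        self.violation_count = 0
        self.err_disabled = False

    def ingress(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is forwarded, False if it is dropped."""
        mac = normalize_mac(src_mac)
        if self.err_disabled:
            return False
        if mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.max_macs:
            self.secure_macs.add(mac)   # sticky learning of the first MAC(s) seen on the port
            return True
        # unknown MAC and the table is already full: this is a violation
        if self.violation != "protect":
            self.violation_count += 1
        if self.violation == "shutdown":
            self.err_disabled = True
        return False


def mac_filter(src_mac: str, allow=None, deny=()) -> bool:
    """Network-wide MAC filtering: an allow list, if configured, is authoritative
    (whitelist); otherwise anything not on the deny list (blacklist) is accepted."""
    mac = normalize_mac(src_mac)
    if allow is not None:
        return mac in {normalize_mac(m) for m in allow}
    return mac not in {normalize_mac(m) for m in deny}


if __name__ == "__main__":
    port = SecurePort("Gi1/0/7")                 # default: one MAC, shutdown on violation
    print(port.ingress("00:11:22:33:44:55"))     # True, learned
    print(port.ingress("66:77:88:99:aa:bb"))     # False, port is now err-disabled
    print(port.err_disabled, port.violation_count)
```

Note what the shutdown mode means operationally: after the violation even the legitimately learned device is cut off until someone clears the port, which is exactly why the restrict mode, with its violation counter feeding a log or SNMP trap, is often preferred on user-facing ports.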


< [Table of Contents](#top) | [References](#references) >
<a id="___"></a>
***
###### Captive Portal
***

A captive portal is usually just something users have to agree to, quite often a web page they are presented with before accessing a network. 

It can be used to present terms and conditions and the expectations placed on users, and to perform verification. Commonly found in airports, hotels, lobbies, and coffee shops, it basically amounts to agreeing to the terms before you can access the resource.

< [Table of Contents](#top) | [References](#references) >
<a id="___"></a>
***
###### Access Control List (ACL)
***

Finally, access control lists, as mentioned, are very common in terms of restricting access to files and folders: you simply have a list of acceptable users and what their permissions are. 

In terms of networking, an ACL can allow or deny traffic based on the IP address and/or the port being used. Ultimately, it just determines the permissions and access rights to grant to a user or a group. It is typically controlled by an administrator, and it is up to them to say yes, you are allowed, or no, you are not. 

If you are allowed, there can be variance in terms of the abilities as well, such as read only versus full control. 
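The network form of an ACL, a list evaluated top down with the first matching entry deciding and an implicit deny at the end, is worth seeing in code because the ordering rule is the usual source of mistakes. This is an added example, not from the course or from any router vendor; the addresses, ports and entries are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class AclEntry:
    action: str                          # "permit" or "deny"
    protocol: str                        # "ip" (any protocol), "tcp" or "udp"
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    dst_port: Optional[int] = None       # None means any destination port


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def entry_matches(entry: AclEntry, pkt: Packet) -> bool:
    """Every field of the entry that is not a wildcard has to match the packet."""
    if entry.protocol != "ip" and entry.protocol != pkt.protocol:
        return False
    if ipaddress.ip_address(pkt.src) not in entry.source:
        return False
    if ipaddress.ip_address(pkt.dst) not in entry.destination:
        return False
    if entry.dst_port is not None and entry.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl, pkt: Packet) -> str:
    """Walk the ACL top down; the first matching entry decides, and the implicit
    'deny' at the end catches anything no entry mentioned."""
    for entry in acl:
        if entry_matches(entry, pkt):
            return entry.action
    return "deny"


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


# Constructed example: the user LAN 10.0.0.0/24 may reach the server 10.0.1.10
# on HTTPS only, but may reach every other destination freely.
USER_LAN_ACL = [
    AclEntry("permit", "tcp", net("10.0.0.0/24"), net("10.0.1.10/32"), 443),
    AclEntry("deny",   "ip",  net("10.0.0.0/24"), net("10.0.1.10/32")),
    AclEntry("permit", "ip",  net("10.0.0.0/24"), ANY),
]


if __name__ == "__main__":
    print(evaluate(USER_LAN_ACL, Packet("tcp", "10.0.0.5", "10.0.1.10", 443)))  # permit
    print(evaluate(USER_LAN_ACL, Packet("tcp", "10.0.0.5", "10.0.1.10", 22)))   # deny
    print(evaluate(USER_LAN_ACL, Packet("tcp", "172.16.0.9", "10.0.1.10", 443)))  # deny (implicit)
```

Swapping the first two entries would silently block HTTPS to the server as well, because the broader deny would then match first; when reviewing an ACL, read it in order and ask for each entry which earlier entry could shadow it.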

But any or all of these methods can be used to implement various degrees of access control. 

< [Table of Contents](#top) | [References](#references) >
<a id="___"></a>
***
###### Conclusion - Only Authorized Users gain Access
***

In many cases it is definitely something you need to pay attention to, to ensure that only authorized users gain access to the resources they need.

< [Table of Contents](#top) | [References](#references) >
<a id="authenticationandAccessControlpractice"></a>
***
### Practice: Implementing Access Control
***

After completing this topic, you should be able to: ``implement access control``

i. Describe the difference between authentication and authorization. 


ii. Describe the benefits of Single Sign-on, or SSO. 


iii. List the different types of multifactor authentication. 


iv. Describe various access control features. 

< [Table of Contents](#top) | [References](#references) >
<a id="authenticationandAccessControlexercise"></a>
***
###### 1. Exercise: Implementing Access Control
***

i. Describe the difference between authentication and authorization. 

Authentication is always simply establishing your identity - prove to me that you are who you claim to be. 

Authorization is then what you are allowed to do, so you can never be authorized to do anything until you have been authenticated: I need to know who you are before I can decide what you are allowed to do.

In essence the two pretty much work together so that you can prove your identity and then you can be granted the permissions you need to be able to perform your job. 

ii. Describe the benefits of Single Sign-on, or SSO. 

This allows a single authentication to be used to access many network resources without having to authenticate to each resource separately. If you go back quite a ways, some early network environments did actually require you to authenticate to each server you wanted to access, which was cumbersome, a bit of a pain to put it simply, logging in over and over again for each of those resource servers. 

Single Sign-on says authenticate once, then that authentication will be trusted by the other servers and the other resources in the environment, so that you do not have to log in again and again and again. 

iii. List the different types of multifactor authentication; there are several.

In almost every case there is a username and a password, but to go beyond that is to enter the multifactor authentication world, and that can include something like a smart card and/or a PIN. 

Any kind of biometric, such as a fingerprint or a retina scan. 

A mobile device where you can be sent an authentication code by text message, for example.

Your location can also be used (you can only access this resource provided you are in our branch office, for example), and gestures can be included, so that you literally have to perform a specific gesture to gain access. 

So again, there are several options, but multifactor authentication in and of itself typically refers to supplying a username and password and then at least one other method to establish your identity.

iv. Finally, describe various access control features. 

This can be implemented at two different levels if you will, physical and logical. 

Physical can refer to things like locks or security guards, controlling access to a building or to a secure room.

Logical refers more to accessing network resources, and it can involve components such as ``802.1x``, which controls access to a network at the device level: any kind of device wanting to connect to a network can use ``802.1x`` authentication to validate its identity before it can connect. 

Network access control can be used to verify the integrity of a system: features such as whether there is an antivirus, whether all security patches have been applied, and whether a firewall is present have to be detected before access is granted. 

Port security, whereby a switch only forwards traffic over a physical port when it arrives from a specific, registered MAC address. 

MAC filtering can be implemented so that only acceptable MAC addresses will be allowed to communicate on the network - anything other than those that are specifically white-listed are not allowed. 

Finally, access control lists: files, folders, and printers have, quite literally, lists of acceptable users and their level of access. If you are on the list, you are granted access; if you are not on the list, you are not.

Ultimately there are a lot of different ways by which you can implement access control and you can certainly implement several of them and in fact, it is recommended to do so because the more layers you have, the more secure the environment will be.

***
## END

< [Table of Contents](#top) >
<a id="references"></a>
***
## References
***

***
## END

< [Table of Contents](#top) | [References](#references) >
<a id="appendix"></a>
***
## Appendix
***

***
## END
