
Read: Class 08 RADIUS Authentication

Sérgio Charruadas edited this page Mar 3, 2023 · 15 revisions

What is RADIUS?

  • RADIUS (Remote Authentication Dial-In User Service) authentication is a widely used protocol for managing authentication, authorization and accounting (AAA) in computer networks.
  • RADIUS authentication is primarily used in remote access networks, such as VPN networks and wireless networks, to authenticate users connecting to the network from outside the organization.
  • RADIUS authentication allows network administrators to control who has access to the network by defining access policies based on roles, users, groups, and other variables.
  • RADIUS authentication provides a high level of security, using strong encryption and two-factor authentication to protect the network from malicious attacks.
  • RADIUS authentication is scalable and flexible, allowing organizations to manage large numbers of users and network devices.

Why does RADIUS Authentication Matter?

  • RADIUS authentication is important because it helps ensure that only authorized users have access to the network.
  • RADIUS authentication is also important for compliance with cybersecurity regulations such as PCI-DSS, which requires strong authentication to protect credit card data.
  • In short, RADIUS authentication is important because it helps ensure that only authorized users have access to the network, protecting the network from internal and external threats and ensuring regulatory compliance.

AAA (Authentication, Authorization and Accounting)

  • Authentication is the process of verifying the identity of the user before allowing access to system resources.
  • Authorization is the process of verifying that the user has permission to access the specific system resources they have requested.
  • Accounting is the process of tracking the use of system resources by users in order to monitor and control access to resources.
  • AAA is a security model used to protect the resources of a system, such as servers, routers and firewalls.
  • AAA can be implemented using a variety of techniques, such as passwords, cryptographic keys and two-factor authentication.
  • AAA is an important part of network security and is used in many technologies, including VPNs, RADIUS and TACACS+.

RADIUS Concepts

Authentication Methods

  • Authentication is a process of verifying the identity of a user requesting access to a system or resource.
  • There are several types of authentication methods, including knowledge-based authentication (what you know), possession-based authentication (what you have), and authentication based on physical characteristics, also known as biometric authentication (what you are).
  • Knowledge-based authentication requires the user to provide information that only they should know, such as passwords, security phrases, or answers to personal questions.
  • Possession-based authentication requires the user to present a physical object, such as a smart card, token, or mobile device, that contains authentication information.
  • Authentication based on physical characteristics uses the user's biological features, such as the face, a fingerprint, the voice, or the iris, to verify their identity.
  • Each authentication method has its own pros and cons in terms of security, ease of use and cost.
  • The choice of authentication method depends on the security requirements of the system and the convenience of the user.
  • Multi-factor authentication combines two or more authentication methods to enhance system security.

Defense in Depth

  • Defense in Depth is a cyber security strategy that involves implementing multiple layers of defense on a computer system.
  • The goal of Defense in Depth is to provide more robust protection against cyber attacks by preventing attackers from bypassing all security layers.
  • Defense in Depth layers can include firewalls, antivirus, intrusion detection systems, user authentication and encryption.
  • Defense in Depth can also include physical security measures, such as installing security cameras and access control systems to limit physical access to computing resources.
  • An effective Defense in Depth approach requires a careful analysis of system risks and vulnerabilities, as well as an assessment of the most common threats and attack methods.
  • Defense in Depth is an important part of cyber security strategy and is widely used in corporate, military and government environments.

https://assets.website-files.com/5ff66329429d880392f6cba2/622073c95144e3164625c6c3_Defense%20in%20Depth%20Layer.jpg

Source: Wallarm.com

RADIUS and TACACS

  • RADIUS (Remote Authentication Dial-In User Service) and TACACS (Terminal Access Controller Access-Control System) are authentication, authorization and accounting (AAA) management protocols used to control access to computer networks.
  • Both protocols are used to authenticate and authorize users and network devices, but differ in how they are implemented and used.
  • RADIUS is an older protocol that was originally designed to authenticate users for remote access to telephone networks.
  • RADIUS is an open and widely used network protocol that is implemented by many network hardware and software vendors.
  • TACACS was developed by Cisco Systems as a more secure and flexible alternative to RADIUS.
  • TACACS uses a cryptographic key-based authentication system to authenticate users and network devices.
  • TACACS separates the authentication, authorization and accounting functions on three separate servers, while RADIUS combines these functions on a single server.
  • TACACS offers more granular control over user access permissions, while RADIUS is simpler and offers fewer access control options.
  • TACACS is primarily used in enterprise and managed service provider (MSP) environments, while RADIUS is more commonly used in remote access networks.
  • The choice between RADIUS and TACACS depends on the security, scalability and flexibility needs of each organization.

RADIUS uses UDP port 1812 or 1645 for authentication and port 1813 or 1646 for accounting.

TACACS uses TCP port 49 to communicate between the client and server.
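The notes above describe RADIUS at the level of AAA roles and port numbers. The following is an added example, written for this page and not taken from the class notes or from any RADIUS implementation, showing what actually crosses UDP 1812 in one Access-Request / Access-Accept exchange as RFC 2865 and RFC 2869 define it: attribute TLV framing, User-Password hiding with the shared secret, the Message-Authenticator HMAC that the server checks, and the Response Authenticator that the client checks so a forged reply is dropped. The shared secret, the user table and the packet identifiers are constructed values, and no sockets are opened; the client and server functions are simply called in sequence.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # packet codes, RFC 2865
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_MESSAGE_AUTHENTICATOR = 1, 2, 80  # attribute types
USERS = {"alice": "correct horse"}  # constructed sample user database (stand-in for LDAP/AD)

def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs: type(1) length(1, header included) value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    """Parse TLVs, rejecting truncated or malformed lengths instead of reading past the buffer."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        t, ln = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + ln]))
        i += ln
    return attrs

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block); first block uses the Request Authenticator."""
    pw = password.encode() or b"\x00"
    pw += b"\x00" * (-len(pw) % 16)  # pad to a multiple of 16 octets
    out, prev = b"", request_auth
    for i in range(0, len(pw), 16):
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; trailing NUL padding is stripped."""
    if len(hidden) % 16:
        raise ValueError("User-Password length must be a multiple of 16")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00").decode(errors="replace")

def build_access_request(identifier, username, password, secret, request_auth=None):
    """Client (NAS) side: Access-Request with hidden password and an HMAC-MD5 Message-Authenticator (RFC 2869)."""
    request_auth = request_auth or os.urandom(16)
    body = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)),
        (ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16),  # zero placeholder while the HMAC is computed
    ])
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # the placeholder is the last attribute, so it occupies the final 16 bytes

def verify_message_authenticator(pkt, secret):
    """Server side: recompute HMAC-MD5 over the packet with the attribute value zeroed."""
    offset = 20
    for t, v in decode_attrs(pkt[20:]):
        if t == ATTR_MESSAGE_AUTHENTICATOR and len(v) == 16:
            zeroed = pkt[:offset + 2] + b"\x00" * 16 + pkt[offset + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), v)
        offset += 2 + len(v)
    return False  # absent: this example server treats the attribute as mandatory (a hardening choice)

def build_response(code, request_pkt, secret, attrs=()):
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret), RFC 2865 section 3."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request_pkt[1], 20 + len(body))
    resp_auth = hashlib.md5(header + request_pkt[4:20] + body + secret).digest()
    return header + resp_auth + body

def verify_response(resp_pkt, request_pkt, secret):
    """Client side: accept a reply only if its ID matches the request and the Response Authenticator checks out."""
    expected = hashlib.md5(resp_pkt[:4] + request_pkt[4:20] + resp_pkt[20:] + secret).digest()
    return resp_pkt[1] == request_pkt[1] and hmac.compare_digest(expected, resp_pkt[4:20])

def handle_access_request(pkt, secret, users=USERS):
    """Server side: validate framing, then integrity, then the credential; answer Accept or Reject."""
    if len(pkt) < 20 or pkt[0] != ACCESS_REQUEST or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("malformed Access-Request")
    if not verify_message_authenticator(pkt, secret):
        return build_response(ACCESS_REJECT, pkt, secret)
    attrs = dict(decode_attrs(pkt[20:]))
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, pkt[4:20])
    expected = users.get(username)
    ok = expected is not None and hmac.compare_digest(expected.encode(), password.encode())
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, pkt, secret)

def demo(secret=b"constructed-shared-secret"):
    """Full exchange for a good and a bad password; returns (accept code, client verified, reject code)."""
    good_req = build_access_request(7, "alice", "correct horse", secret)
    good_resp = handle_access_request(good_req, secret)
    bad_resp = handle_access_request(build_access_request(8, "alice", "wrong", secret), secret)
    return good_resp[0], verify_response(good_resp, good_req, secret), bad_resp[0]
```

Calling `demo()` returns `(2, True, 3)`: an Access-Accept the client could verify, then an Access-Reject for the wrong password. The order of checks on the server is the point to notice: framing first, then the HMAC, then the credential, so a packet that fails integrity never reaches the password comparison. The User-Password hiding is an MD5 XOR stream keyed by the shared secret, not an authenticated cipher, which is why production deployments put RADIUS inside an IPsec or TLS (RadSec, RFC 6614) tunnel rather than relying on the per-attribute hiding alone. Accounting-Request packets on port 1813 use a different authenticator rule (RFC 2866) and are not shown here.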

Kerberos

  • Kerberos is a network authentication protocol that was developed by MIT in the 1980s.
  • The goal of Kerberos is to provide strong and secure authentication in a distributed network environment.
  • Kerberos uses a "trusted third party" approach to authentication, where a central Kerberos server acts as a trusted arbiter to authenticate users and services on a network.
  • Kerberos uses a system of encrypted authentication tokens to protect communication between clients and servers.
  • Kerberos also uses a system of "tickets" to authorize users to access specific network resources.
  • Kerberos is widely used in enterprise network environments and on operating systems such as Microsoft Windows, macOS, and Linux.
  • Kerberos requires careful configuration and a reliable public key infrastructure to ensure authentication security.
  • Kerberos is an important component of many cyber security systems, including VPNs, SSH, and directory services such as Microsoft's Active Directory.

Things I want to know more about