Access Control Protocols: Bangladesh University of Professionals LT Col Jahangir 18 FEB 2022
LT COL JAHANGIR
18 FEB 2022
Outline
Identity Management Protocols
Single-Sign-On (SSO)
Dial-In SSO
RADIUS
TACACS+
AAA Protocols
RADIUS vs TACACS+
DIAMETER
SESAME
KERBEROS
Identity and Access Management (IAM) Protocols
Identity and Access Management (IAM) protocols are designed
specifically for the transfer of authentication and authorization information. Each
consists of a series of messages exchanged in a preset sequence, designed to protect
the credentials and decisions they carry as they travel across networks or between servers.
• LDAP, SAML, SCIM, OAuth, OpenID, XACML, RADIUS, Kerberos, TACACS, etc.
Identity and Access Management (IAM) protocols
LDAP
The Lightweight Directory Access Protocol (LDAP) is an open standard (LDAPv3 is specified
in RFC 4511), not open-source software; Microsoft’s Active Directory is one of many directory
services that expose an LDAP interface. LDAP is among the oldest identity and access
management protocols. It runs over TCP (port 389, or 636 for LDAP over TLS) and is most
often used in modern organizations to look up users and groups and to handle authentication
for on-premises applications. A simple bind sends the password in clear text, so it should
only be used over TLS.
SAML
The Security Assertion Markup Language (SAML) is an XML-based open standard for passing
signed authentication and attribute assertions from an identity provider to a service
provider. It is most often used for browser-based Single Sign-On (SSO) to web applications.
It is not used to authenticate or authorize network-device or dial-in connections (the
domain of RADIUS and TACACS+), and it is less common for internal, non-web applications.
OpenID
Like SAML, OpenID is used for web applications and can be seen in practice when signing in
to a third-party site with a Google or Yahoo! account; its current form, OpenID Connect, is an
identity layer built on OAuth 2.0. Implementation of this protocol is less
Identity and Access Management (IAM) protocols (cont…)
OAuth
OAuth is an open standard for access delegation (authorization, not authentication). It is
commonly used as a way for Internet users to grant a website or application scoped access
to their information on another website without handing over their password. Companies
such as Amazon, Google, Facebook, Microsoft and Twitter use it to let users share data from
their accounts with third-party applications or websites.
TACACS
Terminal Access Controller Access Control System (TACACS) was originally developed for the
U.S. Department of Defense (MILNET) as a protocol to simplify authentication and
authorization so that users could move between machines within a complex infrastructure
without multiple logins. Cisco later extended it, first as XTACACS and then as TACACS+,
which is a separate, Cisco-originated protocol (documented in RFC 8907) and the version
deployed today.
Using TCP (port 49), user credentials are sent from a network access server to a central
authentication server to complete the authentication process. TACACS+ encrypts the entire
body of every packet (only the 12-byte header is in clear) by XORing it with an MD5-derived
keystream from the shared secret, so usernames, prompts, commands and authorization
attributes are all hidden in transit, not just the password.
Identity and Access Management (IAM) protocols (cont…)
Diameter
Diameter evolved out of RADIUS (it is specified in RFC 6733) and has replaced it in mobile
core networks, although RADIUS remains dominant for enterprise network access. Diameter
works over TCP and Stream Control Transmission Protocol (SCTP), port 3868, with TLS or
IPsec for transport protection, and exchanges request/answer message pairs between the
client and the server; the Result-Code in each answer tells whether access is granted to an
authorized user or denied to one without proper credentials.
Diameter is built on peer-to-peer architecture and functions
Kerberos
This free, open protocol was developed at the Massachusetts Institute of Technology (MIT)
and uses tickets and authenticators issued by a Key Distribution Center (KDC) to verify
user identities. Kerberos is in wide use: it is the default authentication protocol in
Microsoft Active Directory domains, where it provides the automatic sign-in to Windows
resources, and the MIT and Heimdal implementations serve the same role on Unix-like systems.
Single Sign-On (SSO)
The technology behind SSO can vary. A single sign-on can be implemented with several
protocols; the most common are LDAP, Kerberos, SAML and OpenID.
One very popular single sign-on is a Google account. When you are logged into a
Google account, you get automatic access to the other Google products connected to that
account. The central account service gives you access to YouTube, Analytics, Drive,
Maps, and the rest of the Google-serviced products. Even if you only signed up
for Gmail, the session cookie issued at sign-in is presented to the other services,
which validate it instead of asking you to log in again.
Single Sign-On (SSO)
Single Sign-On (SSO) at BUP
Dial-In SSO Solutions
Steps to RADIUS Authentication
RADIUS Features
RADIUS is an IETF standard protocol - RFC 2865 (accounting in RFC 2866)
Standard attributes can be augmented by proprietary attributes:
Vendor-Specific Attribute (type 26) carries vendor AV pairs; Cisco uses it to carry its
TACACS+-style cisco-avpair attributes over RADIUS
Uses UDP on standard port numbers (1812 for authentication and 1813 for accounting; CSACS
uses the legacy ports 1645 and 1646 by default)
It includes only two security features:
1. Hiding of the User-Password attribute: the password is XORed with an MD5 keystream
derived from the shared secret and the Request Authenticator (obfuscation rather than
strong encryption; every other attribute, including User-Name, travels in clear)
2. Authentication of responses: the Response Authenticator is an MD5 hash over the reply
and the shared secret (RFC 2869 adds an HMAC-MD5 Message-Authenticator attribute)
Because of these limits, RADIUS should be carried over IPsec or RADIUS/TLS (RadSec, RFC 6614)
on untrusted networks
Authorization is only possible as part of authentication: authorization attributes are
returned in the Access-Accept, there is no separate authorization exchange
RADIUS AV Pairs
RADIUS messages contain zero or more AV pairs such as User-Name, User-Password (the
only attribute RADIUS hides), CHAP-Password, Service-Type and Framed-IP-Address
There are approximately 50 standards-based attributes (RFC 2865)
Basic attributes are used for authentication purposes
Most other attributes are used in the authorization process
Cisco has added several vendor-specific attributes on the server side. Cisco
IOS devices will, by default, always use Cisco AV pairs, but Cisco devices can
be configured to use only IETF attributes for standards compatibility
Accounting information is sent within separate RADIUS accounting messages
(Accounting-Request and Accounting-Response, RFC 2866)
TACACS+
TACACS+ Authentication
The example shows that the TACACS+ exchange starts before the user is prompted for a
username and password: the network access server sends an authentication START packet
first, and the server’s REPLY (status GETUSER, then GETPASS) asks for each credential in turn.
The prompt text can be supplied by the TACACS+ server in the server_msg field of the REPLY.
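The packet framing behind that exchange, as an added example (it is not code from the original slides or from Cisco): a client START with an empty user, the server's REPLY carrying the "Username: " prompt, and the client's CONTINUE, all built and parsed with the RFC 8907 header layout and the MD5-chain body obfuscation of section 4.5. The constant values are copied from the RFC; the function names, the shared key, the session ID and the prompt string are assumptions chosen for the demonstration.

```python
import hashlib
import struct

# RFC 8907 header and body constants (values from the RFC; helper names below are ours)
VERSION = (0xC << 4) | 0x0                  # major 0xC, minor 0: TACACS+ "12.0"
TAC_PLUS_AUTHEN = 0x01                      # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01            # header flag: body sent in clear (never do this)
TAC_PLUS_AUTHEN_LOGIN = 0x01                # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHEN_STATUS_GETUSER = 0x04       # REPLY status: server wants the username
HEADER = struct.Struct("!BBBBII")           # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 s4.5: MD5_1 = MD5(session_id, key, version, seq_no); MD5_n adds MD5_(n-1). Truncated to length."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def build_packet(ptype, seq_no, session_id, body, key):
    """Header in clear, whole body XORed with the pseudo pad (flags=0 means obfuscated)."""
    pad = pseudo_pad(session_id, key, VERSION, seq_no, len(body))
    return HEADER.pack(VERSION, ptype, seq_no, 0, session_id, len(body)) + bytes(a ^ b for a, b in zip(body, pad))


def parse_packet(raw, key):
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(raw[:HEADER.size])
    body = raw[HEADER.size:HEADER.size + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = bytes(a ^ b for a, b in zip(body, pseudo_pad(session_id, key, version, seq_no, length)))
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id}, body


def authen_start(user=b"", port=b"tty0", rem_addr=b"", data=b""):
    """Authentication START body (s5.1). For ASCII login the user may be empty; the server then prompts."""
    return struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), len(data)) \
        + user + port + rem_addr + data


def parse_start(body):
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!BBBBBBBB", body[:8])
    return {"action": action, "user": body[8:8 + ul], "port": body[8 + ul:8 + ul + pl]}


def authen_reply(status, server_msg=b"", data=b""):
    """Authentication REPLY body (s5.2); server_msg is the prompt text the NAS shows the user."""
    return struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data


def parse_reply(body):
    status, flags, ml, dl = struct.unpack("!BBHH", body[:6])
    return {"status": status, "server_msg": body[6:6 + ml]}


def authen_continue(user_msg):
    """Authentication CONTINUE body (s5.3): user_msg_len, data_len, flags, user_msg."""
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg


def demo(key=b"tacacs-shared-key", session_id=0x1A2B3C4D):
    """Constructed session: START (no user) -> REPLY GETUSER with prompt -> CONTINUE with the username."""
    p1 = build_packet(TAC_PLUS_AUTHEN, 1, session_id, authen_start(), key)
    _, body1 = parse_packet(p1, key)                       # server side decodes the START
    assert parse_start(body1)["user"] == b""
    p2 = build_packet(TAC_PLUS_AUTHEN, 2, session_id,
                      authen_reply(TAC_PLUS_AUTHEN_STATUS_GETUSER, b"Username: "), key)
    prompt = parse_reply(parse_packet(p2, key)[1])["server_msg"]   # NAS side recovers the prompt
    p3 = build_packet(TAC_PLUS_AUTHEN, 3, session_id, authen_continue(b"alice"), key)
    return prompt, p2, p3


if __name__ == "__main__":
    prompt, p2, p3 = demo()
    print(prompt, p2.hex(), p3.hex())
```

Note that the prompt and the username never appear in the wire bytes, which is the practical difference from RADIUS, where only User-Password is hidden. Decoding with the wrong key yields garbage rather than an error: TACACS+ has no integrity check on the body, so a wrong shared secret shows up as unparseable fields, not as an authentication failure.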
TACACS+ Network Authorization
AAA Protocols: RADIUS and TACACS+
• The best-known and most widely deployed AAA protocols are TACACS+ and RADIUS
• TACACS+ and RADIUS have different features that make them suitable for different situations:
TACACS+ (TCP, whole body encrypted, authentication and authorization separated) fits
device administration; RADIUS (UDP, only the password hidden, authorization bundled with
authentication) fits network access such as dial-in, VPN and 802.1X
Configuring the AAA Server
• These are the first steps in configuring the network access server:
• Globally enable AAA to allow the use of all AAA elements. This
step is a prerequisite for all other AAA commands.
• Specify the Cisco Secure ACS (or another AAA server if ACS is not
used) that will provide AAA services for the network access server.
• Configure the shared secret that will be used to protect the
data transfer between the network access server and the Cisco
Secure ACS. The same secret must be configured on the server side,
and it should be long and unique per client, since it is the only
thing standing between a network attacker and the AAA traffic.
Configuring the AAA Server
Configuring the AAA Server(cont…)
TACACS+
RADIUS
DIAMETER
Diameter is an AAA protocol for computer networks. It evolved from the earlier
RADIUS protocol and is specified in RFC 6733.
Diameter is the industry-standard AAA protocol for Long-Term Evolution (LTE) and
IP Multimedia Subsystem (IMS) networks.
SESAME
SESAME (Secure European System for Applications in a Multi-vendor Environment) provides
authentication and authorization services for distributed applications. It uses asymmetric
cryptography. The following process is used with SESAME:
1. The user authenticates to an authentication server. The server grants the user a token
that proves identity.
2. The user presents the token to a privilege attribute server, which gives the user
a Privilege Attribute Certificate (PAC).
3. When the user attempts to access an application or a resource, the PAC is presented.
The application uses the information in the PAC along with an access control list to
allow or deny access.
4. Dialog keys are used to provide data integrity and confidentiality in communications
(if desired).
Because SESAME is similar to Kerberos, the SESAME designers supported some
Kerberos data structures. SESAME goes beyond the functionality of Kerberos in that it
supports access control through ACLs, asymmetric keys, PKI systems, auditing, and
improved manageability.
Kerberos
Kerberos was originally developed for Project
Athena at MIT. The name Kerberos was taken
from Greek mythology; Kerberos (Cerberus)
was a three-headed dog who guarded the gates
of Hades. The three heads of the Kerberos
protocol represent a client, a server and a Key
Distribution Center (KDC), which acts as
Kerberos' trusted third-party authentication
service.
“Guarding the gates of the Network”
Kerberos
RFC 2865
If all conditions are met and the RADIUS server wishes to issue a
challenge to which the user must respond, the RADIUS server sends
an "Access-Challenge" response. It MAY include a text message to
be displayed by the client to the user prompting for a response to the
challenge, and MAY include a State attribute.
If the client receives an Access-Challenge and supports
challenge/response it MAY display the text message, if any, to the
user, and then prompt the user for a response. The client then re-
submits its original Access-Request with a new request ID, with the
User-Password Attribute replaced by the response (encrypted), and
including the State Attribute from the Access-Challenge, if any.
If all conditions are met, the list of configuration values for the user
are placed into an "Access-Accept" response. These values include
the type of service (for example: SLIP, PPP, Login User) and all
necessary values to deliver the desired service. For SLIP and PPP,
this may include values such as IP address, subnet mask, MTU,
desired compression, and desired packet filter identifiers. For
character mode users, this may include values such as desired
protocol and host.
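The RFC 2865 exchange quoted above, together with the two security features listed on the RADIUS Features slide, as an added example (not code from the slides or from any RADIUS implementation): User-Password hiding and the Response Authenticator from the RFC, a constructed in-process server that answers a correct password with an Access-Challenge carrying a State attribute, and a client that re-submits the request with a new identifier, the one-time code in place of the password, and the State echoed back. The codes and attribute numbers are from RFC 2865; the RadiusServer class, the user and one-time-code tables, the Service-Type value (2, Framed) and the returned address 10.0.0.7 are assumptions made for the demonstration.

```python
import hashlib
import os
import struct

# RFC 2865 packet codes and attribute types used here
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, SERVICE_TYPE, FRAMED_IP_ADDRESS, REPLY_MESSAGE, STATE = 1, 2, 6, 8, 18, 24
HEADER = struct.Struct("!BBH")          # Code, Identifier, Length; then the 16-byte Authenticator


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: NUL-pad to 16-byte blocks; block i is XORed with MD5(secret + previous output
    block), the 'previous block' for block 1 being the Request Authenticator. MD5 is a keystream here."""
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")          # assumes the password itself contains no NUL


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def access_request(ident, request_auth, attrs):
    body = encode_attrs(attrs)
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def respond(code, request, secret, attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 s3)."""
    body = encode_attrs(attrs)
    head = HEADER.pack(code, request[1], 20 + len(body))
    return head + hashlib.md5(head + request[4:20] + body + secret).digest() + body


def verify_response(reply, request, secret):
    """NAS-side check: identifier matches the outstanding request and the authenticator is correct."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return reply[1] == request[1] and reply[4:20] == expected


class RadiusServer:
    """Constructed server: static password first, then an Access-Challenge for a one-time code."""
    def __init__(self, secret, passwords, otps):
        self.secret, self.passwords, self.otps, self.pending = secret, passwords, otps, {}

    def handle(self, req):
        attrs = decode_attrs(req[20:])
        user = attrs.get(USER_NAME)
        answer = unhide_password(attrs[USER_PASSWORD], self.secret, req[4:20])
        state = attrs.get(STATE)
        if state is None:                                   # first round: check the static password
            if self.passwords.get(user) != answer:
                return respond(ACCESS_REJECT, req, self.secret, [])
            state = os.urandom(8)                           # opaque State, echoed back by the client
            self.pending[state] = user
            return respond(ACCESS_CHALLENGE, req, self.secret,
                           [(REPLY_MESSAGE, b"Enter one-time code"), (STATE, state)])
        if self.pending.pop(state, None) == user and self.otps.get(user) == answer:
            return respond(ACCESS_ACCEPT, req, self.secret,     # authorization values ride in the Accept
                           [(SERVICE_TYPE, struct.pack("!I", 2)), (FRAMED_IP_ADDRESS, bytes([10, 0, 0, 7]))])
        return respond(ACCESS_REJECT, req, self.secret, [])


def login(server, secret, user, password, otp):
    """Client side of the quoted text: Request -> Challenge -> re-Request (new ID, State) -> Accept/Reject."""
    ra1 = os.urandom(16)
    req1 = access_request(1, ra1, [(USER_NAME, user), (USER_PASSWORD, hide_password(password, secret, ra1))])
    rep1 = server.handle(req1)
    if not verify_response(rep1, req1, secret):
        raise ValueError("bad Response Authenticator: reply not from a holder of the shared secret")
    if rep1[0] != ACCESS_CHALLENGE:
        return rep1[0], decode_attrs(rep1[20:])
    state = decode_attrs(rep1[20:])[STATE]
    ra2 = os.urandom(16)                                    # fresh Request Authenticator and identifier
    req2 = access_request(2, ra2, [(USER_NAME, user), (USER_PASSWORD, hide_password(otp, secret, ra2)),
                                   (STATE, state)])
    rep2 = server.handle(req2)
    if not verify_response(rep2, req2, secret):
        raise ValueError("bad Response Authenticator")
    return rep2[0], decode_attrs(rep2[20:])
```

Two things worth noticing when running it: the User-Name travels in clear in every request, and a reply forged with the wrong secret is rejected only because the client checks the Response Authenticator; nothing in the request itself is authenticated unless the Message-Authenticator attribute of RFC 2869 is added.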