Access Control Protocols: Bangladesh University of Professionals LT Col Jahangir 18 FEB 2022


ACCESS CONTROL PROTOCOLS

Bangladesh University of Professionals

LT COL JAHANGIR
18 FEB 2022
Outline
• Identity Management Protocols
• Single-Sign-On (SSO)
• Dial-In SSO
• RADIUS
• TACACS+
• AAA Protocols
• RADIUS vs TACACS+
• DIAMETER
• SESAME
• KERBEROS
Identity and Access Management (IAM) Protocols
• Identity and Access Management (IAM) protocols are designed specifically for the transfer of authentication information and consist of a series of messages in a preset sequence designed to protect data as it travels through networks or between servers.

• Identity management protocols vary based on what type of assets need to be authenticated (for example, web assets or operating systems). The market has a variety of standard identity management protocols. The most common protocols are:

• LDAP
• SAML
• SCIM
• OAuth
• OpenID
• XACML
• RADIUS
• Kerberos
• TACACS
LDAP
The Lightweight Directory Access Protocol (LDAP) is an open-source protocol, although
it does provide the basis for Microsoft’s Active Directory. LDAP is among the oldest
identity and access management protocols. It runs above the TCP/IP stack and is most
often used in modern organizations as a tool to handle authentication for on-premise
applications.

SAML
The Security Assertion Markup Language (SAML) protocol is most often used in systems
employing the Single Sign-On (SSO) method of access control. SAML is an open
standard, and it can’t be used to authenticate or authorize device connections and isn’t
popular for supporting access to internal applications.

OpenID
Like SAML, OpenID is used for web applications and can be seen in practice when
interacting with products from Google and Yahoo! Implementation of this protocol is less
OAuth
OAuth is an open standard for access delegation, commonly used as a way for Internet
users to grant websites or applications access to their information on other websites but
without giving them the passwords. This mechanism is used by companies such
as Amazon, Google, Facebook, Microsoft and Twitter to permit the users to share
information about their accounts with third-party applications or websites.

SCIM
SCIM is an acronym for “system for cross-domain identity management”, although when it was first envisaged it stood for something else: “simple cloud identity management”. The SCIM specification is designed to make managing user identities in cloud-based applications and services easier.

XACML
XACML (eXtensible Access Control Markup Language) is used to promote interoperability and common terminology for access control implementations, where access attributes associated with a user are used to decide whether a user may have access to a specific resource.
RADIUS
Once used to authenticate users on dialup connections, the Remote Authentication Dial-In
User Service (RADIUS) is now employed mostly for network services, such as wireless
connections, VPNs and network infrastructure.
RADIUS works by encrypting authentication credentials within a packet and is sometimes used with an LDAP server to increase the level of security and provide a greater degree of access control.

TACACS
Terminal Access Controller Access Control System (TACACS) is owned by Cisco. It was
originally developed for the U.S. Department of Defense as a protocol to simplify the
process of authentication and authorization so that users could move between machines
within a complex infrastructure without the need for multiple logins.
Using TCP, user credentials are sent from a remote access server to a central
authentication server to complete the authentication process. Authentication packets
are fully encrypted to protect the information as it travels between devices and servers.

Diameter
Diameter evolved out of RADIUS and is now replacing the older protocol with a
message-based authentication system. Diameter works over TCP and Stream Control
Transmission Protocol (SCTP) to exchange positive and negative messages between the
user and the system, resulting in access being granted to authorized users and denied those
without proper credentials.
Diameter is built on peer-to-peer architecture and functions

Kerberos
This free open protocol was developed at the Massachusetts Institute of Technology (MIT) and uses a system of tickets and authenticators to verify user identities. Kerberos isn’t in wide usage except by Microsoft Windows applications, in which it aids in the automatic sign-in process for Microsoft products and resources.
Single Sign-On (SSO)

SSO, or Single Sign-On, is a service which allows a user to log into one application or network domain, and then be authenticated and logged in automatically to other associated applications or domains. The user therefore only needs one set of identity-verifying user credentials (e.g. username/password) for authentication and to securely access multiple applications, services, and even different service providers.

The technology behind SSO can vary. A single sign-on can be executed via several protocols. The most common protocols are LDAP, Kerberos, SAML, etc.

One very popular single sign-on is a Google account. When you are logged into a
Google account, you get automatic access to other Google products connected to that
account. The central account service will give you access to YouTube, Analytics, Drive,
Maps, and the rest of the products that are Google-serviced. Even if you only signed up
for Gmail, the account will store the cookies and use them for further validation with
the rest of the services.
Single Sign-On (SSO) - BUP (diagram slide)
Dial-In SSO Solutions

Centralizes and extends authentication capabilities for remote access to network resources and network access control:

• RADIUS (802.1x Standard) - IEEE Standard
  - Remote Authentication Dial-In User Service
• TACACS (Cisco Proprietary)
  - Terminal Access Controller Access Control System
• TACACS+
• DIAMETER (IETF replacement for RADIUS)
• SESAME (Secure European System for Applications in a Multi-vendor Environment)
RADIUS

• Remote Authentication Dial-in User Service (RADIUS) is an authentication protocol that authenticates and authorizes users
• Handshaking protocol that allows the RADIUS server to provide authentication and authorization information to the network server (RADIUS client)
• Users usually dial in to an access server (RADIUS client) that communicates with the RADIUS server
• The RADIUS server usually contains a database of users and credentials
• Communication between the RADIUS client and server is protected
Steps to RADIUS Authentication
RADIUS Messages
There are four types of messages involved in a RADIUS authentication exchange:
1. Access-Request: Contains AV pairs for the username, password (this is the only
information that is encrypted by RADIUS), and additional information such as
the NAS port
2. Access-Challenge: Necessary for challenge-based authentication methods such as Challenge Handshake Authentication Protocol (CHAP), Microsoft CHAP (MS-CHAP), and Extensible Authentication Protocol-Message Digest 5 (EAP-MD5)
3. Access-Accept: The positive answer if the user information is valid
4. Access-Reject: Sent as a negative reply if the user information is invalid

RADIUS Features
• RADIUS is an IETF standard protocol - RFC 2865
• Standard attributes can be augmented by proprietary attributes: vendor-specific attribute 26 allows any TACACS+ attribute to be used over RADIUS
• Uses UDP on standard port numbers (1812 and 1813; CSACS uses 1645 and 1646 by default)
• It includes only two security features:
  1. Encryption of passwords (MD5 encryption)
  2. Authentication of packets (MD5 fingerprinting)
• Authorization is only possible as part of authentication

RADIUS AV Pairs
• RADIUS messages contain zero or more AV-pairs such as User-Name, User-Password (this is the only encrypted entity in RADIUS), CHAP-Password, Service-Type, Framed-IP-Address
• There are approximately 50 standards-based attributes (RFC 2865)
• Basic attributes are used for authentication purposes
• Most other attributes are used in the authorisation process
• Cisco has added several vendor-specific attributes on the server side. Cisco IOS devices will, by default, always use Cisco AV pairs, but Cisco devices can be configured to use only IETF attributes for standard compatibility
• Accounting information is sent within special RADIUS accounting messages

TACACS+

• Terminal Access Controller Access Control System (TACACS) is also an authentication protocol used to authenticate remote users
• Splits authentication, authorization, and auditing features
• Cisco proprietary protocol

TACACS+ Attributes and Features
• The TACACS+ protocol is much more flexible than the RADIUS
communication. TACACS+ protocol permits the TACACS+ server to use
virtually arbitrary dialogs to collect enough information until a user is
authenticated.
• TACACS+ messages contain AV-pairs, such as ACL, ADDR, CMD, Interface-Config, Priv-Lvl, Route.
• TACACS+ uses TCP on well-known port number 49.
• TACACS+ establishes a dedicated TCP session for every AAA action.
• Cisco Secure ACS can use one persistent TCP session for all actions.
• Protocol security includes authentication and encryption of all TACACS+
datagrams.

TACACS+ Authentication

The example shows how TACACS+ exchange starts before the user is
prompted for username and password.
The prompt text can be supplied by the TACACS+ server.

TACACS+ Network Authorization

The example shows the process of network authorization that starts after successful authentication.

AAA Protocols: RADIUS and TACACS+
• The best-known and most widely used types of AAA protocols are TACACS+ and RADIUS
• TACACS+ and RADIUS have different features that make them suitable for different situations

Configuring the AAA Server

These are the first steps in configuring the network access server:
1. Globally enable AAA to allow the use of all AAA elements. This step is a prerequisite for all other AAA commands.
2. Specify the Cisco Secure ACS (if being used, or other server if not) that will provide AAA services for the network access server.
3. Configure the encryption key that will be used to encrypt the data transfer between the network access server and the Cisco Secure ACS.

Configuring the AAA Server (cont…): configuration example slides for TACACS+ and RADIUS
DIAMETER

Diameter is an AAA protocol for computer networks. It evolved from the earlier RADIUS protocol. Diameter is a next-generation industry-standard protocol for Long-Term Evolution (LTE) and IP Multimedia Systems (IMS) networks.

RADIUS is limited to authenticating users via SLIP (Serial Line Internet Protocol) and PPP dial-up modem connections.

Diameter supports users who move between service provider networks and change their points of attachment to the Internet, and adds better message transport, proxying, session control, and higher security for AAA transactions.
DIAMETER Authentication
RADIUS vs DIAMETER
SESAME - Single Sign-On (SSO)

SESAME provides authentication and authorization services for all incoming HTTP traffic. It uses asymmetric cryptography. The following process is used with SESAME:

1. The user authenticates to an authentication server. The server grants the user a token that proves identity.
2. The user presents the token to a privilege attribute server, which gives the user a Privilege Attribute Certificate (PAC).
3. When the user attempts to access an application or a resource, the PAC is presented. The application uses the information in the PAC along with an access control list to allow or deny access.
4. Dialog keys are used to provide data integrity and confidentiality in communications (if desired).

Because SESAME is similar to Kerberos, SESAME designers have supported some Kerberos data structures. SESAME goes beyond the functionality of Kerberos in that it supports access control through ACLs, asymmetric keys, PKI systems, auditing, and improved manageability.
Kerberos
Kerberos was originally developed for Project
Athena at MIT. The name Kerberos was taken
from Greek mythology; Kerberos (Cerberus)
was a three-headed dog who guarded the gates
of Hades. The three heads of the Kerberos
protocol represent a client, a server and a Key
Distribution Center (KDC), which acts as
Kerberos' trusted third-party authentication
service.
“Guarding the gates of the Network”
Kerberos

• Kerberos is a computer network security protocol that authenticates service requests between two or more trusted hosts across an untrusted network, like the internet
• Kerberos is a trusted third-party authentication protocol for SSO using DES (Data Encryption Standard) and symmetric keys
• Kerberos is built into all major operating systems, including Microsoft Windows, Apple OS, and Linux
• Kerberos is authentication NOT authorization
Kerberos Elements
• Key Distribution Center (KDC) - trusted server
  o consists of a ticket granting service (TGS) and authentication server (AS)
  o holds users’ and services’ keys
• Authentication Service (AS)
  o provides the service of authentication of principals (users, apps or services)
• Ticket-Granting Service (TGS)
  o supplies temporary session keys and tickets to authorized users or services
Kerberos Processes

1. A request is made to the authenticating server
2. The AS replies with a TGT and a session key
3. The TGT is submitted to the TGS along with an authenticator generated by the client and encrypted with the session key
4. The TGS replies with a Ticket which is encrypted with the secret key of the service and a service session key which is, in turn, encrypted with the session key from step 2. This Ticket expires in 5 minutes by default.
5. The Ticket is submitted to the resource server along with a new authenticator encrypted with the resource server session key.
6. The resource server replies to the client with a packet that proves the server is the one requested (providing that mutual authentication was requested)
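The six steps above as a small simulation in Python, added here as an example (it is not code from the slides or from any Kerberos implementation). It uses a toy encrypt-then-MAC cipher built from SHA-256 and HMAC as a stand-in for the DES/AES encryption types, a toy string-to-key function, and constructed principals alice, krbtgt and host/fileserver; MAX_SKEW is the usual five-minute clock-skew limit for authenticators, while TICKET_LIFETIME is an assumed value for this simulation.

```python
import hashlib
import hmac
import json
import os
import time

MAX_SKEW = 300          # authenticators older than 5 minutes are refused (Kerberos' usual clock-skew limit)
TICKET_LIFETIME = 300   # assumed ticket lifetime for this simulation


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """SHA-256 in counter mode; toy cipher for the simulation, not for real use."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || HMAC tag."""
    nonce, data = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Fails unless the holder has the same key: with the wrong key a ticket cannot be read."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def derive_key(password: str) -> bytes:
    """Toy string-to-key; the real protocol uses salted, iterated string2key functions."""
    return hashlib.sha256(b"toy-string2key:" + password.encode()).digest()


def verify_authenticator(session_key: bytes, authenticator: bytes, client: str, now: float, cache: set) -> dict:
    """An authenticator proves possession of the session key. It must name the ticket's client,
    be fresh (within MAX_SKEW) and not have been presented before (replay cache)."""
    a = unseal(session_key, authenticator)
    if a["client"] != client or abs(now - a["ts"]) > MAX_SKEW:
        raise ValueError("authenticator rejected: wrong principal or stale timestamp")
    if (client, a["ts"]) in cache:
        raise ValueError("authenticator replayed")
    cache.add((client, a["ts"]))
    return a


class KDC:
    """Trusted third party holding every principal's long-term key; runs the AS and the TGS."""

    def __init__(self, keys: dict):
        self.keys = keys      # principal name -> long-term key ("krbtgt" is the TGS itself)
        self.cache = set()    # replay cache for authenticators seen by the TGS

    def authentication_service(self, client: str, now: float):
        """Steps 1-2: TGT sealed under the TGS key, session key sealed under the client's key."""
        if client not in self.keys:
            raise ValueError("unknown principal")
        sk = os.urandom(16).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": sk, "expires": now + TICKET_LIFETIME})
        return tgt, seal(self.keys[client], {"key": sk})

    def ticket_granting_service(self, tgt: bytes, authenticator: bytes, service: str, now: float):
        """Steps 3-4: open the TGT, check the authenticator, issue a ticket sealed under the service key
        plus the new service session key sealed under the TGT session key."""
        t = unseal(self.keys["krbtgt"], tgt)
        if now > t["expires"]:
            raise ValueError("TGT expired")
        sk = bytes.fromhex(t["key"])
        verify_authenticator(sk, authenticator, t["client"], now, self.cache)
        sk2 = os.urandom(16).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "key": sk2, "expires": now + TICKET_LIFETIME})
        return ticket, seal(sk, {"key": sk2, "service": service})


class Service:
    """A resource server; it knows only its own long-term key."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.cache = name, key, set()

    def accept(self, ticket: bytes, authenticator: bytes, now: float) -> bytes:
        """Steps 5-6: open the ticket with our key, check the authenticator, then prove we are the
        named service by returning the client's timestamp under the service session key."""
        t = unseal(self.key, ticket)
        if now > t["expires"]:
            raise ValueError("ticket expired")
        a = verify_authenticator(bytes.fromhex(t["key"]), authenticator, t["client"], now, self.cache)
        return seal(bytes.fromhex(t["key"]), {"ts": a["ts"]})


def client_login(kdc: KDC, service: Service, client: str, client_key: bytes, now: float = None) -> bool:
    """The client's side of steps 1-6; returns True when mutual authentication succeeds."""
    now = time.time() if now is None else now
    tgt, enc = kdc.authentication_service(client, now)
    sk = bytes.fromhex(unseal(client_key, enc)["key"])    # wrong password => wrong key => fails here
    ticket, enc2 = kdc.ticket_granting_service(tgt, seal(sk, {"client": client, "ts": now}), service.name, now)
    sk2 = bytes.fromhex(unseal(sk, enc2)["key"])
    reply = service.accept(ticket, seal(sk2, {"client": client, "ts": now + 1}), now + 1)
    return unseal(sk2, reply)["ts"] == now + 1          # only the real service could have produced this


if __name__ == "__main__":
    keys = {"alice": derive_key("correct horse"), "krbtgt": os.urandom(16), "host/fileserver": os.urandom(16)}
    kdc = KDC(keys)
    fileserver = Service("host/fileserver", keys["host/fileserver"])
    print("mutual authentication succeeded:", client_login(kdc, fileserver, "alice", keys["alice"]))
```

Three properties the simulation makes visible: the client never opens the TGT or the service ticket (they are sealed under the TGS key and the service key), a wrong password yields a key that cannot open the AS reply, and an authenticator presented twice is refused by the replay cache. The AS in this sketch returns a reply encrypted under the user's key to anyone who asks, which is the password-guessing weakness noted later in the slides; real KDCs close it with pre-authentication, where the request itself must already prove knowledge of the key.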
Kerberos Weaknesses
• The KDC can be a single point of failure.
  o If the KDC goes down, resources cannot be accessed
  o Redundancy is required
• The KDC must be able to handle lots of requests in a timely manner.
  o Since the KDC is a centralized key store, it must handle all requests for tickets.
• Secret and session keys are temporarily stored on the user’s workstation and could be compromised.
• Authentication is vulnerable to password guessing
  o The KDC cannot detect if a dictionary or brute-force attack is in progress.
• Network traffic is not protected by Kerberos
  o Encryption must be enabled
• When a user changes their password, the secret key changes and the KDC database must be updated
RFC 2865

The Access-Request is submitted to the RADIUS server via the network. If no response is returned within a length of time, the request is re-sent a number of times. The client can also forward requests to an alternate server or servers in the event that the primary server is down or unreachable.

Once the RADIUS server receives the request, it validates the sending client. A request from a client for which the RADIUS server does not have a shared secret MUST be silently discarded. If the client is valid, the RADIUS server consults a database of users to find the user whose name matches the request. The user entry in the database contains a list of requirements which must be met to allow access for the user. This always includes verification of the password, but can also specify the client(s) or port(s) to which the user is allowed access.

If any condition is not met, the RADIUS server sends an "Access-Reject" response indicating that this user request is invalid. If desired, the server MAY include a text message in the Access-Reject which MAY be displayed by the client to the user. No other Attributes (except Proxy-State) are permitted in an Access-Reject.

If all conditions are met and the RADIUS server wishes to issue a challenge to which the user must respond, the RADIUS server sends an "Access-Challenge" response. It MAY include a text message to be displayed by the client to the user prompting for a response to the challenge, and MAY include a State attribute.

If the client receives an Access-Challenge and supports challenge/response it MAY display the text message, if any, to the user, and then prompt the user for a response. The client then re-submits its original Access-Request with a new request ID, with the User-Password Attribute replaced by the response (encrypted), and including the State Attribute from the Access-Challenge, if any.

If all conditions are met, the list of configuration values for the user
are placed into an "Access-Accept" response. These values include
the type of service (for example: SLIP, PPP, Login User) and all
necessary values to deliver the desired service. For SLIP and PPP,
this may include values such as IP address, subnet mask, MTU,
desired compression, and desired packet filter identifiers. For
character mode users, this may include values such as desired
protocol and host.
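The server-side decision procedure quoted from RFC 2865 above (validate the client, look up the user's requirements, then answer with Access-Reject, Access-Challenge or Access-Accept), as an added Python example that is not code from the slides or from the RFC. It works on already-decoded packets, so User-Password is the recovered cleartext and the packet format and password hiding are outside this block; the client addresses, user entries and one-time code are constructed sample values, and the challenge round is the RFC's challenge/response flow with the State attribute echoed back by the client.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

# RADIUS packet codes (RFC 2865, section 3)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
# The only attributes RFC 2865 permits in an Access-Reject
REJECT_ATTRS = {"Reply-Message", "Proxy-State"}


@dataclass
class Packet:
    """Decoded packet: attribute names map to parsed values. User-Password is the recovered
    cleartext; the hiding/unhiding of RFC 2865 section 5.2 is not part of this block."""
    code: int
    ident: int
    attrs: dict


@dataclass
class UserEntry:
    """The user entry's list of requirements: the password, optional client/port limits,
    an optional challenge round, and the configuration values returned on success."""
    password: str
    allowed_clients: Optional[set] = None     # NAS addresses the user may come from (None = any)
    allowed_ports: Optional[set] = None       # NAS-Port values the user may use (None = any)
    challenge_answer: Optional[str] = None    # constructed one-time code; when set, a challenge is required
    service: dict = field(default_factory=dict)


def _match(given: Optional[str], expected: Optional[str]) -> bool:
    """Constant-time comparison of a supplied secret against the stored one."""
    if given is None or expected is None:
        return False
    return secrets.compare_digest(given.encode(), expected.encode())


class RadiusServer:
    def __init__(self, clients: dict, users: dict):
        self.clients = clients    # NAS address -> shared secret
        self.users = users        # User-Name -> UserEntry
        self.pending = {}         # outstanding State values -> (User-Name, original ident)

    def handle(self, src_addr: str, pkt: Packet) -> Optional[Packet]:
        """Return the reply, or None when the request must be silently discarded."""
        # Validate the sending client first: no shared secret, no reply of any kind.
        if src_addr not in self.clients or pkt.code != ACCESS_REQUEST:
            return None
        name = pkt.attrs.get("User-Name")
        user = self.users.get(name)
        state = pkt.attrs.get("State")
        if state is not None:
            # Second leg of challenge/response: the re-submitted request (new ident) carries the
            # State from our Access-Challenge and the user's answer in place of the password.
            pending = self.pending.pop(state, None)   # each State value is accepted once
            if user is None or pending is None or pending[0] != name \
                    or not _match(pkt.attrs.get("User-Password"), user.challenge_answer):
                return self._reject(pkt)
            return self._accept(pkt, user)
        # The password is always verified; client and port limits are per-user requirements.
        if user is None or not _match(pkt.attrs.get("User-Password"), user.password):
            return self._reject(pkt)
        if user.allowed_clients is not None and src_addr not in user.allowed_clients:
            return self._reject(pkt)
        if user.allowed_ports is not None and pkt.attrs.get("NAS-Port") not in user.allowed_ports:
            return self._reject(pkt)
        if user.challenge_answer is not None:
            state = secrets.token_hex(16)
            self.pending[state] = (name, pkt.ident)
            return Packet(ACCESS_CHALLENGE, pkt.ident,
                          {"Reply-Message": "Enter your one-time code:", "State": state})
        return self._accept(pkt, user)

    def _reject(self, pkt: Packet) -> Packet:
        # One generic text for every failure: the message is shown to the user, so it must not
        # reveal whether the account exists or which requirement failed.
        attrs = {"Reply-Message": "Access denied"}
        if "Proxy-State" in pkt.attrs:
            attrs["Proxy-State"] = pkt.attrs["Proxy-State"]   # the one other attribute allowed
        assert set(attrs) <= REJECT_ATTRS
        return Packet(ACCESS_REJECT, pkt.ident, attrs)

    def _accept(self, pkt: Packet, user: UserEntry) -> Packet:
        # Configuration values for the service: Service-Type, Framed-IP-Address, Framed-MTU, ...
        attrs = dict(user.service)
        if "Proxy-State" in pkt.attrs:
            attrs["Proxy-State"] = pkt.attrs["Proxy-State"]
        return Packet(ACCESS_ACCEPT, pkt.ident, attrs)


if __name__ == "__main__":
    # Constructed sample data: one NAS, one plain user and one user who must answer a challenge
    server = RadiusServer(
        clients={"10.0.0.2": b"s3cret"},
        users={"alice": UserEntry("pw", allowed_ports={3},
                                  service={"Service-Type": "Framed-User", "Framed-Protocol": "PPP"}),
               "bob": UserEntry("pw2", challenge_answer="123456")})
    print(server.handle("10.0.0.2", Packet(ACCESS_REQUEST, 1,
                                           {"User-Name": "alice", "User-Password": "pw", "NAS-Port": 3})))
    print(server.handle("10.0.0.2", Packet(ACCESS_REQUEST, 2, {"User-Name": "bob", "User-Password": "pw2"})))
```

This is the decision logic only, not a UDP listener: retransmission handling, the Identifier/Request Authenticator duplicate detection and the Response Authenticator are left to the transport layer around it.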
