Single Sign-On (SSO)

Questions and Answers

Which of the following is a primary benefit of implementing Single Sign-On (SSO) in an organization?

  • Elimination of the need for unique usernames and passwords.
  • Enhanced security through mandatory periodic password changes.
  • Reduced number of usernames and passwords for users to remember. (correct)
  • Increased complexity in managing user accounts.

Federation in Single Sign-On (SSO) refers to the practice of restricting user authentication to a single network owned by one organization.

False (B)

What is the main function of a RADIUS server in network authentication?

The RADIUS server validates user credentials and authorizes network access.

In the RADIUS authentication process, the device requesting network access is known as the ________.

supplicant

Match the following RADIUS process steps with their description

Supplicant = Requests network access from an access point. Authenticator = Accepts or rejects wireless device based on authentication. RADIUS Server = Validates requests and decrypts data packets. Accounting Database = Records network usage for billing and statistics

What is the role of the 'authenticator' in the RADIUS authentication process?

The access point that accepts or rejects the user. (C)

In RADIUS, the Access Point (AP) sends the user's password to the RADIUS server in plain text for validation.

False (B)

What critical step does the RADIUS server perform after receiving an authentication request?

The RADIUS server validates the request and decrypts the data packet.

If a username and password are not correct during RADIUS authentication, the RADIUS server sends an ________ message to the AP.

authentication reject

Match the following Kerberos terms with their descriptions:

Kerberos = An authentication system that uses tickets for identity verification. Ticket = A secure credential issued by the Kerberos authentication server. Key Distribution Center (KDC) = Issues the Ticket Granting Ticket (TGT). Ticket Granting Service (TGS) = Provides access tokens for specific resources using the TGT.

What is the primary function of Kerberos in a networked environment?

To verify the identity of networked users accessing services. (C)

In Kerberos, once a user is granted a ticket, it remains valid indefinitely, providing continuous access to network services.

False (B)

What entity issues a ticket to a user in Kerberos?

Kerberos authentication server

In Kerberos authentication, a _______ is a secure credential that is similar to a driver's license.

ticket

Which characteristic do Kerberos tickets share with a driver's license?

Contains specific user information and restrictions. (D)

The process of issuing and submitting tickets in Kerberos is manually handled by the user for each network service they access.

False (B)

In Kerberos, what is the purpose of the Key Distribution Center (KDC)?

To issue Ticket Granting Tickets (TGTs) for user authentication.

The ___________ server in Kerberos provides access tokens for specific resources based on the TGT.

Ticket Granting Service (TGS)

Match the following Terminal Access Controller Access-Control System (TACACS) versions with their descriptions:

TACACS = Original version of the protocol. XTACACS = Extended version introduced in 1990. TACACS+ = Current version of the protocol; a Cisco proprietary protocol providing AAA services.

Which of the following best describes TACACS+?

An authentication service commonly used on UNIX devices. (C)

TACACS+ is an open-standard protocol supported by all network device vendors.

False (B)

What is the function of TACACS+ in network access control?

To provide AAA (Authentication, Authorization, and Accounting) services.

TACACS+ communicates by forwarding user authentication information to a ________ server.

centralized

When would a network administrator likely choose TACACS+ over RADIUS or Kerberos?

When needing to authenticate to a Cisco switch or router. (A)

The decision to use either RADIUS, TACACS+, or Kerberos is solely based on the preference of the network administrator.

False (B)

Flashcards

Identity management

Using a single authentication credential shared across multiple networks.

Federation

Using ONE authentication credential to access multiple accounts/applications for different organizations.

RADIUS

An authentication service developed in 1992 for remote dial-in access, now widely used beyond remote connections.

Supplicant

Device that sends a request to an access point (AP) for network access permission.


Authenticator

The AP's role when accepting or rejecting wireless devices; it creates a data packet called an authentication request.

Kerberos

A protocol for verifying the identity of networked users, using encrypted tickets for secure access.


Ticket Granting Ticket (TGT)

A user authentication token issued by the KDC used to request access tokens.


TACACS

An authentication service commonly used on UNIX devices; it communicates by forwarding user authentication information to a centralized server.

What services does TACACS+ provide?

AAA model


Study Notes

  • Several technologies enhance secure authentication, including single sign-on and authentication services.

Single Sign-On (SSO)

  • Users face the problem of managing numerous accounts across multiple platforms, each requiring a unique username and password.
  • Managing different authentication credentials can be difficult, so users often compromise security by selecting easy passwords and reusing them.
  • SSO offers a solution by allowing access to all accounts with a single username and password.
  • Identity management uses a single authentication credential shared across different networks.
  • Federation employs one authentication credential to access multiple accounts or applications across different organizations, sometimes called federated identity management or FIM.
  • SSO can reduce multiple usernames and passwords down to one.
  • A Google user can log in to various Google features with a single Google account username and password.
  • Microsoft offers a similar SSO service through its Microsoft Account.
  • Settings can be synced across devices and act as an advantage of SSO.
  • SSO systems are often proprietary and restricted to specific applications, and are not federated with other organizations, as is the case with Google and Microsoft.

Authentication Services

  • A system that requires users to present authentication credentials or identification for logging in.
  • Authentication services can be provided by RADIUS, Kerberos, Terminal Access Controller Access-Control System (TACACS), directory services, Security Assertion Markup Language (SAML) and authentication framework protocols.

RADIUS

  • Remote Authentication Dial-In User Service (RADIUS) was developed in 1992 and became an industry standard for remote dial-in access to corporate networks.
  • RADIUS authentication is now used for more than connecting to remote networks; combined with IEEE 802.1X it enhances security for wired and wireless LANs.
  • A wireless device (supplicant) sends a request to the AP to join the Wireless LAN (WLAN).
  • The Access Point (AP) initiates a prompt for the User ID and password.
  • An AP as an authenticator creates a data packet called an authentication request from the collected user information.
  • The authentication request packet contains the user name, identification of the specific AP and the password.
  • For security, the AP, acting as a RADIUS client, encrypts the entire password and sends it to the RADIUS server.
  • The authentication request is sent from the AP to the RADIUS server through a local or wide area network.
  • This allows the RADIUS clients to be remotely located from the RADIUS server.
  • If the main server is unreachable, the AP can redirect the request to an alternate server.
  • The RADIUS server validates that the request came from a valid AP and then decrypts the data packet to access the login information.
  • Username and password information is sent to the proper security database.
  • The database may be a UNIX password file, a text file, security system or a custom database.
  • If the credentials are correct, the server sends an authentication acknowledgment with network and service requirements information.
  • The acknowledgement can contain filtering data for limiting a user's access to specific resources on the network.
  • An authentication key is added to the authentication reject message to ensure requests are not intercepted and responded to by unauthorized devices.
  • If accounting is utilized by the RADIUS server, an entry is started in the account database.
  • Centralized servers can share user profiles, which increases security.
  • RADIUS enables policy setting at a single administered network point, with easier tracking of usage for billing and network statistics.
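The two bullets above about the AP encrypting the password and the reply carrying an authentication key are the RFC 2865 shared-secret mechanics. The following is an added example, not code from the study notes: it implements User-Password hiding and the Response Authenticator, and shows why a server or rogue device without the shared secret can neither read the password nor forge an Access-Accept. Function names and sample values (secret, Filter-Id, packet identifier) are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2  # RFC 2865 packet code; all sample values below are constructed
def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: regenerate the same keystream, chained on the received blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding used for every RADIUS attribute."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    A device without the shared secret cannot forge a valid Accept or Reject."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def verify_reply(code, ident, attrs, resp_auth, request_auth, secret) -> bool:
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(expected, resp_auth)

def demo(password=b"correct horse", secret=b"constructed-shared-secret"):
    """Returns (genuine reply accepted, forged reply accepted) as seen by the AP."""
    request_auth = os.urandom(16)          # per-request nonce chosen by the AP
    hidden = hide_password(password, secret, request_auth)
    assert reveal_password(hidden, secret, request_auth) == password
    attrs = attribute(11, b"wlan-guests")  # Filter-Id: the "filtering data" bullet
    good = response_authenticator(ACCESS_ACCEPT, 7, attrs, request_auth, secret)
    forged = response_authenticator(ACCESS_ACCEPT, 7, attrs, request_auth, b"wrong")
    return (verify_reply(ACCESS_ACCEPT, 7, attrs, good, request_auth, secret),
            verify_reply(ACCESS_ACCEPT, 7, attrs, forged, request_auth, secret))
```

Note that this hiding is an MD5 keystream keyed by the shared secret, not strong encryption, which is why RADIUS deployments rely on a long secret and a protected path between AP and server.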

Kerberos

  • Developed by MIT in the 1980s as an authentication system used to verify the identity of networked users.
  • Named after the three-headed dog in Greek mythology that guarded the gates of Hades; Kerberos uses encryption and authentication for security.
  • Operates on macOS, Windows, and Linux.
  • A Kerberos ticket is like a driver's license: it contains specific information, restrictions and an expiration date.
  • When a user attempts to access a network service requiring authentication, Kerberos is used.
  • The user gets a ticket issued by the Kerberos authentication server.
  • This ticket contains the information that links it to the user.
  • The service then examines the ticket to verify the user's identity.
  • Kerberos tickets contain specific user information and restrictions, similar to a driver's license, and expire after a set time.
  • Kerberos tickets are difficult to copy because of the encryption used.
  • Issuing and submitting tickets in Kerberos is handled automatically.
  • A Ticket Granting Ticket (TGT) is a user token issued by the Key Distribution Center (KDC) for requesting access tokens from the Ticket Granting Service (TGS) for specific resources or systems joined to the domain.
  • The TGT is designed to avoid repeatedly asking the user for a password.

Terminal Access Controller Access-Control System (TACACS)

  • It is an authentication service used on UNIX devices.
  • Communicates by forwarding user authentication information to a centralized server.
  • The server is either a TACACS database or a Linux/UNIX password file.
  • Originally it was called TACACS; in 1990 it was extended (XTACACS), and the current version is TACACS+.
  • A Cisco proprietary protocol for controlling access to network devices through centralized servers.
  • TACACS+ provides Authentication, Authorization and Accounting (AAA) services for server access.
  • The connection request is initiated by the user.
  • The START packet (containing the username) is sent to the AAA server.
  • A REPLY packet is sent back from the AAA server, requesting the username.
  • The server then asks for the password after username verification.
  • The authentication outcome (pass/fail) is indicated in a subsequent REPLY packet.

Choosing a Protocol

  • The choice depends on the connection type and the devices that must be supported.
  • For example, a VPN concentrator that only knows how to authenticate against a RADIUS server makes RADIUS the natural choice.
  • On a Microsoft network, Kerberos is typically used by default.
  • Network admins with Cisco switches may prefer TACACS+ for their own authentication needs.
  • These protocols are different ways of communicating with an authentication server, and involve more than a simple login process.
  • The choice is often determined by what is already at hand: if a RADIUS server is in place, a VPN concentrator can talk to it; a Cisco device will probably use TACACS+; and Kerberos probably means a Microsoft network.
