Localized Authentication Technologies
There are several types of technologies for authenticating a user to a local area network. Examples that are software-based include LDAP and Kerberos, whereas an example that includes physical characteristics would be 802.1X. Keep in mind that there is a gray area between localized and remote authentication technologies. I’ve placed each technology in the category that it is used the most commonly.
+ 802.1X and EAP
802.1X is an IEEE standard that defines port-based Network Access Control (PNAC). Not to be confused with the 802.11 WLAN standards, 802.1X is a Data Link Layer authentication technology used to connect hosts to a LAN or WLAN. It all starts with the central connecting device, such as a switch or wireless access point. These devices must first have 802.1X enabled; that is, they must have the 802.1X protocol installed. Next, the client computer needs an operating system, or additional software, that supports 802.1X. Linux computers can use Open1X to enable client access to networks that require 802.1X authentication.
802.1X encapsulates the Extensible Authentication Protocol (EAP) over a wired or wireless connection. EAP is not an authentication mechanism in itself; 802.1X is the authentication mechanism, and it defines how EAP is encapsulated within messages.
Following are three components to an 802.1X connection:
- Supplicant - A software client running on a workstation
- Authenticator - A wireless access point or switch
- Authentication server - An authentication database, most likely a RADIUS server
The typical 802.1X authentication procedure has four steps:
- Initialization - If a switch or wireless access point detects a new supplicant, the port connection is enabled for 802.1X traffic only; other types of traffic are dropped.
- Initiation - The authenticator periodically sends EAP requests to a MAC address on the network. The supplicant listens for this address and sends an EAP response that might include a user ID or similar information. The authenticator encapsulates this response and sends it to the authentication server.
- Negotiation - The authentication server then sends a reply to the authenticator, specifying which EAP method to use. The authenticator transmits that request to the supplicant.
- Authentication - If the supplicant and the authentication server agree on an EAP method, the two exchange messages until there is either success or failure in authenticating the supplicant computer.
Following are several types of EAP authentication:
- EAP-MD5 - This is a challenge-based authentication providing basic EAP support. It enables only one-way authentication, not mutual authentication.
- EAP-TLS - This version uses Transport Layer Security, which is a certificate-based system that does enable mutual authentication. This does not work well in enterprise scenarios because certificates must be configured or managed on both the client and server sides.
- EAP-TTLS - This version is Tunneled Transport Layer Security and is basically the same as TLS except that it is done through an encrypted channel, and it requires only server-side certificates.
- EAP-FAST - This uses a protected access credential instead of a certificate to achieve mutual authentication. FAST stands for Flexible Authentication via Secure Tunneling.
- PEAP - This is the Protected Extensible Authentication Protocol. It competes with TTLS and includes legacy password-based protocols.
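The four-step procedure and the EAP-MD5 method above, modelled as an added example (not code from the original notes or from any 802.1X implementation). It simulates the three roles in one process: the port stays EAPOL-only until the authentication server accepts the MD5 challenge response, and the credential store, identifier value and user name are constructed for the simulation.

```python
import hashlib
import hmac
import os

USER_DB = {"alice": b"correct horse battery staple"}  # constructed credential store
ETHERTYPE_EAPOL = 0x888E  # 802.1X (EAPOL) frames, the only traffic an unauthorized port passes
EAP_TYPE_MD5 = 4          # EAP-MD5 challenge method type (RFC 3748)

def eap_md5_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 response value: MD5(Identifier || secret || challenge), CHAP-style.
    Only the supplicant proves anything here, which is why EAP-MD5 is one-way."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class AuthServer:
    """Authentication server role (a RADIUS server in a real deployment)."""
    def negotiate(self, identity: str) -> dict:
        # Negotiation step: the server picks the EAP method and issues a fresh challenge.
        self.identity, self.ident, self.challenge = identity, 7, os.urandom(16)
        return {"type": EAP_TYPE_MD5, "ident": self.ident, "challenge": self.challenge}

    def verify(self, response: bytes) -> bool:
        secret = USER_DB.get(self.identity)
        if secret is None:
            return False
        expected = eap_md5_response(self.ident, secret, self.challenge)
        return hmac.compare_digest(expected, response)

class Supplicant:
    """Client software on the workstation."""
    def __init__(self, identity: str, secret: bytes):
        self.identity, self.secret = identity, secret

    def answer(self, request: dict) -> bytes:
        if request["type"] != EAP_TYPE_MD5:
            raise ValueError("supplicant does not support the offered EAP method")
        return eap_md5_response(request["ident"], self.secret, request["challenge"])

class AuthenticatorPort:
    """Switch or access point port: Initialization leaves it EAPOL-only until success."""
    def __init__(self, server: AuthServer):
        self.server, self.authorized = server, False

    def forwards(self, ethertype: int) -> bool:
        return self.authorized or ethertype == ETHERTYPE_EAPOL

    def authenticate(self, supplicant: Supplicant) -> bool:
        # Initiation collects the identity; the challenge/response is then relayed.
        request = self.server.negotiate(supplicant.identity)
        self.authorized = self.server.verify(supplicant.answer(request))
        return self.authorized
```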
Although 802.1X is often used for port-based network access control on the LAN, especially VLANs, it can also be used with VPNs as a way of remote authentication.
A Microsoft server that has Active Directory and LDAP running will have inbound port 389 open by default. To protect Active Directory from being tampered with, Secure LDAP can be used, which brings into play SSL (Secure Sockets Layer) on top of LDAP and uses inbound port 636 by default. Other implementations of LDAP use TLS (Transport Layer Security) over LDAP.
A common implementation of Kerberos occurs when a user logs on to a Microsoft domain. The domain controller in the Microsoft domain is known as the KDC (Key Distribution Center). The server works with tickets that prove the identity of users. The KDC is composed of two logical parts: the authentication server and the ticket-granting server. Basically, a client computer attempts to authenticate itself to the authentication server portion of the KDC. When done, the client receives a ticket. This is actually a ticket to get other tickets. The client uses this preliminary ticket to demonstrate its identity to the ticket-granting server in the hopes of ultimately getting access to a service.
The domain controller running Kerberos will have inbound port 88 open to service logon requests from clients.
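The two-part KDC flow described above, as an added example rather than code from the original notes or from any Kerberos implementation: the authentication server half issues a ticket-granting ticket, and the ticket-granting server half checks it before issuing a service ticket, rejecting authenticators whose timestamp is outside the clock-skew window or has been seen before. Tickets are protected with an HMAC instead of the encryption real Kerberos uses, and all keys and principal names are constructed.

```python
import hashlib
import hmac
import json
import os

MAX_SKEW = 300  # seconds; authenticators outside this window are rejected

def seal(key: bytes, payload: dict) -> dict:
    """Attach an HMAC so the KDC can detect tampering. Real Kerberos encrypts
    tickets and authenticators; a MAC keeps this example standard-library only."""
    body = json.dumps(payload, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(key, body, hashlib.sha256).digest()}

def open_sealed(key: bytes, sealed: dict) -> dict:
    expected = hmac.new(key, sealed["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sealed["mac"]):
        raise PermissionError("integrity check failed")
    return json.loads(sealed["body"])

class KDC:
    """Both logical halves of the KDC: the AS issues TGTs, the TGS issues service tickets."""
    def __init__(self, users: set):
        self.users, self.tgs_key = users, os.urandom(32)
        self.service_keys = {}  # constructed per-service keys (long-term keys in reality)
        self.seen = set()       # replay cache of (user, authenticator timestamp)

    def as_exchange(self, user: str, now: float):
        """Authentication server: returns a TGT plus the session key for the TGS."""
        if user not in self.users:
            raise PermissionError("unknown principal")
        skey = os.urandom(32)  # real Kerberos returns this encrypted under the user's key
        tgt = seal(self.tgs_key, {"user": user, "skey": skey.hex(), "expires": now + 36000})
        return tgt, skey

    def tgs_exchange(self, tgt: dict, authenticator: dict, service: str, now: float) -> dict:
        """Ticket-granting server: checks TGT, time skew and replay, then issues a service ticket."""
        t = open_sealed(self.tgs_key, tgt)
        if now > t["expires"]:
            raise PermissionError("TGT expired")
        auth = open_sealed(bytes.fromhex(t["skey"]), authenticator)
        if auth["user"] != t["user"]:
            raise PermissionError("authenticator does not match ticket")
        if abs(now - auth["ts"]) > MAX_SKEW:
            raise PermissionError("clock skew too large; synchronize client and KDC time")
        if (auth["user"], auth["ts"]) in self.seen:
            raise PermissionError("replayed authenticator")
        self.seen.add((auth["user"], auth["ts"]))
        skey = self.service_keys.setdefault(service, os.urandom(32))
        return seal(skey, {"user": t["user"], "service": service, "expires": now + 36000})
```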
Kerberos is designed to protect against replay attacks and eavesdropping. One of the drawbacks of Kerberos is that it relies on a centralized server, such as a domain controller. This can be a single point of failure. To alleviate this problem, secondary and tertiary domain controllers can be installed that keep a copy of Active Directory and are available with no downtime in case the first domain controller fails. Time between the clients and the domain controller must be synchronized for Kerberos to work properly.
+ Terminal Services
The Terminal Services application is in charge of authenticating terminal users and will do so if the user has been configured properly. Terminal Services authentication integrates directly with standard Windows Server authentication.
The terminal server will have inbound port 3389 open to accept connections from remote clients. Their sessions are stored at the terminal server, allowing disconnection and later reuse. Terminal Services is now referred to as Remote Desktop Services in newer versions of Windows.