Authenticating RAS Clients *
AAA protocols provide ____, ____, and ____.
AAA protocols provide authentication, authorization, and accounting. TACACS + uses multiple challenges and responses during a session.
____ tracks user access with logs.
Accounting
_____ is sometimes referred to as an AAA protocol, but it does not provide any accounting services.
Kerberos
___ implementation of CHAP, which is used only by Microsoft clients.
MS-CHAP
What does XTACACS for?
Means Extended TACACS
What does MS-CHAP stand for?
Microsoft Challenge Handshake Authentication Protocol
How does mutual authentication reduce risks?
Mutual authentication provides assurances of the server's identity <b>before</b> the client transmits data. It reduces the risk of a client sending sensitive data to a rogue server.
Is PPP more secure than CHAP?
No. Challenge Handshake Authentication Protocol (CHAP) uses PPP and authenticates remote users, but it is more secure than PAP.
What is a nonce?
Number Used Once
PAP authentication uses a ___ or a PIN.
PAP authentication uses a password or a PIN.
Challenge Handshake Authentication Protocol (CHAP) uses ___ (a protocol) and authenticates remote users.
PPP
What does PAP stand for?
Password Authentication Protocol
What does PPP stand for?
Point-to-Point Protocol
Password Authentication Protocol (PAP) is used with ____ (a protocol) to authenticate clients.
Point-to-Point Protocol (PPP) PPP was primarily used with dial-up connections. PPP replaced Serial Line Interface Protocol (SLIP) as a more efficient method of connecting to remote servers such as Internet Service Providers (ISPs).
TACACS + is the Cisco alternative to_____ and is a recommended replacement for XTACACS.
RADIUS
____ (Radius, TACACS+) only encrypts the password, whereas ___ encrypts the entire authentication process.
RADIUS (UDP) TACACS+ (TCP)
____ and ____ are both considered AAA protocols because they provide all three services (authentication, authorization and accounting). They authenticate users who attempt remote access, determine if the user is authorized for remote access by checking a database, and then record the user's activity.
RADIUS and TACACS+
What does RAS stand for?
Remote Access Service
What is RAS?
Remote Access Service (RAS) provides access to an internal network from an outside source. Clients access a RAS server via either dial-up or a virtual private network (VPN). A VPN allows a client to access a private network over a public network, such as the Internet. Remote access methods are useful for personnel who need access to the private network from remote locations. This includes users who travel frequently and telecommuters who work from home. However, no matter which remote access method you use, you still need to ensure that only authorized clients can access the network remotely.
What does RADIUS stand for?
Remote Authentication Dial-In User Service
What is RADIUS?
Remote Authentication Dial-In User Service (RADIUS) is a centralized authentication service. Instead of each individual RAS server needing a separate database to identify who can authenticate, authentication requests are forwarded to a central RADIUS server. Think AOL.
In CHAP the nonce is provided by the ____.
The server
Why is RADIUS beneficial?
Think AOL. It alleviates the database of user's to be replicated to each RAS server in the company.
Microsoft Active Directory uses Kerberos for <b>authentication</b>. (True or False)
True
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) is an improvement over CHAP for Microsoft clients. (True or False)
True
Organizations can use TACACS + as an <b>authentication</b> service for network devices. (True or False)
True
PAP, CHAP, MS-CHAP, RADIUS, DIAMETER, XTACACS, TACACS+, AAA Protocols different <b>authentication</b> mechanisms you can use with RAS. (True or False)
True
RADIUS only encrypts the password; not the entire process. (True or False)
True
The centralized RADIUS server is configured with a shared secret (similar to a password) to the other servers in different cities. (True or False)
True
You can use TACACS+ to authenticate users to a network device <b>before</b> they are able to access a configuration page for a router or a switch. (True or False)
True As a reminder, Microsoft Active Directory uses Kerberos for authentication. Organizations also use TACACS + as an authentication service for network devices. In other words, you can use it to authenticate users before they are able to access a configuration page for a router or a switch. The network devices must be TACACS + enabled, and a TACACS + server provides the authentication services.
RADIUS uses (UDP or TCP).
UDP
RADIUS uses the ______ (protocol), which uses a best-effort delivery mechanism.
User Datagram Protocol (UDP)
MS-CHAP supported clients as old as ____ (looking for Windows version).
Windows 95
____ verifies a user's identification.
Authentication
_____ determines if a user should have access.
Authorization
The goal of ____ (a protocol) is to allow the client to pass credentials over a public network (such as a phone or the Internet) without allowing attackers to intercept the data and later use it in an attack. The client hashes a secret after combining it with a nonce (number used once) provided by the server. This handshake process is used when the client initially tries to connect to the server, and at different times during the connection. The client and server <b>both</b> know a shared secret (similar to a password) used in the authentication process. However, the client doesn't send the shared secret over the network in plaintext as PAP does. Instead, the <b>client hashes it after combining it with a nonce (number used once) provided by the server<b>. This handshake process is used when the client initially tries to connect to the server, and at different times during the connection.
CHAP
____ (PAP, PPP, or CHAP) uses a handshake process where the server challenges the client. The client then responds with appropriate authentication information.
CHAP
What does CHAP stand for? What is it associated with?
Challenge Handshake Authentication Protocol RAS Clients
Extended TACACS (XTACACS) is an older ____ (looking for company) proprietary authentication protocol that is rarely used today.
Cisco
_____ is an <b>extension</b> of RADIUS and many organizations have switched to **** as a replacement for RADIUS due to its extra capabilities.
Diameter
One significant improvement of Diameter over Radius is the support of the ____ (protocol) and ____ (protocol), which significantly enhances the security of Diameter.
EAP and TCP
What does EAP stand for?
Extensible Authentication Protocol
TACACS + is proprietary to Cisco, it cannot interact with Kerberos or Active Directory. (True or False)
False Although TACACS + is proprietary to Cisco, it can interact with Kerberos. This allows a Cisco RAS server (or VPN concentrator) to interact in a Microsoft Active Directory environment.
RADIUS uses multiple challenges and responses between the client and the server. (True or False)
False TACACS + uses multiple challenges and responses between the client and the server.
TACACS + provides two important security benefits over RADIUS. Name them.
First, it encrypts the entire authentication process, whereas RADIUS encrypts only the password. Second, TACACS + uses multiple challenges and responses between the client and the server.
What does SLIP stand for?
Serial Line Interface Protocol
The biggest weakness of PAP is _____.
Sniffing Attacks
DIAMETER uses (UDP or TCP).
TCP
TACACS+ uses (UDP or TCP).
TCP
User Datagram Protocol (UDP) uses a best-effort delivery mechanism. TACACS+ uses ____ (protocol) that provides guaranteed delivery.
TCP
Diameter adds several other commands beyond the capabilities of RADIUS. Diameter uses ___ (protocol) instead of UDP used by RADIUS.
TCP In geometry, the diameter of a circle is a straight line between the two edges of a circle, whereas the radius is a straight line from the center to an edge. In other words, the diameter of a circle is twice as long as the radius. The designers considered this when naming Diameter to indicate indirectly that it is twice as good as RADIUS.
What does TACACS+ stand for?
Terminal Access Controller Access-Control System Plus
Most organizations use either RADIUS, Diameter, or TACACS +, instead of ____.
XTACACS
A significant improvement of MS-CHAPv2 over MS-CHAP is the ability to perform ______.
mutual authentication
In _____, not only does the client authenticate to the server, but the server also authenticates to the client.
mutual authentication
In addition to using TACACS + for remote access, you can also use it for authentication with ___ and ___.
routers and other network devices.
