Shared Flashcard Set

Details

CCIE Security 3
Security Protocols
29
Engineering
Professional
11/15/2009

Cards

Term

What are the characteristics of TACACS+ protocol?

(transport, AAA mechanism, auth protocols, encryption)

Definition

TCP port 49

Separates each of the mechanisms of AAA

Supports PAP/CHAP, IPX, X.25

Encrypts entire body of packets between user and server using MD5-HMAC

Term

What are the steps in (a successful) TACACS+/RADIUS authentication?

Definition

1. Client connects to Network Access Server (NAS)

2. NAS contacts AAA server for username prompt displayed to user. User enters username. NAS forwards username.

3. NAS gets password prompt displayed to user. User enters password. NAS forwards login info to AAA.

(2-3) User can pass login info via PAP/CHAP

4. TACACS+ returns ACCEPT / RADIUS returns Access-Accept

5. Authorization phase, if enabled for TACACS+

6. Accounting takes place, if enabled for TACACS+

Term

What are the 4 types of responses a TACACS+ daemon has in response to a login attempt?

Definition

ACCEPT - user is authenticated and service allowed

REJECT - user fails to authenticate

ERROR - error occurred during authentication; NAS will typically try an alternative authentication method.

CONTINUE - user prompted for additional authentication information

Term

What are the responses a TACACS+ daemon returns for authorization?

Definition

REJECT - user is not authorized

ACCEPT - user is authorized; response contains data in the form of attributes determining what services the user can access.

Term

What are the characteristics of RADIUS protocol?

(transport, encryption)

Definition

Pre-RFC: UDP ports 1645, 1646

RFC 2138: UDP ports 1812, 1813

Password info is encrypted w/ MD5; remainder of packet not encrypted (including username, authorization, accounting)

Term

What are the basic commands to enable RADIUS?

Definition

aaa new-model

aaa authentication ... (define method lists)

radius-server host <ip> auth-port <port> key <secret>

(default port is 1645; not used for auth if set to 0)

Term

What are the 4 types of responses a RADIUS daemon has in response to a login attempt?

Definition

ACCESS-ACCEPT - user is authenticated

ACCESS-REJECT - user failed/not authenticated

CHALLENGE - additional data requested of user

CHANGE-PASSWORD - user asked to select new password

Term

What are the main differences between RADIUS vs. TACACS+ protocols?

Definition

UDP vs. TCP

encrypts password only vs. encrypts entire packet

combines authentication/authorization vs. separates AAA mechanisms

TACACS+ offers multiprotocol support; provides per-user/per-group authorization of commands

Term

What are the characteristics of SSL?

Definition

Secure Sockets Layer

Standard for authenticated/encrypted communication between web clients & servers. Maintains security & integrity of the transmission channel.

Application dependent - allows application protocols (HTTP, FTP, Telnet) to be layered on top.

Term

What are the two phases of the SSL handshake?

Definition

1. server authentication

2. optional client authentication

Term

What takes place during the server authentication phase of the SSL handshake?

Definition

1. Server responds to client request by sending certificate and cipher preferences.

2. Client generates & sends master key encrypted with server's public key.

3. Server retrieves master key. Server authenticates to client using return message encrypted with master key.

Term

What takes place during the client authentication phase of the SSL handshake?

Definition

1. Server sends challenge to client.

2. Client authenticates to server with client's digital signature and public key certificate.

Term

What is the purpose of digital certificates / PKI and what problems does it resolve?

Definition

Hierarchical framework for managing digital security attributes.

Resolves key management issues and offers nonrepudiation (sender cannot back out of claim of sending a message)

Protects against identity theft, eavesdropping, man-in-the-middle attacks

Term

What are the prerequisites for digital certificates / PKI (for VPN)?

Definition

Public Key Infrastructure

Certificate can be issued by a 3rd-party Certificate Authority (CA) server trusted by both peers

Peers must be in the same organizational unit; both peers must generate public+private key pairs.

Term

What are the steps in CA enrollment for digital certificates?

Definition

1. Host generates a public/private key pair; obtains CA server's public key and certificate

2. Host sends its ID info & public key to CA server, encrypted with CA's public key

3. CA authenticates/approves the enrollment request; signs certificate with peer's info encrypted using CA private key

4. Host decrypts with CA's public key and saves certificate

Term

What are the characteristics of EAP?

What is the IEEE standard?

How is it configured?

Definition

Extensible Authentication Protocol

Standard for authenticating hosts on L2 switches. (Non-authorized users are put in a Guest VLAN or denied.)

IEEE 802.1x

aaa authentication dot1x

Term

What are the three (four) entities in 802.1x and their roles?

Definition

supplicant - client; host accessing the LAN

AAA server - e.g., ACS, RADIUS, etc.

authenticator - network device; initiates authentication process; relay between supplicant and AAA server

optional: PAE / Port Access Entity - daemon for functionality of the 802.1 standard

Term

What are the characteristics of SCEP?

Definition

Simple Certificate Enrollment Protocol

Lightweight, HTTP-based protocol for enrollment of VPN devices to a certificate authority

Term

How does PKI resolve the problem of compromised keys?

What are its downsides?

Definition

Certificate Revocation Lists (CRLs) - contain all certificates that are no longer valid

All hosts must check for a fresh CRL after the old one expires and compare any certificate with the most recently updated list

Cons: Refreshing process can take several hours.

Term

What are the steps to revoke a certificate?

Definition

1. CA administrator is requested to revoke the certificate (additional authentication may be needed)

2. CA administrator places the certificate on the CRL

3. New CRL published for the CA server

4. End users check the CA for a new CRL after their old CRL has expired

Term

What is the RADIUS attribute for vendor-specific values?

What data does it contain?

What value is used to identify Cisco?

Definition

Attribute 26 is for Vendor Specific Attributes (VSA)

Contains vendor-id, vendor-type, vendor-length, vendor-data. The format of vendor-data is defined by the vendor.

Vendor-ID = 9 for Cisco

Term

What are the steps for connection setup of a wireless client to a WLAN?

Definition

1. Probe request from client to AP (specifying SSID)

2. Probe response from AP in infrastructure BSS to client

3. Client decides on an AP and sends authentication request.

4. (Authentication takes place.) Authentication response from AP to client

5-6. Association request/response

Term

What kind of security does WEP involve?

What are its vulnerabilities?

Definition

Uses a static preshared key

Cons: administratively difficult to change keys for the entire network/clients; weak encryption

Term

What were the three key improvements in Cisco's interim solution to WEP vulnerabilities?

Definition

Dynamic Key Exchange - key dynamically agreed on by devices instead of statically preshared

User Authentication with EAP/802.1x - login information (user/pwd, RADIUS, etc.) required to connect

Unique Key per Packet - encryption key for packets changes with every packet

Term

What are the characteristics of War Driving and War Chalking?

Definition

War Driving - connecting to unsecured APs for free wireless access

War Chalking - marking areas where there is free or unsecured wireless access for others to use

Term

What are the characteristics of PEAP?

(What is its purpose and how does it work?)

Definition

Protected Extensible Authentication Protocol

Method for securely transferring authentication information (NOT an encryption protocol) over wireless

1. Uses server-side public key certificates to authenticate the AAA server.

2. Creates an encrypted SSL/TLS connection to the AAA server.

3. Authentication takes place inside the tunnel.

Term

What are the characteristics of TLS?

Definition

Transport Layer Security

Successor to SSL. Encrypts network connections at the Transport layer end-to-end.

RSA security with 1024 and 2048 bit strengths.

Additionally performs mutual authentication, requiring a certificate at the client side also.

Term

What are the characteristics of TKIP?

Definition

Temporal Key Integrity Protocol

Replacement for WEP; part of WPA

- key mixing of secret root key into RC4 cipher

- anti-replay sequence counter

- 64-bit message integrity check (MICHAEL)

- every packet with a unique encryption key

Term

In 802.1x, what is the purpose of the command "device authorize"?

Where is it configured?

Definition

Statically authorizes (or unauthorizes) a supplicant if the supplicant does not "understand" 802.1X.

Configured on IOS or NAC for Cat Switch