Authentication

Feb 22, 2025

Authentication and the AAA Framework

Introduction to Authentication

  • Authentication is a process familiar to many: it involves a username, a password, and possibly a second authentication factor.
  • Behind the scenes, authentication uses the AAA framework.

The AAA Framework

  • Authentication: Prove you are who you say you are, often via a password or private information.
  • Authorization: Ensure access to the appropriate files, directories, or network areas based on user identity.
  • Accounting: Track logins/logouts and document successful/unsuccessful authentication attempts.

Authentication Process

  • Starts with public identification info (e.g., username, email).
  • A common scenario includes logging into a VPN concentrator using a username, password, or other factors.
  • The information is sent to an AAA server, which validates the credentials.

Single Sign-On (SSO)

  • Requires authenticating only once per day; after that, access continues without re-entering credentials.
  • Typically has a 24-hour validity period.

Protocols and Standards

RADIUS

  • Remote Authentication Dial-in User Service.
  • Supported across many systems and devices.
  • Used for VPN concentrators, server logins, and wireless networks.

LDAP

  • Lightweight Directory Access Protocol.
  • Offers a centralized directory similar to a phone book for users, departments, etc.
  • Allows additional context via the X.500 standard, adding attributes to users/devices.

SAML

  • Security Assertion Markup Language.
  • An open standard for authentication and authorization.
  • Involves resource server, client, and authorization server.

TACACS

  • Terminal Access Controller Access Control System.
  • Used on Cisco devices; now an open standard (TACACS+, "TACACS Plus").

Multi-Factor Authentication

  • Involves additional factors besides username and password.
  • Common factors:
    • Something you know: Password.
    • Something you have: Mobile phone app.
    • Something you are: Biometric (e.g., fingerprint).
    • Somewhere you are: GPS location.
  • TOTP: Time-based one-time password algorithm.
    • Depends on client and server clocks being synchronized, typically via the Network Time Protocol (NTP).
    • Used widely by Google, Facebook, Microsoft.

Conclusion

  • Authentication involves a complex interplay of protocols and systems.
  • Ensures secure access to resources and tracks user interaction with systems.