CompTIA Network+ | Microsoft MTA Networking: Methods of User Authentication

User authentication is the verification of an active human-to-machine transfer of credentials required for confirmation of a user’s authenticity; the term contrasts with machine authentication, which involves automated processes that do not require user input.

Source: MC MCSE Certification Resources

  • PKI (Public Key Infrastructure) – A public key infrastructure (PKI) is the combination of software, encryption technologies, processes, and services that enable an organization to secure its communications and business transactions.
    PKI uses a public and a private cryptographic key pair that is obtained and shared through a trusted authority. The public key infrastructure provides for a digital certificate that can identify an individual or an organization and directory services that can store and, when necessary, revoke the certificates.
  • Kerberos – Invented by MIT, this protocol has been evolving in the Unix world for over a decade and has become a standard in Windows operating systems. Kerberos is a network authentication protocol which utilizes symmetric cryptography to provide authentication for client-server applications. The core of a Kerberos architecture is the KDC (Key Distribution Center) that serves as the trusted third party and is responsible for storing authentication information and using it to securely authenticate users and services. In order for this security method to work, it is paramount that the KDC is available and secure. The clocks of all hosts involved must be synchronized as well.
  • AAA – AAA commonly stands for “authentication, authorization and accounting”.
    • RADIUS (Remote Authentication Dial In User Service) – RADIUS is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management and provides a method that allows multiple dial-in Network Access Server (NAS) devices to share a common authentication database. RADIUS is often used by ISPs and enterprises to manage access to the Internet or internal networks, and wireless networks. Microsoft’s answer to corporate wireless security is the use of RADIUS authentication through its Internet Authentication Services (IAS) product.
    • TACACS+ (Terminal Access Controller Access-Control System) – TACACS+ is a proprietary Cisco security application that provides centralized validation of users attempting to gain access to a router or network access server. The TACACS+ protocol provides authentication between the network access server and the TACACS+ daemon, and it ensures confidentiality because all protocol exchanges between a network access server and a TACACS+ daemon are encrypted. Whereas RADIUS combines authentication and authorization in a user profile, TACACS+ separates the two operations. Another difference is that TACACS+ uses the Transmission Control Protocol (TCP) while RADIUS uses the User Datagram Protocol (UDP).
  • 802.1X – 802.1X is an IEEE Standard for port-based Network Access Control (PNAC). This standard is designed to enhance the security of wireless local area networks (WLANs) by providing an authentication framework that allows a user to be authenticated by a central authority. It is used for securing wireless 802.11 access points and is based on the Extensible Authentication Protocol (EAP).
  • CHAP (Challenge Handshake Authentication Protocol) – A type of authentication protocol used on PPP connections. CHAP uses a 3-way handshake in which the authentication agent sends the client program a key to be used to encrypt the user name and password. CHAP not only requires the client to authenticate itself in the beginning, but sends challenges at regular intervals to make sure the client hasn’t been replaced by an intruder.
  • MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) – This is Microsoft’s version of CHAP and is a one-way encrypted password, mutual authentication process used in Windows operating systems. Like the standard version of CHAP, MS-CHAP is used for PPP authentication, but is considered by some to be more secure. MS-CHAPv2 was released to solve many of the problems and deficiencies of the first version.
  • EAP (Extensible Authentication Protocol) – EAP is an extension to the Point-to-Point Protocol (PPP) that was developed in response to an increasing demand to provide an industry-standard architecture for support of additional authentication methods within PPP. EAP is an authentication framework, not a specific authentication mechanism, and it is typically used on wireless networks. It provides some common functions and negotiation of authentication methods, called EAP methods. There are roughly 40 different methods defined. Commonly used methods capable of operating in wireless networks include EAP-TLS, EAP-SIM, EAP-AKA, PEAP, LEAP and EAP-TTLS. When EAP is invoked by an 802.1X-enabled Network Access Server (NAS) device such as an 802.11 Wireless Access Point, modern EAP methods can provide a secure authentication mechanism and negotiate a secure Pair-wise Master Key (PMK) between the client and NAS. The PMK can then be used for the wireless encryption session, which uses TKIP or CCMP (based on AES) encryption. Strong EAP types such as those based on certificates offer better security against brute-force or dictionary attacks and password guessing than password-based authentication protocols, such as CHAP or MS-CHAP.
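The Kerberos bullet above names three things worth seeing in code: a KDC that is the only party holding every principal's long-term key, tickets and authenticators protected with symmetric cryptography, and the dependence on synchronized clocks. The following is an added example, not code from the original article or from any Kerberos implementation. It is a deliberately simplified model: the AS and TGS exchanges are collapsed into one `issue_ticket` call, the "encryption" is a toy SHA-256 keystream with an HMAC tag standing in for a real Kerberos enctype, and the principal names, passwords, 300-second skew limit, ticket lifetime and helper names (`seal`, `unseal`, `demo`) are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import os
import time

MAX_CLOCK_SKEW = 300        # seconds; five minutes is the usual Kerberos default (assumed here)
TICKET_LIFETIME = 8 * 3600  # seconds; assumed lifetime for the example

def long_term_key(password: str, principal: str) -> bytes:
    # The "string-to-key" step: a principal's long-term key is derived from its password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 50_000)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption (stand-in for a Kerberos enctype): nonce || ciphertext || tag."""
    plaintext = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, "sha256").digest()
    return nonce + ciphertext + tag

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ciphertext, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    plaintext = bytes(c ^ s for c, s in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)

class KDC:
    """Trusted third party: the only place every principal's long-term key is stored."""
    def __init__(self, passwords: dict):
        self.keys = {name: long_term_key(pw, name) for name, pw in passwords.items()}

    def issue_ticket(self, client: str, service: str, now: float):  # AS + TGS collapsed into one step
        session_key = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": client, "session_key": session_key,
                                           "expires": now + TICKET_LIFETIME})
        for_client = seal(self.keys[client], {"service": service, "session_key": session_key})
        return ticket, for_client

class Client:
    def __init__(self, name: str, password: str):
        self.name, self.key = name, long_term_key(password, name)

    def credentials_for(self, kdc: KDC, service: str, now: float):
        ticket, for_client = kdc.issue_ticket(self.name, service, now)
        # A wrong password derives the wrong key, so this unseal() fails and no authenticator can be built.
        session_key = bytes.fromhex(unseal(self.key, for_client)["session_key"])
        authenticator = seal(session_key, {"client": self.name, "timestamp": now})
        return ticket, authenticator

class Service:
    def __init__(self, name: str, password: str):
        self.key = long_term_key(password, name)
        self.seen = set()  # replay cache: (client, timestamp) pairs already accepted

    def accept(self, ticket: bytes, authenticator: bytes, now: float) -> str:
        """Validate ticket and authenticator; returns the authenticated client principal."""
        t = unseal(self.key, ticket)  # only the KDC (which holds the service key) could have sealed this
        if now > t["expires"]:
            raise PermissionError("ticket expired")
        a = unseal(bytes.fromhex(t["session_key"]), authenticator)
        if a["client"] != t["client"]:
            raise PermissionError("authenticator principal does not match ticket")
        if abs(now - a["timestamp"]) > MAX_CLOCK_SKEW:
            raise PermissionError("clock skew too large; hosts must be time-synchronized")
        if (a["client"], a["timestamp"]) in self.seen:
            raise PermissionError("replayed authenticator")
        self.seen.add((a["client"], a["timestamp"]))
        return t["client"]

def _rejected(action) -> bool:
    try:
        action()
        return False
    except (PermissionError, ValueError):
        return True

def demo() -> dict:
    now = time.time()
    kdc = KDC({"alice": "correct horse", "host/fileserver": "svc-secret"})  # constructed principals
    svc = Service("host/fileserver", "svc-secret")
    alice = Client("alice", "correct horse")
    ticket, auth = alice.credentials_for(kdc, "host/fileserver", now)
    ticket2, auth2 = alice.credentials_for(kdc, "host/fileserver", now)
    return {
        "accepted": svc.accept(ticket, auth, now),
        "replay_rejected": _rejected(lambda: svc.accept(ticket, auth, now)),
        "skew_rejected": _rejected(lambda: svc.accept(ticket2, auth2, now + 600)),
        "wrong_password_rejected": _rejected(
            lambda: Client("alice", "wrong").credentials_for(kdc, "host/fileserver", now)),
    }
```

`demo()` walks through four situations: a valid ticket and authenticator are accepted; presenting the same authenticator twice is caught by the replay cache; a service whose clock is ten minutes off rejects an otherwise valid authenticator, which is the concrete reason the article insists on synchronized clocks; and a client that does not know the right password cannot even recover the session key, let alone produce an authenticator. The service never sees any password and only the KDC holds all long-term keys, which is why its availability and security are paramount.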
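The CHAP bullet above speaks of a three-way handshake and of re-challenges at regular intervals. The following added example (not code from the original article, and not a PPP implementation) shows the response computation as RFC 1994 specifies it for the MD5 algorithm, Response = MD5(Identifier || secret || Challenge), together with a minimal authenticator that makes every challenge single-use. The user name, the secrets, and the class and function names (`Authenticator`, `Peer`, `demo`) are assumptions made for the example.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 MD5 response: hash over Identifier, then secret, then Challenge value.
    The secret itself never crosses the link; only this hash does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    """Server side (e.g. a NAS): holds each peer's secret and issues challenges."""
    def __init__(self, secrets: dict):
        self.secrets = secrets
        self.identifier = 0
        self.outstanding = {}  # identifier -> challenge value still awaiting a response

    def challenge(self) -> tuple:
        """Handshake step 1: send a fresh random challenge under a new identifier."""
        self.identifier = (self.identifier + 1) % 256
        value = os.urandom(16)
        self.outstanding[self.identifier] = value
        return self.identifier, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Handshake step 3: recompute the hash from the stored challenge and compare.
        The challenge is removed on first use, so it cannot be answered twice."""
        challenge = self.outstanding.pop(identifier, None)
        secret = self.secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)

class Peer:
    """Client side: holds the shared secret and answers challenges."""
    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes) -> tuple:
        """Handshake step 2: send the name and the hash of identifier, secret and challenge."""
        return self.name, chap_response(identifier, self.secret, challenge)

def demo() -> dict:
    nas = Authenticator({"alice": b"s3cret-ppp"})   # constructed credentials
    alice = Peer("alice", b"s3cret-ppp")
    impostor = Peer("alice", b"guess")               # knows the user name, not the secret

    # Initial authentication: challenge -> response -> success/failure
    ident, chal = nas.challenge()
    name, resp = alice.respond(ident, chal)
    first_ok = nas.verify(ident, name, resp)

    # Periodic re-challenge: a new identifier and value, answered freshly by the real peer
    ident2, chal2 = nas.challenge()
    rechallenge_ok = nas.verify(ident2, *alice.respond(ident2, chal2))

    # A recorded earlier response is useless: its challenge is gone, and a new challenge hashes differently
    replay_same_id = nas.verify(ident, name, resp)
    ident3, chal3 = nas.challenge()
    replay_new_challenge = nas.verify(ident3, name, resp)

    # A peer with the wrong secret produces the wrong hash
    ident4, chal4 = nas.challenge()
    wrong_secret_ok = nas.verify(ident4, *impostor.respond(ident4, chal4))

    return {"first_ok": first_ok, "rechallenge_ok": rechallenge_ok,
            "replay_same_id": replay_same_id, "replay_new_challenge": replay_new_challenge,
            "wrong_secret_ok": wrong_secret_ok}
```

The two replay results are the point of the re-challenge design: because each challenge is random, single-use and tied to an identifier, a response captured from one exchange proves nothing in a later one. The remaining weakness, which the EAP bullet alludes to, is that the authenticator must hold the secret in a form it can hash, and the hash is only as strong as the secret's resistance to guessing.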



Also published on Medium.
