Need help understanding Authentication Services

GeekyChick Member Posts: 323
I'm having a hard time trying to figure out how LDAP, RADIUS, TACACS+, Active Directory and PEAP work together.

Just to break it down, this is the way I understand it.

The following are protocols:
EAP, LEAP, PEAP, CHAP (authentication protocols)
LDAP (protocol for access to Active Directory)

The following are authentication servers:
RADIUS
TACACS+

Active Directory is the database of users and passwords. Am I right so far?

This is when it all gets confusing to me. I'm not exactly sure how these all work together. So if I'm a remote user and I want to login via a VPN I connect to the RADIUS(or TACACS+) server using PEAP(LEAP, EAP, CHAP). From there the RADIUS server uses the Active Directory to login using LDAP. The RADIUS server is just allowing access to the network but the AD allows access to the services. Ok, I guess that's as far as I got and I'm not even sure if that's right. :D Can anyone point me to maybe some more information on how this works? TIA

Comments

  • Thoth_Dhwty Member Posts: 96
    Good question! I would love a good explanation on this as well.

    I think LDAP and AD provide the database services with usernames and RADIUS is the intermediary/authenticator between the client and LDAP

    Something like this:

    Wi-Fi AP uses EAP variation --> RADIUS --> LDAP/AD

    EDIT: I've been told just now that both RADIUS and LDAP are protocols used for authentication and generally you use either one or the other.. o_o

    EDIT 2:

    So I asked Professor Messer the same thing because on Wikipedia it says the following:

    "[FONT=&quot]Historically, RADIUS servers checked the user's information against a locally stored flat file database. Modern RADIUS servers can do this, or can refer to external sources — commonly SQL, Kerberos, LDAP, or Active Directory servers — to verify the user's credentials."[/FONT]

    So I was wondering in which situation the RADIUS server uses LDAP for lookup?
    And Prof Messer offered the following example:

    Users connecting to a VPN concentrator over the Internet, but the VPN only knows how to authenticate users using an AAA server through RADIUS, so you point the VPN to the RADIUS server's IP address.
    But you would like your users who connect to the VPN to use their Windows AD credentials, information which is not on the RADIUS server, so in that case you configure RADIUS to speak to Active Directory using the LDAP protocol.

    Hope that makes more sense now.
  • GeekyChick Member Posts: 323
    Thank you Thoth_Dhwty! So, RADIUS could use Active Directory or its own server database to authenticate? After doing some more research it seems like AD is more for internal users and RADIUS is for external users and devices trying to connect to the network. Seems like you would want to protect your AD more since it's mostly internal AAA.

    It's also confusing when I try to think of the protocols that go along with this. Like when to use EAP, PEAP for example and LDAP. I'm going to research that too.

    Anyway, it seems like you and I are in the same place study-wise. Are you studying for Sec+?
  • PCTechLinc Member Posts: 646
    AD is definitely for internal uses. It can be "segmented" to provide external authentication via LDS, but only in special circumstances.

    RADIUS/TACACS+ are better thought of as METHODS to authenticate. You can have RADIUS within an AD environment.

    End station = Supplicant
    RADIUS/TACACS server = Authentication client
    AD or similar database = Authentication server

    End station sends request to connect to network --> RADIUS/TACACS server sends end station's credentials to Authentication server --> Authentication server sends reply back to Authentication client --> End station granted or denied access to network

    As far as EAP and PEAP, that is asking how you want the messages protected between the Authentication client and server. Certificates, usernames and passwords, PINs, etc...

    Obviously I'm paraphrasing the process, but that is a BASIC translation on how it all works.
    Master of Business Administration in Information Technology Management - Western Governors University
    Master of Science in Information Security and Assurance - Western Governors University
    Bachelor of Science in Network Administration - Western Governors University
    Associate of Applied Science x4 - Heald College
  • PCTechLinc Member Posts: 646
    Also worth mentioning that RADIUS and TACACS can provide a local database for local authentication instead of using AD.
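    Putting the two backends described in this thread (the RADIUS server's own local database, and an AD reached over LDAP) into one runnable message flow, as an added example that is not from the thread: stdlib Python models the NAS building an RFC 2865 Access-Request, the RADIUS server recovering the User-Password attribute with the shared secret and checking it first against its local file and then against the directory, and the NAS verifying the Response Authenticator on the Access-Accept/Reject. It assumes PAP (the password travels inside the RADIUS packet, so a directory bind can check it) rather than an EAP method; the user accounts, shared secret and the `directory_bind` stub are constructed for the example.

```python
import hashlib, os, struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
USER_NAME, USER_PASSWORD = 1, 2

def attr(kind: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865 s5)."""
    return struct.pack("!BB", kind, len(value) + 2) + value

def password_xor(data: bytes, secret: bytes, req_auth: bytes, hide: bool) -> bytes:
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(shared secret + previous cipher block); same routine hides and reveals."""
    data += b"\0" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = block if hide else data[i:i + 16]   # chain on the ciphertext block either way
        out += block
    return out

def response_auth(code: int, ident: int, attrs: bytes, req_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 s3 Response Authenticator: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + req_auth + attrs + secret).digest()

# Constructed sample backends: the RADIUS server's own flat file, and a directory it binds to.
LOCAL_USERS = {b"vpn-contractor": b"Tr0ub4dor"}   # account known only to the RADIUS server
DIRECTORY_USERS = {b"alice": b"Winter2024!"}     # stands in for the AD accounts reached over LDAP

def directory_bind(user: bytes, password: bytes) -> bool:
    """Stand-in for an LDAP simple bind against AD: success means the directory accepted the credentials."""
    return DIRECTORY_USERS.get(user) == password

def radius_server(ident: int, req_auth: bytes, attrs: bytes, secret: bytes):
    """Authentication-server side: parse the Access-Request, try the local file, then the directory."""
    fields, i = {}, 0
    while i < len(attrs):                          # walk the Type/Length/Value list
        kind, length = attrs[i], attrs[i + 1]
        fields[kind] = attrs[i + 2:i + length]
        i += length
    user, password = fields[USER_NAME], password_xor(fields[USER_PASSWORD], secret, req_auth, hide=False).rstrip(b"\0")
    ok = LOCAL_USERS.get(user) == password or directory_bind(user, password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return code, response_auth(code, ident, b"", req_auth, secret)

def nas_login(user: bytes, password: bytes, secret: bytes) -> bool:
    """NAS side (VPN concentrator or access point): build the Access-Request, then verify the reply."""
    ident, req_auth = 7, os.urandom(16)           # fresh random Request Authenticator per request
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, password_xor(password, secret, req_auth, hide=True))
    code, resp_auth = radius_server(ident, req_auth, attrs, secret)
    # accept only if the reply was produced with the shared secret and the server said Accept
    return resp_auth == response_auth(code, ident, b"", req_auth, secret) and code == ACCESS_ACCEPT
```

    With PEAP the password never appears as a User-Password attribute; the EAP exchange is tunnelled to the RADIUS server, which then needs an AD-aware check (for example MS-CHAPv2 through a domain-joined helper) rather than the simple bind modelled here.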
  • GeekyChick Member Posts: 323
    Thank you PCTechLinc! I thought that was what you were referring to in your first post, using TACACS or RADIUS as internal AAA without needing AD. That explanation helps.

    Also, I get it now with the EAP and PEAP. I was thinking that was the protocol you used to authenticate from the supplicant to the authentication client. That makes more sense that it's the protocol between authentication client and server. Thanks again!
  • PCTechLinc Member Posts: 646
    You are very welcome, glad I could help!
  • GeekyChick Member Posts: 323
    I appreciate it! I'm glad you offered to help a newbie like me.
  • PCTechLinc Member Posts: 646
    Haha, no worries... I was an IT Security newbie until I went through my MSISA degree. I may not be a newbie anymore, but I still have a lot to learn!
  • Thoth_Dhwty Member Posts: 96
    GeekyChick wrote: »
    Anyway, it seems like you and I are in the same place study-wise. Are you studying for Sec+?

    Yes I am. I started about 2-3 weeks ago but so far it didn't go so well as I am having problems receiving Gibson's book in the Caribbean.. so I am using another e-book which is very scrambled and all over the place with its material. I am thinking of buying Gibson's e-book since that is going to be delivered instantly to my Kindle but I am wondering if there's a big difference between the paper book and the e-book. I have to do some research.

    Anyway, I have two months to learn for it so I am confident enough to get it done. That's plenty of time.
    When do you have your exam? Should be soon if I remember correctly.
  • Nik 99 Member Posts: 154
    Nice thread. I might have passed, but I still don't feel I have the best grasp on a lot of concepts.
  • Thoth_Dhwty Member Posts: 96
    Nik 99 wrote: »
    Nice thread. I might have passed, but I still don't feel I have the best grasp on a lot of concepts.

    Yeah mate, got to keep researching and learning even after passing exams otherwise you'll forget all that.. unless you work in the field.