Need help understanding Authentication Services

I'm having a hard time trying to figure out how LDAP, RADIUS, TACACS+, Active Directory and PEAP work together.

Just to break it down, this is the way I understand it.

The following are protocols:
EAP, LEAP, PEAP, CHAP (authentication protocols)
LDAP (protocol for access to Active Directory)

The following are authentication servers:
RADIUS
TACACS+

Active Directory is the database of users and passwords. Am I right so far?

This is when it all gets confusing to me. I'm not exactly sure how these all work together. So if I'm a remote user and I want to login via a VPN I connect to the RADIUS(or TACACS+) server using PEAP(LEAP, EAP, CHAP). From there the RADIUS server uses the Active Directory to login using LDAP. The RADIUS server is just allowing access to the network but the AD allows access to the services. Ok, I guess that's as far as I got and I'm not even sure if that's right.

Can anyone point me to maybe some more information on how this works? TIA

Find more posts tagged with

Comments

Thoth_Dhwty

Good question! I would love a good explanation on this as well.

I think LDAP and AD provide the database services with usernames and RADIUS is the intermediary/authenticator between the client and LDAP

Something like this:

Wi-Fi AP uses EAP variation --> RADIUS --> LDAP/AD

EDIT: I've been told just now that both RADIUS and LDAP are protocols used for authentication and generally you use either one or the other.. o_o

EDIT 2:

So I asked Professor Messer same thing becuz on wikipedia it says the following:

"[FONT=&quot]Historically, RADIUS servers checked the user's information against a locally stored flat file database. Modern RADIUS servers can do this, or can refer to external sources — commonly SQL, Kerberos, LDAP, or Active Directory servers — to verify the user's credentials."[/FONT]

So I was wondering in which situation does the RADIUS use LDAP for lookup ?
And Prof Messer offered following example:

Users connecting to a VPN concentrator over the Internet, but the VPN only knows how to authenticate users using AAA server through RADIUS so you point the VPN to the RADIUS server's IP address.
But you would like your users who connect to the VPN to use their Windows AD credentials, info which is not on the RADIUS server so in that case you configure RADIUS to speak to the Active Directory using LDAP protocol.

Hope that makes more sense now.

GeekyChick

Thank you Thoth_Dhwty! So, RADIUS could use Active Directory or it's own server database to authenticate? After doing some more research it seems like AD is more for internal users and RADIUS is for external users and devices trying to connect to the network. Seems like you would want to protect your AD more since it's mostly internal AAA.

It's also confusing when I try to think of the protocols that go along with this. Like when to use EAP, PEAP for example and LDAP. I'm going to research that too.

Anyway, it seems like you and I are in the same place study-wise. Are you studying for Sec+?

PCTechLinc

AD is definitely for internal uses. It can be "segmented" to provide external authentication via LDS, but only in special circumstances.

RADIUS/TACACS+ are better thought of METHODS to authenticate. You can have RADIUS within an AD environment.

End station = Supplicant
RADIUS/TACACS server = Authentication client
AD or similar database = Authentication server

End station sends request to connect to network --> RADIUS/TACACS server sends end station's credentials to Authentication server --> Authentication server sends reply back to Authentication client --> End station granted or denied access to network

As far as EAP and PEAP, that is asking how you want the messages protected between the Authentication client and server. Certificates, usernames and passwords, PINs, etc...

Obviously I'm paraphrasing the process, but that is a BASIC translation on how it all works.

PCTechLinc

Also worth mentioning that RADIUS and TACACS can provide a local database for local authentication instead of using AD.

GeekyChick

Thank you PCTechLinc! I thought that was what you were referring to in your first post, using TACACS or RADIUS as internal AAA without needing AD. That explanation helps.

Also, I get it now with the EAP and PEAP. I was thinking that was the protocol you used to authenticate from the supplicant to the authentication client. That makes more sense that it's the protocol between authentication client and server. Thanks again!

PCTechLinc

You are very welcome, glad I could help!

GeekyChick

I appreciate it! I'm glad you offered to help a newbie like me.

PCTechLinc

Haha, no worries... I was an IT Security newbie until I went through my MSISA degree. I may not be a newbie anymore, but I still have a lot to learn!

Thoth_Dhwty

GeekyChick wrote: »

Anyway, it seems like you and I are in the same place study-wise. Are you studying for Sec+?

Yes I am. I started about 2-3 weeks ago but so far it didn't go so well as I am having problems receiving Gibson's book in the Caribbeans.. so I am using another e-book which is very scrambled and all over the place with it's material. I am thinking of buying Gibson's e-book since that is going to be delivered instantly to my kindle but I am wondering if it's a big difference between paper book and e-book. I have to do some research.

Anyway, I have two months to learn for it so I am confident enough to get it done. That's plenty time.
When do you have your exam ? Should be soon if I remember correctly.

Nik 99

Nice thread. I might have passed, but I still don't feel I have the best grasp on a lot of concepts.

Thoth_Dhwty

Nik 99 wrote: »

Nice thread. I might have passed, but I still don't feel I have the best grasp on a lot of concepts.

Yeah mate, got to keep researching and learning even after passing exams otherwise you'll forget all that.. unless you work in the field.