  1. Senior Member GeekyChick's Avatar
    Join Date
    Sep 2016
    Location
    Colorado
    Posts
    258

    Certifications
    BSCS, CCNA, Sec+, Net+
    #1

    Default Need help understanding Authentication Services

    I'm having a hard time trying to figure out how LDAP, RADIUS, TACACS+, Active Directory and PEAP work together.

    Just to break it down, this is the way I understand it.

    The following are protocols:
    EAP, LEAP, PEAP, CHAP (authentication protocols)
    LDAP (protocol for access to Active Directory)

    The following are authentication servers:
    RADIUS
    TACACS+

    Active Directory is the database of users and passwords. Am I right so far?

    This is when it all gets confusing to me. I'm not exactly sure how these all work together. So if I'm a remote user and I want to log in via a VPN, I connect to the RADIUS (or TACACS+) server using PEAP (LEAP, EAP, CHAP). From there the RADIUS server uses the Active Directory to log in using LDAP. The RADIUS server is just allowing access to the network, but the AD allows access to the services. OK, I guess that's as far as I got and I'm not even sure if that's right. Can anyone point me to maybe some more information on how this works? TIA
    Before I do anything I ask myself, "would an idiot do that?" and if the answer is yes I do not do that thing. Dwight Schrute

  3. Member
    Join Date
    Dec 2016
    Location
    UK
    Posts
    86

    Certifications
    A+ Net+ Sec+
    #2
    Good question! I would love a good explanation on this as well.

    I think LDAP and AD provide the database services with usernames, and RADIUS is the intermediary/authenticator between the client and LDAP.

    Something like this:

    Wi-Fi AP uses EAP variation --> RADIUS --> LDAP/AD

    EDIT: I've been told just now that both RADIUS and LDAP are protocols used for authentication and generally you use either one or the other.. o_o

    EDIT 2:

    So I asked Professor Messer the same thing because on Wikipedia it says the following:

    "Historically, RADIUS servers checked the user's information against a locally stored flat file database. Modern RADIUS servers can do this, or can refer to external sources — commonly SQL, Kerberos, LDAP, or Active Directory servers — to verify the user's credentials."

    So I was wondering in which situation does RADIUS use LDAP for lookup?
    And Prof Messer offered the following example:

    Users connecting to a VPN concentrator over the Internet, but the VPN only knows how to authenticate users using an AAA server through RADIUS, so you point the VPN to the RADIUS server's IP address.
    But you would like your users who connect to the VPN to use their Windows AD credentials, info which is not on the RADIUS server, so in that case you configure RADIUS to speak to Active Directory using the LDAP protocol.

    Hope that makes more sense now.
    Last edited by Thoth_Dhwty; 05-01-2017 at 02:21 PM.

  4. Senior Member GeekyChick's Avatar
    Join Date
    Sep 2016
    Location
    Colorado
    Posts
    258

    Certifications
    BSCS, CCNA, Sec+, Net+
    #3
    Thank you Thoth_Dhwty! So, RADIUS could use Active Directory or its own server database to authenticate? After doing some more research it seems like AD is more for internal users and RADIUS is for external users and devices trying to connect to the network. Seems like you would want to protect your AD more since it's mostly internal AAA.

    It's also confusing when I try to think of the protocols that go along with this. Like when to use EAP, PEAP for example and LDAP. I'm going to research that too.

    Anyway, it seems like you and I are in the same place study-wise. Are you studying for Sec+?

  5. Senior Member
    Join Date
    Jan 2016
    Location
    King City, CA
    Posts
    380

    Certifications
    A+, Network+, Security+ce, Server+, Project+, MCSA Server 2008, CCENT, CCNA R&S, CEHv8, CHFIv8, CCNA Security
    #4
    AD is definitely for internal uses. It can be "segmented" to provide external authentication via LDS, but only in special circumstances.

    RADIUS/TACACS+ are better thought of as METHODS to authenticate. You can have RADIUS within an AD environment.

    End station = Supplicant
    RADIUS/TACACS server = Authentication client
    AD or similar database = Authentication server

    End station sends request to connect to network --> RADIUS/TACACS server sends end station's credentials to Authentication server --> Authentication server sends reply back to Authentication client --> End station granted or denied access to network

    As far as EAP and PEAP, that is asking how you want the messages protected between the Authentication client and server. Certificates, usernames and passwords, PINs, etc...

    Obviously I'm paraphrasing the process, but that is a BASIC translation on how it all works.

  6. Senior Member
    Join Date
    Jan 2016
    Location
    King City, CA
    Posts
    380

    Certifications
    A+, Network+, Security+ce, Server+, Project+, MCSA Server 2008, CCENT, CCNA R&S, CEHv8, CHFIv8, CCNA Security
    #5
    Also worth mentioning that RADIUS and TACACS can provide a local database for local authentication instead of using AD.
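    To make the chain in the two posts above concrete (end station -> RADIUS/TACACS server -> credential store -> reply back, and the point that the store can be either a local flat file on the RADIUS server or an external directory such as AD reached over LDAP), here is an added Python example. It is not code from this thread or from any product: it builds a real RFC 2865 Access-Request packet (code, identifier, length, 16-byte Request Authenticator, TLV attributes), hides the User-Password exactly as section 5.2 of that RFC specifies, lets the server answer Access-Accept or Access-Reject with a proper Response Authenticator, and has the NAS verify that authenticator before trusting the decision. The user names, passwords, shared secret, the 192.0.2.10 NAS address and the two dicts standing in for a flat file and a directory are all constructed for the example; a real deployment would replace the directory dict with an LDAP bind or lookup against AD. This is the plain User-Password (PAP) flow; PEAP would instead carry the exchange inside a TLS tunnel in EAP-Message attributes, which is not shown here.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and the attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

# Constructed sample data (not from the thread). The two credential stores the
# posts talk about, a flat file local to the RADIUS server and an external
# directory such as AD reached over LDAP, are both stood in for by dicts.
LOCAL_USERS = {"vpnadmin": "local-only-pw"}
DIRECTORY_USERS = {"alice": "Winter2017!"}
SHARED_SECRET = b"example-nas-secret"  # configured on both the NAS and the RADIUS server


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password, run by the RADIUS server that holds the same secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(chunk, key))
        prev = chunk
    return out.rstrip(b"\x00")


def build_attrs(attrs):
    """Type-Length-Value encoding; the length byte includes the 2-byte header."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def nas_access_request(username, password, ident=1):
    """The NAS (VPN concentrator or AP) packages the end station's credentials."""
    request_auth = os.urandom(16)  # fresh per request; also keys the password hiding
    attrs = build_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), SHARED_SECRET, request_auth)),
        (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),  # constructed documentation address
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def radius_server(packet, secret=SHARED_SECRET, use_directory=True):
    """Unhide the password, check it against the chosen store, and sign the reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("malformed request")
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    store = DIRECTORY_USERS if use_directory else LOCAL_USERS  # "AD via LDAP" or local flat file
    ok = user in store and hmac.compare_digest(store[user].encode(), password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + b"" + secret).digest()
    return header + response_auth


def nas_check_reply(reply, request):
    """The NAS trusts a reply only if its Response Authenticator matches its own request."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + SHARED_SECRET).digest()
    if ident != request[1] or not hmac.compare_digest(expected, reply[4:20]):
        return "invalid"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "invalid")


def authenticate(username, password, use_directory=True):
    """End to end: credentials -> NAS -> RADIUS -> directory or local file -> NAS decision."""
    request = nas_access_request(username, password)
    reply = radius_server(request, use_directory=use_directory)
    return nas_check_reply(reply, request)


if __name__ == "__main__":
    print(authenticate("alice", "Winter2017!"))                            # accept
    print(authenticate("alice", "Winter2017!", use_directory=False))       # reject
    print(authenticate("vpnadmin", "local-only-pw", use_directory=False))  # accept
```

    Two things worth noticing when running it: the same user is accepted or rejected purely depending on which store the server is pointed at, which is the whole reason a RADIUS server gets configured to consult AD, and every byte of protection on the NAS-to-RADIUS leg comes from the shared secret and MD5, so a reply produced without that secret fails `nas_check_reply`, and a password hidden this way is only as safe as that secret and the network between the two boxes.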

  7. Senior Member GeekyChick's Avatar
    Join Date
    Sep 2016
    Location
    Colorado
    Posts
    258

    Certifications
    BSCS, CCNA, Sec+, Net+
    #6
    Thank you PCTechLinc! I thought that was what you were referring to in your first post, using TACACS or RADIUS as internal AAA without needing AD. That explanation helps.

    Also, I get it now with the EAP and PEAP. I was thinking that was the protocol you used to authenticate from the supplicant to the authentication client. It makes more sense that it's the protocol between authentication client and server. Thanks again!

  8. Senior Member
    Join Date
    Jan 2016
    Location
    King City, CA
    Posts
    380

    Certifications
    A+, Network+, Security+ce, Server+, Project+, MCSA Server 2008, CCENT, CCNA R&S, CEHv8, CHFIv8, CCNA Security
    #7
    You are very welcome, glad I could help!

  9. Senior Member GeekyChick's Avatar
    Join Date
    Sep 2016
    Location
    Colorado
    Posts
    258

    Certifications
    BSCS, CCNA, Sec+, Net+
    #8
    I appreciate it! I'm glad you offered to help a newbie like me.

  10. Senior Member
    Join Date
    Jan 2016
    Location
    King City, CA
    Posts
    380

    Certifications
    A+, Network+, Security+ce, Server+, Project+, MCSA Server 2008, CCENT, CCNA R&S, CEHv8, CHFIv8, CCNA Security
    #9
    Haha, no worries... I was an IT Security newbie until I went through my MSISA degree. I may not be a newbie anymore, but I still have a lot to learn!

  11. Member
    Join Date
    Dec 2016
    Location
    UK
    Posts
    86

    Certifications
    A+ Net+ Sec+
    #10
    Quote Originally Posted by GeekyChick:
    Anyway, it seems like you and I are in the same place study-wise. Are you studying for Sec+?
    Yes I am. I started about 2-3 weeks ago, but so far it didn't go so well as I am having problems receiving Gibson's book in the Caribbean.. so I am using another e-book which is very scrambled and all over the place with its material. I am thinking of buying Gibson's e-book since that is going to be delivered instantly to my Kindle, but I am wondering if there's a big difference between the paper book and the e-book. I have to do some research.

    Anyway, I have two months to learn for it so I am confident enough to get it done. That's plenty of time.
    When do you have your exam? Should be soon if I remember correctly.

  12. Senior Member
    Join Date
    May 2016
    Location
    UK
    Posts
    113

    Certifications
    A+, Network+, Sec+
    #11
    Nice thread. I might have passed, but I still don't feel I have the best grasp on a lot of concepts.

  13. Member
    Join Date
    Dec 2016
    Location
    UK
    Posts
    86

    Certifications
    A+ Net+ Sec+
    #12
    Quote Originally Posted by Nik 99:
    Nice thread. I might have passed, but I still don't feel I have the best grasp on a lot of concepts.
    Yeah mate, got to keep researching and learning even after passing exams otherwise you'll forget all that.. unless you work in the field.