Authentication refers to verifying the identity of a user or computer. When a user logs on to the network, whether on a LAN or through a remote access connection, she will need to provide a username and password, a smart card, a certificate, or some other means of proving that she is who she claims to be. Several authentication protocols have been developed to allow a secure exchange of authentication information over network connections; they are described in the following paragraphs.
CHAP (Challenge Handshake Authentication Protocol)
The Challenge Handshake Authentication Protocol (CHAP) is an authentication protocol that is primarily used for remote access PPP connections. CHAP is the successor of the Plain Authentication Protocol (PAP), which transmits the username and password in clear text over the network media. CHAP uses a more secure method: when a client logs on, the server sends a challenge request to the client, and the client replies with a challenge response containing a hashed (one-way) value computed from the username/password combination and a random number. The server performs the same hash computation, and if the resulting value matches the response from the client, the client is authenticated. The actual password is never transmitted across the network.
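The challenge/response exchange described above, as an added example that is not part of the original text. It follows the MD5 variant of RFC 1994 (Response = MD5(Identifier || secret || Challenge)); usernames and secrets are constructed, and the class names are my own.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 MD5 response value: hash of the 1-byte identifier, the shared
    secret and the challenge. The secret itself never goes on the wire."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side. CHAP needs the per-user secret in recoverable form
    (the weakness MS-CHAP's domain-password integration addresses) and keeps one
    outstanding challenge per session identifier."""

    def __init__(self, secrets: dict):
        self.secrets = secrets    # username -> shared secret (constructed data)
        self.pending = {}         # identifier -> challenge value

    def challenge(self, identifier: int) -> bytes:
        # A fresh random value each time, so a captured response is useless later.
        value = os.urandom(16)
        self.pending[identifier] = value
        return value

    def verify(self, identifier: int, username: bytes, response: bytes) -> bool:
        challenge = self.pending.pop(identifier, None)   # single use
        secret = self.secrets.get(username)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)   # constant-time compare


class ChapClient:
    """Peer side: knows its own name and secret, answers whatever it is asked."""

    def __init__(self, username: bytes, secret: bytes):
        self.username, self.secret = username, secret

    def respond(self, identifier: int, challenge: bytes):
        return self.username, chap_response(identifier, self.secret, challenge)


def run_exchange(server: ChapServer, client: ChapClient, identifier: int) -> bool:
    """One Challenge -> Response -> Success/Failure round trip."""
    chal = server.challenge(identifier)
    name, resp = client.respond(identifier, chal)
    return server.verify(identifier, name, resp)
```

Because the server issues a new challenge for every attempt, a response captured from the network does not validate against the next challenge.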
MS-CHAP
MS-CHAP is the Microsoft version of CHAP and combines the CHAP mechanism with Microsoft authentication and encryption. MS-CHAP is available on Microsoft Windows 95, NT, 2000 and later versions. Windows 2003 includes MS-CHAP v2, which provides stronger security for the handshake process and mutual authentication. The latter means that the client authenticates itself to the server and the server also authenticates itself to the client. While CHAP requires the password to be stored in plain text on the authentication server, an MS-CHAP password can be the user's Windows password stored on a domain controller. This allows centralized management of usernames and passwords and offers 'single sign-on': one logon to connect to the remote access server and to access resources in the remote network.
EAP (Extensible Authentication Protocol)
The Extensible Authentication Protocol (EAP) was created as an extension to PPP to provide an interface for different authentication methods. Nowadays EAP is also commonly used with the 802.1X data link layer authentication protocol. Instead of choosing PAP, CHAP, or MS-CHAP, for example, the client and server agree to use EAP as the authentication protocol. The actual authentication method carried by EAP varies widely, and new methods can be developed and implemented independently of the underlying remote access technology.
RADIUS (Remote Authentication Dial-In User Service)
The Remote Authentication Dial-In User Service (RADIUS) provides authentication to clients that connect to a remote access server by using a SLIP or PPP dial-up connection and an authentication protocol such as PAP, CHAP, or EAP. It allows a Network Access Server (NAS), for example a remote access server, router, or wireless access point, to delegate the task of authenticating clients to a centralized RADIUS server. When a user dials in to a remote access server, the remote access server acts as a RADIUS client and forwards the access request to the RADIUS server. The RADIUS server is usually a service running on a Windows or UNIX server; it uses its local user database or contacts another server, such as a Windows domain controller or LDAP directory, to verify the client's logon information. If the remote client is successfully authenticated, the RADIUS server replies to the RADIUS client (the NAS), which in turn accepts the connection of the remote client.
In addition to centralized authentication and user and permission management, RADIUS provides accounting, which refers to tracking when, and which, network resources are accessed by a particular client. Accounting information is exchanged between the NAS and the RADIUS server using the RADIUS protocol. Port 1812 is used for RADIUS authentication and port 1813 for RADIUS accounting.
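The NAS-to-RADIUS-server exchange described above, as an added example that is not part of the original text. It builds an Access-Request and the server's Access-Accept/Access-Reject as RFC 2865 lays them out: the User-Password attribute is hidden with MD5 of the shared secret, and the NAS checks the Response Authenticator so that only a server holding the same secret can answer. The secret, user name and password are constructed; the function names are my own.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2            # attribute types from RFC 2865

def password_xor(data, secret, req_auth, hiding):
    # User-Password hiding (RFC 2865 s5.2) and its inverse: keystream block i is
    # MD5(secret + previous ciphertext block); block 0 uses the Request Authenticator.
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], key))
        out, prev = out + block, (block if hiding else data[i:i + 16])
    return out

def attr(t, value):
    return struct.pack("!BB", t, len(value) + 2) + value

def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs

def build_access_request(ident, username, password, secret):
    # NAS side: a fresh random Request Authenticator for every request.
    req_auth = os.urandom(16)
    padded = password + b"\x00" * (-len(password) % 16)     # pad to 16-byte blocks
    attrs = attr(USER_NAME, username) + attr(USER_PASSWORD, password_xor(padded, secret, req_auth, True))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def server_respond(request, secret, user_db):
    # Server side: recover the password, check it against the (constructed) user
    # database, answer with Response Authenticator =
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    req_auth, a = request[4:20], parse_attrs(request[20:])
    pw = password_xor(a.get(USER_PASSWORD, b""), secret, req_auth, False).rstrip(b"\x00")
    name = a.get(USER_NAME)
    ok = name in user_db and hmac.compare_digest(user_db[name], pw)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, request[1], 20)
    return header + hashlib.md5(header + req_auth + secret).digest()

def verify_response(response, request, secret):
    # NAS side: drop replies whose authenticator was not computed with the shared secret.
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response[4:20])
```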
Kerberos
Kerberos is a very popular and advanced authentication protocol developed by MIT. Version 4 still runs in many networks, but version 5 is considered standard Kerberos. It is the default authentication protocol in Windows 2000/2003 environments. In a Kerberos environment, a centralized authentication server called the Key Distribution Center (KDC) issues a ticket to a client when it successfully logs on to the network. This ticket is used to grant the client (system or user) access to network resources such as shares, printers, intranet applications and databases; anything that supports Kerberos. The main advantage is that Kerberos provides single sign-on functionality for users in large heterogeneous network environments. Once users are authenticated by the KDC, a Windows 2003 domain controller for example, they are automatically authorized when they access another network resource, without having to enter a username and password again and again.
Kerberos is secure in part because it uses encrypted timestamps in the authentication messages that are sent over the network. This prevents a malicious individual from capturing the messages and resending them later to log on and gain unauthorized access (a replay attack). To make sure the client, server, and network resources all share the same time and date, the Network Time Protocol (NTP) must be configured to synchronize time automatically throughout the network; if clocks drift too far apart, authentication fails. Kerberos uses TCP and UDP port 88.
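The two server-side checks that make the timestamp useful, as an added example that is not part of the original text: the timestamp must lie within a clock-skew window (the 300-second value is an assumption; it is configurable in real deployments) and the same client/timestamp pair is accepted only once inside that window. The error names are the RFC 4120 codes a service returns; the class and client names are constructed.

```python
from collections import deque

MAX_CLOCK_SKEW = 300   # seconds; assumed value, not taken from the original text


class ReplayCache:
    """Server-side handling of the (decrypted) timestamp in a Kerberos authenticator.
    The cache only needs to remember one skew window of entries: anything older is
    already rejected by the skew check, which is why NTP and this check go together."""

    def __init__(self, max_skew: int = MAX_CLOCK_SKEW):
        self.max_skew = max_skew
        self.seen = deque()    # (expiry, client, timestamp), in arrival order
        self.index = set()     # (client, timestamp) pairs currently remembered

    def _expire(self, now: float) -> None:
        while self.seen and self.seen[0][0] < now:
            _, client, ts = self.seen.popleft()
            self.index.discard((client, ts))

    def accept(self, client: str, timestamp: float, now: float) -> str:
        """Return "OK" or the Kerberos error the service would send back."""
        self._expire(now)
        if abs(now - timestamp) > self.max_skew:
            # Clocks out of sync: usually an NTP problem, but a replayed old
            # message lands here too once its window has passed.
            return "KRB_AP_ERR_SKEW"
        if (client, timestamp) in self.index:
            return "KRB_AP_ERR_REPEAT"   # same authenticator presented twice
        self.seen.append((timestamp + self.max_skew, client, timestamp))
        self.index.add((client, timestamp))
        return "OK"
```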