CompTIA Security+ Exam Notes

Let Us Help You Pass
Showing posts sorted by relevance for query aaa.

Tuesday, September 2, 2025

Understanding TACACS+: Features, Operation, and Benefits

 TACACS+ (Terminal Access Controller Access-Control System Plus)

TACACS+ (Terminal Access Controller Access-Control System Plus) is a protocol developed by Cisco that provides centralized authentication, authorization, and accounting (AAA) for users who access network devices. It is widely used in enterprise environments to manage access to routers, switches, firewalls, and other network infrastructure.

Here’s a detailed breakdown of TACACS+:

What Is TACACS+?
TACACS+ is an AAA protocol that separates the three functions—Authentication, Authorization, and Accounting—into distinct processes. It communicates between a network access server (NAS) and a centralized TACACS+ server.

It is an enhancement of the original TACACS and XTACACS protocols, offering more robust security and flexibility.

Key Features
1. Full AAA Support:
  • Authentication: Verifies user identity (e.g., username/password).
  • Authorization: Determines what actions the user is allowed to perform.
  • Accounting: Logs user activities for auditing and billing.
2. Encryption:
  • TACACS+ encrypts the entire payload of the packet (whereas RADIUS encrypts only the password), providing better security.
3. TCP-Based:
  • Uses TCP (port 49 by default), which offers reliable delivery; RADIUS uses UDP.
4. Command Authorization:
  • Allows granular control over which commands a user can execute on a device.
5. Modular Design:
  • Each AAA function can be handled independently, giving administrators more control.
How TACACS+ Works
1. Authentication Process
  • A user attempts to access a network device.
  • The device (NAS) sends the credentials to the TACACS+ server.
  • The server verifies the credentials and responds with success or failure.
2. Authorization Process
  • After authentication, the server checks what the user is allowed to do.
  • It sends back a list of permitted commands or access levels.
3. Accounting Process
  • The server logs session details, including login time, commands executed, and logout time.
  • These logs can be used for auditing and compliance purposes.
TACACS+ vs RADIUS


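As an added example that is not part of the original notes, the Python below implements the two credential-protection schemes behind the comparison: RADIUS hides only the User-Password attribute (RFC 2865 section 5.2), while TACACS+ XORs the whole packet body with an MD5-derived pad (RFC 8907 section 4.5, which the RFC itself calls obfuscation), so the username is readable on the wire in RADIUS but not in TACACS+. The shared secret, Request Authenticator, session id and login values are constructed sample values, and the TACACS+ body is a simplified stand-in for a real authentication START body.

```python
import hashlib
import struct


def radius_hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: hide the User-Password attribute (and only that attribute)."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)  # NUL-pad to 16-octet blocks
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()      # b_n = MD5(S + c_(n-1)), c_0 = RA
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of radius_hide_password, as the RADIUS server performs it."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def tacacs_body_xor(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """RFC 8907 s4.5: XOR the whole body with a pad built from chained MD5 digests.
    XOR is symmetric, so the server decodes with the very same call and parameters."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()         # MD5_n = MD5(seed + MD5_(n-1))
        pad += prev
    return bytes(x ^ y for x, y in zip(body, pad))


# Constructed sample values; a real NAS uses a fresh random Request Authenticator per request.
SECRET = b"example-shared-secret"
REQ_AUTH = bytes(range(16))
USER, PASSWORD = b"alice", b"hunter2"


def on_the_wire():
    """Return what a passive observer sees in each protocol for the same login."""
    radius = USER + radius_hide_password(PASSWORD, SECRET, REQ_AUTH)  # username stays readable
    body = b"\x01\x00\x01\x01" + USER + PASSWORD  # simplified stand-in for a TACACS+ auth body
    tacacs = tacacs_body_xor(body, SECRET, 0x12345678, 0xC0, 1)  # version 0xC0 = major 12, minor 0
    return radius, tacacs
```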
Use Cases
  • Network Device Management: Control who can access routers/switches and what they can do.
  • Auditing and Compliance: Track user activity for security and regulatory purposes.
  • Role-Based Access Control: Assign different permissions to admins, operators, and auditors.
Benefits
  • Enhanced security through full encryption.
  • Fine-grained access control.
  • Centralized management of user access.
  • Reliable communication via TCP.

Wednesday, April 17, 2019

AAA Services (Authentication, Authorization, and Accounting)

AAA Services

RADIUS: Remote Authentication Dial-in User Service
  • Port 1812 UDP for authentication
  • Port 1813 TCP for accounting
  • WPA Enterprise / WPA2 Enterprise both require a RADIUS server.
  • RADIUS clients are also referred to as 802.1x clients.
  • RADIUS is a client/server protocol.
  • Communication between the client and the RADIUS server uses UDP.
  • RADIUS is vendor-neutral.
  • Only encrypts the passwords.

Diameter
  • Uses TCP for communication between client and server.
  • Considered to be an improvement over RADIUS.
  • Diameter also works with VoIP.
  • Used for both local and remote access.

TACACS+: Terminal Access Controller Access-Control System Plus
  • TACACS+ provides a more advanced AAA
  • Three different servers: Authentication, Authorization, and Accounting
  • Communicates over TCP
  • Uses Port 49 TCP
  • Manages routers and switches (Network infrastructure devices)
  • Encrypts the entire packet
  • TACACS+ is a proprietary protocol


Tuesday, November 24, 2020

WIRELESS AUTHENTICATION METHODS

The following methods authenticate the device only. They do not use TLS (which is used only with certificates) and do not use a username; they use only a password (PSK).

 WEP (Wired Equivalent Privacy)

  • Built on RC4 – uses a 24-bit IV – PSK (Pre-Shared Key)
  • Prone to IV (Initialization Vector) attack

 WPA (Wi-Fi Protected Access)

  • Built on RC4 – uses TKIP (Temporal Key Integrity Protocol)
  • Personal Mode (PSK) or Enterprise Mode (with RADIUS)
  • The PSK is prone to brute-force attacks

 WPA2 (Wi-Fi Protected Access 2)

  • Built on AES – uses CCMP
  • Personal Mode (PSK) or Enterprise Mode (with RADIUS)
  • The PSK is prone to brute-force attacks
  • AES replaced RC4, CCMP replaced TKIP

 WPA3 (Wi-Fi Protected Access 3)

  • Built on GCMP-256 (Galois/Counter Mode Protocol)
  • Replaces PSK with SAE (Simultaneous Authentication of Equals)

 WPS (Wi-Fi Protected Setup)

  • Connection is generally established with a push button
  • If there is no push button, use the 8-digit PIN on the bottom of the AP
  • Prone to a brute-force attack; can be broken in fewer than 11,000 attempts
  • Tools used for cracking WPS: Reaver, Wifite, Wash

 The following authenticate the user and require certificates. When using certificates, you must use TLS.

 Enterprise Mode / 802.1x Authentication

  • Using this method requires a RADIUS server
  • Authentication can be accomplished with a username & password, smart card, or token
  • Authentication is used against an enterprise directory service / AAA server / RADIUS
  • 802.1x requires a Supplicant, Authenticator, and Authentication server (AAA / RADIUS)

 EAP-TLS (Extensible Authentication Protocol-Transport Layer Security)

  • Certificates are needed on both the server and wireless device (Supplicant)
  • Provides mutual authentication
  • Authenticates the user – uses an enterprise directory service

 EAP-TTLS (Extensible Authentication Protocol – Tunneled Transport Layer Security)

  • Certificate on the server only
  • Authenticates the user – uses an enterprise directory service
  • End-to-end protection of authentication credentials

 PEAP (Protected Extensible Authentication Protocol)

  • Certificate on the server only
  • Uses TLS
  • Authenticates the user – uses an enterprise directory service
  • End-to-end protection of authentication credentials

 The following authenticate the user and do not use certificates.

 LEAP (Lightweight Extensible Authentication Protocol)

  • Does not require certificates
  • Replaced with EAP-FAST

 EAP-FAST (Flexible Authentication via Secure Tunneling)

  • Does not use certificates
  • Replaced LEAP

 The following describes RADIUS federation:

  • Multiple organizations allow access to one another’s users
  • Uses the native 802.1x client (Supplicant)
  • Each organization has a RADIUS server and joins a mesh

Friday, April 12, 2024

Access Protocol by Network Type

 Kerberos, RADIUS, & SAML


Kerberos
  • Inside a network such as an office
  • Domain environment

RADIUS (AAA)
  • VPNs
  • Wireless (Enterprise mode)
  • Keywords: AAA, PKI, 802.1x

SAML (Security Assertion Markup Language)
  • Accessing a third-party website, web domain, webpage, CSP
  • Uses federation for authentication
  • Provides SSO (Single Sign-on)
  • Uses username & password from a popular website such as Google as the identity provider