Kerberos
port 88
- ticket granting system
- mutual authentication (client & server)
- no need to re-authenticate (SSO)
–> protection vs. man-in-the-middle / replay attacks
! domain controller can be a single point of failure –> mitigation: primary and secondary domain controller
RADIUS
- udp 1812 (auth), 1813 (accounting)
- open standard, AAA server
- used for VPN concentrators
does not support remote access protocol, NetBIOS
TACAS+
- port 49 (tcp, more reliable but a bit slower than radius)
Cisco proprietary for N administration, supports all N protocols
provides separate authentication and authorisation functions
LDAP
L7 prot for accessing directory services data
RADIUS vs TACACS+
RADIUS TACACS+
open standard Cisco only
network access & wifi device administration
UDP 1812/1813 TCP 49
Auth & authorisation are combined A / A / A are separated - more granular control
only pass is encrypted (username is plaintext) // everything is encrypted
-
802 standards13
-
cloud18
-
network security5
-
networking16
-
ROUTING19
-
Network attacks19
-
network availability15
-
troubleshooting19
-
QoS12
-
SNMP16
-
VPN / IPSEC10
-
cables56
-
troubleshooting11
-
DNS8
-
network services11
-
WAN27
-
WiFi18
-
ethernet14
-
technologies/ standards2
-
network hardening28
-
authentication5
-
tricky questions23
-
final revision24
-
T225
-
T410
