Diameter

Diameter is RADIUS’ successor, designed to provide an improved Authentication, Authorization, and Accounting (AAA) framework. RADIUS provides limited accountability, and has problems with flexibility, scalability, reliability, and security. Diameter also uses Attribute Value Pairs, but supports many more: while RADIUS uses 8 bits for the AVP field (allowing 256 total possible AVPs), Diameter uses 32 bits for the AVP field (allowing billions of potential AVPs). This makes Diameter more flexible, allowing support for mobile remote users, for example.

Diameter uses a single server to manage policies for many services, as opposed to RADIUS, which requires many servers to handle all of the secure connection protocols. Like RADIUS, Diameter provides AAA functionality, but it is made more reliable by running over the Transmission Control Protocol (TCP) rather than UDP. Diameter is described by RFC 6733 (https://datatracker.ietf.org/doc/html/rfc6733).

TACACS and TACACS+

The Terminal Access Controller Access Control System (TACACS) is a centralized access control system that requires users to send an ID and static (reusable) password for authentication. TACACS uses UDP port 49 (and may also use TCP). Reusable passwords are a vulnerability: the improved TACACS+ provides better password protection by allowing two-factor strong authentication.

It is important to note that TACACS+ is not backward compatible with TACACS. TACACS+ uses TCP port 49 for authentication with the TACACS+ server. The actual function of authentication is very similar to RADIUS, but there are some key differences.

RADIUS encrypts only the password (other data, such as the username, is sent unencrypted). TACACS+, on the other hand, encrypts all data below the TACACS+ header, which is an improvement over RADIUS and more secure.
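As an added illustration (not code from the book or from any RADIUS or Diameter implementation), the following Python encodes a RADIUS attribute and a Diameter AVP side by side, so the 8-bit Type field versus the 32-bit AVP Code field from the Diameter section above is visible on the wire, and implements the RFC 2865 section 5.2 User-Password hiding to show that in an Access-Request only the password attribute is obscured while User-Name travels in the clear. Function names and the sample username, password, secret and Request Authenticator are constructed for the example.

```python
import hashlib
import struct
from typing import Optional

# RFC 2865 attribute: 1-octet Type, 1-octet Length (includes the 2 header octets),
# then the value. An 8-bit Type field means only 256 attribute types can exist.
def radius_attribute(attr_type: int, value: bytes) -> bytes:
    if not 0 <= attr_type <= 255:
        raise ValueError("RADIUS attribute type must fit in 8 bits")
    if len(value) > 253:
        raise ValueError("RADIUS attribute value is limited to 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

# RFC 6733 AVP: 32-bit AVP Code, 8 flag bits, 24-bit Length (header + value,
# excluding padding), optional 32-bit Vendor-ID when the V flag is set; the
# value is padded to a 4-octet boundary.
def diameter_avp(code: int, value: bytes, flags: int = 0x40,
                 vendor_id: Optional[int] = None) -> bytes:
    if not 0 <= code <= 0xFFFFFFFF:
        raise ValueError("Diameter AVP code must fit in 32 bits")
    if vendor_id is not None:
        flags |= 0x80  # V bit: Vendor-ID field present
    header_len = 12 if vendor_id is not None else 8
    length = header_len + len(value)
    if length > 0xFFFFFF:
        raise ValueError("Diameter AVP too long for 24-bit length")
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    if vendor_id is not None:
        header += struct.pack("!I", vendor_id)
    return header + value + b"\x00" * (-len(value) % 4)

# RFC 2865 section 5.2: User-Password is hidden with an MD5-derived stream in
# 16-octet blocks: b1 = MD5(secret + RequestAuthenticator), c1 = p1 XOR b1,
# b2 = MD5(secret + c1), c2 = p2 XOR b2, and so on.
def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out

def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

# Attribute section of an Access-Request: User-Name (type 1) goes on the wire
# unchanged; only User-Password (type 2) is hidden.
def access_request_attributes(username: bytes, password: bytes,
                              secret: bytes, authenticator: bytes) -> bytes:
    return (radius_attribute(1, username)
            + radius_attribute(2, hide_user_password(password, secret, authenticator)))

if __name__ == "__main__":
    # Constructed sample values, not from any real deployment.
    auth = bytes(range(16))
    attrs = access_request_attributes(b"alice", b"p@ssw0rd", b"shared-secret", auth)
    print(attrs.hex())
    print(b"alice" in attrs, b"p@ssw0rd" in attrs)  # username visible, password not
    print(diameter_avp(1, b"alice").hex())  # Diameter User-Name AVP (code 1), 32-bit code field
```

Note that the RADIUS hiding is an MD5 keystream XOR keyed by the shared secret, not authenticated encryption; it protects the password field alone, which is exactly the limitation the text contrasts with TACACS+ encrypting the whole body below its header.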

PAP and CHAP

The Password Authentication Protocol (PAP) is defined by RFC 1334 (https://datatracker.ietf.org/doc/html/rfc1334#section-22), which describes it as “not a strong authentication method” [15]. A user enters a password and it is sent across the network in cleartext. When received by the PAP server, it is authenticated and validated. Sniffing the network may disclose the plaintext passwords. Sniffing refers to monitoring network communications and capturing the raw TCP/IP traffic.

The Challenge Handshake Authentication Protocol (CHAP) is defined by RFC 1994 (https://datatracker.ietf.org/doc/html/rfc1994) and provides protection against playback attacks. It uses a central location that challenges remote users. As stated in the RFC, “CHAP depends upon a ‘secret’ known only to the authenticator and the peer. The secret is not sent over the link. Although the authentication is only one-way, by negotiating CHAP in both directions the same secret set may easily be used for mutual authentication” [16].

The advantage of using CHAP over PAP is the additional security provided by the shared secret used during the challenge and response: a sniffer that views the entire challenge/response process will not be able to determine the shared secret.
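The CHAP exchange described above, as an added example that is not part of the original text or of any PPP implementation: the authenticator issues a fresh random challenge, the peer answers with MD5(Identifier || secret || Challenge) as RFC 1994 section 4.1 specifies, and the authenticator verifies against its own copy of the secret. The challenge is single-use, so a captured response replayed later is rejected, and nothing a sniffer sees (identifier, challenge, response, name) contains the secret. The class and function names and the peer table are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# RFC 1994 section 4.1: Response Value = MD5(Identifier || secret || Challenge Value),
# computed over the concatenated octets. The secret itself never crosses the link.
def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapAuthenticator:
    """Central authenticator: issues single-use challenges and verifies responses."""

    def __init__(self, secrets: Dict[bytes, bytes]) -> None:
        self._secrets = secrets                 # peer name -> shared secret (constructed table)
        self._pending: Dict[int, bytes] = {}    # identifier -> outstanding challenge
        self._next_id = 0

    def challenge(self) -> Tuple[int, bytes]:
        identifier = self._next_id
        self._next_id = (self._next_id + 1) % 256   # Identifier is one octet
        value = os.urandom(16)                       # unpredictable, fresh per challenge
        self._pending[identifier] = value
        return identifier, value

    def verify(self, identifier: int, name: bytes, response: bytes) -> bool:
        # pop() makes every challenge single-use: a response replayed later finds
        # no outstanding challenge for its identifier and is rejected.
        challenge = self._pending.pop(identifier, None)
        secret = self._secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)   # constant-time comparison

def chap_peer(identifier: int, challenge: bytes, name: bytes, secret: bytes) -> Tuple[bytes, bytes]:
    """Remote peer side: answer a challenge with (Response Value, Name)."""
    return chap_response(identifier, secret, challenge), name

def run_exchange(secret_on_peer: bytes) -> Tuple[bool, bool]:
    """Run one CHAP exchange, then replay the same response; return (first_ok, replay_ok)."""
    authenticator = ChapAuthenticator({b"alice": b"correct horse"})
    identifier, challenge = authenticator.challenge()
    # Everything a sniffer observes: identifier, challenge, response, name. Never the secret.
    response, name = chap_peer(identifier, challenge, b"alice", secret_on_peer)
    first_ok = authenticator.verify(identifier, name, response)
    replay_ok = authenticator.verify(identifier, name, response)
    return first_ok, replay_ok

if __name__ == "__main__":
    print(run_exchange(b"correct horse"))   # genuine peer: (True, False)
    print(run_exchange(b"wrong secret"))    # peer with wrong secret: (False, False)
```

The MD5 construction is what RFC 1994 specifies; the example keeps it for fidelity to the text, while the replay defence comes entirely from the challenge being random and consumed on first use.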

Microsoft Active Directory Domains

Microsoft Windows Active Directory uses the concept of domains as the primary means to control access. For authentication purposes, Microsoft bases its authentication of trust relationships on RFC 1510, the Kerberos Authentication Protocol, and it has been integrated into Microsoft Windows operating systems since Windows 2000. Each domain has a separate authentication process and space. Each domain may contain different users and different network assets and data objects. Because Microsoft Windows also uses the concept of groups to control access by users to data objects, each group may be granted access to various domains within the system. If a two-way trust between domains is created, then groups belonging to either domain may access data objects from each domain.

As stated by Microsoft, “How a specific trust passes authentication requests depends on how it is configured; trust relationships can be one-way, providing access from the trusted domain to resources in the trusting domain, or two-way, providing access from each domain to resources in the other domain. Trusts are also either nontransitive, in which case trust exists only between the two trust partner domains, or transitive, in which case trust automatically extends to any other domains that either of the partners trust” [17].

Exam Warning
Microsoft trust relationships fall into two categories: non-transitive and transitive. Non-transitive trusts only exist between two trust partners. Transitive trusts exist between two partners and all of their partner domains. For example: if A trusts B, in a transitive trust, A will trust B and all of B’s trust partners.
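As an added example (not from the book and not Microsoft's implementation), the following Python models the trust rules quoted above as a small graph: a trust is recorded from the trusting domain's side, users of the trusted domain can reach the trusting domain's resources, a two-way trust is two such records, and access extends beyond the immediate partner only along a chain of transitive trusts. It is a simplified model of direction and transitivity, not of how Active Directory actually routes authentication; the domain names and the trust tables are constructed.

```python
from collections import deque
from typing import Dict, List, Set, Tuple

# One trust, from the trusting domain's point of view:
# (trusting, trusted, transitive). Users of `trusted` may access resources in `trusting`.
Trust = Tuple[str, str, bool]

def two_way(a: str, b: str, transitive: bool) -> List[Trust]:
    """A two-way trust is simply a pair of one-way trusts."""
    return [(a, b, transitive), (b, a, transitive)]

def domains_with_access_to(resource_domain: str, trusts: List[Trust]) -> Set[str]:
    """Domains whose users can reach resources in resource_domain (simplified model).

    The direct partner of a trust always has access. Access extends further only
    when every trust on the path is transitive: a non-transitive trust stops at
    its single partner, a transitive trust extends to the partner's transitive
    partners, and so on.
    """
    adjacency: Dict[str, List[Tuple[str, bool]]] = {}
    for trusting, trusted, transitive in trusts:
        adjacency.setdefault(trusting, []).append((trusted, transitive))

    reachable: Set[str] = set()
    expanded: Set[str] = set()
    queue = deque([resource_domain])
    while queue:
        domain = queue.popleft()
        if domain in expanded:
            continue
        expanded.add(domain)
        first_hop = domain == resource_domain
        for partner, transitive in adjacency.get(domain, []):
            if not (first_hop or transitive):
                continue            # non-transitive trust beyond the first hop: no access
            reachable.add(partner)
            if transitive:
                queue.append(partner)   # keep walking only along transitive trusts
    reachable.discard(resource_domain)
    return reachable

if __name__ == "__main__":
    # Constructed example: forest root R with child domains X and Y (two-way transitive),
    # plus a one-way non-transitive external trust where X trusts E.
    forest = two_way("R", "X", True) + two_way("R", "Y", True) + [("X", "E", False)]
    print(sorted(domains_with_access_to("Y", forest)))   # ['R', 'X']  E does not reach Y
    print(sorted(domains_with_access_to("X", forest)))   # ['E', 'R', 'Y']
    print(sorted(domains_with_access_to("E", forest)))   # []  one-way: E trusts nobody
    # The exam-warning case: A trusts B transitively, B trusts C.
    print(sorted(domains_with_access_to("A", [("A", "B", True), ("B", "C", True)])))   # ['B', 'C']
    print(sorted(domains_with_access_to("A", [("A", "B", False), ("B", "C", True)])))  # ['B']
```

Reading the results the exam way: with A trusting B transitively, A ends up trusting B and B's transitive partner C; with the same trust made non-transitive, only B gets in, and the one-way trust toward E never gives anyone access to E's resources.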