In this lesson, we're going to discuss the different authentication methods used in our networks, including local authentication, LDAP, Kerberos, SSO, SAML, RADIUS, TACACS+ and time-based authentication. First, let's talk about what authentication is. Authentication is the process of determining whether someone or something is in fact who they claim or what they claim to be. Now, if you walk into my classroom on the first Monday of the semester and say, "Hey, Professor Dion, my name is John Smith," I might ask to see your student ID or driver's license so I can verify you are who you claim to be. After all, you and I have never met before, so I need a way to validate your claim and authenticate you as the person you claim to be. The same thing is going to happen when you go to take your certification exam. Before you take the exam, the proctor's going to look over your official government identification, like your driver's license or passport, and compare that to what you look like, as well as comparing the name on it to what you registered to take the exam under.
For example, if you registered to take the exam as Jason Dion, but your driver's license says Michael Jordan, they're not going to let you take the exam because you are not Jason Dion, and therefore you have failed the authentication process. Now, the first authentication mechanism we have is what's known as local authentication. When you first turn on your personal laptop and you enter your username and password, that is using local authentication most of the time. Whenever you set up your laptop for the first time, you picked out a username and password, and that device saved an encrypted version of that on your hard disk or storage device. Now, every time you try to log in, it's going to take whatever you enter, it's going to encrypt it, and then compare what you entered as encrypted data against the stored username and password. If they match, you've been authenticated because you've met the single-factor authentication requirements of a standard laptop by entering a username and password. The second type of authentication we have is known as LDAP.
LDAP stands for the Lightweight Directory Access Protocol, and it's essentially a database that's used to centralize information about your clients and your objects on the network. LDAP is essentially a simplified version of X.500, which is considered to be a directory service, and it contains a hierarchical organization of the users, groups, servers, and systems located inside of your network. LDAP will use port 389 if you're using the standard plaintext version of LDAP. If you're using LDAP Secure, known as LDAPS, then it's going to use port 636 using either an SSL or TLS tunnel to protect the data as it crosses over your network. Now, LDAP is used for validating a username and password combination against an LDAP server as a form of authentication, so this will be very similar to local authentication except it's going to happen over the network. LDAP is considered to be cross-platform and it works with Unix, Linux, Mac, and even Windows systems, but Microsoft also has created their own implementation of LDAP and they call it AD or Active Directory.
Now, in a Windows domain environment, Active Directory is going to be used to organize and manage everything on your network, including your clients, your servers, your devices, your users, and your groups. Active Directory can also be used as part of your security policies or access control policies by implementing things like group policies in your domain. Now, this brings us to our third authentication method, and this one is known as Kerberos. Kerberos is focused on authentication and authorization, but within a Windows domain environment, and it integrates nicely with Active Directory. Kerberos was designed to provide secure authentication services over an insecure network. Kerberos uses a system of tickets to authenticate a user, and it completely avoids sending passwords over the network as it relies on Kerberos' ticketing system within the Windows domain. Now, Kerberos is an authentication protocol that's going to provide two-way or mutual authentication. When a user logs into the domain, they're first going to contact the domain controller, which acts as the key distribution center or KDC.
This KDC has two basic functions, authentication and ticket granting. So if your client is authenticated properly, the KDC will issue them a ticket granting ticket known as a TGT. This ticket granting ticket is then provided to the domain controller anytime the user wants to access a resource on the network, like a file share or a printer. The domain controller will also provide the user with a service ticket or a session key to use, whichever one's going to be appropriate for their current needs on the network. These tickets will be presented to the resource and the access will then be granted because the resource always trusts the domain controller's provided tickets. If your domain controller's running Kerberos, port 88 will remain open on your domain controller so it can receive those inbound service login requests from your clients. Because Kerberos relies on the domain controller to serve as the key distribution center, this can become a single point of failure in your domain, so be aware of that as well.
Now, if the domain controller goes down, your ticket granting services are also going to be shut down. To prevent this though, most people will have both a primary and secondary Windows domain controller in a clustered or active standby configuration. This will give you the redundancy to ensure that Kerberos and LDAP continue to run effectively in your environment. Our fourth authentication method that we need to discuss is known as Single Sign-On or SSO. Now, due to the large number of resources and websites that the average employee needs to access on a daily basis these days, most organizations have started adopting a single sign-on environment. When adopted, the organization establishes a default user profile for each user, and then they link that profile to all the different resources that that user needs to have access to. Under this kind of an SSO system, the user's able to have a single long, strong password that they can memorize, or even better, they can use a multifactor authentication system.
This will then replace the 30 or 40 different login credentials that the average person is currently using, and this allows them to just memorize one set of credentials. This makes accessing new resources much quicker and easier too, and it simplifies user and password management. Now, the one major drawback to using single sign-on in your environment is that if your user's credentials get compromised, the attacker will now have every resource accessible to them that the user already had access to. I like to think about it like a master key. Let's assume you have a single key that opens your office, your car, and your house, but as you went to the mall, you dropped it and lost it. Unfortunately for you, an evil person named Jason found that key, and now they have access to all three things of yours: your office, your car, and your house.
Well, that's the big drawback to using single sign-on, but again, if you're using multifactor authentication, you're going to be able to help keep it more secure, and this is actually more secure than using usernames and passwords because now somebody has to have both factors in order to compromise all of your accounts. Single sign-on works by creating trust relationships between various applications and resources that you as a user might want to have access to, and then when you try to log into one of your accounts, it's going to leverage that existing trust relationship between all the accounts, so the user's going to authenticate with only one service provider, but all the other resources that they want to access have a trust relationship with that service provider, and this allows them to authenticate a user's identity on behalf of those resources. Our fifth authentication method is known as SAML. Now, SAML is an XML-based data format that's used to exchange authentication information between a client and a service.
This is going to be used to send things like our authentication for the user, the entitlement of the user, and the attributes of that user, and often we'll pair this up with SOAP, which is a protocol that we can use to transfer the SAML information, and that way we can pair them together and get authorization and authentication. Now, when we're dealing with SAML, this is often going to be used to provide that single sign-on service or SSO that I talked about, or using a federated identity management system. This will allow a service provider to establish that trust relationship with the identity provider, and this way the identity of the user, which we call the principal, can be trusted by the service provider without the user ever having to authenticate directly with that service provider. With SAML, we have three main roles. We have the service provider, the user agent, which will usually be your web browser, and then we have the identity provider. Let's pretend I'm the service provider and you want to log into my website, but I don't own the identities.
Instead, I'm going to allow you to sign on using your Google account. Now, in this example, Google is the identity provider, so the first step is for you to go to my website and you're going to request the target resource, so you go to diontraining.com and you click on login. When that happens, your computer and my website are going to do a little handshake where they discover the identity provider. For example, my site may tell your web browser, "Hey, I support Google as a login. Do you want to use Google?" And you'd say, "Sure, I support Google. Let's do it." And then you click on that login button and you'll get redirected to the SSO service. The single sign-on service here will then go back to your browser, and your browser will make the request to Google's service as the identity provider. Now, Google will do the identification with you and make sure that your username and password are correct. Then they'll take all the information they know about you and provide it inside of what's known as an XHTML form. This will be sent back to your web browser.
Now, your web browser can take that and it will then do a request assertion for consumer service. Essentially, you're going to send the information you got from the identity provider, that XHTML file, which tells me about the person who's been authorized and the permissions they have, and then you're going to send that over to my website. Now, once I get that as a service provider, I say, "Ah, this is John. I know John. John's allowed to access my videos. Let's get John to log in, and he can see the videos, and here you go. Here's the first video," and you'll start watching it. Then you'll say, "Okay, I finished watching this video. Show me the next one." And because you're already authorized, I'm going to respond back with that requested resource, which is video number 2, and then video number 3 and then video number 4 and so on. So you only had to log in once and you never actually logged into me directly with your username and password. You did all that through your identity provider, which in this case was Google. Now, our sixth authentication method is known as RADIUS.
RADIUS is the Remote Authentication Dial-In User Service, and RADIUS provides us with a centralized administration for dial-up, VPN and wireless authentication, so you can use it with both 802.1x and the Extensible Authentication Protocol known as EAP. RADIUS is considered to be a client-server protocol, and it's used to authenticate users, authorize them to services and account for their usage of those services. RADIUS uses the User Datagram Protocol for making its connections, and this makes it fairly fast during the authentication and authorization functions. RADIUS commonly uses port 1812 for authentication messages and port 1813 for its accounting messages, although some proprietary versions of RADIUS may use ports 1645 and 1646 instead. Now, it's important to note that RADIUS is considered to be a cross-platform standard because our next authentication method we're going to talk about is not cross-platform, and it's actually a proprietary protocol. This brings us to our seventh authentication method, which is known as TACACS+.
TACACS+ was developed by Cisco, and it stands for the Terminal Access Controller Access Control System Plus, which can perform the role of an authenticator in an 802.1x network. Now, it's really up to you to determine which one is going to be best for your organization's needs, whether that's RADIUS or TACACS+. Personally, I've used RADIUS almost exclusively within my organizations, and I found that TACACS+ is a little bit slower to operate because it relies on TCP instead of UDP. But TACACS+ does have some benefits that you may want to consider since it can provide you with some additional security features, and it can be used to independently conduct its authentication, authorization, and accounting processes. TACACS+ does support all major network protocols as well, and RADIUS doesn't support every protocol out there. For example, RADIUS doesn't support the remote access protocol, NetBIOS Frame Protocol, X.25 PAG connections, and a few others.
Overall, TACACS+ is an excellent choice if you need to support these other network protocols, but remember, if you're going to do this, you have to be using all Cisco devices across your entire network because TACACS+ is proprietary to Cisco-based networks. Now, if you're using a mixed network, you're going to have to choose RADIUS like I did, and this is because it has that cross-platform capability. Our eighth and final authentication method is known as time-based authentication. Time-based authentication is most often implemented as time-based one-time passwords, or TOTP, and time-based authentication is a security mechanism that will generate a temporary dynamic password or token that's valid only for a short period of time. Time-based authentication algorithms will generate these one-time passwords by combining a shared secret key with the current timestamp, and this current timestamp will usually be rounded to a specific time interval, like every 30 seconds or every 60 seconds. This helps to create a password that will change every time this interval changes.
Now, this method is commonly used as part of multi-factor authentication systems, so whenever a user attempts to log into the system, they'll provide their regular password, which is something they know, and a TOTP generated by an app or a hardware token, which is something they have. Time-based authentication significantly enhances the security by ensuring that even if the password is intercepted or stolen, it still can't be reused because it'll expire after that short validity period. You'll often see TOTP codes generated by software tools like Google Authenticator or Microsoft Authenticator, or you can use a dedicated hardware device like an RSA key fob or a YubiKey. Some implementations also rely on sending emails or text messages that allow you to get a one-time code that's valid for the next 5 or 10 minutes, so you can log in that way too.
These time-based authentication systems do provide security advantages to us because of the dynamic nature of the time-based password that allows us to be resistant to replay attacks, even if the attacker tries to use a stolen password. This is because even if the attacker manages to intercept the time-based one-time password, it's going to be useless after that short expiration period anyway. So remember, there are many ways to conduct authentication, including local authentication, LDAP, Kerberos, SSO, SAML, RADIUS, TACACS+ and time-based authentication. At its core, authentication is just the process of determining whether someone or something is in fact who they claim themselves to be. By securing our authentication methods, though, we're going to be able to ensure our networks and our systems remain secure.