WEBVTT

00:00.260 --> 00:03.180
A long time ago, back in the days of dial-up.

00:03.270 --> 00:08.940
Now I'm talking about even before PCs we would have big mainframe systems like CompuServe and stuff

00:08.940 --> 00:13.890
like that and people would want to access these services so what they would do is they would sit at

00:13.890 --> 00:18.840
their house with a terminal or whatever it might be and using dial up they would connect to these big

00:18.840 --> 00:24.200
services now that worked fine and they had authentication for example within the system.

00:24.270 --> 00:28.910
You would have usernames and passwords and it could do authentication like CHAP and stuff like that.

00:29.040 --> 00:30.380
And life was good.

00:30.390 --> 00:35.850
The problem was that over time we began to have thousands of people, tens of thousands, hundreds of

00:35.850 --> 00:38.790
thousands of people accessing these systems.

00:38.790 --> 00:45.420
And what you end up having were these big banks of modems that all had to do authentication and that

00:45.420 --> 00:48.530
was a big problem when you had 10,000 of these people.

00:48.600 --> 00:53.020
So we needed to come up with a better way to do authentication for the masses.

00:53.040 --> 00:55.350
First of all obviously it had to be centralized.

00:55.350 --> 00:59.420
So what we would do is we'd have some really aligned this up a little bit better.

00:59.430 --> 01:01.470
So here's a person dialing in.

01:01.560 --> 01:03.260
Here's how they're getting into the system.

01:03.270 --> 01:06.630
And then there would be some server back here with all the usernames and passwords.

01:06.630 --> 01:11.720
So it didn't matter where the people were connecting, they would have one centralized place for the usernames

01:11.730 --> 01:12.390
and passwords.

01:12.390 --> 01:13.440
That's good.

01:13.440 --> 01:18.900
The second thing is we had to handle authorization better. In these types of situations you're just letting

01:18.900 --> 01:24.120
people have access to a system, but once they have access to a system, what can they do within the system?

01:24.450 --> 01:27.950
And with pure authentication you didn't even have that feature.

01:27.960 --> 01:29.780
Third was accounting.

01:29.820 --> 01:35.220
We had to keep track of what people were doing and when in order to understand what was taking place

01:35.370 --> 01:37.130
in order to stand to deal with problems.

01:37.170 --> 01:45.360
So we needed to come up with a complete system that took care of authentication, authorization and accounting.

01:45.360 --> 01:47.830
And those are known generically as triple-A.

01:47.850 --> 01:51.120
Now there are two very different ways to do that. Well, not that different.

01:51.120 --> 01:55.840
We have a lot of similarity and they're called RADIUS and TACACS.

01:55.860 --> 01:57.570
So let's take a look at both.

01:57.600 --> 02:05.330
First let's talk about Remote Authentication Dial-In User Service, better known as RADIUS.

02:05.350 --> 02:08.400
Now this is a RADIUS setup.

02:08.420 --> 02:15.570
Now keep in mind that RADIUS, based on its name, was designed to support dial-in networking, so the main

02:15.570 --> 02:17.600
parts of RADIUS are going to look like this.

02:17.610 --> 02:19.920
First of all you're going to have a RADIUS server.

02:19.920 --> 02:25.700
Now this RADIUS server is sitting inside whatever network or system you're trying to get to. On this

02:25.700 --> 02:28.790
system are going to be a bunch of usernames and passwords.

02:28.800 --> 02:30.870
Now these can be stored by themselves.

02:30.870 --> 02:34.220
These could be a SQL database.

02:34.260 --> 02:37.920
This could be an Active Directory domain.

02:37.920 --> 02:41.850
It doesn't really matter where the usernames and passwords are. In fact, they don't even have to physically

02:41.850 --> 02:42.970
sit on the server.

02:43.080 --> 02:48.600
The server himself simply has to be able to get to that stack of usernames and passwords, and then he

02:48.600 --> 02:51.380
can go ahead and authenticate on that.

02:51.480 --> 02:57.540
The next part is going to be what we call the RADIUS client. The RADIUS client is not really the person

02:57.540 --> 03:03.000
who's trying to get authenticated. The RADIUS client is really the gateway that separates that which

03:03.000 --> 03:07.890
we want to get authenticated from those who are trying to get authenticated way on the end.

03:07.890 --> 03:13.890
Here is the RADIUS supplicant. A supplicant is the person, the system, whatever it is that's actually trying

03:13.890 --> 03:15.180
to get authenticated.

03:15.360 --> 03:17.670
So this is the basic setup for RADIUS.

03:17.670 --> 03:24.000
So what will happen is that this device will go to the RADIUS client, and then the RADIUS client knows

03:24.000 --> 03:29.280
the IP address of the RADIUS server, sends the credentials over, and the RADIUS server decides whether

03:29.280 --> 03:31.790
that person can be authenticated or not.

03:32.040 --> 03:34.610
Now dial-up's long dead, no doubt about that.

03:34.620 --> 03:38.950
But RADIUS lives on well in the world of wireless networks.

03:39.030 --> 03:44.460
If you want serious authentication in a wireless network, I'm not talking about WPA2 Personal shared

03:44.460 --> 03:48.130
key and stuff like that, you would use a RADIUS server.

03:48.480 --> 03:54.360
Every wireless network in the world is designed to support RADIUS servers, so to do this you end up

03:54.360 --> 03:56.680
having to buy a RADIUS server.

03:56.760 --> 03:59.300
Juniper sells Steel-Belted Radius.

03:59.470 --> 04:03.290
Microsoft sells Internet Authorization Server.

04:03.360 --> 04:06.770
You can get open RADIUS, which is a Linux-based tool.

04:06.810 --> 04:08.030
Configure this.

04:08.130 --> 04:13.170
You then go into your wireless access points, and pretty much every wireless access point in existence

04:13.470 --> 04:18.600
has a setting in there that says yes, I want to use RADIUS, and all you do here is type in the IP address

04:18.780 --> 04:23.810
for this guy, and then these guys don't even really see any of this happening.

04:23.830 --> 04:29.830
They would have to enter a username and password, which could be done automatically, but they do have

04:29.830 --> 04:31.320
to go through that process.

04:31.330 --> 04:34.510
So when you're talking about RADIUS there are two things I want you to remember.

04:34.630 --> 04:40.480
Number one, RADIUS is really used more for network access than anything else.

04:40.480 --> 04:47.650
Secondly you need to remember that RADIUS can use up to four different UDP ports: 1812, 1813,

04:47.650 --> 04:50.610
1645 and 1646.

04:50.620 --> 04:53.030
Now I want to add one more thing while I'm at it.

04:53.140 --> 04:59.220
The downside, if you want to call it that, of RADIUS is RADIUS doesn't really handle authorization.

04:59.230 --> 05:01.120
It gets you authenticated just fine.

05:01.120 --> 05:06.010
But the whole idea behind accessing the network is that it lets you get in, and then there's other stuff

05:06.010 --> 05:10.700
later like Domain Controllers and stuff like that that will actually decide what you get to do.

05:10.930 --> 05:14.760
But we're going to see with the next one that that can sometimes be an issue.

05:14.920 --> 05:22.260
Next let's talk about Terminal Access Controller Access Control System, better known as TACACS

05:22.260 --> 05:29.760
Plus. Now TACACS+ is also a form of triple-A, but it does a few things that are very different.

05:29.770 --> 05:35.510
In particular, TACACS+ is really, really good at managing a bunch of devices.

05:35.530 --> 05:40.300
So if you've got a bunch of routers and switches and stuff all over the place and people have to log

05:40.300 --> 05:44.860
into them to be able to do stuff with them, TACACS+ is where you go.

05:44.860 --> 05:51.100
Now in this situation what I have are a bunch of Cisco devices. These are different Cisco switches and

05:51.100 --> 05:57.240
routers, and I've got somebody over here who wants to access these remotely, so he's going to use SSH

05:57.250 --> 05:59.860
or something like that to get into them.

06:00.040 --> 06:06.820
Now the challenge you have in these types of situations is that authentication isn't that bad, and

06:06.820 --> 06:12.740
TACACS+ has to have a server, but where TACACS+ really shines over RADIUS

06:12.760 --> 06:20.560
is that TACACS+ really takes care of the authorization aspect really well. See, if you talk about what's

06:20.560 --> 06:25.900
happening on these little switches and routers, it really depends on who you are, that you want

06:25.900 --> 06:27.710
to determine what they can do.

06:27.970 --> 06:35.920
So TACACS+, we say, decouples the authentication from the authorization. With RADIUS it's all kind of

06:35.920 --> 06:37.420
done in one big lump.

06:37.420 --> 06:43.000
Either you're in or you're not in, but with TACACS+ not only are you in, but it also defines

06:43.180 --> 06:47.330
in real time what you can do with these individual devices.

06:47.330 --> 06:53.560
Here I have tens of thousands of unique individual commands that I can send to them.

06:53.620 --> 06:58.360
But the trick is that I may not want everybody to view certain groups of commands, or that I want to

06:58.360 --> 07:04.210
have certain groups do certain stuff, and that is where TACACS+ really shines, because it decouples

07:04.540 --> 07:07.730
the authorization from the authentication.

07:07.750 --> 07:13.660
Oh, and by the way, for the Security+, make sure you know that TACACS+ uses TCP port 49.

07:14.020 --> 07:20.250
So those are the two big differences between the two most popular versions of triple-A, RADIUS and

07:20.250 --> 07:21.470
TACACS+.

07:21.490 --> 07:25.940
Now the one thing that they both do really, really well is auditing.

07:26.140 --> 07:28.620
They can actually go through auditing, accounting.

07:28.620 --> 07:33.940
Really the last A is the same either way. They can go through and keep track of who's doing what, when

07:33.940 --> 07:34.480
they're doing it.

07:34.480 --> 07:36.110
They generate log files.

07:36.280 --> 07:39.630
And that's really what the third part of Triple-A is all about.

07:39.640 --> 07:43.000
Make sure you know all this stuff, because you know what, it's on Security+.
