In today's connected world, securing network access is more important than ever. You've already learned the basics of networking, how data travels, what IP addresses are, and how devices communicate. Now we're taking the next step: learning how to control WHO can access WHAT in a network.

This room will introduce you to authentication protocols: the digital gatekeepers that verify identities before granting network access. Think of them as the security guards of your network, checking IDs before letting anyone in.

What You'll Learn:

• What authentication is and why it matters
• How RADIUS secures remote access
• How TACACS+ manages network devices
• How LDAP organizes user information
• How to choose the right protocol for different situations

Prerequisites:

• Basic understanding of networking concepts
• Familiarity with IP addresses and protocols
• Knowledge of client-server communication

How to Approach This Room:

1. Take it step by step. Each task builds on previous ones
2. Use the analogies to visualize abstract concepts
3. Pay attention to real-world scenarios
4. Complete the knowledge checks to reinforce learning

Optional Video

This optional video covers the fundamental concepts of authentication protocols. It's helpful but not required to complete the room.

Authentication is the process of verifying someone's identity. In the digital world, it's how computers confirm that you are who you say you are. Think of it like showing your passport at an airport, you prove your identity before being allowed to board a plane.

Why Authentication Matters:

Without authentication, anyone could access any network resource. Authentication creates digital boundaries, ensuring only authorized users can access sensitive information or systems.

Key Authentication Concepts:

1. Username and Password: The most common method. Like having a key to your house.
2. Multi-Factor Authentication (MFA): Adding extra verification steps. Like needing both a key and a fingerprint to enter.
3. Authentication vs Authorization:
   • Authentication: "Who are you?" (Verifying identity)
   • Authorization: "What are you allowed to do?" (Granting permissions)

Where Authentication Happens:

• Logging into your computer
• Accessing company Wi-Fi
• Connecting to a VPN
• Logging into email or websites
• Using mobile banking apps

Below is a visual demonstration of how authentication takes place.

Common Authentication Challenges:

• Forgotten passwords
• Stolen credentials
• Weak password policies
• Security vs convenience balance

Real-World Scenario:

Sarah is a new employee at TechCorp. On her first day, she needs to:

1. Authenticate to join the company Wi-Fi
2. Authenticate to access her company email
3. Authenticate to use internal applications

Each system checks her identity before allowing access. This ensures that only Sarah (not someone pretending to be Sarah) can access company resources.

RADIUS stands for Remote Authentication Dial-In User Service. Originally developed in the 1990s for dial-up internet access, it's now widely used for many types of network access, especially Wi-Fi and VPN connections.

How RADIUS Works:

RADIUS uses a client-server model with three main components:

1. Network Access Server (NAS): The device requesting authentication (like a Wi-Fi access point)
2. RADIUS Server: The central server that verifies credentials
3. Authentication Database: Where user information is stored (often separate from RADIUS server)

Below is a visual of RADIUS Authentication Flow

Common RADIUS Uses:

• Enterprise Wi-Fi authentication
• VPN access control
• DSL and dial-up connections
• Network device administration

RADIUS Port Numbers:

Port	Protocol	Purpose
1812	UDP	Authentication
1813	UDP	Accounting
1645	UDP	Old authentication port
1646	UDP	Old accounting port

RADIUS Attributes:

Attribute	Example	Purpose
User-Name	"jsmith"	Identifies the user
User-Password	(encrypted)	User's password
NAS-IP-Address	"192.168.1.10"	NAS device address
Framed-IP-Address	"10.0.0.5"	IP assigned to user

Real-World Scenario:

TechCorp wants to secure their office Wi-Fi. They:

1. Set up a RADIUS server
2. Configure all Wi-Fi access points to use RADIUS
3. Employees enter username/password to connect
4. RADIUS server checks credentials against Active Directory
5. Approved users get Wi-Fi access; others are denied

Strengths of RADIUS:

• Widely supported by many devices
• Centralized authentication management
• Can work with various authentication databases
• Good for large-scale deployments

Weaknesses of RADIUS:

• Limited encryption (only passwords)
• Single points of failure possible
• Complex to set up initially

TACACS+ stands for Terminal Access Controller Access-Control System Plus. It's a Cisco-developed protocol specifically designed for network device administration. Unlike RADIUS, TACACS+ completely separates authentication, authorization, and accounting, often called the "AAA" framework.

Key Feature: AAA Separation

TACACS+ treats these as three separate processes:

1. Authentication: Who are you? (Verifies identity)
2. Authorization: What can you do? (Sets permissions)
3. Accounting: What did you do? (Logs activities)

Below is a visual demonstration of TACACS+ AAA Separation

How TACACS+ Works:

• Uses TCP (port 49) for reliable communication
• Encrypts the entire packet, not just passwords
• Allows granular control over commands users can execute
• Supports command logging for audit trails

TACACS+ vs RADIUS Comparison:

Feature	TACACS+	RADIUS
Protocol	TCP	UDP
Port	49	1812/1813
Encryption	Entire packet	Only password
AAA	Separated	Combined
Best for	Network devices	Network access
Vendor	Cisco proprietary	Open standard

Common TACACS+ Uses:

• Router and switch administration
• Firewall management access
• Network infrastructure device control
• Command-level authorization for engineers

Security Advantages:

• Full packet encryption
• Granular command authorization
• Detailed accounting logs
• Session timeout controls

Real-World Scenario:

Network administrators at TechCorp need to manage 50 routers and switches. With TACACS+:

1. Engineers authenticate once to the TACACS+ server
2. Server authorizes which commands each engineer can run
3. Every command executed is logged for security auditing
4. Junior engineers might only view configs; seniors can make changes

When to Choose TACACS+:

• Managing Cisco network devices
• Need granular command-level control
• Require detailed audit trails
• Enterprise environments with many administrators

When RADIUS Might Be Better:

• Wi-Fi or VPN user authentication
• Mixed-vendor environments
• Simpler deployments
• When UDP is preferred over TCP

LDAP stands for Lightweight Directory Access Protocol. Unlike RADIUS and TACACS+ which focus on authentication, LDAP is primarily a directory service protocol, think of it as a digital phonebook or organizational chart for your network.

What is a Directory Service?

A directory service organizes information in a hierarchical structure, making it easy to find and manage data about users, devices, and resources. It's like a company's employee directory that shows department structures, job titles, and contact information.

Directory Information Tree (DIT):

LDAP organizes data in a tree structure:

• Root: The top level (like company name)
• Organizational Units (OUs): Departments or groups
• Entries: Individual items (users, computers, printers)
• Attributes: Details about each entry (name, email, phone)

Below is the visual representaiton of LDAP Directory Structure

Common LDAP Attributes:

Attribute	Example	Purpose
cn	"John Smith"	Common Name
uid	"jsmith"	User ID
mail	"jsmith@company.com"	Email address
telephoneNumber	"555-0123"	Phone number
department	"IT Support"	Department
title	"Network Admin"	Job title

How LDAP is Used for Authentication:

While LDAP itself is a directory protocol, it's often used as a backend for authentication systems:

1. User tries to authenticate (e.g., log into computer)
2. System queries LDAP directory
3. LDAP checks credentials against user entry
4. Returns authentication result

Active Directory (The Most Common LDAP Implementation):

Microsoft's Active Directory (AD) is essentially an LDAP directory with extra features:

• Central user management
• Group policies
• Single sign-on capabilities
• Integrated with Windows systems

Common LDAP Uses:

• Centralized user management
• Email address lookup
• Single sign-on systems
• Application authentication backend
• Device inventory management

Real-World Scenario:

TechCorp uses LDAP through Active Directory to manage 500 employees:

1. Each employee has an LDAP entry with attributes
2. When employees log into computers, systems check LDAP
3. Email clients use LDAP to look up colleague addresses
4. Applications use LDAP to authenticate users
5. HR system updates employee information in LDAP

LDAP vs RADIUS/TACACS+:

• LDAP: Directory service that can be used for authentication
• RADIUS/TACACS+: Authentication protocols that can use LDAP as backend
• Often work together: RADIUS server queries LDAP directory

Now that you understand RADIUS, TACACS+, and LDAP individually, let's compare them side-by-side. This will help you decide which protocol to use in different situations and understand how they often work together in real networks.

Comprehensive Protocol Comparison:

Feature	RADIUS	TACACS+	LDAP
Primary Purpose	Network access authentication	Network device administration	Directory services
Protocol	UDP	TCP	TCP (usually)
Ports	1812/1813	49	389/636 (LDAPS)
Encryption	Password only	Entire packet	Varies (simple/SSL)
AAA Support	Combined	Separated	Not AAA protocol
Vendor	Open standard	Cisco proprietary	Open standard
Best For	Wi-Fi, VPN, dial-up	Routers, switches, firewalls	User directories, SSO
Speed	Faster (UDP)	Slower (TCP)	Medium
Scalability	Excellent	Good	Excellent

Below is a visual demonstration of Protocol Decision Flowchart

Decision Guide: When to Use Which Protocol?

Choose RADIUS when:

• Securing Wi-Fi access for employees/guests
• Setting up VPN authentication
• Need broad device compatibility
• Managing large numbers of network access points

Choose TACACS+ when:

• Administering Cisco network devices
• Need granular command-level control
• Require detailed audit logs of commands
• Managing network engineer access

Choose LDAP when:

• Creating centralized user directory
• Implementing single sign-on (SSO)
• Applications need user authentication
• Managing organizational information structure

How Protocols Work Together:

In enterprise networks, these protocols rarely work alone. Here's a common integration:

1. LDAP stores all user information centrally
2. RADIUS handles Wi-Fi/VPN authentication by checking with LDAP
3. TACACS+ manages network device access, also checking with LDAP
4. One password change in LDAP updates access everywhere

Real-World Deployment Scenario:

Enterprise Corp uses all three protocols together:

Infrastructure:

• LDAP (Active Directory): Central user database for 1000 employees
• RADIUS Server: Authenticates Wi-Fi and VPN connections
• TACACS+ Server: Controls access to 200 network devices

User Experience:

1. Employee Jane logs into her Windows computer (authenticates with LDAP)
2. Jane connects to office Wi-Fi (RADIUS checks her credentials with LDAP)
3. Jane needs to fix a network issue (TACACS+ authorizes her specific commands)
4. All authentication events are logged for security audits