CompTIA Security+ Exam Notes

Let Us Help You Pass

Wednesday, April 17, 2019

Kerberos


  • Kerberos is an authentication protocol
  • Kerberos provides SSO (Single Sign-On)
  • Uses Port 88 TCP or UDP
  • KDC (Key Distribution Center) uses two services: an Authentication Service (AS) and a Ticket Granting Service (TGS)
    • The Authentication Service handles authenticating user login requests
    • The AS issues a TGT (Ticket Granting Ticket)
    • To access any resource within the domain the client requests a Service Ticket
    • The TGS (Ticket Granting Service) issues the Service Ticket to the client so they can access the resource
  • TGTs are unique to Kerberos
  • By default, the client and the Kerberos server have to be within a 5-minute window of each other for authentication to succeed.
  • Kerberos provides mutual authentication, because the server also authenticates to the client.
  • Kerberos prevents eavesdropping and MITM (Man-In-The-Middle) attacks.
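The ticket flow the notes above describe (AS issues a TGT, TGS issues a Service Ticket, 5-minute clock-skew check, mutual authentication), as an added toy model that is not part of the original notes or of any real Kerberos implementation. It assumes a constructed KDC holding keys for "alice", "krbtgt" and "fileserver", and it seals tickets with an HMAC instead of encrypting them, which is enough to show who validates what at each step.

```python
import hashlib, hmac, json, secrets
MAX_SKEW = 300  # Kerberos default clock-skew tolerance: 5 minutes
KEYS = {n: secrets.token_bytes(32) for n in ("alice", "krbtgt", "fileserver")}  # constructed demo keys; real Kerberos derives the user key from the password

def seal(key, obj):  # MAC-protect a message under a shared key (simplified: real Kerberos encrypts tickets)
    body = json.dumps(obj, sort_keys=True).encode()
    return {"body": body.hex(), "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}

def unseal(key, sealed):  # verify the tag and parse; raises on wrong key or tampering
    body = bytes.fromhex(sealed["body"])
    if not hmac.compare_digest(sealed["tag"], hmac.new(key, body, hashlib.sha256).hexdigest()):
        raise ValueError("bad ticket or authenticator")
    return json.loads(body)

def check_skew(ts, now):
    if abs(now - ts) > MAX_SKEW:
        raise ValueError("clock skew exceeds 5 minutes")

def as_exchange(user, preauth, now):  # KDC Authentication Service: pre-auth timestamp -> TGT
    check_skew(unseal(KEYS[user], preauth)["ts"], now)
    session = secrets.token_hex(16)
    tgt = seal(KEYS["krbtgt"], {"user": user, "key": session, "exp": now + 36000})
    return seal(KEYS[user], {"key": session}), tgt

def tgs_exchange(tgt, authenticator, service, now):  # KDC Ticket Granting Service: TGT -> Service Ticket
    t = unseal(KEYS["krbtgt"], tgt)
    auth = unseal(bytes.fromhex(t["key"]), authenticator)
    check_skew(auth["ts"], now)
    if auth["user"] != t["user"] or now > t["exp"]:
        raise ValueError("authenticator does not match TGT, or TGT expired")
    svc_key = secrets.token_hex(16)
    ticket = seal(KEYS[service], {"user": t["user"], "key": svc_key})
    return seal(bytes.fromhex(t["key"]), {"key": svc_key}), ticket

def service_accept(service, ticket, authenticator, now):  # the resource server's side
    t = unseal(KEYS[service], ticket)
    auth = unseal(bytes.fromhex(t["key"]), authenticator)
    check_skew(auth["ts"], now)
    return seal(bytes.fromhex(t["key"]), {"ts": auth["ts"]})  # mutual auth: proves the server holds the session key

def client_login(user, service, client_now, kdc_now):  # AS -> TGS -> service; False if any side rejects
    try:
        reply, tgt = as_exchange(user, seal(KEYS[user], {"ts": client_now}), kdc_now)
        sk = bytes.fromhex(unseal(KEYS[user], reply)["key"])
        reply, ticket = tgs_exchange(tgt, seal(sk, {"user": user, "ts": client_now}), service, kdc_now)
        svc_sk = bytes.fromhex(unseal(sk, reply)["key"])
        proof = service_accept(service, ticket, seal(svc_sk, {"user": user, "ts": client_now}), kdc_now)
        return unseal(svc_sk, proof)["ts"] == client_now  # the server echoed our timestamp under the session key
    except ValueError:
        return False
```

A client whose clock is 10 minutes behind the KDC is rejected at the very first step, which is why time synchronisation (NTP) is part of every Kerberos deployment checklist.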

AAA Services (Authentication, Authorization, and Accounting)


RADIUS: Remote Authentication Dial-in User Service
  • Port 1812 UDP
  • WPA Enterprise / WPA2 Enterprise both require a RADIUS server.
  • RADIUS clients are also referred to as 802.1x clients.
  • RADIUS is a client/server protocol.
  • Communication between the client and the RADIUS server uses UDP
  • RADIUS is vendor-neutral
  • Only encrypts the password; the rest of the packet is sent in the clear

Diameter
  • Uses TCP for communication between client and server.
  • Considered to be an improvement over RADIUS.
  • Diameter also works with VoIP
  • Used for both local and remote access

TACACS+: Terminal Access Controller Access-Control System Plus
  • TACACS+ provides a more advanced AAA
  • Three separate servers/functions: Authentication, Authorization, and Accounting
  • Communicates over TCP
  • Uses Port 49 TCP
  • Manages routers and switches (Network infrastructure devices)
  • Encrypts the entire packet
  • TACACS+ is a proprietary protocol