Friday, November 27, 2015

Important Concepts around Authentication

Multi-Factor Authentication

Systems with higher level of authentication needs multiple credentials to be presented for user validation. Such process of authentication is referred to as multi-factor authentication. Each one of the supplied credential can fall in one of the three categories:

  • Something you know (e.g passwords, pin)
  • Something you are (e.g Bio-metrics such as finger prints, picture, retina)
  • Something you have (e.g. Security token, Mobile number for OTP, Debit Card)
When only two credentials (each from different category) are provided then it is referred to as two-factor authentication.

Different Supplicants

  • One which comes integrated with OS - Works with most hardware
    • Windows XP Wireless Zero Configuration (WZC)
    • Windows 7 Supplicant
    • Apple's Airport Client
  • Chipset Vendor Supplicant
    • Atheros
    • Broadcom
    • Intel's PROSet Client
  • WLAN vendor Supplicant: Works only with vendor radios.
    • Ones which are provided by Netgear, DLink etc
  • Third Party Supplicant - works with different chipsets & OS
    • Commercial Supplicants: 
      • Juniper Networks's OAC
      • Cisco's SSC

Different Authentication Servers

  • Cisco ACS [RADIUS based]
  • Juniper Steel Belted RADIUS  [RADIUS based]
  • Microsoft IAS (Windows Server 2003)  [RADIUS based]
  • Microsoft NAP (Windows Server 2008)  [RADIUS based]
  • Microsoft Active Directory 2003 and higher  [Kerberos and LDAP]
  • FreeRADIUS (open source)  [RADIUS based]

Configuring RADIUS and Access Points

  • Authenticator needs to know RADIUS server's IP address & UDP port along with a shared secret (required to validate & encrypt the communication link between authenticator and authentication server)
  • Normally, authenticator is provided with a prioritized list of authentication servers. Usually, up to three RADIUS servers are configured for redundancy purpose.
  • Authentication server needs to know the authenticator's IP address and shared secret in order to communicate with the authenticator.
  • RADIUS uses UDP port 1812 for authentication and 1813 for accounting. Prior to this official assignment by IANA 1645 & 1646 respectively were used by most vendors.

RADIUS assigned VLAN

Helps to assign VLAN to different users hence, no need to have separate SSIDs for segregation of different users.


Here both username and password can be filled with MAC address

Realm & NAS Identifier

Username & password can be accompanied by a domain name or realm that might tell the RADIUS server which master database to use.

Options while using Digital Certificates

  • Public Key Infrastructure [PKI]
  • Private PKI
    • You maintain your private PKI
  • Self Signed Certificates
    • Server certificate needs to be deployed to each client
    • Recommended, if distributing server certificate is not a problem then self signed certificates is the best option.

Note: List of "trusted root authorities" s sometimes referred to as a "Certified Trust List". Verisign is one of the trusted root authority.

User Database: Windows Active Directory & LDAP Server

No comments:

Post a Comment