2. Computer Security
In computer security, AAA protocol commonly stands for authentication, authorization and accounting.
Authentication:
Refers to confirmation that a user who is requesting a service is a valid user.
Examples of credentials are passwords, one-time tokens, digital certificates, and phone numbers (calling/called).
Authorization:
Refers to the granting of specific types of service (including "no service") to a user, based on their authentication.
Examples of services: IP address filtering, encryption, bandwidth control/traffic management.
Accounting:
Refers to the tracking of the consumption of network resources by users.
May be used for management, planning, billing, etc.
An AAA server provides all of the above services to its clients.
3. AAA Protocols
Terminal Access Controller Access Control System (TACACS)
TACACS+
Remote Authentication Dial In User Service (RADIUS)
Diameter: a planned replacement for RADIUS.
4. RADIUS Server
The Remote Authentication Dial-In User Service (RADIUS) protocol was
developed by Livingston Enterprises, Inc., as an access server
authentication and accounting protocol.
RADIUS is a protocol for carrying authentication, authorization, and
configuration information between a Network Access Server which desires
to authenticate its links and a shared Authentication Server.
Uses the PAP, CHAP or EAP protocols to authenticate users.
Looks up credentials in a text file, an LDAP server, or a database to perform the authentication.
After successful authentication, service parameters are passed back to the NAS.
6. Functions
Communication between a network access server (NAS) and a RADIUS
server is based on the User Datagram Protocol (UDP).
Because UDP is connectionless, RADIUS itself (rather than the transport) handles issues related to server availability, retransmission,
and timeouts.
RADIUS is a client/server protocol.
A RADIUS server can act as a proxy client to other RADIUS servers or other
kinds of authentication servers.
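The slides describe RADIUS as carrying a PAP, CHAP or EAP credential from the NAS to the server over UDP, but not what goes on the wire. The following is an added example (not code from the slides or from any RADIUS product) that builds an Access-Request with a PAP User-Password, answers it on the server side, and checks the reply on the NAS side, following the packet layout, the User-Password hiding and the Response Authenticator defined in RFC 2865. The shared secret, the user database and the NAS address are constructed values.

```python
import hashlib
import hmac
import os
import struct

# Codes and attribute types from RFC 2865 (the slides do not list them).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

SECRET = b"constructed-shared-secret"          # constructed NAS/server secret
USERS = {b"alice": b"correct horse battery"}    # constructed user database


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: null-pad to a multiple of 16 bytes, XOR each block with
    MD5(secret + previous cipher block); the first block uses the Request
    Authenticator. This is obfuscation only; it is as strong as the secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Server-side inverse of hide_password (trailing nulls were padding)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Attributes are TLVs: Type(1) Length(1, header included) Value."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Parse TLVs, rejecting lengths that are too small or overrun the packet."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_access_request(ident, user, password, secret):
    """NAS side: Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    req_auth = os.urandom(16)                   # fresh random value per request
    attrs = encode_attrs([
        (ATTR_USER_NAME, user),
        (ATTR_USER_PASSWORD, hide_password(password, secret, req_auth)),
        (ATTR_NAS_IP_ADDRESS, b"\x0a\x00\x00\x01"),   # 10.0.0.1, constructed
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth


def server_respond(packet, secret, users):
    """Server side: validate framing, check the credential, sign the reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("malformed Access-Request")
    req_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:]))
    user = attrs.get(ATTR_USER_NAME)
    given = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = user in users and hmac.compare_digest(users[user], given)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+ResponseAttrs+Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def client_verify(response, req_auth, secret):
    """NAS side: trust only a reply whose authenticator is bound to our request."""
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20]) and response[0] == ACCESS_ACCEPT


def authenticate(user, password):
    """Full NAS <-> server round trip over an in-memory stand-in for the UDP socket."""
    packet, req_auth = build_access_request(7, user, password, SECRET)
    return client_verify(server_respond(packet, SECRET, USERS), req_auth, SECRET)


if __name__ == "__main__":
    print(authenticate(b"alice", b"correct horse battery"))   # True
    print(authenticate(b"alice", b"wrong"))                   # False
```

Two points the code makes visible: the password is only hidden by MD5 keyed with the shared secret, so the secret's strength and secrecy are the whole protection (which is why deployments commonly carry RADIUS inside TLS, RadSec, RFC 6614), and the NAS must check the Response Authenticator, otherwise anything on the path could inject an Access-Accept.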
9. PAP
The Password Authentication Protocol (PAP) provides a simple method for
a user to authenticate using a two-way handshake.
PAP is used by the Point-to-Point Protocol (PPP) to validate users before allowing
them access to server resources.
PAP transmits unencrypted ASCII passwords over the network and is
therefore considered insecure.
11. CHAP
The Challenge-Handshake Authentication Protocol (CHAP) is a more secure
procedure for connecting to a system than the Password Authentication
Protocol (PAP).
It involves a three-way handshake based on a shared secret, which itself is never
sent. CHAP verifies the peer at link establishment and then repeats the challenge
periodically to make sure that the remote host still holds a valid password.
PAP, by contrast, does nothing further once authentication is complete, which
leaves the link open to attack.
13. Advantages
CHAP provides protection against playback (replay) attacks by using a
challenge value that is unique and randomly generated for every exchange. Because the
challenge is unique and unpredictable, the resulting hash value is also
unique and unpredictable, which makes it difficult to guess.
The use of repeated, different challenges limits the time of exposure
to any single attack.
14. PAP vs CHAP
PAP is in clear text. It mostly amounts to supplying a password for an account.
The password goes across the wire, so it is vulnerable to sniffing: whoever is
listening would learn the password.
CHAP, on the other hand, issues a challenge. The password itself never
crosses the wire; instead a question is asked that only a holder of the password can answer.
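The CHAP, Advantages and PAP vs CHAP slides above describe the three-way exchange, the replay protection that a fresh random challenge gives, and the fact that the secret never crosses the wire. The following added example (not code from the slides) models both sides of a CHAP exchange using the MD5 algorithm of RFC 1994, replays a captured response to show why it fails, and contrasts the wire contents with a PAP Authenticate-Request (RFC 1334). The user name and secret are constructed values; the class and function names are this example's own.

```python
import hashlib
import hmac
import os

# CHAP packet codes from RFC 1994 and the PAP request code from RFC 1334
# (the slides name the protocols but not these values).
CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
PAP_AUTHENTICATE_REQUEST = 1


def chap_hash(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Authenticator:
    """Side holding the secret database and issuing challenges (e.g., the NAS)."""

    def __init__(self, secrets: dict):
        self.secrets = secrets
        self.ident = 0
        self.pending = {}          # ident -> challenge not yet answered

    def challenge(self) -> tuple:
        self.ident = (self.ident + 1) % 256
        value = os.urandom(16)     # unique and unpredictable: the replay defence
        self.pending[self.ident] = value
        return (CHALLENGE, self.ident, value)

    def verify(self, msg: tuple) -> tuple:
        code, ident, value, name = msg
        challenge = self.pending.pop(ident, None)   # each challenge answerable once
        if code != RESPONSE or challenge is None or name not in self.secrets:
            return (FAILURE, ident)
        expected = chap_hash(ident, self.secrets[name], challenge)
        return (SUCCESS if hmac.compare_digest(expected, value) else FAILURE, ident)


class Peer:
    """Side being authenticated; it never sends the secret itself."""

    def __init__(self, name: bytes, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, msg: tuple) -> tuple:
        code, ident, value = msg
        if code != CHALLENGE:
            raise ValueError("expected a Challenge")
        return (RESPONSE, ident, chap_hash(ident, self.secret, value), self.name)


def run_handshake(auth: Authenticator, peer: Peer) -> tuple:
    """One three-way exchange. Returns (authenticated?, messages seen on the wire).
    Calling it again models CHAP's periodic re-challenge after link establishment."""
    chal = auth.challenge()
    resp = peer.respond(chal)
    result = auth.verify(resp)
    return result[0] == SUCCESS, [chal, resp, result]


def replay_attempt(auth: Authenticator, peer: Peer) -> bool:
    """Model a passive listener that records a valid Response and resends its
    hash when the next challenge arrives. Returns True only if that is accepted."""
    captured = peer.respond(auth.challenge())
    if auth.verify(captured)[0] != SUCCESS:
        raise RuntimeError("genuine session should succeed")
    _, new_ident, _ = auth.challenge()               # new random challenge value
    forged = (RESPONSE, new_ident, captured[2], captured[3])
    return auth.verify(forged)[0] == SUCCESS         # hash was bound to the old value


def pap_authenticate_request(name: bytes, password: bytes) -> tuple:
    """PAP Authenticate-Request (RFC 1334): the password itself goes on the wire."""
    return (PAP_AUTHENTICATE_REQUEST, name, password)


def secret_visible_on_wire(messages, secret: bytes) -> bool:
    """Would a passive listener see the secret in these messages?"""
    return any(secret in part for m in messages for part in m if isinstance(part, bytes))


if __name__ == "__main__":
    auth = Authenticator({b"alice": b"s3cret-pw"})   # constructed secret database
    ok, wire = run_handshake(auth, Peer(b"alice", b"s3cret-pw"))
    print(ok, secret_visible_on_wire(wire, b"s3cret-pw"))                              # True False
    print(secret_visible_on_wire([pap_authenticate_request(b"alice", b"s3cret-pw")],
                                 b"s3cret-pw"))                                        # True
    print(replay_attempt(auth, Peer(b"alice", b"s3cret-pw")))                          # False
```

Note the two properties that carry the slides' argument: a response is bound to one challenge value (so a recorded response is useless against the next one), and the authenticator must keep the plaintext secret to recompute the hash, which is the operational cost of CHAP compared with storing a salted password hash.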