CompTIA Security+ SY0-601 – 3.8 Implement authentication and authorization solutions. Part 1

  1. Authentication management

In this video, I’m going to be talking about authentication management and some things we can do in managing authentication. So before we get into this, don’t forget there is identification and authentication. Identification is basically your username saying, hey, I’m Bob, but authentication is being able to prove that you really are Bob, generally with a password, a smartphone, a smart card, a certificate, or some kind of biometrics. Let’s take a look at some terms here. So the first thing I have up is password keys and vaults. So where do we store our passwords? Well, most of the time we store passwords in the actual computer and in our heads. Storing passwords in your head is generally not a good idea, and it’s very difficult as passwords become complex.

Most of us just tend to reuse the same passwords on website after website, decreasing the actual security of those passwords. This is where password vaults come in. Password vaults are basically software that stores passwords for you, so you don’t need to memorize them. For example, I’ll show you guys a good one: LastPass. Okay, LastPass is going to be a very good password vault. So let’s take a look. So I like LastPass. I think it’s a great password vault. You guys can get this; it’s free to use. And what this does is that it basically stores passwords for you. It’s going to be able to memorize the password for you and retype it into the application for you, so you don’t have to type it in.

This is a great way to create and store complex passwords without having to memorize them. And now you don’t need to use the same password for all your different websites. When LastPass, or any of these password vaults, generates passwords for you to put into an application, they’re big, 16 to 20 characters, and then it stores them. By the way, this video is not endorsed by LastPass, but if you want to endorse it, of course, I mean, it would be good if LastPass is listening. What it does is that you can then install apps on your phones, on your browsers, on your laptops, and it’s basically seamless across all your devices when trying to log in. So this is a good option. As opposed to having a good password vault, I mean, the other option is storing passwords by making a text file called passwords.txt and putting it on your desktop.

That would be a really bad idea, but I’ve seen it quite a lot, so I don’t recommend ever doing that. Okay. The other way that we can manage authentication is with TPM chips. We talked about this earlier. TPM chips, trusted platform modules, store cryptographic keys that are used to do encryption. Also we talked about HSMs, hardware security modules, which create, manage and process cryptographic keys for applications. The other thing that we want to talk about is knowledge-based authentication. You should see this quite a lot: static and dynamic knowledge-based authentication. So knowledge-based authentication, you see this when you log into an application and it’s like, what’s your mother’s maiden name? What middle school did you attend? Who was your childhood best friend? Or something like that.

These are going to be things that you know in order to log in. And this is mostly used to reset your password, to prove your identity. Static ones are ones where you fill out the answer to a question ahead of time, where it’s going to say, hey, who was your childhood best friend? What was the name of your first pet? Or something like that. And then there’s dynamic knowledge-based authentication, which credit scoring companies or credit bureaus use, when they ask you questions like, oh, have you ever lived on this street? Or which of the following companies have you ever worked for? So it’s not information that you’re going to provide to them.

They’re going to find it in different forms and from different types of credit monitoring systems. They’re going to find information about you, and then they’re going to ask you randomized questions about information from your past, and you’ve got to be able to answer those questions correctly. Which one of these former addresses have you lived at? Which one of these former businesses did you work for? So you’d have to know something about the person, okay? So these are different ways of managing authentication: you can use a password vault, you can store them in TPM chips, or you can even use knowledge-based authentication.

  2. Authentication Protocols

In this video we’re going to be talking about different forms of authentication protocols that you should be familiar, I should say you must be familiar, with for your exam. Your exam loves testing these different authentication protocols. You have to know when to use what protocol. Now where these protocols are basically going to be used is on VPNs or different types of remote access. You could have used these in dial-up access, but most of the time they’re used in VPN access and also with wireless access, for example EAP authentication with a RADIUS server. We went over this when we talked about wireless authentication. So we’re going to be going through this and I’m going to be taking a look at my SonicWall here. If you guys watched the video where I set up a VPN, we were able to have a user connected to a VPN that was an L2TP VPN with IPsec, but it was using what is known as CHAP, MS-CHAP, in order to transport that username and password.

So think about this. When I had set up the VPN, I wanted to connect my home to my workplace. So that means I had to type in a username and password and it basically was able to send the password across the Internet. Now was that encrypted? Well, yes, it was, because we were using CHAP, the Challenge Handshake Authentication Protocol, in order to do that. So there are some terms here we need to know. I’m going to be referring back to my SonicWall and I’ll show you how to configure it. Now I’m showing you how to configure it on this device, right? This SonicWall. Remember, it’s going to be different for all the networking devices that we have out there. This SonicWall is a very particular device and it’s not the same for everyone. Everyone has a different networking device or VPN concentrator. So I’m just showing you how it’s done on a SonicWall.

It’s going to be different for you configuring it on an ASA or a Check Point and so on. Let’s get into it. So here we go with a variety of different protocols that I want to talk about. So the three ways to authenticate, especially if you’re using a VPN, are going to be either with the Password Authentication Protocol (PAP), the Challenge Handshake Authentication Protocol (CHAP), or the Extensible Authentication Protocol (EAP). Now just in case you guys forgot, EAP is part of the 802.1X framework. 802.1X is a framework that specifies port-based authentication, and it’s used in wireless and wired networks in order to authenticate users when plugging into a network or trying to gain access to a wireless network. It uses EAP, the Extensible Authentication Protocol, which allows you to use smart cards, certificates and biometrics.

In order to do that EAP authentication, you need an authenticator, or a device that basically authenticates the system, which is the RADIUS or the TACACS+ server. So just for your exam now, we talked about RADIUS servers in another part of this class. So RADIUS servers and TACACS+ are basically services that centralize authentication. RADIUS is more of an open standard, Microsoft based thing; more people use it. TACACS and TACACS+ servers are basically Cisco. So if you use a Cisco solution, this is what you’re going to be using. For your exam, RADIUS and TACACS+ are basically the same thing. Okay, so before I get into EAP authentication with a RADIUS server, let’s talk about how we can do it just using passwords instead of using smart cards and certificates to log in.

Let’s say we’re just using passwords. Now the way to do password authentication would be either with CHAP or PAP. Let’s start with this one here, the Password Authentication Protocol. The Password Authentication Protocol is when you send your username and password in clear text to the server. You never want to use the Password Authentication Protocol. It does not encrypt your password. So this here is in clear text, in which case anyone can see it. The other one, CHAP, is fully encrypted. All right. In this one it’s fully encrypting your password. So you want to use CHAP, not PAP. Now I do want to show you this on my VPN configurations that I have. Let’s log into the SonicWall here. So I’m going to log in here to my SonicWall and, okay, I am in the VPN configuration. Give this a second. Let this load up. So I want to show you.

So right now the VPN that’s used on the SonicWall is an L2TP VPN, which we talked about in the VPN section. Here’s the L2TP VPN. I’m going to go to Configure. Right now it’s enabled. And you notice that if I go to PPP, Point-to-Point Protocol, right now it’s set to CHAP, and notice how high up that is. So if I decided to do a very bad thing and I said, you know what, I want all my passwords to be in clear text because I’m crazy, I would put PAP on top of it, so it would use PAP instead of CHAP. You never want that, right? You just want to cancel that because that’s not the way. But this is where you would select what type you want. So right now this server is configured to use password authentication for the VPN and it’s going to be using MS-CHAP. So MS-CHAP is basically the Microsoft version of it. There are two: there’s CHAP version one and CHAP version two.

This is using CHAP version two. It’s using CHAP to encrypt my password, which is exactly what I want. Now the other thing is, when you set up a VPN, do you really want just passwords? I mean, for me to log into your organization, all I need is a password. You know, passwords are easy to crack and they’re not the most secure thing. So what we should do is have another factor of authentication, like having a certificate installed on somebody’s computer, or having smart cards that they would have to have in order to log in. For that, we’re going to have to have a RADIUS server. So in order to use a RADIUS server, we need to enable the 802.1X framework, which is EAP authentication. So EAP authentication would be able to utilize a RADIUS server. So you have to configure that RADIUS server.
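To make the PAP versus CHAP difference from above concrete, here is an added example (not from the video, and not SonicWall code) that models both exchanges in Python: PAP puts the password itself in the request, while CHAP in its RFC 1994 MD5 form sends only MD5(Identifier || secret || Challenge) over a fresh random challenge, so the authenticator can check the response without the secret ever crossing the wire. The user name and secret are constructed demo values.

```python
import hashlib
import hmac
import secrets

# Constructed demo credential shared by the peer and the authenticator (not from the page).
USER_DB = {"bob": b"correct horse battery staple"}


def pap_request(name: str, secret: bytes) -> bytes:
    """PAP Authenticate-Request: the peer id and the password travel as-is."""
    return b"PAP " + name.encode() + b":" + secret


def chap_challenge():
    """Authenticator side: a one-byte Identifier and a random Challenge, new for every attempt."""
    return secrets.randbelow(256), secrets.token_bytes(16)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side (RFC 1994, CHAP with MD5): Response = MD5(Identifier || secret || Challenge).
    The secret is only an input to the hash; it never appears in any message."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(name: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute the hash from its own copy of the secret and compare."""
    secret = USER_DB.get(name)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(name: str, secret: bytes):
    """Run one complete CHAP exchange; return (bytes seen on the wire, authentication result)."""
    identifier, challenge = chap_challenge()           # Challenge packet, authenticator -> peer
    response = chap_response(identifier, secret, challenge)  # Response packet, peer -> authenticator
    wire = b"CHAP " + bytes([identifier]) + challenge + name.encode() + response
    return wire, chap_verify(name, identifier, challenge, response)


def secret_visible(wire: bytes, secret: bytes) -> bool:
    """What a passive tap on the link would see: is the password literally present in the bytes?"""
    return secret in wire
```

CHAP hides the password from a passive observer, but a captured challenge/response pair can still be tested against password guesses offline, so password strength still matters. MS-CHAPv2, the variant selected on the SonicWall above, derives its response from the NT password hash rather than this RFC 1994 MD5 computation.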

Now if you guys remember, I had configured a RADIUS server when we had done wireless. So we can still use that same RADIUS server. So let’s go back here and I’ll show you how to do that. Now again, I’m showing it to you on a SonicWall. It’s going to be different for all the different firewalls; ASAs and Check Points are going to have different setups in different ways. The principles are the same; the configuration is different. So if I go in here right now to the base settings, I’m going to have a VPN policy. So this is the policy on the device that’s allowing the VPN to work. So I’m going to click on Configure and I am going to make the screen a little bit bigger so we can see. And I’m going to go here to Advanced. And right now it says require authentication of VPN clients by using XAUTH (extended authentication). So we’re going to go in here, and right now it says Trusted Users. So basically only the trusted users can join my VPN.

All right? So I’m just going to leave it as that and say okay. So I’m showing you that right now the VPN is done by trusted users. So what we want to do is tell the VPN that, you know what, those trusted users have to authenticate using a RADIUS server. So you would have to have a RADIUS server in your LAN in order to authenticate the VPN. So for this I’m going to go down here to Users. And right in here you notice how it says User authentication method. Right now it’s Local Users. But you know what we could do? We could say RADIUS plus Local Users. And then I could say Configure RADIUS. So by configuring RADIUS now, I could say, you know what, I’m going to go to Settings here and we’re going to add a RADIUS server. So we’re going to give it a RADIUS server, basically like this Windows server that I had set up as a RADIUS server. Let’s see if it’s still there.

Okay, so if I go to Tools on, this is my Windows server that we had set up as a Network Policy Server when we had done the wireless. So right now it says RADIUS for dial-up or VPN. We had configured one for 802.1X wireless. So we can actually go in here and configure it now for VPN. So we could say, hey, we want VPN connections to this RADIUS server. Right now, if you guys remember, I had configured this so that this is a RADIUS server’s IP address. We’re going to put it back to the SonicWall. They’ve given it a name. So we’re going to allow this device to use this RADIUS server. The secret is just secret and we are going to be allowing the Extensible Authentication Protocol with this RADIUS server. So we’re going to tell this RADIUS server, you know what, let’s use smart cards. If they don’t have smart cards, we’re not going to allow it.

Now we can add in groups. Maybe we can add in Domain Users in here, and we don’t need any type of filtering, and we’re going to click on Next. We don’t need any other type of security; you know what, we just keep it as Microsoft Point-to-Point Encryption. And nope, we don’t need a realm there, and we’re going to finish this. So that’s it: this RADIUS server is now configured to accept VPN users. So when I go back to my SonicWall, I click Configure RADIUS. I can add this RADIUS server in. So the IP address of that server was 85 and the secret was password. I click on Save and now I’ve got to go in right in here to Default User Group. So we’re going to say those trusted users.

Remember, the VPN policy is a trusted user. So we’re going to say these trusted users are going to have to use this RADIUS server in order to authenticate to it. And that is it. So now what happens is, when people want to connect to the VPN, basically the VPN is going to say, hey, you’re a trusted user. Okay. So what you need to do is authenticate to that Windows server, the VPN RADIUS server, and the RADIUS server says: do you have a certificate? Are you part of the Domain Users group? This is the EAP authentication that we want. Now remember guys, I keep emphasizing this. I’m showing you these things so you can understand how it’s done and how it’s configured. What I’m not showing you is a lot of the behind-the-scenes work of how to set up a Windows server, how to configure Active Directory, how to configure the RADIUS policies; that you’re going to have to take in another class.

This is just an introduction so you can see how it’s done. Hopefully by seeing these screens and watching the demonstration, it’s making you understand it a lot better. I just didn’t want to talk about it; I really wanted to show you guys this. But remember, this course does not substitute for an entire MCSE class, MCSA class and, of course, a firewall configuration class. There are certifications on how to configure a SonicWall. Okay, so let’s move on here. So the other thing here I want to talk about is single sign on. What exactly is single sign on? So single sign on is when you log in once and you’re basically finished logging in. You log in once, and it gives you access to everything. So one login gives you access to everything. You see this in your Active Directory network at work.

When you log in once with your username and password to your Active Directory network, that one username and password is used to access resources throughout the entire network. This is good. This is basically what single sign on is. With that single username and password, you can authenticate to your email server, you can authenticate to your database server, you can authenticate to your file server and your print server. No more need to memorize 100 passwords. I wish there was single sign on for the entire internet. Or maybe there is. We’ll talk about that in a second. So for single sign on within your network, within the Active Directory domain itself, we’re going to use something called Kerberos.

Kerberos is the single sign on system that is built into Microsoft Active Directory; it integrates with LDAP and allows single sign on. Now, Kerberos is known, remember this for your exam, as a ticketing system. All right? So when you log into Active Directory, it’s going to give you what is known as a ticket-granting ticket. And you then use that ticket to request session or service tickets to resources. So let me give you an example. In Active Directory, the way Kerberos works is when you log into Active Directory with a username and password, the server gives you what’s known as a ticket-granting ticket. Now, that ticket doesn’t give you access to any resources, but it does give you the ability to ask for all the other tickets.

So you get this ticket-granting ticket in your hand. So let’s say this blue mouse here is my ticket-granting ticket and I want to access that file server. So what I do is I give the ticket-granting ticket back to the server and say, hey, I’d like access to that file server. That server then gives me another ticket. Let’s say this USB stick here. So then, because I gave it this ticket-granting ticket, it gives me back this session ticket that I give to that file server. If I want to access that database, I give them back the ticket-granting ticket and say, hey, can I have access to that? It gives me another ticket to give to that server. Kerberos is basically a ticketing system that you’re going to use in order to access all your resources. So basically you get a ticket-granting ticket that gives you access to other tickets to get resources. Now I don’t think your exam is really going to go in depth into this.
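The ticket flow just described, as an added example that is not part of the video: a simplified Python model in which the KDC hands out a ticket-granting ticket at login, later exchanges it for a service ticket, and the file server validates that ticket using only its own key, without talking to the KDC. Tickets here are HMAC-sealed JSON rather than the encrypted structures real Kerberos uses, session keys and authenticators are left out, and the user, password and service names are constructed.

```python
import hashlib
import hmac
import json
import secrets
import time


def seal(key: bytes, claims: dict) -> bytes:
    """Seal a ticket so only a holder of `key` can validate it (stands in for Kerberos encryption)."""
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def open_seal(key: bytes, ticket: bytes):
    """Return the ticket's claims if its seal verifies under `key`, otherwise None."""
    body, sep, tag = ticket.rpartition(b"|")
    if not sep:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


class KDC:
    """Key Distribution Center: the login service that issues TGTs and the ticket-granting service."""
    TGT_LIFETIME = 8 * 3600   # seconds; constructed value

    def __init__(self):
        self.krbtgt_key = secrets.token_bytes(32)                  # known only to the KDC
        self.user_keys = {"bob": hashlib.sha256(b"bobs-password").digest()}  # constructed demo user
        self.service_keys = {"fileserver": secrets.token_bytes(32)}          # shared with that server only

    def as_exchange(self, user: str, password: str):
        """Login: prove the long-term user key; get a TGT that by itself grants no resource."""
        stored = self.user_keys.get(user)
        offered = hashlib.sha256(password.encode()).digest()
        if stored is None or not hmac.compare_digest(stored, offered):
            return None
        return seal(self.krbtgt_key, {"user": user, "exp": time.time() + self.TGT_LIFETIME})

    def tgs_exchange(self, tgt: bytes, service: str):
        """Hand the TGT back and name a service; receive a ticket sealed with that service's key."""
        claims = open_seal(self.krbtgt_key, tgt)
        if claims is None or claims["exp"] < time.time() or service not in self.service_keys:
            return None
        return seal(self.service_keys[service],
                    {"user": claims["user"], "service": service, "exp": time.time() + 600})


class FileServer:
    """A resource server: validates service tickets with its own key and never contacts the KDC."""
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def accept(self, ticket: bytes):
        """Return the authenticated user name, or None if the ticket is not valid for this server."""
        claims = open_seal(self.key, ticket)
        if claims is None or claims["service"] != self.name or claims["exp"] < time.time():
            return None
        return claims["user"]


def demo():
    """Login, exchange the TGT for a file server ticket, present it: returns the accepted user."""
    kdc = KDC()
    fs = FileServer("fileserver", kdc.service_keys["fileserver"])
    tgt = kdc.as_exchange("bob", "bobs-password")
    return fs.accept(kdc.tgs_exchange(tgt, "fileserver"))
```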

Why? Because basically it’s a very complex process and it’s more of an Active Directory thing. But for you guys at this level of knowledge, you just need to know what it is, to be familiar with: hey, Active Directory runs on Kerberos and it’s a ticketing system for single sign on. Now the other thing here I mentioned is, hey, we need some single sign on to the internet. So the one thing I want to mention is something called SAML, Security Assertion Markup Language. SAML is basically used for, notice this term for your exam, federated services. What are federated services? Sharing of usernames and passwords within an organization, across different websites, and to other organizations’ websites. How do we create single sign on between websites? So we’ve got single sign on with Active Directory, where Active Directory uses a password to access many of the different Windows resources like databases and email and so on.

But let’s say you have some web applications. You have a web application for sales, you have a web application for inventory, you have a web application for accounting. You want to have one username and password be used across all of these applications. So what you would do is implement SAML. So SAML basically allows you to pass the authentication credential. Now SAML is not an authenticator, but it allows you to pass this authentication amongst these different applications within the network. And you can also do it even outside of the network. SAML is mostly used in networks, corporate networks. Now the other one that we mentioned here that you might see appear on your exam is Open Authentication and OpenID. Open Authentication is really popular.

Open Authentication gives you access to resources and files by giving permission to another system. So let me give you an example where you use this. Open Authentication is used a lot on websites. So let’s say you go to a website and you try to do a checkout and it’s like, hey, would you like to use your Facebook to check out? Not Facebook, I’m sorry, PayPal to check out. So then you basically have a link, click here to pay with PayPal. You click it, you log into your PayPal, you’ve got some money in your PayPal. PayPal then looks at the data and says, okay, you’re trying to buy this SonicWall for $10. Okay, so I’m going to allow that. I see it, okay, I allow it. And then PayPal tells the website. So this is Open Authentication, or OAuth. Basically what this is doing is that it’s allowing the confirmation of resources between that website and PayPal.

Now the thing is, with Open Authentication, it has really nothing to do with your user ID on the website. When you allow the Open Authentication to work, it doesn’t know who you are. And that’s where OpenID comes in. So OpenID builds off of Open Authentication, allowing it to actually do authentication and provide identity management. So you see this quite a lot nowadays. You go to some websites and you try to log in and it’s like, hey, would you like to use your Gmail to log in here? Would you like to use your Facebook to log in here? That’s OpenID. So this is providing your ID, basically the username and password that you use to log into Google. Now, Google is basically giving an ID to that website saying, hey, yeah, I’m Google, I trust this guy.

You should trust them too. That’s OpenID. And then Open Authentication comes in to give access to the different resources. Okay, in this video, guys, we covered a lot of stuff. Make sure to review this video. You should watch this video at least one more time. Make some notes as you’re going through this. These terms are very popular for your exam. For example, never use PAP, because it’s in plain text. CHAP is good if you just want to use passwords. If you want to use things beyond passwords, like smart cards and certificates, use EAP authentication with a RADIUS server. And don’t forget, when it comes to single sign on for the web, you can use SAML or OpenID; to get access to resources, use Open Authentication; and then Kerberos is what’s used in Active Directory in order to provide single sign on services.
