Network+ 2012 and CCNA Security Exam Training:

Intro To CHAP, PAP, MS-CHAP, TACACS, And RADIUS

By Chris Bryant, CCIE #12933

In this Network+ and CCNA Security exam tutorial, you'll be introduced to CHAP, PAP, and MS-CHAP. You'll also get a brief but important introduction to AAA, TACACS, and RADIUS.

CHAP, PAP, and MS-CHAP are all authentication protocols that run over the Point-to-Point Protocol (PPP). The Password Authentication Protocol (PAP) has a major security issue: the password is sent over the connection in clear text, so anyone who intercepts a packet can read it directly.

The Challenge Handshake Authentication Protocol (CHAP) prevents this by choosing a random number (the challenge) and running a hash algorithm over it together with the password. Only the random number and the result of that hash cross the link to the remote router, so the password itself is never exposed.

If someone with a network sniffer managed to pick a packet off the cable between the endpoints, the only thing they'd be able to see is an unrecognizable and undecipherable bunch of numbers, letters, and symbols.

Password before hashing: "password"

Password after hashing: "y7riu3i&32"

The hash value shown here is only an illustration, not the actual output of any particular algorithm. Because hashing is one-way, an intercepted hash value is virtually impossible to turn back into the original password.

In our discussion of TCP, you learned that TCP uses a three-way handshake. The "handshake" in CHAP is also a three-way exchange, but the "challenge" part makes this process just a bit different. Let's walk through a sample CHAP process.

A client wants to connect to a server, so the client sends a logon request. Instead of just saying "okay", the server will respond with a challenge. 

CHAP Challenge

The client now runs the hash algorithm over the challenge value and its own copy of the password, and sends the result of that hash back to the server.

Answer To Challenge

The server takes that response value and compares it against its own hash calculation, made with its own copy of the password. If the values match, the client is authenticated. If the values do not match, the client's authentication attempt is denied.
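The three-step exchange above, as an added example that is not part of the original tutorial. It models CHAP as specified in RFC 1994 (response = MD5 over Identifier, secret, and challenge) beside a PAP request, so you can see exactly what a sniffer on the link would capture in each case; the shared secret "password" and the host names are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample: the secret configured on both ends of the PPP link.
SHARED_SECRET = b"password"


def pap_request(username: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request: the password crosses the link in clear text."""
    return username + b":" + password


def make_challenge() -> tuple[int, bytes]:
    """Step 1 (server): pick a fresh CHAP Identifier and a random challenge."""
    return secrets.randbelow(256), secrets.token_bytes(16)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Step 2 (client): MD5(Identifier || secret || challenge), per RFC 1994."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def verify_response(identifier: int, challenge: bytes, response: bytes, secret: bytes) -> bool:
    """Step 3 (server): recompute from its own copy of the secret, compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def run_chap(client_secret: bytes, server_secret: bytes = SHARED_SECRET) -> dict:
    """Walk the exchange; the returned dict is everything a sniffer would see, plus the outcome."""
    ident, challenge = make_challenge()                          # server -> client: Challenge
    response = chap_response(ident, client_secret, challenge)    # client -> server: Response
    ok = verify_response(ident, challenge, response, server_secret)  # server: Success/Failure
    return {
        "identifier": ident,
        "challenge": challenge.hex(),
        "response": response.hex(),
        "authenticated": ok,
    }


if __name__ == "__main__":
    print("PAP on the wire :", pap_request(b"router1", SHARED_SECRET))
    print("CHAP on the wire:", run_chap(SHARED_SECRET))
```

Run it twice and note that the challenge and response change every time while the secret never appears, which is why a captured CHAP response cannot simply be replayed later.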

As you progress in your career and your studies, you'll find that companies such as Microsoft and Cisco occasionally like to make their own versions of popular services and protocols.  Microsoft did just that with MS-CHAP, and I'm sure I don't have to tell you what the MS stands for!

RADIUS (Remote Authentication Dial-In User Service) and TACACS (Terminal Access Controller Access Control System) are both AAA protocols, bringing Authentication, Authorization, and Accounting to networks.  Before we examine RADIUS and TACACS, let's define each of the "three As".

Authentication simply asks the question, "Should I let you into the network in the first place?"

AAA Authentication

Authorization is the process of denying or permitting a client permission to do something on the network, such as accessing a file.

AAA Authorization

Accounting is the process of tracking a user's activity and time on the network, possibly for internal billing purposes. For example, if a user from the Security department is accessing servers or bandwidth allocated to the Accounting department, that user's activity can be tracked so the Accounting department can bill the Security department for the time its resources were in use.

AAA Accounting

The original TACACS is rarely if ever seen anymore; it has largely been replaced by RADIUS and TACACS+. Note that TACACS+ is a separate protocol and is not compatible with TACACS.

There are some key differences between TACACS+ and RADIUS:

  • RADIUS runs on UDP, TACACS+ on TCP, giving TACACS+ the benefit of TCP's reliable, connection-oriented delivery.
  • In the initial Access-Request packet, RADIUS encrypts only the password; everything else, such as the username, travels in clear text. TACACS+ encrypts the entire body of the packet.
  • RADIUS combines the authentication and authorization features of AAA, making it difficult if not impossible to run one without running the other. TACACS+ keeps authentication and authorization separate.
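To make the second difference concrete, here is an added example (not part of the original tutorial) of the User-Password hiding RADIUS applies in an Access-Request, following RFC 2865 section 5.2: the password is padded to 16-byte blocks and each block is XORed with MD5(shared secret + previous block), seeded by the Request Authenticator. The User-Name, shared secret, and password below are constructed sample values.

```python
import hashlib
import secrets


def hide_user_password(password: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad with nulls to a 16-byte multiple, XOR each block with an MD5 chain."""
    assert len(authenticator) == 16, "Request Authenticator is 16 octets"
    padded = password.ljust(((len(password) + 15) // 16) * 16 or 16, b"\x00")
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(shared_secret + prev).digest()     # b1 = MD5(S + RA), b2 = MD5(S + c1), ...
        c = bytes(p ^ k for p, k in zip(padded[i:i + 16], b))
        out += c
        prev = c                                          # next block keys off the ciphertext
    return bytes(out)


def reveal_user_password(hidden: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Server side: same chain in reverse; trailing null padding is stripped."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(shared_secret + prev).digest()
        c = hidden[i:i + 16]
        out += bytes(x ^ k for x, k in zip(c, b))
        prev = c
    return bytes(out).rstrip(b"\x00")


def build_access_request(username: bytes, password: bytes, shared_secret: bytes) -> dict:
    """Minimal Access-Request: only User-Password is hidden, User-Name is sent as-is."""
    authenticator = secrets.token_bytes(16)               # fresh random Request Authenticator
    return {
        "Request-Authenticator": authenticator,
        "User-Name": username,                             # clear text on the wire
        "User-Password": hide_user_password(password, shared_secret, authenticator),
    }


if __name__ == "__main__":
    req = build_access_request(b"alice", b"password", b"radius-shared-secret")
    print({k: v.hex() if k != "User-Name" else v for k, v in req.items()})
```

Note that this hiding depends entirely on the strength of the shared secret between the NAS and the RADIUS server, and that every other attribute in the request is readable by anyone capturing the UDP packet.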

There's a lot more to AAA, RADIUS, and TACACS+ than you see here. These are all very important security protocols in today's networks, so once you earn your Network+ certification, I recommend you learn more about them; they're an important part of network security!
