RADIUS Server PAP & CHAP Protocols

Upload: dhananjay-aloorkar

Post on 18-Jul-2015


RADIUS Server

PAP & CHAP Protocols

Computer Security

In computer security, AAA commonly stands for authentication, authorization and accounting.

Authentication:

Refers to confirmation that a user who is requesting a service is a valid user.

Examples of credentials are passwords, one-time tokens, digital certificates, and phone numbers (calling/called).

Authorization:

Refers to the granting of specific types of service (including "no service") to a user, based on their authentication.

Examples of services: IP address filtering, encryption, bandwidth control/traffic management.

Accounting:

Refers to the tracking of the consumption of network resources by users.

May be used for management, planning, billing, etc.

An AAA server provides all the above services to its clients.

AAA Protocols

Terminal Access Controller Access Control System (TACACS)

TACACS+

Remote Authentication Dial-In User Service (RADIUS)

DIAMETER: Diameter is a planned replacement for RADIUS.

RADIUS Server

The Remote Authentication Dial-In User Service (RADIUS) protocol was developed by Livingston Enterprises, Inc., as an access server authentication and accounting protocol.

RADIUS is a protocol for carrying authentication, authorization, and configuration information between a Network Access Server (NAS), which desires to authenticate its links, and a shared Authentication Server.

It uses the PAP, CHAP or EAP protocols to authenticate users.

It looks up credentials in a text file, LDAP servers or a database for authentication.

After authentication, service parameters are passed back to the NAS.

RADIUS infrastructure components

Functions

Communication between a network access server (NAS) and a RADIUS server is based on the User Datagram Protocol (UDP).

RADIUS server handles issues related to server availability, retransmission, and timeouts.

RADIUS is a client/server protocol.

A RADIUS server can act as a proxy client to other RADIUS servers or other kinds of authentication servers.

Interaction between a user and the RADIUS client and server

Authentication and Authorization

The RADIUS server can support a variety of methods to authenticate a user.

PAP

The Password Authentication Protocol (PAP) provides a simple method for a user to authenticate using a 2-way handshake.

PAP is used by the Point-to-Point Protocol to validate users before allowing them access to server resources.

PAP transmits unencrypted ASCII passwords over the network and is therefore considered insecure.

Working of PAP

CHAP

The Challenge-Handshake Authentication Protocol (CHAP) is a more secure procedure for connecting to a system than the Password Authentication Protocol (PAP).

It involves a three-way handshake that relies on a shared secret. During link establishment, CHAP conducts periodic challenges to make sure that the remote host still has a valid password value.

PAP, by contrast, basically stops working once authentication is established, which leaves the network vulnerable to attack.

Working of CHAP

Advantages

CHAP provides protection against playback attacks by using a different challenge value each time, one that is unique and random. Because the challenge is unique and unpredictable, the resulting hash value is also unique and random, which makes it difficult to guess.

The use of repeated and different challenges limits the time of exposure to any single attack.

PAP vs CHAP

PAP is in clear text. It mostly refers to providing a password to an account. The password goes over the wire. It is vulnerable to sniffing because whoever is listening would know the password.

CHAP, on the other hand, issues a challenge. The password never actually goes over the wire; instead, a question is asked.
