Directory Authentication Protocols
====================================

.. toctree::
   :maxdepth: 1
   :hidden:
   :includehidden:

   LDAP
   Kerberos
   RADIUS
   TACACS+

Directory authentication protocols allow systems to centrally manage and verify user credentials, typically in enterprise environments where secure and scalable identity management is essential.

.. list-table::
   :widths: 20 60 20
   :header-rows: 1

   * - Protocol
     - Description
     - Use Case
   * - LDAP (Lightweight Directory Access Protocol)
     - A lightweight protocol used to access and maintain distributed directory services over IP networks. LDAP is widely used in enterprise environments for centralized authentication and directory lookups. *Commonly used with Active Directory and OpenLDAP.*
     - Enterprise SSO, directory lookups, centralized authentication
   * - Kerberos
     - A secure ticket-based authentication protocol that uses symmetric key cryptography to validate users and services. Developed at MIT, it is used to provide strong authentication across insecure networks. *Used heavily in Microsoft Active Directory.*
     - Secure login, enterprise SSO, identity validation
   * - RADIUS (Remote Authentication Dial-In User Service)
     - A client-server protocol used for AAA (Authentication, Authorization, Accounting). Often used by ISPs and network devices to authenticate users connecting to the network. *Supports centralized login for VPNs, WiFi, etc.*
     - Network access control, VPN authentication
   * - TACACS+ (Terminal Access Controller Access-Control System Plus)
     - A Cisco-developed protocol used for centralized AAA functions in networking environments. Unlike RADIUS, it separates authentication, authorization, and accounting. *Secure communication over TCP, commonly used in Cisco environments.*
     - Device administration, granular command authorization

.. tab-set::

   .. tab-item:: LDAP (Lightweight Directory Access Protocol)

      **RFC:** RFC 4511

      **Main Features:**

      - Lightweight protocol for accessing and maintaining directory information
      - Runs over TCP/IP (commonly on port 389)
      - Optimized for read-heavy operations
      - Hierarchical structure using DN (Distinguished Names)
      - Widely supported in enterprise applications and systems
      - Supports user and group queries, authentication info, email directories, etc.

      **Use Cases:**

      - Centralized authentication in enterprise environments
      - Directory lookups for users, groups, devices, or services
      - Integration with Active Directory or OpenLDAP
      - Enterprise Single Sign-On (SSO) and role-based access control

      **Alternative Protocols:**

      - Kerberos – For secure authentication and SSO
      - RADIUS – For AAA with network access devices
      - TACACS+ – For device-level admin access and AAA
      - SCIM – System for Cross-domain Identity Management (modern identity APIs)

      .. panels::
         :container: container pb-4
         :column: col-lg-12 p-2
         :card:

         What You Will Learn in This Section
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

         **Let us learn more about LDAP:**

         * :ref:`Learnings in this section `
         * :ref:`Terminology `
         * :ref:`Version Info `
         * :ref:`LDAP Version&IEEE Details `
         * :ref:`LDAP Basic Setup on Ubuntu using IPv4 `
         * :ref:`LDAP Basic Setup on Ubuntu using IPv6 `
         * :ref:`LDAP Protocol Packet Details `
         * :ref:`LDAP Usecases `
         * :ref:`LDAP Basic Features `
         * :ref:`LDAP Feature : Hierarchical Structure `
         * :ref:`LDAP Feature : Standard Protocol `
         * :ref:`LDAP Feature : Centralized Authentication `
         * :ref:`LDAP Feature : Scalability `
         * :ref:`LDAP Feature : Flexible Schema `
         * :ref:`LDAP Feature : Access Control `
         * :ref:`LDAP Feature : Replication `
         * :ref:`LDAP Feature : Search Capabilities `
         * :ref:`Reference links `

      .. button-link:: ./LDAP.html
         :color: primary
         :shadow:
         :expand:

         Jump to "LDAP"

.. tab-set::

   .. tab-item:: Kerberos

      **RFC:** RFC 4120

      **Main Features:**

      - Secure authentication protocol using a ticket-based system
      - Relies on symmetric key cryptography
      - Operates over an insecure network without transmitting passwords
      - Authenticates both users and services (mutual authentication)
      - Used extensively in Active Directory environments

      **Use Cases:**

      - Secure login across enterprise systems
      - Enterprise Single Sign-On (SSO)
      - Secure service-to-service authentication
      - Microsoft Active Directory authentication backbone

      **Alternative Protocols:**

      - LDAP – For directory queries and account information
      - RADIUS – For user authentication and authorization over networks
      - NTLM – Legacy authentication protocol (less secure than Kerberos)
      - SAML / OAuth – For web-based federated identity management

      .. panels::
         :container: container pb-4
         :column: col-lg-12 p-2
         :card:

         What You Will Learn in This Section
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

         **Let us learn more about Kerberos:**

         * :ref:`Learnings in this section `
         * :ref:`Terminology `
         * :ref:`Version Info `
         * :ref:`Kerberos FAQs `
         * :ref:`Kerberos Version&IEEE Details `
         * :ref:`Kerberos Basic Setup on Ubuntu using IPv4 `
         * :ref:`Kerberos Basic Setup on Ubuntu using IPv6 `
         * :ref:`Kerberos Protocol Packet Details `
         * :ref:`Kerberos Usecases `
         * :ref:`Kerberos Basic Features `
         * :ref:`Reference links `

      .. button-link:: ./Kerberos.html
         :color: primary
         :shadow:
         :expand:

         Jump to "Kerberos"

.. tab-set::

   .. tab-item:: RADIUS (Remote Authentication Dial-In User Service)

      **RFC:** RFC 2865 (Authentication and Authorization), RFC 2866 (Accounting)

      **Main Features:**

      - AAA protocol (Authentication, Authorization, Accounting)
      - Operates over UDP (default ports: 1812 for authentication, 1813 for accounting)
      - Centralizes user authentication for network access
      - Supports dynamic IP assignment, session tracking, and policy enforcement
      - Commonly used in ISPs, Wi-Fi networks, and VPNs

      **Use Cases:**

      - VPN user authentication
      - Wi-Fi login with central credential validation
      - ISP subscriber management
      - Network access control for switches and firewalls

      **Alternative Protocols:**

      - TACACS+ – More control over authorization; used in enterprise environments
      - Kerberos – For secure ticket-based authentication
      - LDAP – For directory-based user lookup and authentication
      - Diameter – A modern, more extensible replacement for RADIUS

      .. panels::
         :container: container pb-4
         :column: col-lg-12 p-2
         :card:

         What You Will Learn in This Section
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

         **Let us learn more about RADIUS:**

         * :ref:`Learnings in this section `
         * :ref:`Terminology `
         * :ref:`Version Info `
         * :ref:`RADIUS FAQs `
         * :ref:`RADIUS Version&IEEE Details `
         * :ref:`RADIUS Basic Setup on Ubuntu using IPv4 `
         * :ref:`RADIUS Basic Setup on Ubuntu using IPv6 `
         * :ref:`RADIUS Protocol Packet Details `
         * :ref:`RADIUS Usecases `
         * :ref:`RADIUS Basic Features `
         * :ref:`Reference links `

      .. button-link:: ./RADIUS.html
         :color: primary
         :shadow:
         :expand:

         Jump to "RADIUS"

.. tab-set::

   .. tab-item:: TACACS+ (Terminal Access Controller Access-Control System Plus)

      **RFC:** Informational – Cisco proprietary (documented in IETF drafts)

      **Main Features:**

      - AAA protocol focused on device administration
      - Encrypts the entire packet body (unlike RADIUS, which only obscures the password attribute)
      - Offers granular command-level authorization
      - Uses TCP (typically port 49)
      - Separates Authentication, Authorization, and Accounting into distinct functions

      **Use Cases:**

      - Centralized login for administrators on network devices
      - Command-level access control for routers, switches, and firewalls
      - Secure auditing of administrative access
      - Enterprise access management for infrastructure

      **Alternative Protocols:**

      - RADIUS – For centralized AAA on end-user access systems
      - LDAP – For authentication integrated with user directories
      - Kerberos – For secure authentication across applications
      - Local device credentials – In environments without centralized control

      .. panels::
         :container: container pb-4
         :column: col-lg-12 p-2
         :card:

         What You Will Learn in This Section
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

         **Let us learn more about TACACS+:**

         * :ref:`Learnings in this section `
         * :ref:`Terminology `
         * :ref:`Version Info `
         * :ref:`TACACS+ FAQs `
         * :ref:`TACACS+ Version&IEEE Details `
         * :ref:`TACACS+ Basic Setup on Ubuntu using IPv4 `
         * :ref:`TACACS+ Basic Setup on Ubuntu using IPv6 `
         * :ref:`TACACS+ Protocol Packet Details `
         * :ref:`TACACS+ Usecases `
         * :ref:`TACACS+ Basic Features `
         * :ref:`Reference links `

      .. button-link:: ./TACACS+.html
         :color: primary
         :shadow:
         :expand:

         Jump to "TACACS+"