Directory Authentication Protocols
Directory authentication protocols let systems centrally store, look up and verify identities and credentials, typically in enterprise environments where secure and scalable identity management is essential. Of the four protocols below, LDAP and Kerberos work directly against the directory, while RADIUS and TACACS+ are AAA protocols spoken by network devices, which usually hand the credential check to a directory behind them.
| Protocol | Description | Use Case |
|---|---|---|
| LDAP (Lightweight Directory Access Protocol) | A protocol for reading and maintaining distributed directory services over IP networks. Widely used in enterprise environments for centralized authentication (through the bind operation) and directory lookups. Commonly used with Active Directory and OpenLDAP. | Enterprise SSO, directory lookups, centralized authentication |
| Kerberos | A ticket-based authentication protocol that uses symmetric-key cryptography to authenticate users and services to each other without sending passwords over the network. Developed at MIT; the authentication backbone of Microsoft Active Directory. | Secure login, enterprise SSO, identity validation |
| RADIUS (Remote Authentication Dial-In User Service) | A client-server protocol for AAA (Authentication, Authorization, Accounting). Used by ISPs and network devices to authenticate users connecting to the network, giving centralized login for VPNs, Wi-Fi (802.1X/EAP), etc. | Network access control, VPN authentication |
| TACACS+ (Terminal Access Controller Access-Control System Plus) | A Cisco-developed AAA protocol, now published as RFC 8907, for network device administration. Unlike RADIUS it separates authentication, authorization and accounting and can authorize individual commands. Runs over TCP port 49 and obfuscates the whole packet body rather than only the password. | Device administration, granular command authorization |
Let us learn more about LDAP:
RFC: RFC 4511 (the protocol); RFC 4514 defines the string form of DNs and RFC 4515 the string form of search filters
Main Features:
Lightweight protocol for accessing and maintaining directory information
Runs over TCP/IP (commonly on port 389; LDAPS on port 636, or StartTLS upgrading a port 389 connection)
Optimized for read-heavy operations
Hierarchical structure using DN (Distinguished Names)
Widely supported in enterprise applications and systems
Supports user and group queries, authentication info, email directories, etc.
Authentication is the bind operation: a simple bind sends the password itself, so it must run inside TLS; SASL binds (for example GSSAPI with Kerberos) avoid sending the password at all
Search filters assembled from user input must escape *, (, ), \ and NUL as described in RFC 4515, otherwise an attacker can rewrite the filter (LDAP injection)
Use Cases:
Centralized authentication in enterprise environments
Directory lookups for users, groups, devices, or services
Integration with Active Directory or OpenLDAP
Enterprise Single Sign-On (SSO) and role-based access control
Alternative Protocols:
Kerberos – For secure authentication and SSO
RADIUS – For AAA with network access devices
TACACS+ – For device-level admin access and AAA
SCIM – System for Cross-domain Identity Management (a REST/JSON API for provisioning identities between systems, not for authenticating them)
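LDAP searches are driven by filter strings (RFC 4515), and an application that builds those strings from user input is the classic LDAP injection case. As an added example that is not part of the original page: a vulnerable filter builder beside an escaped one, run through a small filter evaluator against a constructed in-memory directory so that it executes without a server. `escape_filter_value`, `search` and the `DIRECTORY` entries are illustrative assumptions; a real application would send the filter to a directory server and should use its client library's escaping helper.

```python
# Added example (not from the page): LDAP search-filter injection and RFC 4515 escaping,
# evaluated against a constructed in-memory directory so it runs without a server.
import re

def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515 section 3):
    '*', '(', ')', '\\' and NUL become backslash plus two hex digits."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in value)

def build_filter_unsafe(username: str) -> str:
    # Vulnerable: user-controlled text is concatenated straight into the filter.
    return '(&(objectClass=person)(uid=%s))' % username

def build_filter_safe(username: str) -> str:
    # Hardened: the same filter with the value escaped.
    return '(&(objectClass=person)(uid=%s))' % escape_filter_value(username)

# --- a minimal filter evaluator, only what is needed to show how the two filters behave ---
def _parse(s, i):
    """Parse one parenthesised filter item starting at s[i]; returns (node, index after it)."""
    if i >= len(s) or s[i] != '(':
        raise ValueError('expected "(" at offset %d' % i)
    i += 1
    if i >= len(s):
        raise ValueError('truncated filter')
    if s[i] in '&|':
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == '(':
            kid, i = _parse(s, i)
            kids.append(kid)
        node = (op, kids)
    elif s[i] == '!':
        node, i = _parse(s, i + 1)
        node = ('!', node)
    else:
        j = s.index('=', i)
        k = s.index(')', j)
        return ('=', s[i:j].lower(), s[j + 1:k]), k + 1
    if i >= len(s) or s[i] != ')':
        raise ValueError('unbalanced filter')
    return node, i + 1

def _unescape(v):
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), v)

def _match(node, entry):
    if node[0] == '&': return all(_match(k, entry) for k in node[1])
    if node[0] == '|': return any(_match(k, entry) for k in node[1])
    if node[0] == '!': return not _match(node[1], entry)
    _, attr, pattern = node
    # An unescaped '*' is a wildcard; an escaped "\2a" is a literal asterisk.
    parts = [re.escape(_unescape(p)) for p in pattern.split('*')]
    rx = re.compile('^' + '.*'.join(parts) + '$', re.IGNORECASE)
    return any(rx.match(v) for v in entry.get(attr, []))

def search(directory, filt):
    """Return the DNs of entries matching filt (attribute names are case-insensitive)."""
    node, end = _parse(filt, 0)
    if end != len(filt):
        raise ValueError('trailing data after filter')
    return sorted(e['dn'][0] for e in directory if _match(node, e))

# Constructed sample directory (keys are lower-cased attribute names).
DIRECTORY = [
    {'dn': ['uid=alice,ou=people,dc=example,dc=com'], 'objectclass': ['person', 'top'], 'uid': ['alice']},
    {'dn': ['uid=bob,ou=people,dc=example,dc=com'], 'objectclass': ['person', 'top'], 'uid': ['bob']},
    {'dn': ['cn=printer1,ou=devices,dc=example,dc=com'], 'objectclass': ['device', 'top'], 'cn': ['printer1']},
]

if __name__ == '__main__':
    injected = '*)(uid=*'   # attacker-supplied "username"
    print(build_filter_unsafe(injected), '->', search(DIRECTORY, build_filter_unsafe(injected)))
    print(build_filter_safe(injected), '->', search(DIRECTORY, build_filter_safe(injected)))
```

With the input `*)(uid=*` the unsafe builder produces `(&(objectClass=person)(uid=*)(uid=*))`, which matches every person; the escaped version looks for a uid that is literally `*)(uid=*` and matches nothing. Other inputs (for example `alice)(|(uid=*`) leave the unsafe filter unbalanced, which a real server rejects with a protocol error, so the dangerous cases are the ones that stay syntactically valid.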
Let us learn more about Kerberos:
RFC: RFC 4120
Main Features:
Secure authentication protocol using a ticket-based system: the Key Distribution Center (KDC) issues a ticket-granting ticket (TGT) at login and a service ticket for each service the client contacts
Relies on symmetric key cryptography (encryption types defined in RFC 3961; the AES types are current, DES and RC4 are deprecated)
Operates over an insecure network without transmitting passwords: the client proves possession of its password-derived key by encrypting a timestamp (pre-authentication) and by decrypting the KDC's reply
Authenticates both users and services (mutual authentication)
Uses port 88 (UDP or TCP); depends on loosely synchronized clocks (typically 5 minutes of allowed skew) and on servers keeping a replay cache of recently seen authenticators
Used extensively in Active Directory environments
Use Cases:
Secure login across enterprise systems
Enterprise Single Sign-On (SSO)
Secure service-to-service authentication
Microsoft Active Directory authentication backbone
Alternative Protocols:
LDAP – For directory queries and account information
RADIUS – For user authentication and authorization over networks
NTLM – Legacy challenge-response protocol (less secure than Kerberos: no mutual authentication and exposed to relay attacks)
SAML / OAuth – For web-based federated identity management
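The ticket flow described above, as an added example that is not part of the original page: a toy model of the AS, TGS and AP exchanges of RFC 4120 with both sides' messages in one process. It is not a Kerberos implementation: the `seal`/`unseal` helpers (an HMAC-SHA256 keystream with an HMAC tag) stand in for the RFC 3961 encryption types, messages are JSON dicts rather than ASN.1, `string_to_key` is a plain PBKDF2 rather than the real string-to-key functions, and the realm, principals, keys and password are constructed.

```python
# Added example (not from the page): toy model of the Kerberos AS / TGS / AP exchanges.
# The "seal" helper is NOT a Kerberos encryption type; it only provides the confidentiality
# plus integrity that the real protocol gets from RFC 3961. All names and keys are constructed.
import hashlib, hmac, json, os, time

SKEW = 300          # allowed clock skew in seconds (assumed; matches common KDC defaults)
TICKET_LIFE = 3600  # ticket lifetime in seconds (assumed)

def string_to_key(password, principal):
    # Long-term key derived from the password; the password itself is never sent anywhere.
    return hashlib.pbkdf2_hmac('sha256', password.encode(), principal.encode(), 10_000, 32)

def _keystream(key, nonce, n):
    return b''.join(hmac.new(key, nonce + i.to_bytes(4, 'big'), 'sha256').digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    """Toy authenticated encryption (encrypt-then-MAC); hex output so it fits inside JSON."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return (nonce + ct + hmac.new(key, nonce + ct, 'sha256').digest()).hex()

def unseal(key, blob_hex):
    blob = bytes.fromhex(blob_hex)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, 'sha256').digest()):
        raise ValueError('integrity check failed: wrong key or tampered message')
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Holds every principal's long-term key and runs the AS and TGS exchanges."""
    def __init__(self, realm, keys):
        self.tgs = 'krbtgt/' + realm
        self.keys = dict(keys)
        self.keys[self.tgs] = os.urandom(32)

    def _ticket(self, cname, sname):
        sk = os.urandom(32)   # fresh session key to be shared by client and service
        return sk, seal(self.keys[sname], {'cname': cname, 'key': sk.hex(),
                                            'expires': time.time() + TICKET_LIFE})

    def as_exchange(self, req):
        ckey = self.keys[req['cname']]
        # Pre-authentication (PA-ENC-TIMESTAMP): a fresh timestamp sealed under the client's key.
        if abs(time.time() - unseal(ckey, req['pa_enc_timestamp'])['ts']) > SKEW:
            raise ValueError('pre-authentication timestamp outside allowed skew')
        sk, tgt = self._ticket(req['cname'], self.tgs)
        return {'tgt': tgt, 'enc_part': seal(ckey, {'key': sk.hex(), 'nonce': req['nonce']})}

    def tgs_exchange(self, req):
        tgt = unseal(self.keys[self.tgs], req['tgt'])
        if tgt['expires'] < time.time():
            raise ValueError('TGT expired')
        sk1 = bytes.fromhex(tgt['key'])
        auth = unseal(sk1, req['authenticator'])
        if auth['cname'] != tgt['cname'] or abs(time.time() - auth['ts']) > SKEW:
            raise ValueError('authenticator does not match TGT')
        sk2, ticket = self._ticket(tgt['cname'], req['sname'])
        return {'ticket': ticket, 'enc_part': seal(sk1, {'key': sk2.hex(), 'nonce': req['nonce']})}

class Service:
    """An application server that knows only its own long-term key."""
    def __init__(self, sname, key):
        self.sname, self.key, self.seen = sname, key, set()   # seen = replay cache

    def ap_exchange(self, req):
        tkt = unseal(self.key, req['ticket'])
        sk = bytes.fromhex(tkt['key'])
        auth = unseal(sk, req['authenticator'])
        if tkt['expires'] < time.time() or auth['cname'] != tkt['cname'] \
                or abs(time.time() - auth['ts']) > SKEW:
            raise ValueError('ticket or authenticator rejected')
        if req['authenticator'] in self.seen:
            raise ValueError('replayed authenticator')
        self.seen.add(req['authenticator'])
        # AP-REP: echoing the timestamp under the session key proves the service holds the ticket key.
        return seal(sk, {'ts': auth['ts']})

def client_login(kdc, service, cname, password):
    """Client flow: AS-REQ/REP, TGS-REQ/REP, AP-REQ/REP with mutual authentication."""
    ckey = string_to_key(password, cname)
    as_rep = kdc.as_exchange({'cname': cname, 'nonce': 1,
                              'pa_enc_timestamp': seal(ckey, {'ts': time.time()})})
    part = unseal(ckey, as_rep['enc_part'])   # without pre-auth, a wrong password would surface here
    if part['nonce'] != 1:
        raise ValueError('AS-REP nonce mismatch')
    sk1 = bytes.fromhex(part['key'])
    tgs_rep = kdc.tgs_exchange({'tgt': as_rep['tgt'], 'sname': service.sname, 'nonce': 2,
                                'authenticator': seal(sk1, {'cname': cname, 'ts': time.time()})})
    sk2 = bytes.fromhex(unseal(sk1, tgs_rep['enc_part'])['key'])
    ts = time.time()
    ap_req = {'ticket': tgs_rep['ticket'], 'authenticator': seal(sk2, {'cname': cname, 'ts': ts})}
    if unseal(sk2, service.ap_exchange(ap_req))['ts'] != ts:
        raise ValueError('service failed mutual authentication')
    return ap_req   # returned so a caller can show that replaying it is rejected

def demo():
    svc_key = os.urandom(32)
    kdc = KDC('EXAMPLE.COM', {'alice': string_to_key('correct horse', 'alice'), 'http/web01': svc_key})
    web = Service('http/web01', svc_key)
    ap_req = client_login(kdc, web, 'alice', 'correct horse')
    results = {'login': True}
    for label, fn in (('replay', lambda: web.ap_exchange(ap_req)),
                      ('wrong_password', lambda: client_login(kdc, web, 'alice', 'wrong'))):
        try:
            fn()
            results[label] = 'accepted'
        except ValueError as e:
            results[label] = 'rejected: ' + str(e)
    return results
```

Running `demo()` exercises the properties listed in the section: the password never leaves `client_login`, the service proves it holds the ticket key through its AP-REP (mutual authentication), a replayed AP-REQ is caught by the replay cache, and a wrong password fails at pre-authentication because the KDC cannot verify the sealed timestamp.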
Let us learn more about RADIUS:
RFC: RFC 2865 (Authentication and Authorization), RFC 2866 (Accounting)
Main Features:
AAA protocol (Authentication, Authorization, Accounting); authentication and authorization are combined in a single Access-Request / Access-Accept exchange
Operates over UDP (default ports: 1812 for auth, 1813 for accounting; older deployments use 1645/1646)
Centralizes user authentication for network access; the RADIUS server usually checks the credentials against a directory such as LDAP or Active Directory
Supports dynamic IP assignment, session tracking, and policy enforcement through attributes such as Framed-IP-Address
Commonly used in ISPs, Wi-Fi networks (802.1X/EAP), and VPNs
Packets are protected only by an MD5-based Response Authenticator keyed with a shared secret, and only the User-Password attribute is hidden; everything else is cleartext, and a weak secret can be guessed offline from captured traffic, so use long random secrets and a protected network or RadSec (RADIUS over TLS, RFC 6614)
Use Cases:
VPN user authentication
Wi-Fi login with central credential validation
ISP subscriber management
Network access control for switches and firewalls
Alternative Protocols:
TACACS+ – More control over authorization; used for device administration in enterprise environments
Kerberos – For secure ticket-based authentication
LDAP – For directory-based user lookup and authentication
Diameter (RFC 6733) – A more extensible successor to RADIUS, used mainly in telecom core networks
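The password hiding and Response Authenticator mentioned above, as an added example that is not part of the original page, written from RFC 2865 sections 3 and 5.2: a NAS builds an Access-Request, a minimal server recovers the password and answers, the NAS verifies the reply, and `crack_secret` shows why the shared secret has to be long and random (with one captured Access-Request for a known password, the secret is the only unknown). The secret, user, NAS address and candidate wordlist are constructed; sending the packets over UDP port 1812 is left out so the block runs offline.

```python
# Added example (not from the page): RFC 2865 Access-Request / Access-Accept handling in pure
# Python. Shared secret, user, NAS address and wordlist are constructed for illustration.
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def hide_password(secret, request_auth, password):
    """RFC 2865 5.2: pad to 16-octet blocks; block i is XORed with MD5(secret + previous block),
    where the 'previous block' for the first one is the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError('User-Password must be 1..128 octets')
    padded = password + b'\x00' * (-len(password) % 16)
    out, prev = b'', request_auth
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(secret, request_auth, hidden):
    out, prev = b'', request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b'\x00')

def attr(t, value):
    return struct.pack('!BB', t, len(value) + 2) + value

def parse_attrs(data):
    out, i = [], 0
    while i < len(data):
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError('malformed attribute')
        out.append((t, data[i + 2:i + l]))
        i += l
    return out

def build_access_request(secret, ident, username, password, nas_ip=b'\x0a\x00\x00\x01'):
    ra = os.urandom(16)   # Request Authenticator: must be unpredictable and never reused
    attrs = (attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(secret, ra, password))
             + attr(NAS_IP_ADDRESS, nas_ip))
    return struct.pack('!BBH', ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs

def response_authenticator(secret, code, ident, request_auth, attrs=b''):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack('!BBH', code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()

def build_response(secret, code, request, attrs=b''):
    ident, ra = request[1], request[4:20]
    head = struct.pack('!BBH', code, ident, 20 + len(attrs))
    return head + response_authenticator(secret, code, ident, ra, attrs) + attrs

def verify_response(secret, request, response):
    """NAS side: accept a reply only if ID and Response Authenticator match the outstanding request."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack('!H', response[2:4])[0] != len(response):
        return False
    expected = response_authenticator(secret, response[0], response[1], request[4:20], response[20:])
    return hmac.compare_digest(expected, response[4:20])

def server_handle(secret, users, request):
    """Minimal server: recover the password, compare it, answer Accept or Reject."""
    code, ident, length = struct.unpack('!BBH', request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError('not a well-formed Access-Request')
    a = dict(parse_attrs(request[20:]))
    given = reveal_password(secret, request[4:20], a.get(USER_PASSWORD, b''))
    expected = users.get(a.get(USER_NAME))
    ok = expected is not None and hmac.compare_digest(expected, given)
    return build_response(secret, ACCESS_ACCEPT if ok else ACCESS_REJECT, request)

def crack_secret(candidates, request, known_password):
    """Offline guessing: the shared secret is the only unknown in hide_password() once the
    Request Authenticator, the hidden attribute and the plaintext password are known."""
    hidden = dict(parse_attrs(request[20:]))[USER_PASSWORD]
    return next((s for s in candidates if reveal_password(s, request[4:20], hidden) == known_password), None)

def demo():
    secret = b'testing123'   # constructed, deliberately weak shared secret
    req = build_access_request(secret, 7, b'alice', b'S3cret!')
    resp = server_handle(secret, {b'alice': b'S3cret!'}, req)
    forged = build_response(b'guess', ACCESS_ACCEPT, req)   # spoofed Accept from someone without the secret
    return {'accepted': resp[0] == ACCESS_ACCEPT and verify_response(secret, req, resp),
            'forged_accepted': verify_response(secret, req, forged),
            'cracked_secret': crack_secret([b'secret', b'radius', b'testing123'], req, b'S3cret!')}
```

The forged Accept is rejected only because the NAS checks the Response Authenticator; a NAS that skips that check accepts any spoofed reply carrying the right Identifier. The cracking step is why the section recommends RadSec or an isolated management network: the MD5 scheme gives no protection against an attacker who can see packets and guess a short secret.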
Let us learn more about TACACS+:
RFC: RFC 8907 (Informational, 2020); originally Cisco proprietary and for many years documented only in an expired IETF draft
Main Features:
AAA protocol focused on device administration
Obfuscates the entire packet body (the 12-byte header stays in cleartext) with an MD5-derived pad keyed by the shared secret, whereas RADIUS hides only the password; RFC 8907 itself calls this obfuscation rather than encryption and expects deployments to add a protected network or secure transport
Offers granular command-level authorization: the device sends each command to the server for approval, and the server decides per user and privilege level
Uses TCP (typically port 49)
Separates Authentication, Authorization, and Accounting into distinct packet types and sessions
Use Cases:
Centralized login for administrators on network devices
Command-level access control for routers, switches, firewalls
Secure auditing of administrative access
Enterprise access management for infrastructure
Alternative Protocols:
RADIUS – For centralized AAA on end-user access systems
LDAP – For authentication integrated with user directories
Kerberos – For secure authentication across applications
Local device credentials – Fallback in environments without centralized control, or when the AAA server is unreachable
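The command authorization exchange above, as an added example that is not part of the original page: the RFC 8907 header, the section 4.5 body obfuscation, and an authorization REQUEST/RESPONSE pair in which a device asks whether a user may run a shell command. The key, users, `POLICY` rules, port name and addresses are constructed, and the policy language (prefix match on the reconstructed command line) is an assumption of this example, not something RFC 8907 specifies.

```python
# Added example (not from the page): TACACS+ (RFC 8907) authorization round trip in pure Python.
# Key, users, POLICY, port and addresses are constructed; the TCP transport is left out.
import hashlib, struct

HEADER = struct.Struct('!BBBBII')      # version, type, seq_no, flags, session_id, length
VERSION = 0xc0                         # major version 0xc, minor version 0
TAC_PLUS_AUTHOR = 0x02
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
PASS_ADD, FAIL = 0x01, 0x10            # TAC_PLUS_AUTHOR_STATUS_PASS_ADD / _FAIL

def pseudo_pad(key, session_id, version, seq_no, length):
    """RFC 8907 4.5: MD5_1 = MD5(session_id, key, version, seq_no); MD5_n also feeds in MD5_{n-1}."""
    seed = struct.pack('!I', session_id) + key + bytes([version, seq_no])
    pad = prev = b''
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(key, session_id, version, seq_no, body):
    """XOR with the pseudo pad; the same call de-obfuscates. Note: no integrity protection."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(key, session_id, version, seq_no, len(body))))

def build_packet(key, ptype, seq_no, session_id, body, version=VERSION):
    header = HEADER.pack(version, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(key, session_id, version, seq_no, body)

def parse_packet(key, data):
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(data[:HEADER.size])
    if length != len(data) - HEADER.size:
        raise ValueError('length field does not match packet')
    body = data[HEADER.size:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(key, session_id, version, seq_no, body)
    return {'version': version, 'type': ptype, 'seq_no': seq_no, 'session_id': session_id, 'body': body}

def author_request(user, port, rem_addr, args, priv_lvl=15):
    """RFC 8907 6.1 authorization REQUEST (authen_method=TACACSPLUS, authen_type=ASCII, service=LOGIN)."""
    enc = [a.encode() for a in args]
    fixed = struct.pack('!8B', 0x06, priv_lvl, 0x01, 0x01, len(user), len(port), len(rem_addr), len(enc))
    return fixed + bytes(map(len, enc)) + user.encode() + port.encode() + rem_addr.encode() + b''.join(enc)

def parse_author_request(body):
    _, priv_lvl, _, _, ul, pl, rl, n = struct.unpack('!8B', body[:8])
    lens, i, fields = body[8:8 + n], 8 + n, []
    for l in (ul, pl, rl, *lens):
        fields.append(body[i:i + l].decode())
        i += l
    user, port, rem_addr, *args = fields
    return {'user': user, 'priv_lvl': priv_lvl, 'port': port, 'rem_addr': rem_addr,
            'args': [tuple((a.split('=', 1) + [''])[:2]) for a in args]}

def author_response(status, server_msg=b'', data=b'', args=()):
    """RFC 8907 6.2 authorization RESPONSE body."""
    enc = [a.encode() for a in args]
    return (struct.pack('!BBHH', status, len(enc), len(server_msg), len(data))
            + bytes(map(len, enc)) + server_msg + data + b''.join(enc))

def parse_author_response(body):
    status, n, sl, _ = struct.unpack('!BBHH', body[:6])
    return status, body[6 + n:6 + n + sl]

POLICY = {'alice': ['show ', 'ping '],                         # constructed per-user prefix rules
          'bob': ['show ', 'configure terminal', 'interface ']}

def server_handle(key, packet):
    """Server side: de-obfuscate, rebuild the command line, decide per user, reply in-session."""
    pkt = parse_packet(key, packet)
    if pkt['type'] != TAC_PLUS_AUTHOR:
        raise ValueError('expected an authorization packet')
    req = parse_author_request(pkt['body'])
    words = [v for k, v in req['args'] if k == 'cmd'] + [v for k, v in req['args'] if k == 'cmd-arg']
    command = ' '.join(words)
    allowed = any((command + ' ').startswith(rule) for rule in POLICY.get(req['user'], []))
    body = author_response(PASS_ADD if allowed else FAIL, b'' if allowed else b'command not permitted')
    return build_packet(key, TAC_PLUS_AUTHOR, pkt['seq_no'] + 1, pkt['session_id'], body, pkt['version'])

def nas_authorize(key, session_id, user, cmd, cmd_args=()):
    """NAS side: seq_no 1 carries the REQUEST; the RESPONSE must come back as seq_no 2 of the same session."""
    args = ['service=shell', 'cmd=' + cmd] + ['cmd-arg=' + a for a in cmd_args]
    request = build_packet(key, TAC_PLUS_AUTHOR, 1, session_id,
                           author_request(user, 'tty1', '10.0.0.5', args))
    reply = parse_packet(key, server_handle(key, request))
    if reply['seq_no'] != 2 or reply['session_id'] != session_id:
        raise ValueError('reply does not belong to this session')
    status, msg = parse_author_response(reply['body'])
    return status == PASS_ADD
```

Each authorization session uses a fresh `session_id`, so the pad differs per session and per `seq_no`; a wrong key on either side yields an undecodable body rather than an error message, which is what a misconfigured shared secret looks like in practice. Because the XOR pad carries no integrity check, an on-path attacker who can flip bits can also flip the status byte in a RESPONSE, which is the reason the section recommends a protected transport.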