When we speak of identity authentication, we think of AAA. AAA stands for Authentication, Authorization and Accounting. Its main purpose is to control which users can access the server, which services an authorized user may obtain, and how users consuming network resources are charged.
1. Authentication: verifies whether the user may be granted access: "Who are you?"
2. Authorization: determines which resources an authenticated user may use: "What can you do?"
3. Accounting: records the user's consumption of network resources: "What have you done?"
Authentication refers to the process of verifying the identity of an end user or a device (a PC, a router). Authorization refers to the process of granting access permissions to users, user groups or specific systems; authorization and accounting are performed after authentication. Authentication of a device or client can be done locally (a local user database) or by a trusted third party. The following protocols are covered here:
1. The S/Key one-time password system is a one-time password generation scheme based on MD4 and MD5. It can comprehensively verify the identity of the visitor and of the device. The S/Key protocol follows the client/server model: the client can be any device, such as an ordinary PC or a mobile phone with mobile-commerce functions, while the server generally runs a Unix system.
2. The PPP authentication protocols include PAP, CHAP and EAP.
PAP (Password Authentication Protocol) provides a simple two-way handshake by which the peer establishes its identity to the authenticator.
PAP is not a strong authentication method. The password is sent over the link in plaintext, and authentication is performed only once, at link establishment. It cannot prevent replay attacks or trial-and-error attacks, and the peer controls the frequency and timing of the attempts.
CHAP (Challenge-Handshake Authentication Protocol) is an encrypted authentication method that prevents the user's real password from being transmitted when a connection is established. The NAS sends a challenge to the remote user consisting of a session ID and an arbitrary challenge string. The remote client must return its user name together with an MD5 one-way hash computed over the session ID, the user's password and the challenge string. The user name is sent unhashed.
CHAP improves on PAP: instead of sending the plaintext password over the link, it hashes the password together with the challenge. Because the server holds the client's plaintext password, it can repeat the computation performed by the client and compare the result with the value the client returned. CHAP generates a new challenge string for every verification, which prevents replay attacks. Throughout the connection, CHAP repeatedly re-sends challenges to the client at random intervals to prevent impersonation of the remote client by a third party.
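The challenge/response exchange described above, as an added Python example (not code from the original post): the peer hashes Identifier || secret || Challenge with MD5 as specified for MD5-CHAP in RFC 1994, the authenticator recomputes the hash from its stored plaintext secret, and a response captured from one exchange fails against a fresh challenge. The user name and password are constructed sample values.

```python
import hashlib
import os
import secrets

# Constructed example: the authenticator (NAS) and the peer share this secret out of band.
USER_DB = {"alice": b"correct horse battery staple"}

def make_challenge(length: int = 16) -> tuple[int, bytes]:
    """Authenticator side: a fresh identifier and random challenge for every verification."""
    identifier = secrets.randbelow(256)          # 8-bit CHAP Identifier field
    return identifier, os.urandom(length)

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side (RFC 1994, MD5-CHAP): MD5(Identifier || secret || Challenge).
    Only the 16-byte digest travels over the link; the secret itself never does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def verify(name: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: repeat the peer's computation with the stored plaintext
    secret and compare in constant time."""
    secret = USER_DB.get(name)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return secrets.compare_digest(expected, response)

def replay_demo() -> tuple[bool, bool]:
    """Why a fresh challenge defeats replay: returns (genuine verified, replay verified)."""
    ident, chal = make_challenge()
    captured = chap_response(ident, USER_DB["alice"], chal)  # what an eavesdropper sees
    genuine = verify("alice", ident, chal, captured)           # True
    ident2, chal2 = make_challenge()                           # authenticator re-challenges
    replayed = verify("alice", ident2, chal2, captured)        # old response no longer matches
    return genuine, replayed

if __name__ == "__main__":
    print("genuine=%s replayed=%s" % replay_demo())
```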
Eap:
Protocols used by the authentication mechanism:
1. TACACS+ provides independent authentication, authorization and accounting services. Whereas RADIUS combines authentication and authorization in the user profile, TACACS+ separates the two operations. Another difference is that TACACS+ uses the Transmission Control Protocol (TCP) while RADIUS uses the User Datagram Protocol (UDP); most administrators recommend TACACS+ because TCP is considered the more reliable transport. The TACACS+ protocol extensions provide more authentication request types and more response codes. TACACS+ uses TCP port 49 and consists of three independent protocols which can, if necessary, be implemented on separate servers. TACACS+ supports multiple network protocols, such as IP and AppleTalk. Normally the entire packet body is encrypted, which provides more secure communication. TACACS+ is Cisco's proprietary improvement of the original TACACS protocol.
Authentication uses three packet types:
1. START is always sent by the client.
2. CONTINUE is always sent by the client.
3. REPLY is always sent by the server and carries one of three results: ACCEPT, REJECT or ERROR.
Process: the client first sends an authentication START message. If, after receiving it, the server decides that authentication is not yet complete, it sends a REPLY message and the client answers with a CONTINUE message.
1. The user initiates a PPP request to the NAS.
2. The NAS sends a START packet to the TACACS+ server.
3. The TACACS+ server sends a GETUSER message to the NAS, prompting for the user's password (PAP) or CHAP response.
4. The NAS forwards the prompt to the remote PC.
5. The PC responds to the NAS.
6. The NAS sends the encrypted packet to the TACACS+ server.
7. The TACACS+ server responds to the NAS with the authentication result.
8. The NAS and the TACACS+ server exchange authorization information.
9. The NAS takes action based on the authorization.
2. RADIUS protocol
RADIUS is a client/server protocol. Its client was originally a NAS (Network Access Server); now any computer running RADIUS client software can act as a RADIUS client. The RADIUS authentication mechanism is flexible and supports multiple methods, such as PAP, CHAP and Unix login authentication. RADIUS is an extensible protocol: all of its work is based on Attribute-Length-Value vectors, and it also allows vendors to add their own vendor-specific attributes.
RADIUS uses UDP as its transport protocol, and the traffic between the RADIUS client and the RADIUS server is not encrypted.
3. Kerberos protocol
Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications by means of a key system. The authentication process does not depend on the host operating system's own authentication, does not require trust based on host addresses, and does not assume the physical security of all hosts on the network; it assumes instead that packets travelling over the network can be read, modified and inserted at will. Under these conditions Kerberos, as a trusted third-party authentication service, performs authentication using conventional cryptographic techniques, namely shared secret keys. The authentication process is as follows: the client sends a request to the authentication server (AS) for credentials for a given server, and the AS responds with the credentials encrypted under the client's key. The credentials consist of (1) a "ticket" for the server and (2) a temporary encryption key, also called the "session key". The client transmits the ticket, which contains the client's identity and a copy of the session key encrypted under the server's key, to the server. The session key is now shared by the client and the server. It is used to authenticate the client or the server, and can also be used to encrypt subsequent communication between the two parties, or to exchange a separate sub-session key that protects further communication between them.
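The AS exchange described above, as an added Python example (not the post's code and not a real Kerberos implementation): a toy HMAC-SHA256-based authenticated encryption stands in for Kerberos' symmetric cipher, the principal names and long-term keys are constructed, and the point is the structure of the credentials: the ticket can be opened only with the server's key, while the session key reaches both parties without the server ever talking to the AS.

```python
import hashlib
import hmac
import json
import os

# Toy authenticated encryption (HMAC-SHA256 keystream + HMAC tag). It stands in for the
# symmetric cipher Kerberos uses; the structure of the exchange is the point, not the cipher.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def seal(key: bytes, obj: dict) -> bytes:
    nonce = os.urandom(16)
    plaintext = json.dumps(obj).encode()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))

# Constructed key database held by the AS: one long-term key per principal.
KEYS = {"alice": b"alice-long-term-key", "fileserver": b"fileserver-long-term-key"}

def as_exchange(client: str, server: str) -> bytes:
    """AS: credentials = {ticket, session key} under the client's key;
    the ticket = {client identity, session key} is under the server's key."""
    session_key = os.urandom(16).hex()
    ticket = seal(KEYS[server], {"client": client, "session_key": session_key})
    return seal(KEYS[client], {"server": server, "ticket": ticket.hex(), "session_key": session_key})

def client_receives(client_key: bytes, credentials: bytes) -> tuple[str, bytes]:
    """Client: recover the session key and the (still opaque) ticket to forward to the server."""
    creds = unseal(client_key, credentials)
    return creds["session_key"], bytes.fromhex(creds["ticket"])

def server_receives(server_key: bytes, ticket: bytes) -> tuple[str, str]:
    """Server: open the ticket with its own key; learns the client identity and session key."""
    t = unseal(server_key, ticket)
    return t["client"], t["session_key"]

def can_open(key: bytes, blob: bytes) -> bool:
    """True if this key opens the blob (e.g. the client's key must NOT open the ticket)."""
    try:
        unseal(key, blob)
        return True
    except ValueError:
        return False
```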
This article is from the Cisco network blog; please be sure to keep this source: http://liangrui.blog.51cto.com/1510945/525028