As one of the most important parts of the authentication network, the authentication server is responsible for verifying users' login information, usually a combination of username and password. It can be said that the authentication server is the most important barrier keeping illegal users out. In this article, the most widely used authentication servers, namely RADIUS, LDAP, HWTACACS, and TACACS+, will be discussed.
Figure 1: Authentication protocol selection
RADIUS
RADIUS is a standard protocol that uses UDP port 1812 for authentication and authorization, and UDP port 1813 for accounting. As the most widely used authentication protocol, the greatest advantage of RADIUS is its standardization. RADIUS is standardized in RFC 2865, just as OSPF is defined by its RFC: the RFC document restricts vendors to a unified communication mechanism when implementing the protocol, so that RADIUS can be used between devices from various vendors. In other words, users are able to choose between different vendors, rather than being bound to a specific vendor.
RADIUS uses a TLV (type, length, value) packet structure to carry information. For example, RADIUS uses the attribute User-Name, whose length ranges from 1 byte to 253 bytes, to deliver the login user's account. Because of this TLV structure, RADIUS provides flexible packet encapsulation that allows vendors to extend the protocol themselves. For example, Huawei extends the standard RADIUS attribute Vendor-Specific to deliver more private information, such as HW-Policy-Route, which specifies the next-hop address for policy-based routing.
Figure 2: The RADIUS attributes
As introduced above, RADIUS uses UDP 1812 for both authentication and authorization; in other words, RADIUS is not able to implement authorization and authentication on different servers, which is totally different from HWTACACS or TACACS+.
Despite the advantages of RADIUS, its greatest disadvantage is that only the password field in the packet is encrypted, which could lead to leakage of the user's information.
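As an added example (not code from the original article), the TLV layout described in the attributes section and the password-only protection noted above, in Python: attributes are encoded and parsed as Type/Length/Value, a Vendor-Specific attribute wraps a vendor sub-TLV, and User-Password is hidden with the RFC 2865 MD5 keystream while User-Name goes out in cleartext. The vendor-id 2011 is Huawei's IANA enterprise number; the sub-type 99, its value, the shared secret and the authenticator are constructed placeholders.

```python
import hashlib
import struct
def encode_attr(attr_type, value):
    # One RADIUS TLV: 1-byte Type, 1-byte Length (header included), 1..253-byte Value.
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def encode_vsa(vendor_id, vendor_type, value):
    # Vendor-Specific (type 26): 4-byte Vendor-Id followed by the vendor's own TLV.
    return encode_attr(26, struct.pack("!I", vendor_id) + encode_attr(vendor_type, value))

def hide_password(password, secret, authenticator):
    # RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous output block).
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    # Server side: same keystream, but the previous *hidden* block feeds the next digest.
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def decode_attrs(data):
    # Walk the attribute list; a VSA comes back as (26, vendor_id, vendor_type, value).
    attrs, pos = [], 0
    while pos < len(data):
        attr_type, length = struct.unpack("!BB", data[pos:pos + 2])
        if length < 3 or pos + length > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = data[pos + 2:pos + length]
        if attr_type == 26:
            vendor_id, vtype, vlen = struct.unpack("!IBB", value[:6])
            attrs.append((26, vendor_id, vtype, value[6:4 + vlen]))
        else:
            attrs.append((attr_type, value))
        pos += length
    return attrs

def access_request_attrs(username, password, secret, authenticator):
    # User-Name (1) is cleartext, only User-Password (2) is hidden; VSA: Huawei vendor-id 2011, constructed sub-type 99.
    return (encode_attr(1, username) + encode_attr(2, hide_password(password, secret, authenticator))
            + encode_vsa(2011, 99, b"10.0.0.1"))
```

Running decode_attrs over the output shows the username and the vendor attribute readable as-is on the wire, with only the 16-byte hidden password block differing from the input.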
LDAP
Before discussing LDAP authentication, we'll first introduce LDAP.
LDAP, short for Lightweight Directory Access Protocol, is an open, standard, cross-platform application protocol used to maintain distributed directory information services. It is transmitted through HTTPS. The LDAP server that stores the data is quite different from a traditional database: instead of a table, the LDAP server stores the data in a tree structure, similar to the MIB and OID. Simply put, the DN (distinguished name) marks the entrance of the query operation. When the DN is specified, the LDAP server will search the LDAP database according to the OU (organizational unit) to get the wanted data.
Figure 3: LDAP directory tree structure
With this kind of storage, data querying can be much faster than in other databases. On the contrary, data insertion is not a strength of the LDAP server; in practice, however, data insertion is not a key metric that the authentication service requires.
The same as RADIUS, LDAP is also a standard protocol. On the other hand, since LDAP is based on HTTPS, the transferred data can be encrypted, and this makes LDAP much safer than RADIUS.
When using an LDAP server for authentication, the network device delivers the username and password to the LDAP server, and the server searches the LDAP directory tree for verification.
HWTACACS
HWTACACS is a private authentication protocol released by Huawei. Unlike RADIUS, HWTACACS separates authentication and authorization, which means authentication, authorization, and accounting can be implemented on different servers. But the private protocol limits other vendors and manufacturers from using it. On the other hand, HWTACACS supports command recording, which records the executed commands on the HWTACACS server for accounting.
TACACS+
As one of the most important vendors, Cisco optimized its TACACS and published TACACS+. TACACS+ is a private authentication protocol that uses TCP port 49 for transmission. The most important disadvantage of this protocol is its proprietary nature, which means it cannot be used by other vendors and manufacturers. The same as HWTACACS, TACACS+ also provides independent authentication, authorization, and accounting.
If you have other questions about Huawei or Cisco switches, you can contact our support at supports@thunder-link.com.