Access Control Administration
Access control administration can be done in two ways.
Centralized Access Control
- Here one entity (dept or an individual) is responsible for overseeing access to all corporate resources.
- This type of administration provides a consistent and uniform method of controlling users access rights.
- Example: RADIUS, TACACS and Diameter
- It is a c/s authentication protocol that authenticates and authorizes remote users.
- The access server houses the users credentials
- It is an open standard protocol developed by Livingston enterprises.
- TACACS has been through three generations: TACACS, Extended TACACS (XTACACS), and TACACS+.
- TACACS combines its authentication and authorization processes,
- XTACACS separates authentication, authorization, and auditing processes and
- TACACS+ is XTACACS with extended two-factor user authentication.
- TACACS uses fixed passwords for authentication and TACACS+ allows users to use dynamic (one-time) passwords, which provides more protection.
- TACACS+ provides basically the same functionality as RADIUS with a few differences in some of its characteristics.
- TACACS+ uses TCP as its transport protocol, while RADIUS uses UDP.
- RADIUS encrypts the user's password only as it is being transmitted from the RADIUS client to the RADIUS server. Other information, as in the username, accounting, and authorized services, is passed in clear text. This is an open invitation for attackers to capture session information for replay attacks. TACACS+ encrypts all of this data and thus does not have the vulnerabilities that are inherent in the RADIUS protocol
- The RADIUS protocol combines the authentication and authorization functionality whereas TACACS+ uses a true AAA architecture, which separates the authentication, authorization, and accounting functionalities thus giving the ability to authenticate remote users. TACACS+ also enables to define more granular user profiles, which can control the actual commands that users can carry out
Note: RADIUS is the appropriate protocol when simplistic username/password authentication can take place and users only need an Accept or Deny for obtaining access, as in ISPs. TACACS+ is the better choice for environments that require more sophisticated authentication steps and tighter control over more complex authorization activities, as in corporate networks
- Diameter is a protocol that has been developed to build upon the functionality of RADIUS and overcome many of its limitations. The creator of this protocol decided to call it Diameter as a play on the term RADIUS, as in the diameter is twice the radius.
- Diameter is another AAA protocol that provides the same type of functionality as RADIUS and TACACS+ but also provides more flexibility and capabilities to meet the new demands of today's complex and diverse networks where we want our wireless devices and smart phones to be able to authenticate themselves to our networks and we use roaming protocols, Mobile IP, PPPoE and etc.
- Diameter provides a base protocol, which defines header formats, security options, commands, and AVPs (Attribute Value Pairs). This base protocol allows for extensions to tie in other services, such as VoIP, FoIP, Mobile IP, wireless, and cell phone authentication. So Diameter can be used as an AAA protocol for all of these different uses.
- RADIUS and TACACS+ are client/server protocols, which mean that the server portion cannot send unsolicited commands to the client portion. The server portion can only speak when spoken to. Diameter is a peer-based protocol that allows either end to
- This functionality allows the Diameter server to send a message to the access server to request the user to provide another authentication credential if she is attempting to access a secure resource.
- This functionality also allows the Diameter server to disconnect the user if necessary for one reason or another.
- Diameter is backward compatible with RADIUS, uses UDP and AVPs, and provides proxy server support.
- It has better error detection and correction functionality and failover properties than RADIUS, thus provides better network resilience.
- Diameter also provides end-to-end security through the use of IPSec or TLS, which is not available in RADIUS.
- Diameter has the functionality and ability to provide the AAA functionality for other protocols and services because it has a large AVP set. RADIUS has 28 (256) AVPs and Diameter has 232. So, more AVPs allow for more functionality and services to exist and communicate between systems.
- Diameter provides the following AAA function
- PAP, CHAP, EAP
- End-to-end protection of authentication information
- Replay attack protection
- Redirects, secure proxies, relays, and brokers
- State reconciliation
- Unsolicited disconnect
- Reauthorization on demand
- Reporting, ROAMOPS accounting, event monitoring
Decentralized Access Control
- A decentralized access control administration method gives control of access to the people closer to the resources
- In this approach, it is often the functional manager who assigns access control rights to employees.
- Changes can happen faster through this type of administration because not just one entity is making changes for the whole organization.
- There is a possibility for conflicts to arise that may not benefit the organization as because different managers and departments can practice security and access control in different ways.
- There is a possibility of certain controls to overlap, in which case actions may not be properly proscribed or restricted.
- This type of administration does not provide methods for consistent control, as a centralized method would.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.