Access control requirements vary, so access control systems can be just as diverse. Generally, access control systems fall into one of two categories:
- Centralized access control
- Decentralized or distributed access control
Depending on an organization's needs and environment, one type is a better fit than the other. A centralized access control system keeps user IDs, rights, and permissions in a database on a central server.
Remote Authentication Dial-In User Service (RADIUS), TACACS, and DIAMETER are common centralized access control systems.
Remote Authentication Dial-In User Service (RADIUS) and DIAMETER
Remote Authentication Dial-In User Service (RADIUS) uses a client/server model that provides authentication, authorization, and accounting (AAA) for remote dial-up access while protecting the system from unauthorized access.
RADIUS provides centralized user administration by keeping all user profiles in a central location that remote services can query. To authenticate to a RADIUS server, the user enters credentials, which are sent in obscured form inside an Access-Request packet to the RADIUS server. The server then receives the credentials and either accepts or denies them. If the RADIUS server accepts the credentials, it returns an Access-Accept packet and the user is authenticated. If it refuses the credentials, it sends an Access-Reject packet.
There are also cases where the RADIUS server challenges the credentials. It then sends an Access-Challenge packet requesting that the user provide additional information to complete authentication. For users connecting to the service through remote dial-up, RADIUS also provides callback security: the server terminates the connection and re-establishes it by dialing a pre-assigned telephone number to which the user's modem is attached. This adds another layer of protection against unauthorized access over dial-up connections.
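As an added example (written for this page, not code from any RADIUS vendor or from the RFC authors), the following Python models the exchange just described in memory: the client builds an Access-Request whose User-Password attribute is hidden the way RFC 2865 specifies, and the server answers with Access-Accept, Access-Reject, or an Access-Challenge that the client completes by echoing the server's State attribute with the additional information. The shared secret, the user table, and the one-time codes are constructed sample values; the simplified packet encoder covers only the attributes used here. One caveat worth knowing: RFC 2865 hides the password with an MD5 keystream derived from the shared secret rather than with general-purpose encryption, which is one reason RADIUS is normally run over a protected transport today (for example RADIUS over TLS, RFC 6614).

```python
import hashlib
import secrets
import struct

# Added example, not from the original text: an in-memory RADIUS exchange with
# User-Password hiding and the Response Authenticator as RFC 2865 specifies.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

# Constructed sample data: the NAS/server shared secret and a user table of
# (password, optional one-time code); a user with a code gets an Access-Challenge.
SHARED_SECRET = b"example-shared-secret"
USERS = {b"alice": (b"correct horse", None), b"bob": (b"hunter2", b"135246")}
PENDING = {}  # State token -> user that still owes an answer to a challenge

def _password_blocks(data, secret, authenticator, hiding):
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous hidden block),
    the first block using the Request Authenticator. Keyed obfuscation, not encryption."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        xored = bytes(x ^ k for x, k in zip(block, hashlib.md5(secret + prev).digest()))
        out += xored
        prev = xored if hiding else block  # always chain on the hidden block
    return out

def hide_password(password, secret, authenticator):
    padded = password + b"\x00" * (-len(password) % 16)  # null-pad to a multiple of 16
    return _password_blocks(padded, secret, authenticator, True)

def unhide_password(hidden, secret, authenticator):
    return _password_blocks(hidden, secret, authenticator, False).rstrip(b"\x00")

def encode_attrs(attrs):  # each attribute is Type(1) Length(1) Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i + 2 <= len(data) and data[i + 1] >= 2:  # stop on a malformed length
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)  # header: Code(1) Identifier(1) Length(2) Authenticator(16)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(raw):
    code, ident, length = struct.unpack("!BBH", raw[:4])
    return code, ident, raw[4:20], decode_attrs(raw[20:length])

def response_authenticator(code, ident, attrs, request_auth):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + SHARED_SECRET).digest()

def access_request(ident, username, password, state=None):
    """Client (NAS) side: build an Access-Request with a fresh random Request Authenticator."""
    request_auth = secrets.token_bytes(16)
    attrs = [(USER_NAME, username),
             (USER_PASSWORD, hide_password(password, SHARED_SECRET, request_auth))]
    if state is not None:
        attrs.append((STATE, state))  # echo the server's State on the second leg
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def reply(code, ident, request_auth, attrs):
    return build_packet(code, ident, response_authenticator(code, ident, attrs, request_auth), attrs)

def handle_request(raw):
    """Server side: answer an Access-Request with Accept, Reject or Challenge."""
    code, ident, request_auth, attrs = parse_packet(raw)
    a = dict(attrs)
    if code != ACCESS_REQUEST or USER_NAME not in a or USER_PASSWORD not in a:
        return reply(ACCESS_REJECT, ident, request_auth, [(REPLY_MESSAGE, b"malformed")])
    user = a[USER_NAME]
    supplied = unhide_password(a[USER_PASSWORD], SHARED_SECRET, request_auth)
    if STATE in a:  # second leg: the password field carries the one-time code
        if PENDING.pop(a[STATE], None) == user and secrets.compare_digest(supplied, USERS[user][1]):
            return reply(ACCESS_ACCEPT, ident, request_auth, [])
        return reply(ACCESS_REJECT, ident, request_auth, [(REPLY_MESSAGE, b"bad code")])
    record = USERS.get(user)
    if record is None or not secrets.compare_digest(supplied, record[0]):
        return reply(ACCESS_REJECT, ident, request_auth, [(REPLY_MESSAGE, b"bad credentials")])
    if record[1] is not None:  # second factor required: challenge and remember the State
        state = secrets.token_bytes(8)
        PENDING[state] = user
        return reply(ACCESS_CHALLENGE, ident, request_auth,
                     [(REPLY_MESSAGE, b"enter one-time code"), (STATE, state)])
    return reply(ACCESS_ACCEPT, ident, request_auth, [])

def exchange(ident, username, value, state=None):
    """One client round trip: send, verify the reply's Response Authenticator, return (code, attrs)."""
    req, request_auth = access_request(ident, username, value, state)
    code, ident, resp_auth, attrs = parse_packet(handle_request(req))
    if not secrets.compare_digest(resp_auth, response_authenticator(code, ident, attrs, request_auth)):
        raise ValueError("reply failed the Response Authenticator check")
    return code, attrs

def authenticate(username, password, otp=None):
    """Full flow from the client side; returns the final packet code (2, 3 or 11)."""
    code, attrs = exchange(1, username, password)
    if code == ACCESS_CHALLENGE and otp is not None:
        code, _ = exchange(2, username, otp, state=dict(attrs)[STATE])
    return code

if __name__ == "__main__":
    print("alice:", authenticate(b"alice", b"correct horse"))        # 2 (Access-Accept)
    print("bob, no code:", authenticate(b"bob", b"hunter2"))          # 11 (Access-Challenge)
    print("bob, with code:", authenticate(b"bob", b"hunter2", b"135246"))  # 2 (Access-Accept)
```

The client verifies every reply's Response Authenticator before acting on it, which is what lets a NAS tell a genuine server answer from a forged one; the server, for its part, ties the second leg to the State it issued so that a one-time code can only complete the challenge it was asked for.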
Because RADIUS proved successful, an upgraded version called DIAMETER was developed. DIAMETER can be used with all forms of remote connectivity and is not limited to dial-up.
Terminal Access Controller Access Control System
There are three versions of Terminal Access Controller Access Control System (TACACS). Each version authenticates users and denies access to anyone who cannot present a verified username and password.
- TACACS blends the authentication and authorization functions.
- XTACACS uses a segmented arrangement of authentication, authorization, and auditing functions, giving the administrator more control over implementation.
- TACACS+ also allows the authentication, authorization, and auditing functions to be separated, and additionally offers two-factor authentication.
The TACACS authentication process is comparable to RADIUS and offers the same functionality, except that RADIUS is an open standard while TACACS is Cisco proprietary. This has kept TACACS from reaching the same popularity as RADIUS.
Decentralized/Distributed Access Control
A decentralized access control system keeps user IDs, rights, and permissions in different locations on the network. These locations are often spread across different subnets, on servers attached to networks contiguous to the one from which the user requests access, and they rely on linked or associated databases.