All right. Enterprise network authentication.
The idea of enterprise network authentication is to have a uniform authentication system. A uniform logon system works all the way across your environment. If you do that, then you've got consistent rules. If you've got consistent rules, you've got consistent security.
So there's a number of ways to do it: PAP, Password Authentication Protocol; CHAP; EAP; all this stuff. PAP is one of the oldest authentication methods, and the problem with PAP is it works, but it passes the passwords back and forth in the clear, the user names and passwords. So CHAP is an improvement on that one, and that one uses hashes instead.
EAP, Extensible Authentication Protocol, is a protocol that allows you to write protocols. Basically, it's an authentication framework, and it says, I've got this plug-in that says, if you can write an end system and you can write the end system rules for the user database, plug it into my Extensible Authentication Protocol. Then it can work all the way across your network, kind of like writing printer drivers into Windows. Windows has this master printer driver; as long as you can write to that, then it can talk to the printers. EAP can be used anywhere; it is primarily used in enterprise wireless. Those are protocols that can be used, again, anywhere, primarily used in network management.
NT LAN Manager, NTLM. Anybody know where that's from? That's old Windows programming. And the funny thing is, the new systems all the way up to Windows 2012 still have the option of being backward compatible with NTLM. And then we'll go to Kerberos. Anyone know Kerberos? That's why they have the three-headed dog here, the three-headed dog that guards the entrance to Hades. So MIT developed an authentication system. They called it Kerberos, the three-headed dog guarding, right. And then PKI, public key infrastructure.
So Password Authentication Protocol: everything's in the clear. That's bad. CHAP uses hashes; that's better. Rainbow tables have made CHAP somewhat dicey, because rainbow tables allow you to reverse a hash and figure out what the password was. Or Extensible Authentication Protocols: most of them are certificate based, and that's the most secure way to do it.
RADIUS, Remote Authentication Dial-In User Service. Anybody want to guess how old this protocol is? Yeah, ever since dial-in modems, right? It still gets used today. It doesn't have to be a dial-in modem; we use it over the network still. Windows supports RADIUS; by default there is actually a RADIUS server built into Windows. Most other systems support RADIUS. You can do it with a shared secret or encrypted passwords, but most of it's just authentication. You can do authorization, but a lot of it's authentication only. TACACS, TACACS+. The difference in TACACS, TACACS+ is it uses TCP instead of UDP. It can be encrypted.
And if you're using it to support network authentication gear and network gear, one of the things that is difficult to do with network equipment like routers and switches is to give people granular access. What do I mean by granular access? Access control. What level of access, right. If you use TACACS+ you can actually list the commands they're permitted to use, and those are the only commands that work, so you can set up accounts with TACACS and give people either help desk level access or engineering level access or root access, depending on what commands you allow them to run through TACACS. TACACS wouldn't be as popular as it is if it weren't for that feature. But because of that feature, TACACS+ gets used a lot to manage network devices.
Now what people will do for RADIUS and TACACS is they'll have a RADIUS server or a TACACS server. And rather than make accounts for everybody, you can actually take those servers and point them to another server like an LDAP server. Anybody know an LDAP server? Windows Active Directory, right. So the concept is, if you want to use TACACS and give people just certain privileges or just certain commands they can run, but you don't want to have a TACACS database and a separate user database, what you do instead is you create all the user accounts over here. Let the TACACS machine query, and then by group here, you group all the same people together with the same privileges and you only give them certain commands they can run. That way they use their Windows logon, they get filtered by TACACS for the commands they can run, and you have an enterprise-wide system that does it.
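The group-based command filtering described above, written out as an added example. This is not code from any TACACS+ server or from Active Directory: the in-memory directory, the group names and the command patterns are constructed for the illustration, and the lookup stands in for the LDAP/AD query the TACACS+ server would make. It shows the deny-by-default behaviour: a command only works if some pattern granted to the user's group matches it.

```python
"""Per-command authorization in the TACACS+ style, backed by directory groups.

Added illustration, not code from any TACACS+ server or from Active Directory.
DIRECTORY_GROUPS is a constructed in-memory stand-in for the LDAP/AD lookup;
the group names and command patterns are assumptions for this example.
"""
import fnmatch

# Constructed stand-in for the user database the TACACS+ server queries (e.g. LDAP/AD).
DIRECTORY_GROUPS = {
    "alice": "network-engineers",
    "bob": "help-desk",
    "carol": "network-admins",
}

# Assumed policy: each group gets shell-style patterns for the commands it may run.
# Anything not matched is denied, which gives the "only those commands work" behaviour.
COMMAND_POLICY = {
    "help-desk": ["show interfaces*", "show version", "ping *"],
    "network-engineers": ["show *", "ping *", "traceroute *",
                          "configure terminal", "interface *", "description *"],
    "network-admins": ["*"],   # root-level access
}

def lookup_group(username, directory=DIRECTORY_GROUPS):
    """Resolve a user to a group via the (simulated) directory; unknown users get no group."""
    return directory.get(username)

def authorize_command(username, command, directory=DIRECTORY_GROUPS, policy=COMMAND_POLICY):
    """Return (allowed, reason). Deny by default: unknown user, unknown group, or no pattern match."""
    group = lookup_group(username, directory)
    if group is None:
        return False, "unknown user"
    patterns = policy.get(group)
    if not patterns:
        return False, f"group {group!r} has no command policy"
    normalized = " ".join(command.split())   # collapse repeated spaces before matching
    for pat in patterns:
        if fnmatch.fnmatchcase(normalized, pat):
            return True, f"matched {pat!r} for group {group!r}"
    return False, f"no pattern in group {group!r} permits {normalized!r}"

def evaluate_session(username, commands):
    """Run a list of commands through authorization; return only the ones that would execute."""
    return [cmd for cmd in commands if authorize_command(username, cmd)[0]]

if __name__ == "__main__":
    for user, cmd in [("bob", "show interfaces status"),
                      ("bob", "configure terminal"),
                      ("alice", "configure terminal"),
                      ("carol", "reload"),
                      ("mallory", "show version")]:
        allowed, why = authorize_command(user, cmd)
        print(f"{user:8} {cmd:28} -> {'PERMIT' if allowed else 'DENY  '} ({why})")
```

The point of keeping the policy keyed by group rather than by user is the one the lecture makes: accounts live in one directory, and the device-side policy only has to know about a handful of groups.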
New Technology LAN Manager was used in Windows 95, 98, NT, and those 2000 networks. The reason this is weak is because what it did was it took a password and broke it into seven-character chunks. So your maximum password length could be 14. But is it easier to break two seven-character passwords or one 14-character password? Two seven. There's a lot fewer options, a lot fewer possibilities to run through for two seven-character passwords.
When I was in, right? It's not anymore, but for years when I was in, in the 1990s, up to around 2000 and something, the military required eight-character passwords. Think about that for a second. If you broke the first one into seven and then you had the eighth character, did the eighth character add any complexity to the password at all? No, because the eighth character, one run through the hash and you're done, right? It's gotta be one of the 255 characters, uh, 127 character options. So eight-character passwords were really silly for NTLM.
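The split-into-halves weakness from the last two passages, modelled as an added example. This is not the real LAN Manager algorithm (which hashes each half with DES); SHA-256 stands in for the per-half hash so that the structural problem, independent halves and NUL padding, is what shows. The passwords and the printable-character alphabet size are constructed for the example.

```python
"""Why splitting a password into two independent 7-character halves is weak.

Added illustration of the LM-style weakness described in the lecture. NOT the real
LAN Manager algorithm: SHA-256 stands in for the per-half DES step. All inputs are constructed.
"""
import hashlib
import string

HALF_LEN = 7
MAX_LEN = 2 * HALF_LEN                      # 14, the most the scheme can represent
PRINTABLE = len(string.printable.strip())   # 94 printable ASCII characters, assumed alphabet

def split_halves(password):
    """Mimic the LM-style preparation: uppercase, pad with NULs to 14, cut into two halves."""
    prepared = password.upper()[:MAX_LEN].ljust(MAX_LEN, "\0")
    return prepared[:HALF_LEN], prepared[HALF_LEN:]

def half_hash(half):
    """Hash one half on its own (stand-in for the per-half cipher step)."""
    return hashlib.sha256(half.encode("latin-1")).hexdigest()

def lm_like_hash(password):
    """Return the pair of independent half-hashes; each half can be attacked separately."""
    first, second = split_halves(password)
    return half_hash(first), half_hash(second)

def effective_keyspace(password_length, alphabet=PRINTABLE):
    """Compare searching a password as one string with searching its two halves separately.

    Returns (whole_space, split_space). Because each half is hashed alone, the halves are
    searched independently and their spaces add instead of multiply. Case folding is ignored,
    which already flatters the scheme.
    """
    n = min(password_length, MAX_LEN)
    whole = alphabet ** n
    first = alphabet ** min(n, HALF_LEN)
    second = alphabet ** (n - HALF_LEN) if n > HALF_LEN else 0
    return whole, first + second

def second_half_characters(password):
    """How many real characters the second half holds once the NUL padding is removed."""
    _, second = split_halves(password)
    return len(second.rstrip("\0"))

if __name__ == "__main__":
    a, b = lm_like_hash("Password1234567"), lm_like_hash("password1abcdef")
    print("first halves equal despite different passwords and case:", a[0] == b[0])
    print("an 8-char password leaves", second_half_characters("Passw0rd"), "real char in the 2nd half")
    whole, split = effective_keyspace(14)
    print(f"14 chars as one string: {whole:.3e}; as two independent halves: {split:.3e}")
```

The eight-character case is the lecturer's point: the second half carries one character padded with NULs, so its hash is chosen from a space no bigger than the alphabet itself.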
Ah, and NTLM, then they went to version two, and NTLMv2 is the one still being used now, in fact used for backward compatibility. And they were actually, even up through Windows 2003, they were actually enabled by default, and in Windows 2008 they're not enabled by default but can be turned on. In Windows 2012, not enabled by default but can be turned on, and people were turning them on because they were running older operating systems that only supported the earlier versions of authentication. And even today, some systems are still running using very, very old operating systems, XP or even earlier. If you're running those systems, you're running XP or even something earlier, if you have to run it, your best solution is to create two domains. One domain can run the really, really old systems, so you can turn on NTLM authentication for those 25 or 50 or 100 machines, whatever it is, and then another domain to support everybody that you're forcing into the more secure stuff, because it's crazy to lower the security standards for an entire base, for the entire Air Force, just to support a handful of old systems. Doesn't mean that it works that way. It doesn't work that way because, I'm not sure what position the Air Force has taken, but that's definitely an option.
So NTLM: the user requests a session with the server. Step two, the server issues a random string of bytes called a challenge to the client. The client encrypts the challenge with the hash of the password and sends the encryption back as the response. The server decrypts the response with the official password hash and sees if it matches. As long as they match, the user is authenticated.
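The five-step exchange just described, as an added example with both sides written out. This is not Microsoft's NTLM implementation: the real protocol has its own hash and response construction. Here the stored credential is an unsalted hash of the password, the client's response is an HMAC of the challenge keyed with that hash, and the server recomputes the expected response and compares it in constant time. The account name and password are constructed.

```python
"""Challenge-response authentication in the shape the lecture outlines for NTLM.

Added illustration, not Microsoft's NTLM code. Stored credential: an unsalted hash of
the password. Response: HMAC(challenge) keyed with that hash. Accounts are constructed.
"""
import hashlib
import hmac
import secrets

def password_hash(password):
    """Stand-in for the stored password hash (the server never keeps the plaintext)."""
    return hashlib.sha256(password.encode("utf-8")).digest()

class Server:
    def __init__(self, accounts):
        self.accounts = accounts   # constructed mapping: username -> stored password hash
        self.pending = {}          # username -> outstanding challenge, one per session

    def start_session(self, username):
        """Steps 1-2: the client asks for a session; the server answers with a fresh random challenge."""
        challenge = secrets.token_bytes(8)
        self.pending[username] = challenge
        return challenge

    def verify(self, username, response):
        """Steps 4-5: recompute the expected response from the stored hash and compare in constant time."""
        challenge = self.pending.pop(username, None)   # a challenge is usable only once
        stored = self.accounts.get(username)
        if challenge is None or stored is None:
            return False
        expected = hmac.new(stored, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def client_response(password, challenge):
    """Step 3: the client keys the challenge with its own hash of the password it knows."""
    return hmac.new(password_hash(password), challenge, hashlib.sha256).digest()

def authenticate(server, username, password):
    """Run the whole exchange and report whether the server accepted it."""
    challenge = server.start_session(username)
    return server.verify(username, client_response(password, challenge))

def replay_is_rejected(server, username, password):
    """A response captured from one session must not work against a new challenge."""
    challenge = server.start_session(username)
    captured = client_response(password, challenge)
    first_use_ok = server.verify(username, captured)     # the legitimate use succeeds
    server.start_session(username)                       # new session, new random challenge
    return first_use_ok and not server.verify(username, captured)

if __name__ == "__main__":
    srv = Server({"alice": password_hash("correct horse")})   # constructed account
    print("right password:", authenticate(srv, "alice", "correct horse"))
    print("wrong password:", authenticate(srv, "alice", "wrong horse"))
    print("unknown user:  ", authenticate(srv, "mallory", "anything"))
    print("replay rejected:", replay_is_rejected(srv, "alice", "correct horse"))
```

Two details worth noticing for anyone building on this pattern: the password itself never crosses the wire, and the random challenge is what stops a captured response from being reused. The stored hash, however, is all the server needs to compute a valid response, which is why the hash itself has to be protected as carefully as a password.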
So this is NTLM authentication, and Kerberos authentication in terms of how it passes things back and forth. One of the tricks on this one is it incorporates a number of elements into the password. One of the password elements is time. It's important in Windows devices to have everybody running on the same clock, every domain. Every domain has a built-in time server. It's part of building a domain to build the time server automatically. The reason it's important to have a time server is if you're more than five minutes off from the domain controller you're trying to authenticate to, your passwords can fail.
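The five-minute rule in the last paragraph, as an added example of the acceptance check a Kerberos-style service applies to a timestamped authenticator. This is not MIT Kerberos or Windows code. The skew window is the lecture's five minutes; the replay cache goes one step beyond the text and shows why the window can be tolerated at all: an authenticator already accepted inside the window is refused a second time. Clocks are plain integer seconds and every value is constructed.

```python
"""Clock-skew acceptance check of the kind Kerberos applies to timestamped authenticators.

Added illustration, not MIT Kerberos or Windows code. The five-minute window is the one
the lecture gives; the replay cache is assumed behaviour added for the example.
All times are constructed integers (seconds) so the example runs offline.
"""
MAX_SKEW_SECONDS = 5 * 60   # the lecture's five-minute tolerance

class AuthenticatorChecker:
    def __init__(self, max_skew=MAX_SKEW_SECONDS):
        self.max_skew = max_skew
        self.seen = {}   # (client_id, client_time) -> server time when it was accepted

    def check(self, client_id, client_time, server_now):
        """Return (accepted, reason) for one authenticator.

        Reject if the client's clock differs from the server's by more than max_skew, or if
        the same (client, timestamp) pair was already accepted inside the window (a replay).
        """
        self._expire(server_now)
        skew = abs(server_now - client_time)
        if skew > self.max_skew:
            return False, f"clock skew {skew}s exceeds {self.max_skew}s"
        key = (client_id, client_time)
        if key in self.seen:
            return False, "replayed authenticator"
        self.seen[key] = server_now
        return True, f"accepted with skew {skew}s"

    def _expire(self, server_now):
        """Drop cache entries older than the window; anything that old fails the skew test anyway."""
        cutoff = server_now - self.max_skew
        self.seen = {k: t for k, t in self.seen.items() if k[1] >= cutoff}

def simulate():
    """Constructed scenario: a synced client, two drifting clients, and one replay."""
    chk = AuthenticatorChecker()
    now = 1_700_000_000    # constructed server clock, seconds
    return {
        "in_sync":  chk.check("ws01", now - 3, now)[0],       # 3 s behind: accepted
        "drift_4m": chk.check("ws02", now + 240, now)[0],     # 4 min ahead: inside the window
        "drift_6m": chk.check("ws03", now - 360, now)[0],     # 6 min behind: rejected
        "replay":   chk.check("ws01", now - 3, now + 1)[0],   # same authenticator again: rejected
    }

if __name__ == "__main__":
    for name, accepted in simulate().items():
        print(f"{name:9} -> {'ACCEPT' if accepted else 'REJECT'}")
```

The drifting client in this scenario is the situation the lecturer describes: the user's password is right, but a clock six minutes off the domain controller is enough for the logon to fail.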