Time: 1 hour 7 minutes
Difficulty: Beginner
CEU/CPE: 3

Video Description

This section discusses centralized access control administration and its advantages and disadvantages. We then explore the RADIUS (Remote Authentication Dial-In User Service) standard, which is one type of centralized access control administration, and look at how RADIUS has evolved from the early days of dial-up usage. Centralized access control administration provides an easier method of control and administration along with enhanced security; an example of this in action is using a domain to direct backups to a central server. The disadvantages of such a method are decreased granularity and less flexibility in aligning business objectives with access control management. Solutions that provide an acceptable compromise combine a centralized and a decentralized implementation in a hybrid solution. Next, we discuss RADIUS and how it handles centralized access control administration. Originally designed for use with remote access servers, RADIUS simplifies administration by replicating access control policies to a server. Its use has since evolved from supporting dial-in clients to VPNs, Wi-Fi, switches, and more; RADIUS runs over UDP, whereas TACACS+ and Diameter use TCP. RADIUS follows the 802.1X standard, which consists of three elements: the supplicant, the authenticator, and a central authentication server. It is an open standard that has been around for a while and has a great deal of vendor support. One of its weaknesses, however, is that it does not provide strong encryption during the initial handshake phase. It is then noted that EAP over LAN (EAPOL) is more commonly used with RADIUS to mitigate this shortcoming. We conclude by discussing PAP and its replacement, CHAP. CHAP has the security advantage of using a password-driven challenge/response sequence for authentication. Finally, it is noted that these last two protocols are not hugely testable, but you should be aware that they are important for controlling network access.

Video Transcription

00:04
Okay. This next section is about, um, means of administration for access control, or administering access control. And when we're talking about administration, generally we have two choices: we can administer from a central location, or we can do this
00:22
in a decentralized fashion.
00:24
Now the idea isn't that one is right and the other's wrong. It's that they both have their pros and cons. Now, centralization. When we talk about centralization, what we generally get is easier control, easier administration and greater security. You know, those are pretty big benefits,
00:42
you know? Think about group policy. Do I want to go through every computer and create a policy, or do I want users to walk onto the domain and have that policy be pushed out?
00:52
Much easier administration, much better consistency, greater security. Backups: do I want people to back up to a central server or back up on their own desktops? Right? So centralization is easier for administrators, and in a lot of ways it's easier for users as well.
01:07
But what I trade off is flexibility and granularity.
01:11
So, um, if we're doing everything centralized,
01:15
I may have very different needs in the branch offices than I do from headquarters, and every branch office may have their own needs, their own policies, whatever. So I would trade that off; in that environment, decentralized administration would probably be better.
01:32
You know, the phrase that I think is used frequently when we're looking at, uh, centralization or decentralization?
01:38
Ah, for decentralization: an easier alignment with business objectives. Usually, decentralization gives me that because I can be as granular as I want.
01:49
But
01:51
for most things, or for many things, we're gonna want centralization, at least as part of it. You know, a lot of times we'll have centralization for the major policies and the major issues and elements,
02:02
and then we'll allow some decentralization as we need for granularity's sake. So, hybrids, you know, like most everything, the truth is somewhere in the middle.
02:12
All right. So when we talk about centralized access control technologies, the big one here is RADIUS, and RADIUS stands for Remote Authentication Dial-In User Service. So, for instance, I might be in an environment where we have lots of access points for wireless devices, maybe, um,
02:30
a bunch of VPN servers for connectivity, you know, from home.
02:35
Maybe I even still have some remote access servers for certain services, you know; again, they're not obsolete.
02:42
When I have all of these elements to connect into my network, the problem is there isn't a way to create policy once and replicate it to all these devices.
02:53
So instead, what we do is we take these devices and we point them to the RADIUS server. So rather than creating a security and authentication policy 15 different times on 15 different devices,
03:06
you know, or for 15 different devices, we point all the devices to RADIUS and we'd create our authentication strategy and our policies there. So what is RADIUS? It's a central authentication server. Remote Authentication Dial-In User Service. And that was originally what RADIUS was for,
03:23
uh, RADIUS was for dial-in clients. Now, RADIUS has kind of evolved, obviously, and you can use RADIUS for
03:30
VPN, for WiFi. You can also use it for unmanaged devices, switches on your network, to, you know, control access as well. So RADIUS has really expanded beyond what it used to be. RADIUS uses the UDP protocol, whereas TACACS+
03:50
and Diameter use TCP. That could be testable as well,
03:53
But the bottom line is RADIUS is all about providing central authentication. It's a single central point of authentication for my devices, like my remote access mechanisms. I would also note that RADIUS follows the 802.1X standard,
04:12
and with 802.1X, we have three main elements. We have a supplicant,
04:17
which would be the original system trying to connect into the LAN. We would have the authenticator, which would be the access point or the VPN server.
04:29
And then we would have the central authentication server, which would be RADIUS. But again, could be RADIUS, could be Diameter, could be TACACS+. They all, ultimately, are central authentication servers. RADIUS, though, is open. It's been around a lot. There's a lot of, um, there's a lot of vendor support,
04:47
so you know it's very popular, it's very widely used.
04:51
There are some issues with it. It doesn't provide as strong encryption with the initial handshaking process as TACACS+. You know, the fact that it uses UDP, not being connection oriented, could be a problem. But ultimately, RADIUS is really the most frequently used mechanism.
05:11
I want you to associate RADIUS with 802.1X,
05:15
um, and by the way, 802.1X is officially EAP
05:19
over Ethernet, Extensible Authentication Protocol over Ethernet. So Extensible Authentication Protocol is obviously an authentication protocol. But originally we had something called PAP,
05:33
Password Authentication Protocol, and it only worked with passwords, and it put the credentials on the network in plain text. So PAP,
05:43
dead to us. We don't need PAP. Then we have CHAP, Challenge Handshake Authentication Protocol, which uses passwords. But it uses that challenge response, so I can only respond to the challenge if I'd entered the password correctly. But again, that's password driven. So Extensible Authentication Protocol
06:01
extends beyond just passwords.
06:04
And so RADIUS uses EAP, which can work with tokens or smart cards, biometrics or any of those other means. So associate RADIUS,
06:15
802.1X,
06:16
EAP, and really specifically EAPOL,
06:20
Extensible Authentication Protocol over the LAN, because the, uh, access point or VPN server will forward those authentication requests across the LAN. There's, you know, a lot of little bits. I don't think RADIUS is hugely testable, but it certainly is significant in controlling access into my network.
