Okay. This next section is about means of administration for access control, or administering access control. And when we're talking about administration, generally we have two choices: we can administer from a central location, or we can do this in a decentralized fashion.
Now the idea isn't that one is right and the other's wrong. It's that they both have their pros and cons. Centralization: when we talk about centralization, what we generally get is easier control, easier administration and greater security. You know, those are pretty big benefits. Think about group policy. Do I want to go through every computer and create a policy, or do I want users to log onto the domain and have that policy pushed out? Much easier administration, much better consistency, greater security. Backups: do I want people to back up on a central server, or back up on their own desktops? Right? So centralization is easier for administrators, and in a lot of ways it's easier for users as well. But what I trade off is flexibility and granularity.
So, if we're doing everything centralized, I may have very different needs in the branch offices than I do at headquarters, and every branch office may have their own needs, their own policies, whatever. So I would trade that off; in that environment, decentralized administration would probably be better. You know, the phrase that I think is used frequently when we're looking at centralization or decentralization, for decentralization, is an easier alignment with business objectives. Usually decentralization gives me that, because I can be as granular as I want. For most things, or for many things, we're gonna want centralization, at least as part of it. You know, a lot of times we'll have centralization for the major policies and the major issues and elements, and then we'll allow some decentralization as we need, for granularity's sake. So, hybrids. You know, like most everything, the truth is somewhere in the middle.
All right. So when we talk about centralized access control technologies, the big one here is RADIUS, and RADIUS stands for Remote Authentication Dial-In User Service. So, for instance, I might be in an environment where we have lots of access points for wireless devices, maybe a bunch of VPN servers for connectivity, you know, from home. Maybe I even still have some remote access servers for certain services; you know, again, they're not obsolete. When I have all of these elements to connect into my network, the problem is there isn't a way to create a policy once and replicate it to all these devices. So instead, what we do is we take these devices and we point them to the RADIUS server. So rather than creating a policy, a security and authentication policy, 15 different times on 15 different devices, you know, or for 15 different devices, we point all the devices to RADIUS and we create our authentication strategy and our policies there. So what is RADIUS? It's a central authentication server. Remote Authentication Dial-In User Service, and that was originally what RADIUS was for:
RADIUS was for dial-in clients. Now, RADIUS has kind of evolved, obviously, and you can use RADIUS for VPN, for WiFi. You can also use it for unmanaged devices, switches on your network, to, you know, control access as well. So RADIUS has really expanded beyond what it used to be. RADIUS uses the UDP protocol, whereas TACACS+ and Diameter use TCP. That could be testable as well. But the bottom line is RADIUS is all about providing central authentication. It's a single central point of authentication for my devices, like my remote access mechanisms. I would also note that RADIUS follows the 802.1X standard, and with 802.1X we have three main elements. We have a supplicant, which would be the original system trying to connect into the LAN. We would have the authenticator, which would be the access point or the VPN server. And then we would have the central authentication server, which would be RADIUS. But again, it could be RADIUS, could be Diameter, could be TACACS+; they all, ultimately, are central authentication servers. RADIUS, though, is open. It's been around a lot. There's a lot of vendor support, so, you know, it's very popular, it's very widely used. There are some issues with it. It doesn't provide as strong encryption with the initial handshaking process as TACACS+. You know, the fact that it uses UDP, not being connection oriented, could be a problem. But ultimately, RADIUS really is the most frequently used mechanism.
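The exchange between the authenticator (the access point or VPN server, called the NAS in RFC 2865) and the RADIUS server, modelled as an added example that is not part of this lecture. It builds an Access-Request UDP payload, hides the User-Password attribute the way RFC 2865 section 5.2 specifies (MD5 of the shared secret and the Request Authenticator, XORed into the password), lets the server recover and check it, and has the NAS verify the Response Authenticator on the reply. The shared secret, user name and password are constructed values; the user database and the tamper flag are my own scaffolding for the demonstration. It shows concretely what "not as strong encryption in the handshake" means: the password hiding is keyed obfuscation that anyone holding the shared secret can reverse, and a reply is only trustworthy because the NAS recomputes the authenticator.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for this demonstration; nothing here comes from a real deployment.
SHARED_SECRET = b"example-shared-secret"               # configured on both the NAS and the server
USER_DB = {b"alice": b"correct horse battery staple"}  # what the RADIUS server knows (constructed)

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), the first 'previous block' being the Request
    Authenticator. Keyed obfuscation, not authenticated encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password: exactly what the server does on receipt, and what
    anyone else holding the shared secret could do with a captured datagram."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, keystream)), block
    return out.rstrip(b"\x00")


def attr(kind, value):
    """One RADIUS attribute: Type, Length (including these two bytes), Value."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attrs(blob):
    attrs, i = {}, 0
    while i < len(blob):
        kind, length = blob[i], blob[i + 1]
        attrs[kind] = blob[i + 2:i + length]
        i += length
    return attrs


def nas_build_access_request(identifier, username, password, secret):
    """Authenticator side (access point / VPN server): fresh random Request Authenticator."""
    request_auth = os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username)
    attrs += attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    head = HEADER.pack(ACCESS_REQUEST, identifier, HEADER.size + 16 + len(attrs))
    return head + request_auth + attrs, request_auth


def server_handle(packet, secret, user_db):
    """RADIUS server side: recover the password, check it, reply with Response Authenticator
    = MD5(Code + ID + Length + RequestAuth + ResponseAttributes + Secret). No reply attributes here."""
    _code, identifier, length = HEADER.unpack_from(packet)
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    expected = user_db.get(attrs.get(ATTR_USER_NAME, b""))
    ok = expected is not None and hmac.compare_digest(password, expected)
    head = HEADER.pack(ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, HEADER.size + 16)
    return head + hashlib.md5(head + request_auth + secret).digest()


def nas_verify_response(response, request_auth, secret):
    """The NAS recomputes the Response Authenticator; without this check a spoofed UDP
    datagram could hand it a forged Access-Accept. Returns (verified, code)."""
    code, _identifier, length = HEADER.unpack_from(response)
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20]), code


def authenticate(username, password, secret=SHARED_SECRET, tamper=False):
    """Run the whole NAS <-> server exchange; returns (response_verified, response_code)."""
    request, request_auth = nas_build_access_request(7, username, password, secret)
    response = server_handle(request, secret, USER_DB)
    if tamper:  # model a reply whose Code was flipped to Accept by someone without the secret
        response = bytes([ACCESS_ACCEPT]) + response[1:]
    return nas_verify_response(response, request_auth, secret)


if __name__ == "__main__":
    print(authenticate(b"alice", b"correct horse battery staple"))  # (True, 2)
    print(authenticate(b"alice", b"wrong"))                          # (True, 3)
    print(authenticate(b"alice", b"wrong", tamper=True))             # (False, 2)
```

The third call is the case a NAS must catch: the reply's Code says Accept but the Response Authenticator no longer matches, because whoever changed the Code did not have the shared secret. The only thing protecting the user's password in the first datagram is that same shared secret and MD5, which is why the lecture's point about weaker handshake protection (and why deployments put RADIUS traffic on a management network or wrap it in TLS or IPsec) holds.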
I want you to associate RADIUS with 802.1X, and by the way, 802.1X is officially EAP over Ethernet, Extensible Authentication Protocol over Ethernet. So Extensible Authentication Protocol is obviously an authentication protocol. But originally we had something called PAP, Password Authentication Protocol, and it only worked with passwords, and it put the credentials on the network in plain text. So PAP: dead to us. We don't need PAP. Then we have CHAP, Challenge Handshake Authentication Protocol, which uses passwords, but it uses that challenge-response, so I can only respond to the challenge if I'd entered the password correctly. But again, that's password driven. So Extensible Authentication Protocol extends beyond just passwords. And so RADIUS uses EAP, which can work with tokens or smart cards, biometrics or any of those other means. So associate RADIUS with EAP, and really specifically EAPOL, Extensible Authentication Protocol over the LAN, because the access point or VPN server will forward those authentication requests across the LAN. That's, you know, a little bit; I don't think RADIUS is hugely testable, but it certainly is significant in controlling access into my network.
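The PAP versus CHAP contrast drawn above, as an added example that is not part of this lecture. It models what a passive observer on the link sees in each case: with PAP the Authenticate-Request carries the password itself, while with CHAP (RFC 1994) the client answers a server challenge with MD5(Identifier, secret, Challenge), so the secret never crosses the wire and a captured response is useless against a fresh challenge. The password and user name are constructed values; the function names are mine.

```python
import hashlib
import hmac
import os

# Constructed credential for the demonstration; not from any real system.
SECRET = b"example-password"


def pap_authenticate_request(username, password):
    """PAP: the credential travels verbatim in the Authenticate-Request."""
    return {"peer_id": username, "password": password}


def observer_recovers_from_pap(username, password):
    """A passive observer on the link reads the PAP message and gets the password directly."""
    captured = pap_authenticate_request(username, password)
    return captured["password"]


def chap_server_challenge():
    """CHAP server picks an Identifier and a random Challenge for this round."""
    return os.urandom(1)[0], os.urandom(16)


def chap_client_response(identifier, challenge, secret):
    """CHAP Response value = MD5(Identifier || secret || Challenge); the secret stays local."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_server_verify(identifier, challenge, response, secret):
    """Server recomputes the same hash from its stored copy of the secret."""
    return hmac.compare_digest(chap_client_response(identifier, challenge, secret), response)


def chap_round(secret_at_client):
    """One full challenge-response round against a server that holds SECRET."""
    identifier, challenge = chap_server_challenge()
    response = chap_client_response(identifier, challenge, secret_at_client)
    return chap_server_verify(identifier, challenge, response, SECRET)


def chap_replay_rejected():
    """A response captured in one round does not satisfy the next round's challenge."""
    identifier1, challenge1 = chap_server_challenge()
    captured = chap_client_response(identifier1, challenge1, SECRET)
    identifier2, challenge2 = chap_server_challenge()
    return not chap_server_verify(identifier2, challenge2, captured, SECRET)


if __name__ == "__main__":
    print(observer_recovers_from_pap(b"alice", SECRET))   # b'example-password'
    print(chap_round(SECRET), chap_round(b"wrong"))       # True False
    print(chap_replay_rejected())                          # True
```

Two caveats the lecture's "but again, that's password driven" hints at: the CHAP server has to keep the secret in a form it can hash, so the server-side store is itself sensitive, and the response is still a function of one password, which is what EAP's token, smart-card and certificate methods move beyond.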