What are network authentication protocols?

A network authentication protocol is a way for a network device to prove its identity to a remote network resource. It is a way of assuring that the network device is genuinely who it claims to be and that it did not forge its identity through impersonation. It does this by sending a credential over a public network that the remote network resource can verify is legitimate.


RADIUS protocol

The RADIUS protocol is one of the most widely used authentication, authorization, and accounting protocols. RADIUS stands for Remote Authentication Dial-In User Service.

RADIUS is commonly used on a local area network or a wide area network, even though it bears the word "dial-in" in its name. It is a relatively common method of centralizing user authentication. So, whether someone is trying to get into the network, a VPN concentrator, or a switch or router, RADIUS can be used to authenticate the login and password.

This is a fairly popular authentication method. RADIUS services are available for nearly any operating system, which is why RADIUS is likely to be present in most enterprise networks.

TACACS protocol

TACACS can be used as an alternative to RADIUS. TACACS stands for Terminal Access Controller Access-Control System. It is a protocol for remote authentication that was created while dial-up lines were still in use.

Cisco found this to be a very valuable authentication technique and modified it into a new version known as Extended TACACS, which added accounting and auditing features. When you see TACACS in an environment today, it's most likely TACACS+, the most recent version of TACACS, which was published as an open standard in 1993. TACACS+ is still widely used for authentication by Cisco equipment, although it is no longer a Cisco-specific protocol.

Kerberos protocol

Kerberos is a more complicated but more reliable authentication technique. It is an authentication system that provides single sign-on.

This means we authenticate only once and the system trusts us after that. We can access multiple file shares, print to different printers, and use other network resources throughout the day without having to constantly enter our username and password.

Kerberos remembers that we authenticated correctly at the start and can authenticate us automatically throughout the day.

Unlike RADIUS or TACACS, Kerberos also supports mutual authentication, which means that you not only authenticate to the server, but the server also authenticates to you, ensuring that both parties know who they're communicating with. Using mutual authentication, we can avoid any form of replay attack, as well as any type of on-path or man-in-the-middle attack.

Kerberos has existed for quite some time. It was developed by MIT in the 1980s. Kerberos has been included in Windows since the year 2000, as well. This is based on Kerberos 5.0, an open standard that works with not only Microsoft Windows but any other operating system that adheres to this open standard.

Kerberos is frequently referred to as a ticketing system, because it relies on cryptographic tickets. When you authenticate to a ticket-granting service, such as your centralized authentication server, that service issues you a service ticket. Instead of entering a username and password each time you access a different resource, you simply show the service ticket to the device, which recognizes that you were properly authenticated by the ticket-granting service and grants you access without requiring you to re-enter a username and password.

This saves you time throughout the day because you won't have to type in a login and password every time you access a new resource. However, it only works if the devices are Kerberos-compatible. Because not everything is compatible with Kerberos, you might discover that some of the devices you're authenticating to aren't able to use it.
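The ticket flow and mutual authentication described above, as an added example that is not part of the original article: a simplified Python model in which a ticket-granting service issues a service ticket, the service validates it without contacting the issuer, rejects a replayed authenticator, and proves its own identity back to the client. The function names, message fields and the toy SHA-256 keystream cipher are assumptions made for illustration; real Kerberos 5 uses standardized encryption types and message formats.

```python
import hashlib, hmac, json, os

def _xor_stream(key, nonce, data):
    # Toy keystream (SHA-256 in counter mode), a stand-in for real Kerberos encryption types.
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):
    nonce = os.urandom(16)
    ct = _xor_stream(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(_xor_stream(key, nonce, ct))

def issue_service_ticket(service_key, client, now, lifetime=600):
    # Ticket-granting service: mint a session key and seal a copy for the target service.
    session_key = os.urandom(32)
    ticket = seal(service_key, {"client": client, "key": session_key.hex(), "exp": now + lifetime})
    return ticket, session_key  # the client's copy travels under its TGS session key (not modelled)

def make_authenticator(session_key, client, now):
    return seal(session_key, {"type": "authenticator", "client": client, "ts": now})

class Service:
    def __init__(self, key, max_skew=300):
        self.key, self.max_skew, self.seen = key, max_skew, set()

    def accept(self, ticket, authenticator, now):
        t = unseal(self.key, ticket)            # only the TGS shares this key
        session_key = bytes.fromhex(t["key"])
        a = unseal(session_key, authenticator)  # sender must hold the session key
        if now > t["exp"]:
            raise ValueError("ticket expired")
        if a.get("type") != "authenticator" or a["client"] != t["client"]:
            raise ValueError("authenticator does not match ticket")
        if abs(now - a["ts"]) > self.max_skew or (a["client"], a["ts"]) in self.seen:
            raise ValueError("stale or replayed authenticator")
        self.seen.add((a["client"], a["ts"]))
        # Mutual authentication: echo the timestamp under the session key.
        return t["client"], seal(session_key, {"type": "reply", "ts": a["ts"]})

def client_verify(session_key, reply, ts):
    r = unseal(session_key, reply)
    return r.get("type") == "reply" and r.get("ts") == ts
```

The service never sees a password: it trusts the ticket because only the ticket-granting service shares its key, and the client trusts the reply because only a service that could open the ticket knows the session key.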

There are alternative techniques for providing single sign-on, such as SAML, smart cards, or cloud-based single sign-on services, but Kerberos is unquestionably the most common.

Which network authentication protocol should you use?

It sounds like we have three alternative ways to authenticate, all of which are pretty similar in functionality with only small differences. So you might be wondering, which of these should you use? Is it better to use RADIUS, TACACS+, or Kerberos? The answer usually depends on what you're connecting to and what that device supports. You might have a VPN concentrator that can only authenticate to a RADIUS server, for example. As a result, RADIUS might be used for that service.

Other network administrators may be authenticating to a Cisco switch or router, and they may want their own authentication procedures apart from those used elsewhere on the network. As a result, they may set up a TACACS+ server solely for Cisco authentication.

If you're on a Microsoft network, Kerberos is the default authentication method. And, depending on the service you're using, you might find that you're using all of these different methods throughout the day.

Network Access Control is another sort of access control. This means you can prevent users from connecting to the network until they've completed a particular authentication process. This is known as 802.1X, port-based Network Access Control, or just NAC. Although 802.1X is most commonly associated with wireless network authentication, it can also be used for wired authentication.

We frequently combine 802.1X and EAP. The Extensible Authentication Protocol is a framework that may be used to create a variety of authentication protocols. We probably have a RADIUS server, an LDAP server, a TACACS+ server, a Kerberos server, or some other form of authentication service on the back end.

When a user attempts to connect to the network for the first time, 802.1X blocks the connection and prompts the user for credentials. The user provides the username, password, and any other authentication credentials, which are then checked against these databases on the back end to ensure that the user has the appropriate access. If everything checks out, the user is able to connect to the network.