Duration: 2 days

Back to course list Home
Synopsis A two-day seminar dealing with the myriad protocols making up Authentication, Authorization and Accounting: Focusing on the common protocols and implementations of Active Directory (LDAP/Kerberos), NIS, RADIUS, Diameter, as well as legacy methods likely to be supported in various enterprise deployments. A primer on encryption is discussed as well, along with packet level dumps and analyses.
Target Audience Developers wishing to understand how authentication protocols work; Network engineers who need to debug protocols at the packet level.
  • Explain the evolution of AAA mechanisms, from local authentication to distributed authentication
  • Explain the leading authentication schemes, notably Active Directory
  • Explain how encryption integrates into AAA schemes to provide security
Exercises This course is an instructor-led presentation. Instructor provides many demonstrations, though generally there are no exercises.
1. AAA(A): Introduction
2 hours
Explanation of the key tenets of AAA, as well as the elusive fourth "A": Auditing. Topics covered include:
  • AAA - broken down to its constituents
    • Auditing
      • AAA deployments: Push
        • AAA deployments: Pull
          • AAA in roaming deployments
            • Single Sign On
              • Multi-Factor Authentication
                • AAA elements and building blocks
                  2. Cryptography: A primer
                  2 hours
                  Basic foundations of cryptogrpahy used in AAA - symmetric and assymetric encryption and authentication
                  • Encryption algorithms: Stream and Block ciphers
                    • Hash functions
                      • Symmetric Encryption algorithms as authenticators
                        • Asymmetric (PKI) Encryption - Diffie Hellman and RSA
                          • Asymmetric encryption algorithms as authenticators
                            3. Legacy Authentication: UNIX
                            1 hours
                            Discussing the evolution of UNIX authentication, from the venerable /etc/passwd file, through the shadow file, culminating in NIS and PAM. Topics include:
                            • /etc/passwd - world readable, DES encryption
                              • /etc/shadow - better security, better encrypion
                                • Distributed authentication through YP and NIS
                                  • Pluggable Authentication Module
                                    • PAM Modules - deployment and configuration
                                      4. Legacy Authentication: Windows
                                      1 hours
                                      Discussing the evolution of Windows authentication, from the old and insecure protocols of LAN Manager to NTLMv2.
                                      • Windows Security Accounts Manager (SAM) database
                                        • The Windows Registry
                                          • Encrypting passwords
                                            • The Lan Manager Hash
                                              • NTLM and NTLMv2
                                                • NTLM over HTTP
                                                  Day 2
                                                  5. Kerberos
                                                  1 hours
                                                  Explaining the ideas behind Kerberos (RFC1534) and its Windows implementation. Topics include:
                                                  • Centralized security
                                                    • Kerberos Authentication Servers
                                                      • Tokens and Tickets
                                                        • Kerberos at the packet level
                                                          6. LDAP
                                                          2 hours
                                                          Explaining the need for centralized directories, and the implementations of DAP and LDAP, down to the packet level
                                                          • LDAP fundamentals
                                                            • RFCs: 4510 through 4518 and X.500
                                                              • Accessing directories
                                                                • LDAP Tools
                                                                  • LDAP at the packet level
                                                                    • LDAP + Kerberos = AD
                                                                      6. RADIUS and Diameter
                                                                      2 hours
                                                                      Explaining the authentication frameworks of the Remote Authentication Dial-In Users Service (RADIUS) and its successor, DIAMETER
                                                                      7. EAP
                                                                      1 hours
                                                                      The Extensible Authentication Protocol, and its various sub protocols:
                                                                      • Extending Authentication
                                                                        • EAP-MD5
                                                                          • EAP-TLS
                                                                            • EAP and RADIUS interoperability
                                                                              • PEAP
                                                                                • EAPoL: 802.1x