If you’re planning to take the SY0-501 version of the Security+ exam, you should understand how remote access authentication mechanisms work. This includes knowing which ports need to be opened for various protocols.
For example, can you answer this question?
Q. A recent update to your organization’s security policy mandated that all network devices authenticate on the network. Additionally, management wants to record accounting information for these devices. To support this, IT administrators have configured a TACACS+ server for authentication and a RADIUS server for accounting. What port should the network devices use for secure authentication?
A. TCP 49
B. UDP 1813
C. TCP 88
D. UDP 636
E. TCP 389
F. UDP 1812
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
An important step when implementing a VPN is to ensure only authorized entities can access it. Authorization begins with authentication, and VPNs support multiple methods of authentication.
PAP
Password Authentication Protocol (PAP) is used with Point-to-Point Protocol (PPP) to authenticate clients. A significant weakness of PAP is that it sends passwords over a network in cleartext, representing a significant security risk.
PPP was primarily used with dial-up connections. Believe it or not, there was a time when the thought of someone wiretapping a phone was rather remote. Because of this, security was an afterthought with PPP. Today, PPP is only used as a last resort due to passwords being passed in cleartext, or it is used with another protocol that provides encryption.
CHAP
Challenge Handshake Authentication Protocol (CHAP) also uses PPP and authenticates remote users, but it is more secure than PAP. The goal of CHAP is to allow the client to pass credentials over a public network (such as a phone or the Internet) without allowing attackers to intercept the data and later use it in an attack.
The client and server both know a shared secret (similar to a password) used in the authentication process. However, the client doesn’t send the shared secret over the network in plaintext as PAP does. Instead, the client hashes it after combining it with a nonce (number used once) provided by the server. This handshake process is used when the client initially tries to connect to the server, and at different times during the connection.
MS-CHAP and MS-CHAPv2
Microsoft introduced Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) as an improvement over CHAP for Microsoft clients. MS-CHAP supported clients as old as Windows 95. Later, Microsoft improved MS-CHAP with MS-CHAPv2.
A significant improvement of MS-CHAPv2 over MS-CHAP is the ability to perform mutual authentication. Not only does the client authenticate to the server, but the server also authenticates to the client. Mutual authentication provides assurances of the server’s identity before the client transmits data, which reduces the risk of a client sending sensitive data to a rogue server.
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a centralized authentication service. Instead of each individual VPN server needing a separate database to identify who can authenticate, the VPN servers forward the authentication requests to a central RADIUS server. RADIUS can also be used as an 802.1X server with WPA2 Enterprise mode.
TACACS+
Terminal Access Controller Access-Control System Plus (TACACS+) is the Cisco alternative to RADIUS. It provides two important security benefits over RADIUS. First, it encrypts the entire authentication process, whereas RADIUS encrypts only the password. Second, TACACS+ uses multiple challenges and responses between the client and the server.
Although CISCO created TACACS+, it can interact with Kerberos. This allows a Cisco VPN concentrator to interact in a Microsoft Active Directory environment. As a reminder, Microsoft Active Directory uses Kerberos for authentication.
Organizations also use TACACS+ as an authentication service for network devices. In other words, you can use it to authenticate users before they are able to access a configuration page for a router or a switch. The network devices must be TACACS+ enabled, and a TACACS+ server provides the authentication services.
Diameter
Diameter is an extension of RADIUS and many organizations have switched to it due to its extra capabilities. Diameter adds several other commands beyond the capabilities of RADIUS, along with adding new commands that can be used with EAP. Diameter uses TCP instead of UDP used by RADIUS. A key benefit is that it is backwards compatible with RADIUS and provides an upgrade path from RADIUS to Diameter.
In geometry, the diameter of a circle is a straight line between the two edges of a circle, whereas the radius is a straight line from the center to an edge. In other words, the diameter of a circle is twice as long as the radius. The designers considered this when naming Diameter to indicate indirectly that it is twice as good as RADIUS.
AAA Protocols
AAA protocols provide authentication, authorization, and accounting. Authentication verifies a user’s identification. Authorization determines if a user should have access. Accounting tracks user access with logs.
As an example, RADIUS, TACACS+, and Diameter are considered AAA protocols because they provide all three services. They authenticate users who attempt remote access, determine if the user is authorized for remote access by checking a database, and then record the user’s activity. TACACS+ uses multiple challenges and responses during a session. Kerberos is sometimes referred to as an AAA protocol, but it does not provide any accounting services.
Q. A recent update to your organizations security policy mandated that all network devices authenticate on the network. Additionally, management wants to record accounting information for these devices. To support this, IT administrators have configured a TACACS+ server for authentication and a RADIUS server for accounting. What port should the network devices use for secure authentication?
A. TCP 49
B. UDP 1813
C. TCP 88
D. UDP 636
E. TCP 389
F. UDP 1812
Answer is A. The network devices should be configured to use TCP port 49 for authentication. Terminal Access Controller Access-Control System Plus (TACACS+) encrypts the entire authentication process and uses TCP port 49 by default.
Remote Authentication Dial-In User Service (RADIUS) uses port 1813 for accounting.
Kerberos uses TCP port 88 but the scenario doesn’t indicate that Kerberos is in use.
Lightweight Directory Access Protocol (LDAP) uses port 389 and LDAP Secure (LDAPS) uses port 636 but there isn’t any indication that LDAP or LDAPS is used in this scenario.
RADIUS uses port 1812 for authentication but the question states that TACACS+ is to be used for authentication.
Chapter 4 of the CompTIA Security+ Get Certified Get Ahead: SY0-501 Study Guide covers TACACS+. The Security+ Ports blog page (https://blogs.getcertifiedgetahead.com/understanding-ports/) includes a table of common ports.
