AAA framework 0. Identification - Who you say you are - commonly a username or email

1. Authentication - Prove you are who you say you are - commonly via password
2. Authorization - What access do you have based on who you are
3. Accounting - Documenting what you do - login and logout times, data sent and received

AAA Server - Stores usernames, passwords, and other authentication information

• Used for verifying users' login information

Single sign-on (SSO)

• Provide our credentials once and remain logged in for a day (or any time period)
• The underlying authentication infrastructure must support SSO

RADIUS (Remote Authentication Dial-in User Service)

• A common AAA protocol for authentication
• Network devices, server authentication, VPN access
• Available on majority of OS's

LDAP (Lightweight Directory Access Protocol)

• Protocol for reading and writing directories over an IP network
• Allows to store more information than just username and password
• Uses X.500, both made by the ITU
• Used in Active Directory and stuff like that

X.500 - Computer networking standards for directory services

• Lets us assign attributes (fields) to a user or devices
• Example attributes: ST (State), O (Organization)

X.500 Directory Information Tree

• Hierarchy of information about devices and users on a network
• Information in the form of "objects" built in LDAP database
• 2 types of objects
  • Container objects: Examples country, organization, team
  • Leaf objects: Examples users, computers, printers

Security Assertion Markup Language (SAML)

• Standard for authentication and authorization
• Not originally designed for mobile apps

SAML Authentication Flow

3 parts:

1. Resource server
2. Client
3. Authorization server

Process:

1. A user visits an application at the resource server
2. The resource server requests a SAML token, user doesn't have one so server redirects them to the authentication server
3. The user logs into the auth server and receives a SAML token
4. The user presents the SAML token to the resource server
5. The resource server verifies the SAML token and grants the user access

TACACS (Terminal Access Controller Access-Control System)

• Remote authentication protocol created for ARPANET
• Latest version: TACACS+, Cisco-centric but open

MFA Factors:

• Something you know - password
• Something you have - mobile phone
• Something you are - fingerprint
• Somewhere you are - GPS

TOTP (Time-based One-time Password)

• Commonly generated by an MFA app on a mobile device
• Uses a secret key and the time of day to generate pseudo-random code