Security+ Identity and Access Management Notes

---- Access Control Process ----

3 Steps of the Access Control Process
  1. Identification - Claim of identity - provides appropriate credentials (assertion only) - nothing is presented
  2. Authentication - Proof of Identity - Identity gets verified
  3. Authorization - What you can access

---- Authentication ----

Authentication, Authorization & Accounting (AAA) includes 5 different authentication factors, namely:
  1. Something you Know → Mannually configured Username & Password, PIN or answers to some security questions
  2. Something you Are → Finger print, Iris scan, Retinal scan, voice print, facial recognition or some combination thereof
  3. Something you Have → Smart card, Security badge, an autogenerated temporary PIN or One Time Password (OTP)
  4. Something you Do → Picture password (involves drawing lines or shapes on a picture) or gestures
  5. Somewhere you Are → GPS Location or Location via a public IP subnet address
Multi-factor Authentication
The authetication processes must come from different factors (above) to be considered Multi-Factor Authentication (MFA). For example:
Authentication Process CombinationMFA?Why or Why not?
Password + PINNoSomething you know + Something you knowSame Factors
Finger Print + Draw a PatternYesSomething you Are + Something you DoDifferent Factors
Facial Recognition + Smart CardYesSomething you Are + Something you HaveDifferent Factors
GPS Location + User CredentialsYesSomewhere you Are + Something you KnowDifferent Factors
Voice Print + Retinal ScanNoSomething you Are + Something you AreSame Factors
Iris Scan + Finger Print + PINYes2 x Something you Are + Something you KnowDifferent factor on the last process than on the first two processes
Voice Recognition + Facial Recognition + Finger PrintNo3 x Something you AreSame Factors
User Credentials + Finger Print + Credit CardYesSomething you Know + Somthing you Are + Something you HaveDifferent Factors on all three processes
The major components of AAA are:

Authentication Error and Vulnerability Management

Authentication Methods


Authentication Protocols

ProtocolTCP or UDPPort #Description
Password Authentication Protocol (PAP)TCP3666A simple authentication protocol in which the user credentials are sent in plain text (unencrypted) - Insecure
Challenge Handshake Authentication Protocol (CHAP)NAruns at Data Link LayerA protocol that sends usernames in plain text, but uses Message Digest version 5 (MD5) encryption to send passwords to an authenticator via Point-to-Point Protocol (PPP) to provide on-demand authentication with on-going data transmission - Secure
MicroSoft - CHAP (MS-CHAP)NAruns at Data Link LayerMicrosoft's version of CHAP which came with version 1 and version 2 - both versions are insecure.
However, MS-CHAP can be used with the following protocols to enhance security:
Extensible Authentication Protocol (EAP)NAruns at Data Link LayerAn authentication framework which supports multiple authentication methods
Remote Authentication Dial In User Service (RADIUS)TCP and UDP1812 - Athentication ProcessAn access server authentication and accounting protocol that manages a single "database" of users, which allows for authentication (verifying user name and password) as well as configuration information detailing the type of service to deliver to the user (for example, SLIP, PPP, telnet, rlogin). RADIUS uses UDP.
1645 - Authentication Request
1813 - Accounting Process
1646 - Accounting Request
Terminal Access Controller Access-Control System (TACACS)TCP49A security application that provides centralized validation of users attempting to gain access to a router or network access server
KerberosTCP and UDP88Designed to provide strong authentication for client/server applications by using a symmetric secret-key cryptography which is Ticket-based (see below)
Kerberos Process
Please review the Kerberos authentication process for more information.
Light weight Directory Protocol (LDAP)TCP and UDP389 (unencrypted)Insecure protocol for authentication that uses BIND to authenticate users, except the connection is unencrypted
636 (encrypted)Secure protocol for authentication that uses BIND to authenticate users
New Technology Login Management (NTLM)UDP137 - NetBIOS NameNot secure (Microsoft recommends disabling) - This was widely used on older Windows systems before Kerberos and LDAP became widely available - Uses the Security Account Manager (SAM) to validate users
UDP138 - NetBIOS Netlogon and Browsing
TCP139 - NetBIOS Session

 * IANA assigns TCP/UDP port numbers to the protocols that operate at the Transport layer of the OSI model and are listed on IANA's Service Name and Trasport Protocol Port Number Registry.

Kerberos Authentication Process

---- Access Management ----

The navigation options for this page are: