SY0-701 | Chapter 52 of 212 | Objective 1.2

LDAP, RADIUS, and TACACS+ for Auth

This chapter covers three critical authentication protocols for SY0-701 Objective 1.2: LDAP, RADIUS, and TACACS+. These protocols are the backbone of centralized authentication in enterprise networks, enabling secure access control for users and devices. Understanding their differences, use cases, and security implications is essential for the exam and for real-world network administration. We'll explore how each protocol works, where it is deployed, and common attack vectors.

25 min read
Intermediate
Updated May 31, 2026

The Airport Security Gate Analogy

Imagine a large international airport with multiple airlines. Each airline has its own check-in counter where passengers present their tickets and IDs. The counter agents verify the passenger's identity and check them into the system. This is like LDAP, where each application (airline) directly queries a central directory (the airport's database) to authenticate users. Now, consider a single security checkpoint that all passengers must pass through before reaching the gates. A TSA agent checks IDs and boarding passes, then issues a stamped pass that is valid for all gates. This is RADIUS: a centralized authentication server that validates credentials and grants access to network resources. Finally, think of a VIP lounge with its own separate security. A dedicated guard verifies each guest's membership, logs every action, and controls access to specific areas. This is TACACS+, which provides granular authorization and full accounting for administrative access to network devices. The key difference: LDAP is like each airline checking your ID separately, RADIUS is like a single TSA checkpoint for all gates, and TACACS+ is like a private security team for the VIP lounge, controlling exactly what each guest can do inside.

How It Actually Works

What They Are and the Threats They Address

LDAP (Lightweight Directory Access Protocol), RADIUS (Remote Authentication Dial-In User Service), and TACACS+ (Terminal Access Controller Access-Control System Plus) are all protocols used for authentication, authorization, and accounting (AAA). However, they serve different purposes and operate at different layers.

LDAP is a directory service protocol used to query and modify directory information, such as user accounts in Active Directory. It is primarily used for authentication and authorization against a centralized directory. The risk it addresses is password sprawl and fragmented identity data: a central directory gives a single source of truth for user identities and enables centralized management.

RADIUS is a networking protocol that provides AAA for network access. It is commonly used for VPN, wireless (802.1X), and dial-up connections. The threat it addresses is unauthorized network access by enforcing authentication before granting network connectivity.

TACACS+ is a Cisco-proprietary AAA protocol that separates authentication, authorization, and accounting. It is used for administrative access to network devices (routers, switches, firewalls). The threat it addresses is the need for granular control over who can execute specific commands on network infrastructure.

How They Work Mechanically

LDAP Authentication Process:

1. A user attempts to log in to an application (e.g., email, file server).
2. The application sends a BIND request to the LDAP directory server (e.g., Active Directory) with the user's DN (Distinguished Name) and password.
3. The LDAP server verifies the password against its database and returns a success or failure message.
4. If successful, the application may perform an LDAP search to retrieve group memberships or attributes for authorization.
5. The application grants or denies access based on the returned data.

Key ports: LDAP uses TCP/UDP 389; LDAPS (secure) uses TCP 636. LDAPv3 is defined in RFC 4511.

RADIUS Authentication Process:

1. A user connects to a Network Access Server (NAS) such as a wireless access point or VPN concentrator.
2. The NAS sends an Access-Request packet to the RADIUS server containing the username, password (hashed), and NAS identifier.
3. The RADIUS server checks its database (or forwards to an external identity source like LDAP) and responds with an Access-Accept, Access-Reject, or Access-Challenge (for MFA).
4. On Access-Accept, the server includes attributes like IP address, session timeout, and VLAN assignment.
5. The NAS allows the connection and starts accounting by sending Accounting-Start and Accounting-Stop packets.

Key ports: RADIUS uses UDP 1812 for authentication and UDP 1813 for accounting. Older implementations use UDP 1645/1646. RADIUS is defined in RFC 2865 and 2866.

TACACS+ Authentication Process:

1. A user attempts to log in to a network device (e.g., Cisco router) via SSH or console.
2. The device sends a TACACS+ authentication packet to the TACACS+ server containing the username and password.
3. The server responds with an ACCEPT, REJECT, or ERROR.
4. If accepted, the device then sends an authorization request for the specific command the user wants to execute.
5. The server responds with PERMIT or DENY based on the user's privilege level or command set.
6. All actions are logged via accounting packets.

Key ports: TACACS+ uses TCP 49. It is a Cisco proprietary protocol (RFC 1492 defines the original TACACS, but TACACS+ is not an IETF standard).

Key Components, Variants, and Standards

LDAP: Directory Information Tree (DIT), entries, attributes, DNs, LDAP Data Interchange Format (LDIF). Variants: OpenLDAP, Microsoft Active Directory (which uses LDAP with Kerberos). Security: LDAPS (LDAP over SSL) or StartTLS (upgrades plain LDAP to TLS).

RADIUS: RADIUS client (NAS), RADIUS server, shared secret for packet integrity. Variants: FreeRADIUS, Microsoft NPS. Extensions: RADIUS over TLS (RadSec) for secure transport. Common attributes: User-Name, User-Password (RADIUS encrypts only the password, not the entire packet).

TACACS+: TACACS+ client (network device), TACACS+ server (e.g., Cisco ACS, ISE). It encrypts the entire packet body (except the header), providing better confidentiality than RADIUS. It separates AAA functions, allowing independent control.

How Attackers Exploit or Defenders Deploy

LDAP Attacks:

- LDAP Injection: Attackers inject LDAP filter strings into user input fields to manipulate queries. Mitigation: input validation, parameterized queries.
- Anonymous LDAP BIND: If allowed, attackers can enumerate users. Mitigation: disable anonymous binds.
- Man-in-the-Middle: Without LDAPS, credentials can be intercepted. Mitigation: enforce LDAPS or StartTLS.

RADIUS Attacks:

- Shared Secret Cracking: The shared secret between NAS and RADIUS server can be brute-forced if weak. Mitigation: use strong secrets and rotate them.
- Replay Attacks: RADIUS uses a Request Authenticator (random number) to prevent replay, but older implementations may be vulnerable. Mitigation: use RadSec or IPsec.
- RADIUS Accounting Spoofing: Attackers can send fake accounting packets to disrupt billing or logging. Mitigation: validate source IP and use shared secret.

TACACS+ Attacks:

- Packet Sniffing: The packet body is encrypted, but an attacker who gains network access may attempt to decrypt captured traffic if the encryption is weak; TACACS+ derives that encryption from the shared secret, so the secret is the weak point. Mitigation: use strong secrets and consider IPsec.
- Session Hijacking: If an attacker intercepts a TACACS+ session, they could inject commands. Mitigation: use SSH for device access, not plaintext.

Real Command/Tool Examples

LDAP Query Example (using ldapsearch):

ldapsearch -x -H ldap://ldap.example.com -b "dc=example,dc=com" "(uid=jdoe)"

This performs an anonymous search for user jdoe.

RADIUS Configuration Snippet (FreeRADIUS users file):

jdoe Cleartext-Password := "securepass123"
	Reply-Message = "Welcome!",
	Framed-IP-Address = 192.168.1.100,
	Session-Timeout = 3600

TACACS+ Configuration on Cisco Device:

aaa new-model
!
tacacs server TACACS_SERVER
 address ipv4 10.1.1.1
 key mysecretkey
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
! per-command authorization and accounting, as described in the walk-through
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

Walk-Through

1. LDAP Authentication Sequence

Step 1: User initiates login to an application that supports LDAP authentication. The application constructs an LDAP BIND request containing the user's DN (e.g., cn=jdoe,ou=users,dc=example,dc=com) and password.
Step 2: The LDAP server receives the request on port 389 (or 636 for LDAPS). It verifies the DN exists and the password matches. If using SASL (Simple Authentication and Security Layer), the process may involve Kerberos or other mechanisms.
Step 3: The server returns a BIND response: success (resultCode 0) or failure (e.g., invalidCredentials).
Step 4: On success, the application may perform an LDAP SEARCH to retrieve the user's group memberships or other attributes. The search uses a filter like (&(objectClass=user)(memberOf=cn=admins,ou=groups,dc=example,dc=com)).
Step 5: The application uses the returned attributes to make authorization decisions (e.g., allow access to certain files).
Logs: the LDAP server logs all BIND attempts, including success/failure and source IP.

2. RADIUS Access-Request to Access-Accept

Step 1: A user connects to a NAS (e.g., wireless access point). The NAS sends an Access-Request UDP packet to the RADIUS server (port 1812). The packet includes the username, password (encrypted with the shared secret), NAS IP, and a Request Authenticator (random number).
Step 2: The RADIUS server checks the shared secret and decrypts the password. It authenticates the user against its local database or an external source (e.g., LDAP).
Step 3: The server responds with Access-Accept (includes attributes like IP address, session timeout), Access-Reject, or Access-Challenge (for MFA).
Step 4: The NAS applies the attributes from Access-Accept (e.g., assigns VLAN) and allows the connection.
Step 5: The NAS sends Accounting-Start (port 1813) to begin logging, and Accounting-Stop when the session ends.
Logs: RADIUS server logs authentication attempts and accounting records (session ID, start/stop times, bytes transferred).
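The shared-secret mechanics behind Steps 1 and 2 above (and behind the "encrypts only the password" point in the mechanics section) are defined in RFC 2865: the User-Password attribute is XORed with a chained MD5 of the secret and the Request Authenticator, and every response carries a Response Authenticator that only a holder of the secret can compute. The following Python is an added example written for this chapter, not code from the page or from any RADIUS implementation; the secret, identifiers and attribute values are constructed, and it shows why a NAS that checks the Response Authenticator will reject an Access-Accept forged without the secret.

```python
"""Added example (not from the chapter): RFC 2865 shared-secret mechanics.

hide_password / reveal_password implement the User-Password hiding scheme,
build_response / response_is_authentic the Response Authenticator check.
All values below are constructed for illustration."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_SESSION_TIMEOUT = 1, 2, 27


def new_request_authenticator() -> bytes:
    """16 random bytes; a fresh value per request is what defeats simple replay."""
    return os.urandom(16)


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret || previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: regenerate the same MD5 chain and XOR it back out."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(chunk, block))
        prev = chunk
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length includes the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_response(code: int, ident: int, attrs: bytes,
                   request_auth: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def response_is_authentic(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: recompute the Response Authenticator for the outstanding
    request and compare in constant time before honouring an Access-Accept."""
    head, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    ra = new_request_authenticator()
    hidden = hide_password(b"securepass123", secret, ra)
    print("hidden User-Password:", hidden.hex())
    print("server recovers     :", reveal_password(hidden, secret, ra))
    accept = build_response(ACCESS_ACCEPT, 7,
                            attr(ATTR_SESSION_TIMEOUT, (3600).to_bytes(4, "big")),
                            ra, secret)
    print("Access-Accept authentic :", response_is_authentic(accept, ra, secret))
    forged = build_response(ACCESS_ACCEPT, 7, b"", ra, b"guess")
    print("forged with wrong secret:", response_is_authentic(forged, ra, secret))
```

Note that the username and every other attribute travel in the clear; only the 16-byte password blocks are hidden, and the hiding is keyed by nothing but the secret and a public Request Authenticator, which is why the chapter insists on long random secrets and on RadSec or IPsec for the transport.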

3. TACACS+ Authentication and Authorization

Step 1: A user attempts to log in to a Cisco router via SSH. The router sends a TACACS+ authentication packet (TCP 49) containing the username and password. The entire packet body is encrypted using the shared secret.
Step 2: The TACACS+ server verifies credentials and responds with ACCEPT, REJECT, or ERROR.
Step 3: If ACCEPT, the router then sends an authorization request for the user's shell (exec) access. The server responds with attributes like privilege level (e.g., priv-lvl=15).
Step 4: When the user types a command (e.g., configure terminal), the router sends an authorization request for that command. The server checks if the user is permitted and responds PERMIT or DENY.
Step 5: The router logs all commands via accounting packets sent to the TACACS+ server.
Logs: TACACS+ server records authentication, authorization, and accounting events with timestamps and source IPs.
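To make "encrypts the entire packet body except the header" concrete, here is an added Python example (written for this chapter, not code from the page, from Cisco, or from any TACACS+ server) that builds the command-authorization request of Step 4 and obfuscates it the way RFC 8907, the IETF's informational write-up of the protocol, specifies: the 12-byte header with version, sequence number and session ID is sent in the clear, and the body is XORed with a chained-MD5 pseudo-pad derived from those header fields and the shared key. Usernames, addresses and the session ID are constructed; the key reuses the value from the Cisco snippet above.

```python
"""Added example (not from the chapter): TACACS+ header-in-clear, body-obfuscated
packet layout and pseudo-pad per RFC 8907. All values are constructed."""
import hashlib
import struct

TAC_PLUS_VERSION = (0xC << 4) | 0x0    # major version 0xc, minor 0
TAC_PLUS_AUTHOR = 0x02                 # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01       # set only when a body is deliberately sent in clear


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream: MD5(session_id|key|version|seq_no), then each further block
    hashes the same seed plus the previous digest, until `length` bytes exist."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def author_request_body(user: str, port: str, rem_addr: str, priv_lvl: int, args: list) -> bytes:
    """Authorization REQUEST body asking whether `user` may run the command in
    `args`, e.g. ["service=shell", "cmd=configure", "cmd-arg=terminal"]."""
    authen_method, authen_type, authen_service = 0x06, 0x01, 0x01   # tacacs+, ascii, login
    ub, pb, rb = user.encode(), port.encode(), rem_addr.encode()
    ab = [a.encode() for a in args]
    fixed = struct.pack("!8B", authen_method, priv_lvl, authen_type, authen_service,
                        len(ub), len(pb), len(rb), len(ab))
    return fixed + bytes(len(a) for a in ab) + ub + pb + rb + b"".join(ab)


def build_packet(body: bytes, session_id: int, key: bytes,
                 seq_no: int = 1, ptype: int = TAC_PLUS_AUTHOR) -> bytes:
    """Clear header (version, type, seq_no, flags, session_id, length) + obfuscated body."""
    enc = obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, ptype, seq_no, 0x00, session_id, len(enc))
    return header + enc


def parse_packet(packet: bytes, key: bytes) -> dict:
    """Server side: read the clear header, then de-obfuscate the body with the key."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "session_id": session_id, "body": body}


if __name__ == "__main__":
    body = author_request_body("jdoe", "tty2", "10.1.1.50", 15,
                               ["service=shell", "cmd=configure", "cmd-arg=terminal"])
    pkt = build_packet(body, 0x12345678, b"mysecretkey")
    print("clear header :", pkt[:12].hex())
    print("body on wire :", pkt[12:].hex())
    print("recovered    :", parse_packet(pkt, b"mysecretkey")["body"])
```

Because the session ID, version and sequence number are readable by anyone on the path, the shared key is the only secret in the pseudo-pad; a weak or widely reused key is exactly the exposure the "Packet Sniffing" bullet above warns about, and it is why that bullet recommends strong keys plus IPsec for the transport.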

4. LDAP Injection Exploit

Step 1: An attacker finds a web application that uses LDAP for authentication and does not sanitize input. For example, a login form that constructs an LDAP filter like (&(uid=USER)(userPassword=PASS)).
Step 2: The attacker enters a malicious username like admin)(|(uid=*)) to bypass authentication. The filter becomes (&(uid=admin)(|(uid=*))(userPassword=anything)).
Step 3: The LDAP server processes the filter: read literally, the outer AND should match only if the uid is admin AND the OR condition (which matches any uid) is true AND the password matches. In practice, the injected parentheses change the filter's structure, and many servers evaluate only the first complete filter they parse, so the password clause is effectively dropped and the filter matches regardless of password.
Step 4: The application receives a successful result and grants access.
Step 5: The attacker gains unauthorized access.
Logs: The LDAP server logs a successful BIND from the attacker's IP, but the injection may not be obvious without detailed query logging.
Mitigation: use parameterized LDAP queries and input validation.
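The mitigation in this walk-through and in the "LDAP Attacks" list (escaping or parameterizing the filter) is short enough to show in full. Below is an added Python example written for this chapter, not code from the page or from any LDAP library: it builds the injectable concatenated filter from the walk-through beside an RFC 4515-escaped version, and includes a small helper that mimics a lenient server by evaluating only the first balanced filter, so you can see the password clause fall away. One detail worth noting: concatenating the page's input `admin)(|(uid=*))` actually yields `(&(uid=admin)(|(uid=*)))(userPassword=anything))`, one parenthesis different from the page's rendering, and it is the leading balanced portion `(&(uid=admin)(|(uid=*)))` that a lenient parser evaluates.

```python
"""Added example (not from the chapter): building LDAP search filters safely.

Contrasts the injectable concatenation from the walk-through with an
RFC 4515-escaped filter, and shows what a lenient parser would evaluate."""

# RFC 4515 section 3: these characters must be escaped inside an assertion
# value as a backslash followed by the byte's two hex digits.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape user-supplied text for use as an LDAP filter assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def vulnerable_login_filter(user: str, password: str) -> str:
    """The chapter's injectable pattern: raw concatenation into the filter."""
    return f"(&(uid={user})(userPassword={password}))"


def safe_login_filter(user: str, password: str) -> str:
    """Same filter with both values escaped; metacharacters lose their meaning."""
    return (f"(&(uid={escape_filter_value(user)})"
            f"(userPassword={escape_filter_value(password)}))")


def dn_lookup_filter(user: str) -> str:
    """Preferred design: locate the entry by escaped uid, then authenticate with
    a BIND as that DN (Steps 2-3 of the LDAP walk-through) rather than
    matching userPassword inside a search filter at all."""
    return f"(&(objectClass=person)(uid={escape_filter_value(user)}))"


def leading_filter(filter_str: str) -> tuple:
    """Return (first balanced filter, trailing remainder).

    Lenient LDAP servers evaluate only the leading balanced filter, which is
    why a stray ')' in the input lets an attacker truncate the password clause."""
    depth = 0
    for i, ch in enumerate(filter_str):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return filter_str[: i + 1], filter_str[i + 1:]
    return filter_str, ""


if __name__ == "__main__":
    # Constructed input mirroring the chapter's injection walk-through.
    evil_user, any_password = "admin)(|(uid=*))", "anything"
    bad = vulnerable_login_filter(evil_user, any_password)
    good = safe_login_filter(evil_user, any_password)
    print("concatenated:", bad)
    print("evaluated   :", leading_filter(bad)[0])   # password clause is gone
    print("escaped     :", good)                      # one filter, uid literal
```

In the escaped form the attacker's parentheses and wildcard become the literal characters `\29`, `\28` and `\2a`, so the server looks for a uid that is literally `admin)(|(uid=*))` and finds nothing; the `dn_lookup_filter` plus BIND pattern goes one step further by never putting the password into a filter.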

5. RADIUS Shared Secret Brute Force

Step 1: An attacker captures RADIUS packets (Access-Request and Access-Accept) using a network sniffer. The password is encrypted, but the shared secret is used in the encryption.
Step 2: The attacker knows the Request Authenticator (random number) and the encrypted password. They can attempt to brute-force the shared secret offline by trying keys and checking if the decrypted password makes sense.
Step 3: If the shared secret is weak (e.g., 'cisco'), the attacker recovers it quickly.
Step 4: With the shared secret, the attacker can forge Access-Accept packets, granting unauthorized access to any NAS.
Step 5: The attacker can also decrypt accounting data.
Logs: The RADIUS server may not log failed brute-force attempts if the attacker is offline.
Mitigation: use strong shared secrets (long, random) and rotate them regularly.

What This Looks Like on the Job

Scenario 1: Enterprise Wireless Network with RADIUS

A large corporation uses RADIUS (Microsoft NPS) to authenticate employees connecting to corporate Wi-Fi via 802.1X. An analyst notices repeated failed authentication attempts from a specific MAC address. Using the NPS logs, the analyst sees the RADIUS server returning Access-Reject with reason 'Invalid credentials'. The analyst checks the user account and finds it is locked due to multiple failures. The correct response is to investigate the source: the MAC belongs to an old device with a cached wrong password. The common mistake is to immediately blame the RADIUS server or assume a brute-force attack without checking the user's account status.

Scenario 2: Administrative Access with TACACS+

A network engineer configures TACACS+ on all Cisco routers and switches to control admin access. One day, a junior admin accidentally enters a wrong command that causes a routing loop. The senior engineer uses TACACS+ accounting logs to identify exactly which user executed the command and when. The logs show the command 'router ospf 1' and 'network 0.0.0.0 255.255.255.255 area 0' from IP 10.1.1.50 at 14:32. The correct response is to revert the change and retrain the junior admin. A common mistake is to rely on syslog alone, which may not capture the username associated with each command.
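Both scenarios above come down to reading AAA logs correctly: Scenario 1 needs the repeated Access-Reject entries grouped by the calling station with the reject reason kept, so the analyst checks account status before calling it an attack; Scenario 2 needs each TACACS+ accounting record attributed to a user, device and time. The following Python is an added example written for this chapter, not code from the page, from NPS or from any TACACS+ server. The log lines are constructed in a simplified key=value form for the example and are not the real NPS or TACACS+ accounting formats; a real deployment would swap `parse_line` for a parser of its product's format and keep the grouping logic.

```python
"""Added example (not from the chapter): triaging AAA logs for the two
on-the-job scenarios. Log lines are constructed in a simplified key=value
form, not the real NPS or TACACS+ server formats."""
import re
from collections import Counter

# Constructed RADIUS authentication log (Scenario 1): one station keeps failing.
RADIUS_LOG = """\
2026-05-31T14:30:01 radius result=Access-Reject user=jdoe calling-station=AA-BB-CC-11-22-33 reason=invalid-credentials
2026-05-31T14:30:31 radius result=Access-Reject user=jdoe calling-station=AA-BB-CC-11-22-33 reason=invalid-credentials
2026-05-31T14:31:01 radius result=Access-Reject user=jdoe calling-station=AA-BB-CC-11-22-33 reason=invalid-credentials
2026-05-31T14:31:10 radius result=Access-Accept user=asmith calling-station=AA-BB-CC-44-55-66 reason=-
2026-05-31T14:31:31 radius result=Access-Reject user=jdoe calling-station=AA-BB-CC-11-22-33 reason=account-locked
"""

# Constructed TACACS+ command accounting log (Scenario 2).
TACACS_ACCT_LOG = """\
2026-05-31T14:31:55 tacacs acct=stop user=junior nas=10.1.1.50 priv=15 cmd="configure terminal"
2026-05-31T14:32:03 tacacs acct=stop user=junior nas=10.1.1.50 priv=15 cmd="router ospf 1"
2026-05-31T14:32:09 tacacs acct=stop user=junior nas=10.1.1.50 priv=15 cmd="network 0.0.0.0 255.255.255.255 area 0"
2026-05-31T14:35:40 tacacs acct=stop user=senior nas=10.1.1.50 priv=15 cmd="show ip route"
"""

# key=value pairs; values may be a quoted string (commands contain spaces) or a bare token
_KV = re.compile(r'(\w[\w-]*)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Split '<timestamp> <source> k=v k=v ...' into a dict of fields."""
    ts, source, rest = line.split(" ", 2)
    fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
    fields["ts"], fields["source"] = ts, source
    return fields


def reject_streaks(log: str, threshold: int = 3) -> dict:
    """Scenario 1: Access-Reject count per calling station at or over `threshold`,
    paired with the last reject reason so account lockout is visible at a glance."""
    counts, last_reason = Counter(), {}
    for line in log.splitlines():
        f = parse_line(line)
        if f.get("result") == "Access-Reject":
            station = f["calling-station"]
            counts[station] += 1
            last_reason[station] = f["reason"]
    return {mac: (n, last_reason[mac]) for mac, n in counts.items() if n >= threshold}


def who_ran(log: str, command_prefix: str) -> list:
    """Scenario 2: attribute a command to (time, user, device) from TACACS+ accounting,
    which syslog alone would not give you."""
    hits = []
    for line in log.splitlines():
        f = parse_line(line)
        if f.get("acct") == "stop" and f["cmd"].startswith(command_prefix):
            hits.append((f["ts"], f["user"], f["nas"], f["cmd"]))
    return hits


if __name__ == "__main__":
    for mac, (n, reason) in reject_streaks(RADIUS_LOG).items():
        print(f"{mac}: {n} rejects, last reason {reason}")
    for ts, user, nas, cmd in who_ran(TACACS_ACCT_LOG, "router ospf"):
        print(f"{ts} {user}@{nas}: {cmd}")
```

The `last reason` field is what separates the two readings of Scenario 1: a streak whose final reject says `account-locked` points to a stale credential that tripped lockout, which is the case the analyst resolved, whereas a streak of rejects against many different usernames from one station would look like guessing.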

Scenario 3: LDAP Integration for Single Sign-On

An organization uses Active Directory with LDAPS for SSO across multiple applications. A security audit reveals that one legacy application still uses plain LDAP (port 389) without TLS. An attacker on the same subnet could capture LDAP BIND requests and steal credentials. The correct response is to reconfigure the application to use LDAPS (port 636) or enable StartTLS. The common mistake is assuming that because the application is internal, it is safe. The auditor recommends using a service account with limited privileges for the LDAP bind instead of allowing anonymous queries.

How SY0-701 Actually Tests This

Exactly What SY0-701 Tests

Objective 1.2 covers AAA protocols, focusing on their differences and use cases. The exam expects you to know:

LDAP is a directory service protocol (not a full AAA protocol) used for authentication and authorization queries. It does not provide accounting.

RADIUS combines authentication and authorization in one packet and is used for network access (VPN, wireless). It uses UDP and encrypts only the password.

TACACS+ separates authentication, authorization, and accounting, encrypts the entire packet, and uses TCP. It is used for device administration.

Common Wrong Answers and Why Candidates Choose Them

1. Choosing RADIUS for device administration: Candidates think RADIUS is the default AAA protocol, but TACACS+ is specifically designed for controlling admin commands on network devices.

2. Saying LDAP provides accounting: LDAP is a directory protocol; it does not log user sessions or commands. Accounting is a feature of RADIUS and TACACS+.

3. Confusing RADIUS and TACACS+ ports: RADIUS uses UDP 1812/1813; TACACS+ uses TCP 49. Candidates often swap them.

4. Believing TACACS+ is an open standard: It is Cisco proprietary, though widely adopted. The exam may test that RADIUS is an IETF standard.

Specific Terms and Acronyms

NAS: Network Access Server (e.g., wireless AP, VPN concentrator).

Shared Secret: Pre-shared key used to encrypt RADIUS passwords and TACACS+ packets.

802.1X: Port-based network access control that often uses RADIUS for authentication.

EAP: Extensible Authentication Protocol, used with RADIUS for wireless authentication.

LDAPS: LDAP over SSL/TLS (port 636).

StartTLS: A command to upgrade a plain LDAP connection to TLS on port 389.

Common Trick Questions

A question may describe a scenario where a user needs to authenticate to a network device and then execute commands. The correct answer is TACACS+ because it separates auth and authorization. RADIUS would not provide command-level authorization.

Another question may ask which protocol is used to authenticate users connecting to a VPN. The answer is RADIUS, because it is designed for network access.

A trick question might describe LDAP as providing 'single sign-on' — while LDAP can be part of SSO, the exam may want you to know that Kerberos is the typical SSO protocol in Windows environments.

Decision Rule for Eliminating Wrong Answers

When you see a scenario question about AAA, ask: Is this for network access (VPN, wireless, dial-up) or device administration? If network access, eliminate TACACS+ and consider RADIUS. If device administration, eliminate RADIUS and consider TACACS+. If the question mentions 'directory' or 'user attributes', consider LDAP. Also, if the question mentions 'accounting' or 'command authorization', TACACS+ is the only one that separates these functions.

Key Takeaways

LDAP is a directory protocol for querying user attributes; it does not provide accounting.

RADIUS uses UDP 1812 for authentication and 1813 for accounting; it encrypts only the password.

TACACS+ uses TCP 49, encrypts the entire packet, and separates AAA functions.

RADIUS is used for network access (e.g., 802.1X wireless, VPN).

TACACS+ is used for administrative access to network devices.

LDAPS uses port 636; StartTLS upgrades port 389 to secure.

The shared secret in RADIUS and TACACS+ must be strong to prevent offline brute-force attacks.

TACACS+ provides command-level authorization, which RADIUS does not.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Feature       | RADIUS                                                   | TACACS+
Transport     | UDP (ports 1812/1813)                                    | TCP (port 49)
AAA handling  | Combines authentication and authorization in one packet  | Separates authentication, authorization, and accounting
Encryption    | Only the password                                        | The entire packet body
Standard      | IETF standard (RFC 2865)                                 | Cisco proprietary
Typical use   | Network access (VPN, wireless, dial-up)                  | Device administration (routers, switches)

Watch Out for These

Mistake: LDAP is a full AAA protocol like RADIUS and TACACS+.
Correct: LDAP is a directory access protocol. It can be used for authentication and authorization queries, but it does not natively support accounting. It is not considered a full AAA protocol.

Mistake: RADIUS encrypts the entire packet, including the username.
Correct: RADIUS encrypts only the password attribute using the shared secret. The rest of the packet, including the username, is sent in plaintext (though the shared secret is used for integrity via an MD5 hash).

Mistake: TACACS+ uses UDP for faster performance.
Correct: TACACS+ uses TCP (port 49) because it requires reliable delivery for command authorization and accounting. RADIUS uses UDP because it is stateless and fast for network access.

Mistake: RADIUS and TACACS+ can be used interchangeably.
Correct: They serve different purposes. RADIUS is for network access (user to network), while TACACS+ is for device administration (admin to device). They are not interchangeable.

Mistake: LDAP always uses port 389 for secure connections.
Correct: Port 389 is used for plain LDAP. Secure LDAP (LDAPS) uses port 636. Alternatively, StartTLS can upgrade a plain connection on port 389 to secure.

Frequently Asked Questions

What is the difference between RADIUS and TACACS+?

RADIUS is an IETF standard AAA protocol used for network access (VPN, wireless). It uses UDP, combines authentication and authorization in one packet, and encrypts only the password. TACACS+ is a Cisco proprietary protocol used for device administration. It uses TCP, separates authentication, authorization, and accounting, and encrypts the entire packet body. For the exam, remember: RADIUS for network access, TACACS+ for device management.

Does LDAP provide accounting?

No, LDAP is a directory access protocol, not a full AAA protocol. It can be used for authentication and authorization by querying directory entries, but it does not natively support accounting (logging of user sessions or commands). Accounting is a feature of RADIUS and TACACS+. If a question mentions accounting, the answer is likely RADIUS or TACACS+.

What port does LDAP use?

LDAP uses TCP/UDP port 389 for plaintext connections. LDAPS (LDAP over SSL/TLS) uses TCP port 636. Alternatively, StartTLS can be used on port 389 to upgrade to a secure connection. For the exam, know that 389 is unencrypted and 636 is encrypted.

Can RADIUS be used for device administration?

Technically yes, but it is not designed for that purpose. RADIUS does not support command-level authorization or separate accounting for individual commands. TACACS+ is the preferred protocol for device administration because it provides granular control over which commands an admin can execute. On the exam, if the scenario is about controlling admin commands on a router, choose TACACS+.

What is the shared secret in RADIUS?

The shared secret is a pre-shared key configured on both the RADIUS client (NAS) and the RADIUS server. It is used to encrypt the password in the Access-Request packet and to compute an MD5 hash for packet integrity. The shared secret must be kept confidential and should be strong (long and random) to prevent offline brute-force attacks. On the exam, know that the shared secret is used for encryption and integrity.

What is 802.1X and how does it relate to RADIUS?

802.1X is a port-based network access control standard that prevents unauthorized devices from connecting to a network. It uses EAP (Extensible Authentication Protocol) for authentication, and RADIUS is often the backend protocol that carries EAP messages between the authenticator (e.g., wireless access point) and the authentication server. For the exam, know that 802.1X typically relies on RADIUS for centralized authentication.

Is TACACS+ an open standard?

No, TACACS+ is a proprietary protocol developed by Cisco. While the original TACACS (RFC 1492) is an IETF standard, TACACS+ is not. This is a common exam point: RADIUS is an open standard, TACACS+ is proprietary. However, TACACS+ is widely supported in Cisco environments.
