Authentication verifies identity before granting network access. CompTIA Network+ N10-009 tests authentication concepts including multi-factor authentication, authentication protocols (RADIUS, TACACS+, 802.1X, LDAP, Kerberos), and certificate-based authentication. Authentication questions appear throughout the Security domain and in wireless and VPN implementation contexts.
Authentication factors: Something you know (password, PIN, security question — weakest factor). Something you have (smart card, hardware token, phone — second factor). Something you are (biometrics — fingerprint, retina, facial recognition). Somewhere you are (location-based — GPS, IP geolocation). Something you do (behavioral — typing patterns, gait).
Multi-Factor Authentication (MFA): requires two or more factors from different categories. A password + OTP (one-time password) = MFA (something you know + something you have). Password + security question = NOT MFA (both are something you know — same category). 2FA is MFA with exactly two factors. MFA dramatically reduces account compromise risk — even if a password is stolen, the second factor is required.
Single Sign-On (SSO): authenticate once and access multiple systems without re-entering credentials. Examples: Kerberos (enterprise), OAuth/OIDC (web/cloud), SAML (federated identity). SSO improves user experience but makes the authentication system a high-value target.
RADIUS (Remote Authentication Dial-In User Service): UDP 1812 (authentication/authorization), UDP 1813 (accounting). Widely used for network device access control and 802.1X wireless. Encrypts only the password in Access-Request packets. Open standard.
TACACS+ (Terminal Access Controller Access-Control System Plus): Cisco proprietary. TCP 49. Encrypts the entire payload (more secure than RADIUS). Separates authentication, authorization, and accounting into distinct functions — more granular control. Preferred for network device administration (routers, switches) where per-command authorization is needed. RADIUS preferred for network access (802.1X).
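The contrast drawn above (RADIUS hides only the password, TACACS+ obfuscates the whole body) is easiest to see in the bytes. This is an added Python example, not code from CompTIA or any RADIUS/TACACS+ implementation: it implements the RFC 2865 User-Password hiding (MD5 of shared secret plus previous block, XOR-chained), builds a minimal Access-Request so the cleartext User-Name sits beside the hidden password, and applies the RFC 8907 TACACS+ pseudo-pad to an entire body. All secrets, usernames and session values are constructed sample data.

```python
import hashlib
import struct

def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: b1 = MD5(S + RA), c1 = p1 XOR b1, b2 = MD5(S + c1), ... (16-byte blocks)."""
    if len(authenticator) != 16 or not 0 < len(password) <= 128:
        raise ValueError("need a 16-byte Request Authenticator and a 1..128-byte password")
    padded = password.ljust((len(password) + 15) // 16 * 16, b"\x00")  # null-pad to 16n
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        hidden += prev  # the next block is keyed by this ciphertext block
    return hidden

def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of radius_hide_password; strips the null padding."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        clear += bytes(c ^ b for c, b in zip(prev, block))
    return clear.rstrip(b"\x00")

def build_access_request(username: bytes, password: bytes, secret: bytes,
                         authenticator: bytes, ident: int = 1) -> bytes:
    """Minimal Access-Request (Code 1): User-Name (Type 1) in clear, User-Password (Type 2) hidden."""
    hidden = radius_hide_password(password, secret, authenticator)
    attrs = bytes([1, 2 + len(username)]) + username + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def tacacs_obfuscate_body(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """RFC 8907 4.5: XOR the whole body with MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1). XOR makes it self-inverse."""
    hdr = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(hdr + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))

if __name__ == "__main__":
    # Constructed values; a real client draws a fresh random Request Authenticator per request.
    auth = bytes(range(16))
    pkt = build_access_request(b"alice", b"s3cret", b"sharedsecret", auth)
    print("User-Name in clear:", b"alice" in pkt, "| password in clear:", b"s3cret" in pkt)
```

Run the module directly to see the User-Name visible in the RADIUS packet while the password is not; the TACACS+ helper shows the whole body, username included, is obscured.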
LDAP (Lightweight Directory Access Protocol): TCP/UDP 389 (LDAPS: TCP 636). Protocol for accessing and maintaining directory services (user accounts, groups). Active Directory uses LDAP. RADIUS servers often authenticate against LDAP/AD for user validation.
Kerberos: ticket-based SSO authentication used in Windows Active Directory. Users authenticate to the KDC (Key Distribution Center) and receive tickets (TGT — Ticket Granting Ticket). Services exchange tickets rather than passwords. Uses symmetric encryption. Port 88.
Digital certificates use asymmetric cryptography (public/private key pairs) to authenticate without transmitting passwords. PKI (Public Key Infrastructure) manages certificate issuance and verification. CA (Certificate Authority) signs certificates, vouching for the identity of the certificate holder. Common uses: TLS/HTTPS server authentication, client certificate authentication (most secure), Wi-Fi Enterprise (EAP-TLS), VPN authentication.
EAP (Extensible Authentication Protocol): framework for wireless and VPN authentication. EAP-TLS: mutual certificate-based authentication (both client and server have certificates — most secure). EAP-TTLS/PEAP: server certificate only — client authenticates with credentials inside a TLS tunnel. 802.1X uses EAP.
Misconception: RADIUS and TACACS+ are interchangeable.
Reality: RADIUS uses UDP, encrypts only the password, and is preferred for network access (802.1X, VPN). TACACS+ uses TCP, encrypts the entire payload, separates AAA functions, and is preferred for network device management where per-command authorization is needed.
Misconception: A password plus a security question is MFA.
Reality: Both a password and a security question are 'something you know' — the same authentication factor category. MFA requires factors from different categories (know + have, or know + are).
These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.
A network team wants to implement centralized authentication for managing all network devices (routers, switches, firewalls) with the ability to log and control individual commands issued per user. Which AAA protocol is most appropriate?
Correct answer: TACACS+. Explanation: TACACS+ is the preferred protocol for network device administration because it separates authentication, authorization, and accounting into distinct functions, encrypts the entire session payload, and supports per-command authorization (each command can be individually permitted or denied per user). RADIUS is better suited for network access control (802.1X). LDAP is a directory access protocol, not an AAA protocol for device administration.
Authentication (AuthN): verifying who you are — 'prove your identity.' Methods: password, certificate, biometric. Authorization (AuthZ): determining what you are allowed to do after authentication — 'what can you access?' Methods: ACLs, roles, permissions. Accounting: recording what you did — 'what actions were taken?' Logged for audit, compliance, and forensics. All three together = AAA, implemented by RADIUS or TACACS+.