DOCSLIB.ORG

CIS 3500 1 Identity and Access Services

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
CIS 3500 1 Identity and Access Services . Chapter Objectives n Learn how to install and configure identity and access services n Understand how to compare and contrast the different Chapter #19: identity and access services Identity and Access Management Identity and Access Services 2 Identity and Access Services Identity and Access Services LDAP n To use a system, one must identify themselves with the n A directory is a data storage mechanism system in some form or fashion n It is designed and optimized for reading data n Identity and access services are comprised of hardware, n A directory offers a static view of data - easy to change software, and protocol elements n The Lightweight Directory Access Protocol (LDAP) is used to handle user authentication and authorization and to control access to Active Directory objects n To enable interoperability, the X.500 standard was created n Works over TCP 3 Identity and Access Services 4 Identity and Access Services CIS 3500 1 . Kerberos Kerberos n Kerberos is a network authentication protocol designed for a n The user presents credentials and requests a ticket from the Key client/server environment Distribution Server (KDS) n It is built around a trusted third party – key distribution center (KDC), n The KDS verifies credentials and issues a TGT (ticket-granting ticket) which has two logically separate parts: n The user presents a TGT and request for service to the KDS n an authentication server (AS) and n The KDS verifies authorization and issues a client-to-server ticket n The user presents a request and a client-to-server ticket to the n a ticket- granting server (TGS) n Kerberos communicates via “tickets” that proves the identity of users; desired service knows all the users IDs and has shared secrets with other services n If the client-to-server ticket is valid, service is granted to the client n Kerberos uses strong encryption so that the players can check each other’s identity 5 Identity and Access Services 6 Identity and Access Services TACACS+ TACACS+ n The Terminal Access Controller Access Control System+ n Typically operating over TCP port 49 (both TCP and UDP are reserved) n AAA protocol – with separated optional functions for each n Client/server protocol 7 Identity and Access Services 8 Identity and Access Services CIS 3500 2 . TACACS+ Authentication TACACS+ Authorization n Allows arbitrary le n g th a n d co n te n t in th e a u th e n tica tio n enabling many n TACACS+ authorization – determining permission associated different mechanisms to be used with a user action; site specific, can be optional n Authentication is o p tio n a l – site- configurable option n Default state is “unknown user” n Supports Point- to- Point Protocol (PPP) with Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), or n Authorization follows the authentication process (optional) and Extensible Authentication Protocol (EAP), token cards, and Kerberos uses the confirmed user identity n T hree different packet types: START, CONTINUE, and REPLY n It is using two message types: REQUEST and RESPONSE START and CONTINUE packets originate from the client and are directed The client issues an authorization REQUEST message to the TA C A C S + server The RESPONSE message is not a simple yes or no: can include The REPLY packet is used to com m unicate from the TACACS+ server to qualifying information, such as a user time limit or IP restrictions the client 9 Identity and Access Services 10 Identity and Access Services TACACS+ Accounting CHAP n When utilized, it typically follows the other services n Challenge Handshake Authentication Protocol (CHAP) provides authentication n Records what a user or process has done across a point- to- point link using PPP n Purpose: n A fter the link has been established authentication is not mandatory n account for services, possibly for billing purposes n CHAP provides authentication periodically through the use of a challenge/response system n generating security audit trails n It has inform ation from authentication and authorization n The initial challenge (a randomly generated number) is sent to the client n The client uses a one-way hashing function to calculate what the response should be and then n T hree types of records: START, STO P, and UPDATE sends this back n T hese are record types, not message types n The server compares the response to what it calculated the response should be START records the tim e and user or process that began n If they match, communication continues STOP records the stop tim es for specific actions n If the two values don’t match, then the connection is terminated n This mechanism relies on a shared secret between the two entities so that the correct values can UPDATE records in term ed iary n o tices th at a p articu lar task is still b ein g 11 Identity and Access Services 12 be calculated Identity and Access Services performed CIS 3500 3 . PAP MSCHAP n Password Authentication Protocol (PAP) authentication n Microsoft Challenge Handshake Authentication Protocol (MSCHAP) involves a two-way handshake is the Microsoft variant of CHAP n The username and password are sent across the link in n MSCHAPv1, defined in RFC 2433, has been deprecated and dropped in Windows Vista clear text n MSCHAPv2, RFC 2759, which was introduced with Windows 2000 n PAP authentication does not provide any protection against n It offers mutual authentication, verifying both users in an playback and line sniffing exchange n PAP is now a deprecated standard n It also offers improved cryptographic support including separate cryptographic keys for transmitted and received data 13 Identity and Access Services 14 Identity and Access Services RADIUS RADIUS n Remote Authentication Dial-In User Service (RADIUS) is an AAA protocol n Connectionless protocol utilizing UDP port 1812 for authentication and authorization and 1813 for accounting functions n RADIUS is a client/server protocol n The RADIUS client is typically a network access server (NAS) n The RADIUS server is a process or daemon running on a UNIX or Wi ndows Server machi ne n Communications between a RADIUS client and RADIUS server are encrypted using a shared secret 15 Identity and Access Services 16 Identity and Access Services CIS 3500 4 . RADIUS Authentication RADIUS Authentication n Remote Authentication Dial-In User Service (RADIUS) is an n It can support PPP, PAP, CHAP, or UNIX login AAA protocol n A user initiates PPP authentication to the NAS n Connectionless protocol utilizing User Datagram Protocol n The NAS prompts for username and password (if PAP), port 1812 for authentication and authorization and 1813 for or challenge (if CHAP) accounting functions n User replies with credentials. n RADIUS client sends username and encrypted password to the n RADIUS is a client/server protocol RADIUS server n RADIUS server responds with Accept, Reject, or Challenge n The RADIUS client acts upon services requested by user 17 Identity and Access Services 18 Identity and Access Services RADIUS Authorization RADIUS Accounting n Authentication and authorization steps are performed n It is performed independently together in response to a single Access-Request message – n Functions are designed to allow data to be transmitted at although they are sequential steps the beginning and end of a session n Authorization parameters include n It can indicate resource utilization, such as time, bandwidth n the service type allowed (shell or framed), n When RADIUS was first designed, the role of ISP NASs was n the protocols allowed, relatively simple n the IP address to assign to the user (static or dynamic), and n Today, the Internet and its access methods have changed, n the access list to apply or static route to place in the NAS and so have the AAA requirements routing table 19 Identity and Access Services 20 Identity and Access Services CIS 3500 5 . SAML OAUTH n Security Assertion Markup Language (SAML) is a single sign- on (SSO) capability used n OAuth (Open Authorization) is an open protocol for secure, for w eb applications token-based authorization on the Internet from web, mobile, n It defines standards for exchanging authentication and authorization data between and desktop applications security domains n Im portant with cloud- based solutions and with Software- as- a - Service (SaaS) n Users can share information about their accounts with third- applications party applications or websites n It is an XM L- based protocol that uses security tokens and assertions to pass inform ation about a “principal” (typically an end user) w ith a SAM L authority (an n OAuth 1.0 was a Twitter OpenID implementation “identity provider” or IdP) and the service provider (SP) n OAuth 2.0 (not backward compatible) – main strength is that it n The principal requests a service from the SP, which then requests and obtains an identity assertion from the IdP can be used by an external partners without having to re- n The SP can then grant access or perform the requested service for the principal authenticate the user - instead submit a token 21 Identity and Access Services 22 Identity and Access Services OpenID Connect Shibboleth n OpenID Connect is a simple identity layer on top of the OAuth n Shibboleth – single sign-on and federated identity-based 2.0 protocol authentication and authorization across networks n Allows clients of all types, including mobile, JavaScript, and n It is a web-based technology that is built using SAML web-based clients, to request and receive information about n Shibboleth uses the HTTP/POST to push profiles of SAML, authenticated sessions and end users including both identity provider (IdP) and service provider n OpenID is commonly paired with OAuth 2.0 (SP) components n Federated authentication that lets a third party authenticate n It is included by many services that use SAML for identity users using accounts that they already have management 23 Identity and Access Services 24 Identity and Access Services CIS 3500 6 .
Load more

Recommended publications
  • Raw Slides (Pdf)
    2550 Intro to cybersecurity L5: Distributed Authentication abhi shelat/Ran Cohen Agenda • The problem of distributed authentication • The Needham-Schroeder protocol • Kerberos protocol • Oauth So far: authenticating to a server Mallory Alice Bob Gen pw pw Authenticating to an organization Mallory Alice Gen pw pw Authenticating to an organization Mallory Alice Gen pw pw Distributed authentication • Organizations have many entities (users/services) • Secure communication over insecure channels • Password-based authentication • Passwords are never transmitted (except for the setup phase) • Enable mutual authentication Basic tool: symmetric encryption Alice Bob 푚 푚 Eve Basic tool: symmetric encryption • Gen: generates secret key 푘 • Enc: given 푘 and 푚 output a ciphertext 푐 Denote 퐸푛푐푘 푚 , 퐸푘 푚 , 푚 푘 • Dec: given 푘 and 푐 output a message 푚 • Security (informal): Whatever Eve can learn on 푚 given 푐 can be learned without 푐 • Examples: – DES (Data Encryption Standard) – AES (Advanced Encryption Standard) 푚 Authentication from Encryption • Alice and Bob share a key • They communicate over an insecure channel • Alice wants to prove her identity to Bob • Eve’s goal: impersonate Alice Alice Bob 푘퐴퐵 푘퐴퐵 Eve Attempt #1 Alice Bob I am Alice 푘퐴퐵 푘퐴퐵 I am Alice Eve Attempt #2: use the key Alice Bob I am Alice 푘퐴퐵 푘퐴퐵 푘퐴퐵 I am Alice 푘퐴퐵 Replay attack Eve Attempt #3: use nonce Alice I am Alice Bob 푁푎 푘퐴퐵 Pay Eve 500$ 푁푎 − 1 푘퐴퐵 푘퐴퐵 푘퐴퐵 푘퐴퐵 Nonce: a random number for a one-time use Eve Attempt #3: use nonce Alice I am Alice Bob 푁푎 푘퐴퐵 Pay Eve 500$ 푁푎 −
    [Show full text]
  • Glossary.Pdf
    Glossary Note: Terms in italics are described in their own glossary entries. 3DES. See Data Encryption Standard. A A RR. Type identifier for a DNS Address resource record. Active Directory (AD). The directory service for Windows 2000. A hierarchical, object-oriented database that stores distributed data for Windows 2000 domains, trees, and forests. Active Directory-integrated zones. DNS zones for which zone data are stored in Active Directory. All copies of an Active Directory-integrated zone are peers and can accept changes to the zone. Zone data are replicated through Active Directory. Zone transfers are required only when importing data from a primary zone or exporting data to a secondary zone. AD. Abbreviation for Active Directory. address class. See IP address class. address resolution protocol (ARP). A protocol used by IP to discover the hardware address of the device to which a datagram is being sent. Address resource record. A DNS resource record that maps a FQDN to an IP address. Referred to as Host resource records when administering Windows 2000 DNS. Referred to as Host Address resource records in this book. AH. See authentication header. ARP. See address resolution protocol. asymmetric cryptography. A cryptography method that uses one key for encryption and another key for decryption. Also called public key cryptography. attribute. A characteristic of an object in an object- oriented database such as Active Directory; often called a property in Windows 2000. authentication. The ability of one entity to reliably determine the identity of another entity. authentication header (AH). A security protocol used by IPSec that provides authentication and message integrity.
    [Show full text]
  • The Essential Oauth Primer: Understanding Oauth for Securing Cloud Apis
    THE ESSENTIAL OAUTH PRIMER: UNDERSTANDING OAUTH FOR SECURING CLOUD APIS WHITE PAPER TABLE OF CONTENTS 03 EXECUTIVE OVERVIEW 03 MOTIVATING USE CASE: TRIPIT 05 TERMINOLOGY 06 INTRODUCTION 07 THE OAUTH 2.0 MODEL 07 OAUTH 2.0 OVERVIEW USING A TOKEN TOKEN TYPE 09 RELATIONSHIP TO OTHER STANDARDS 11 USE CASES TRIPIT REVISITED TOKEN EXCHANGE MOBILE WORKFORCE 13 RECENT DEVELOPMENT 14 SUMMARY 2 WHITE PAPER ESSENTIAL OAUTH PRIMER EXECUTIVE OVERVIEW A key technical underpinning of the cloud and the Internet of Things are Application Programming Interfaces (APIs). APIs provide consistent methods for outside entities such as web services, clients and desktop applications to interface with services in the cloud. More and more, cloud data will move through APIs, but the security and scalability of APIs are currently threatened by a problem call the password anti-pattern. This is the need for API clients to collect and replay the password for a user at an API in order to access information on behalf of that user via that API. OAuth 2.0 defeats the password anti-pattern, creating a consistent, flexible identity and policy architecture for web applications, web services, devices and desktop clients attempting to communicate with cloud APIs. MOTIVATING USE CASE: TRIPIT Like many applications today, TripIt (http://tripit.com) is a cloud-based service. It’s a travel planning application that allows its users to track things like flights, car rentals, and hotel stays. Users email their travel itineraries to TripIt, which then builds a coordinated view of the users’ upcoming trips (as well as those of their TripIt friends—the inevitable social aspect).
    [Show full text]
  • OK: Oauth 2.0 Interface for the Kerberos V5 Authentication Protocol
    OK: OAuth 2.0 interface for the Kerberos V5 Authentication Protocol James Max Kanter Bennett Cyphers Bruno Faviero John Peebles [email protected] [email protected] [email protected] [email protected] 1. Problem Kerberos is a powerful, convenient framework for user authentication and authorization. Within MIT, Kerberos is used with many online institute services to verify users as part of Project Athena. However, it can be difficult for developers unfamiliar with Kerberos development to take advantage of its resources for use in third-party apps. OAuth 2.0 is an open source protocol used across the web for secure delegated access to resources on a server. Designed to be developer-friendly, OAuth is the de facto standard for authenticating users across sites, and is used by services including Google, Facebook, and Twitter. Our goal with OK Server is to provide an easy way for developers to access third-party services using Kerberos via OAuth. The benefits of this are twofold: developers can rely on an external service for user identification and verification, and users only have to trust a single centralized server with their credentials. Additionally, developers can request access to a subset of Kerberos services on behalf of a user. 2. Implementation overview Our system is composed of two main components: a server (the Kerberos client) to retrieve and process tickets from the MIT KDC, and an OAuth interface (the OAuth server) to interact with a client app (the app) wishing to make use of Kerberos authentication. When using our system, a client application uses the OAuth protocol to get Kerberos service tickets for a particular user.
    [Show full text]
  • Authentication, Authorization and Accounting (AAA) Protocols
    Authentication, Authorization and Accounting (AAA) Protocols Agententechnologien in der Telekommunikation Sommersemester 2009 Babak Shafieian [email protected] A O T Agententechnologien in betrieblichen Anwendungen 10.06.2009 und der Telekommunikation Overview A O T Agententechnologien in der Telekommunikation - 2 TU Berlin Motivation (Why AAA?) Ö Telecommunications services are a global market worth over US$ 1.5 trillion in revenue. Home Entertainment Voice over IP (VoIP) Multimedia Conference Messaging/ Presence A O T Agententechnologien in der Telekommunikation - 3 TU Berlin Authentication (Who is [email protected]) Ö Authentication is the process of verifying user’s identity using credentials like username, password or certificates. Ö After the successful match of user’s authentication credentials with the credentials stored in the database of the service provider, the user is granted access to the network, otherwise the access is denied. A O T Agententechnologien in der Telekommunikation - 4 TU Berlin Authorization Ö Is the process of enforcing policies. It determines what types or qualities of network resources or specific services the user is permitted. Ö By using the access policy defined for a specific user, the service provider grants or rejects the access requests from the user. Ö Access policy could be applied on a per user or group basis. A O T Agententechnologien in der Telekommunikation - 5 TU Berlin Accounting Ö Is the process of keeping track of what the user is doing. Ö It includes: Amount of the time spent in the network (duration of session) Number of packets(or bytes) transmitted during a session. The accessed services during a session.
    [Show full text]
  • Vmware Workspace ONE Access 20.01 Managing User Authentication Methods in Vmware Workspace ONE Access
    Managing User Authentication Methods in VMware Workspace ONE Access JAN 2020 VMware Workspace ONE Access 20.01 Managing User Authentication Methods in VMware Workspace ONE Access You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com © Copyright 2020 VMware, Inc. All rights reserved. Copyright and trademark information. VMware, Inc. 2 Contents 1 Configuring Authentication in VMware Workspace ONE Access 5 2 User Auth Service Authentication Methods in Workspace ONE Access 8 Configuring Password (Cloud) Authentication in Workspace ONE Access 9 Configure Password (Cloud) Authentication with Your Enterprise Directory 10 Configuring RSA SecurID (Cloud) For Workspace ONE Access 13 Prepare the RSA SecurID Server 13 Configure RSA SecurID Authentication in Workspace ONE Access 14 Configuring RADIUS for Workspace ONE Access 16 Prepare the RADIUS Server 16 Configure RADIUS Authentication in Workspace ONE Access 16 Enable User Auth Service Debug Logs In Workspace ONE Access Connector 19 3 Configuring Kerberos Authentication In Workspace ONE Access 21 Configure and Enable Kerberos Authentication in Workspace ONE Access 21 Configuring your Browser for Kerberos 23 Configure Internet Explorer to Access the Web Interface 23 Configure Firefox to Access the Web Interface 24 Configure the Chrome Browser to Access the Web Interface 25 Kerberos Initialization Error in Workspace ONE Access 26 4 Associate Workspace ONE Access Authentication Methods
    [Show full text]
  • Nist Sp 800-77 Rev. 1 Guide to Ipsec Vpns
    NIST Special Publication 800-77 Revision 1 Guide to IPsec VPNs Elaine Barker Quynh Dang Sheila Frankel Karen Scarfone Paul Wouters This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-77r1 C O M P U T E R S E C U R I T Y NIST Special Publication 800-77 Revision 1 Guide to IPsec VPNs Elaine Barker Quynh Dang Sheila Frankel* Computer Security Division Information Technology Laboratory Karen Scarfone Scarfone Cybersecurity Clifton, VA Paul Wouters Red Hat Toronto, ON, Canada *Former employee; all work for this publication was done while at NIST This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-77r1 June 2020 U.S. Department of Commerce Wilbur L. Ross, Jr., Secretary National Institute of Standards and Technology Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology Authority This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130. Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority.
    [Show full text]
  • Operations T. Dahm Internet-Draft A. Ota Intended Status: Informational Google Inc Expires: July 30, 2020 D
    Operations T. Dahm Internet-Draft A. Ota Intended status: Informational Google Inc Expires: July 30, 2020 D. Medway Gash Cisco Systems, Inc. D. Carrel vIPtela, Inc. L. Grant January 27, 2020 The TACACS+ Protocol draft-ietf-opsawg-tacacs-17 Abstract This document describes the Terminal Access Controller Access-Control System Plus (TACACS+) protocol which is widely deployed today to provide Device Administration for routers, network access servers and other networked computing devices via one or more centralized servers. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on July 30, 2020. Copyright Notice Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents Dahm, et al. Expires July 30, 2020 [Page 1] Internet-Draft The TACACS+ Protocol January 2020 carefully, as they describe your rights and restrictions with respect to this document.
    [Show full text]
  • Centralised Authentication
    Centralised Authentication Fabian Alenius Guerreiro Jo~ao Uwe Bauknecht March 3, 2009 Contents 1 Introduction 2 2 LDAP 3 2.1 History of LDAP . 3 2.2 Directory servers . 3 2.3 Distinguished Names . 3 2.4 Directory Information Trees . 3 2.5 LDAP Authentication . 4 2.6 SASL binding . 4 3 Authentication Methods [5] 5 3.1 Kerberos . 5 3.1.1 Protocol draft 1.0 . 5 3.1.2 Analysis of Protocol draft 1.0 . 6 3.1.3 Protocol draft 2.0 . 6 3.1.4 Analysis of Protocol draft 2.0 . 7 3.1.5 Kerberos Version 4 . 7 3.1.6 Kerberos Conclusion . 8 3.2 X.509 certificates . 8 4 RADIUS 9 4.1 Introduction . 9 4.2 Functionality . 9 4.2.1 Authentication and Authorization . 9 4.2.2 Accounting . 10 4.2.3 Realms and Proxies . 10 4.3 Usage . 10 References 11 1 1 Introduction When a user wants to login to a computer system he has to go through the process of authentication. If the same user wants to authenticate against two computer systems he needs to authenticate twice. This becomes unpractical very fast as the number of systems grow, especially if the user has to remember separate usernames and passwords for each system. Another problem with this is that the management of the user accounts becomes complicated as we need several user accounts for each user. So, if we for example want to remove one user completely, we need to update all our systems. The solution to this problem is to use a centralized authentication server.
    [Show full text]
  • Cisco Products Quick Reference Guide December 2004
    Cisco SYSTEMS pII Cisco Product Quick Reference Guide December 2004 Table of Contents Introduction Routing Switching Wireless LAN Voice and IP Communications VPN and Security Content Networking Broadband and Dial Access Optical Networking lOS Software and Network Management 10 Storage Networking Cicro SYsTEr Cisco Products Quick Reference Guide December 2004 Corporate Headquarters Cisco Systems Inc 170 West Tasman Drive San Jose CA 951 34-1706 USA http//wvvw.cisco.com Tel 408 526-4000 800 553-NETS 6387 Customer Order Number 78-5983-13 Text Part Number 78-5983-13 Gisco Products Quick Reference Guide Copyright 2005 Cisco Systems Inc All rights reserved Gener Discbimer Although Cisco has attempted to provide accurate information in this Guide Cisco assumes no responsibility for the accuracy of the information Cisco may change the programs or products mentioned at any time without prior notice Mention of non-Cisco products or services is for information purposes only and constitutes neither an endorsement nor recommendation of such products or services or of any company that develops or sells such products or services ALL INFORMATION PROVIDED ON THIS WEB SITE IS PROVIDED AS IS WITH ALL FAULTS AND WITHOUT WARRANTY OF ANY KIND EITHER EXPRESSED OR IMPLIED CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES EXPRESSED OR IMPLIED INCLUDING WITHOUT LIMITATION THOSE OF MERCHANTABILITY FITNESS FOR PARTICULAR PURPOSE AND NONINFRJNGEMENT OR ARISING FROM COURSE OF DEALING USAGE OR TRADE PRACTICE CISCO AND ITS SUPPLIERS SHALL NOT BE LIABLE FOR ANY INDIRECT
    [Show full text]
  • Cloudvision As-A-Service (Cvaas) Quick Start Guide
    CloudVision as-a-Service (CVaaS) Quick Start Guide Arista Networks www.arista.com September 2021 Headquarters Support Sales 5453 Great America Parkway +1 408 547-5502 +1 408 547-5501 Santa Clara, CA 95054 +1 866 476-0000 +1 866 497-0000 USA [email protected] [email protected] +1 408 547-5500 www.arista.com © Copyright 2021 Arista Networks, Inc. All rights reserved. The information contained herein is subject to change without notice. The trademarks, logos and service marks ("Marks") displayed in this documentation are the property of Arista Networks in the United States and other countries. Use of the Marks are subject to Arista Network’s Term of Use Policy, available at www.arista.com/en/terms-of-use. Use of marks belonging to other parties is for informational purposes only. ii Contents Contents 1 CloudVision as-a-Service....................................................................1 1.1 Onboarding at a Glance.........................................................................................................1 1.2 User Onboarding Prerequisites.............................................................................................. 3 1.2.1 Invitation URL........................................................................................................... 3 1.2.2 Authentication Details............................................................................................... 3 1.3 User Onboarding Workflow.................................................................................................... 4 1.3.1
    [Show full text]
  • Leveraging the Kerberos Credential Caching Mechanism for Faster Re-Authentications in Wireless Access Networks
    UBICOMM 2010 : The Fourth International Conference on Mobile Ubiquitous Computing, Systems, Services and Technologies EAP-Kerberos: Leveraging the Kerberos Credential Caching Mechanism for Faster Re-authentications in Wireless Access Networks Saber Zrelli Yoichi Shinoda Nobuo Okabe Center for Information Science Corporate R&D Headquarters Japan Advanced Institute of Science and Technology Yokogawa Electric Corporation Ishikawa, Japan Tokyo, Japan [email protected] saber.zrelli,[email protected] Abstract—Although the wireless technology nowadays provides support cross-domain authentication that enables an access satisfying bandwidth and higher speeds, it still lacks improve- network to authenticate a roaming client that belongs to a ments with regard to handoff performance. Existing solutions remote domain. The cross-domain authentication requires for reducing handoff delays are specific to a particular network technology or require expensive upgrades of the whole infras- message exchange between the AAA server of the visited tructure. In this paper, we investigate performance benefits of network and the AAA server of the roaming station’s home leveraging the Kerberos ticket cashing mechanism for achieving network. Because these inter-domain exchanges occur over the faster re-authentications in IEEE 802.11 wireless access networks. Internet, they are subject to degradations such as packet loss For this purpose, we designed a new EAP authentication method, and network delays which increases the overall authentication EAP-Kerberos, and evaluated re-authentication performance in different scenarios. time. When a roaming station changes of access point, the same authentication procedure takes place again, disrupting Keywords-Wireless; Authentication; Handoff; Performance the user traffic at each handoff. I.
    [Show full text]