Fatskills
Practice. Master. Repeat.
Study Guide: CompTIA Security+ Authentication Protocols - Zero-Fluff, Hands-On Guide
Source: https://www.fatskills.com/comptia-security-/chapter/tech-comptia-security-authentication-protocols-zero-fluff-hands-on-guide

CompTIA Security+ Authentication Protocols - Zero-Fluff, Hands-On Guide

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

CompTIA Security+ Authentication Protocols: Zero-Fluff, Hands-On Guide

(LDAP, Kerberos, RADIUS, TACACS+, SAML, OAuth, OpenID Connect)


1. What This Is & Why It Matters

Authentication protocols are the gatekeepers of your network. They decide who gets in, what they can access, and how securely they prove their identity. If you mess this up, you’re one misconfigured firewall away from a breach (e.g., SolarWinds, Colonial Pipeline).

Real-world scenario: You’re a sysadmin at a mid-sized company. Your CISO just mandated MFA for all remote access, and your legacy VPN (RADIUS) doesn’t support modern auth. Meanwhile, your dev team is screaming because their CI/CD pipeline (OAuth) keeps failing with "invalid token" errors. You need to fix this yesterday.

This guide gives you:

  • CLI commands to test and debug each protocol.
  • Configuration snippets for real-world deployments.
  • Exam traps (e.g., "TACACS+ encrypts the entire packet, RADIUS only encrypts the password").
  • Production pitfalls (e.g., "Kerberos fails if your domain controller’s clock drifts >5 minutes").


2. Core Concepts & Components

LDAP (Lightweight Directory Access Protocol)

  • What it is: A protocol for querying and modifying directory services (e.g., Active Directory, OpenLDAP).
  • Production insight: LDAP is not encrypted by default—always use LDAPS (port 636) or StartTLS (port 389). If you see ldap:// in logs, you’re leaking credentials.
  • Key use case: Centralized user authentication (e.g., "Does jdoe exist in AD?").

Kerberos

  • What it is: A ticket-based authentication protocol that avoids sending passwords over the network.
  • Production insight: Kerberos requires time synchronization (max 5-minute drift). If your DC’s clock is wrong, auth fails silently.
  • Key use case: Windows domains (Active Directory), Linux SSO (via kinit).

RADIUS (Remote Authentication Dial-In User Service)

  • What it is: A client-server protocol for AAA (Authentication, Authorization, Accounting).
  • Production insight: RADIUS only encrypts the password (not the whole packet). Use RADIUS over IPsec or TACACS+ for full encryption.
  • Key use case: VPN authentication (e.g., Cisco AnyConnect, Wi-Fi 802.1X).
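
To make the "RADIUS only encrypts the password" point concrete, here is an added example (not from this guide) that builds an Access-Request the way RFC 2865 describes it. Only the User-Password attribute is hidden with MD5(shared secret + authenticator); the User-Name and every other attribute sit in the packet as plain bytes. The user, password, secret and fixed authenticator are constructed for the demo.

```python
import hashlib
import struct

# Added example (not from the guide): a RADIUS Access-Request per RFC 2865,
# showing that only User-Password is hidden with the shared secret while every
# other attribute is readable on the wire. All values used are constructed.

USER_NAME = 1
USER_PASSWORD = 2
ACCESS_REQUEST = 1
HEADER_LEN = 20


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block
    with MD5(secret + previous ciphertext block). The first block is keyed by
    the 16-byte Request Authenticator from the packet header."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block  # chaining: the next key depends on this ciphertext block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; this is what the server does on receipt.
    A wrong shared secret yields garbage, which surfaces as an Access-Reject."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, key))
        prev = chunk
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the 2-byte header too."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(user: bytes, password: bytes, secret: bytes,
                         authenticator: bytes, identifier: int = 1) -> bytes:
    """Code 1 (Access-Request), identifier, length, 16-byte authenticator, attributes."""
    attrs = attribute(USER_NAME, user)
    attrs += attribute(USER_PASSWORD, hide_password(password, secret, authenticator))
    length = HEADER_LEN + len(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the TLVs after the 20-byte header. No secret is needed for this,
    which is the point: User-Name and everything except the password is readable."""
    attrs, pos = {}, HEADER_LEN
    while pos < len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


if __name__ == "__main__":
    # Fixed authenticator for a reproducible demo; real clients use 16 fresh random bytes per request.
    auth = bytes(range(16))
    pkt = build_access_request(b"testuser", b"P@ssw0rd", b"SECRET", auth)
    attrs = parse_attributes(pkt)
    print("User-Name in the clear:   ", attrs[USER_NAME])
    print("User-Password on the wire:", attrs[USER_PASSWORD].hex())
    print("Recovered with secret:    ", reveal_password(attrs[USER_PASSWORD], b"SECRET", auth))
    print("Recovered with wrong one: ", reveal_password(attrs[USER_PASSWORD], b"wrong", auth))
```

Run it and compare the two recovered values: a mismatched shared secret on client and server decodes to garbage, which is why secret typos show up as Access-Reject rather than as a clear error. Everything other than that one attribute is visible to anyone on the path, hence the guide's advice to run RADIUS over IPsec or to use TACACS+ for admin access.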

TACACS+ (Terminal Access Controller Access-Control System Plus)

  • What it is: Cisco’s AAA protocol (like RADIUS, but with full-packet encryption and granular command-level control).
  • Production insight: TACACS+ uses TCP 49 (RADIUS uses UDP 1812/1813). If your firewall blocks TCP 49, VPN admins can’t log in.
  • Key use case: Network device administration (routers, switches).

SAML (Security Assertion Markup Language)

  • What it is: An XML-based SSO protocol for enterprise apps (e.g., "Log in to Salesforce with your AD credentials").
  • Production insight: SAML relies on digital signatures—if your IdP’s certificate expires, SSO breaks for all users.
  • Key use case: Cloud apps (e.g., Microsoft 365, Google Workspace).

OAuth 2.0

  • What it is: A delegation protocol (e.g., "Let this app access my Google Drive without giving it my password").
  • Production insight: OAuth does not authenticate users—it authorizes access to resources. For auth, pair it with OpenID Connect.
  • Key use case: API access (e.g., "Log in with GitHub").

OpenID Connect (OIDC)

  • What it is: An identity layer on top of OAuth 2.0 (e.g., "Prove who you are, then get an access token").
  • Production insight: OIDC uses JWTs (JSON Web Tokens)—if your app doesn’t validate the aud (audience) claim, an attacker can replay tokens.
  • Key use case: Modern SSO (e.g., "Sign in with Google").

3. Step-by-Step Hands-On

Task: Set Up LDAPS for Active Directory (Windows Server)

Prerequisites:

  • Windows Server 2019/2022 with Active Directory Domain Services (AD DS) installed.
  • A valid SSL certificate (from an internal CA or public CA like DigiCert).

Step 1: Install Active Directory Certificate Services (AD CS)

# Install AD CS (run as Administrator)
Install-WindowsFeature AD-Certificate, ADCS-Cert-Authority -IncludeManagementTools
  • Verify: Get-WindowsFeature AD-Certificate should show Installed.

Step 2: Request a Certificate for LDAPS

  1. Open Certification Authority (certsrv.msc).
  2. Right-click Certificate Templates > Manage.
  3. Duplicate the Domain Controller Authentication template.
  4. Name it LDAPS Certificate and set:
     • Validity period: 2 years.
     • Subject Name: Supply in the request.
     • Extensions > Application Policies: Add Server Authentication.
  5. Right-click Certificate Templates > New > Certificate Template to Issue > select LDAPS Certificate.

Step 3: Enroll the Certificate on the Domain Controller

# Request the certificate. C:\ldaps.inf holds the request settings (e.g. Subject = "CN=DC_NAME"; replace DC_NAME with your domain controller's FQDN)
certreq -new C:\ldaps.inf C:\ldaps.req
certreq -submit -attrib "CertificateTemplate:LDAPSCertificate" C:\ldaps.req C:\ldaps.cer
certreq -accept C:\ldaps.cer
  • Verify: Open Certificates MMC (certlm.msc) > Personal > Certificates. You should see a Server Authentication cert.

Step 4: Enable LDAPS

# Restart the AD DS service to apply LDAPS
Restart-Service NTDS -Force
  • Verify: Use ldp.exe (built into Windows):
     • Open ldp.exe.
     • Connection > Connect > enter the server name > Port 636 > check SSL.
     • If it connects, LDAPS is working.

Task: Test RADIUS Authentication (Linux)

Prerequisites:

  • A RADIUS server (e.g., FreeRADIUS on Ubuntu).
  • A client device (e.g., a laptop or switch).

Step 1: Install FreeRADIUS

sudo apt update && sudo apt install freeradius -y

Step 2: Add a Test User

sudo nano /etc/freeradius/3.0/users

Add:

testuser Cleartext-Password := "P@ssw0rd"
    Service-Type = Framed-User,
    Framed-Protocol = PPP

Step 3: Start FreeRADIUS in Debug Mode

sudo freeradius -X
  • Expected output: Ready to process requests.

Step 4: Test RADIUS from a Client

# Install radtest (part of freeradius-utils)
sudo apt install freeradius-utils -y

# Test authentication (replace SECRET with your RADIUS secret)
radtest testuser P@ssw0rd localhost 0 SECRET
  • Expected output: Received Access-Accept
  • If it fails: Check /var/log/freeradius/radius.log.

Task: Configure SAML SSO (Azure AD + Salesforce)

Prerequisites:

  • Azure AD tenant (free tier works).
  • Salesforce org (developer edition).

Step 1: Set Up Azure AD as an IdP

  1. Go to Azure Portal > Azure Active Directory > Enterprise Applications > New Application.
  2. Search for Salesforce > Add.
  3. Under Single sign-on, select SAML.
  4. Basic SAML Configuration:
     • Identifier (Entity ID): https://saml.salesforce.com
     • Reply URL: https://yourdomain.my.salesforce.com?so=00D... (get this from Salesforce).
  5. Attributes & Claims:
     • Map user.userprincipalname to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier.
  6. Download the Federation Metadata XML (save as azure-ad-metadata.xml).

Step 2: Configure Salesforce as a Service Provider

  1. Log in to Salesforce > Setup > Identity > Single Sign-On Settings.
  2. Click New from Metadata File > upload azure-ad-metadata.xml.
  3. SAML Settings:
     • Name: AzureAD_SSO
     • Issuer: https://sts.windows.net/... (from Azure AD metadata).
     • Entity ID: https://saml.salesforce.com
     • Identity Provider Login URL: (from Azure AD metadata).
  4. Save.

Step 3: Test SAML SSO

  1. Go to https://yourdomain.my.salesforce.com.
  2. Click Use Custom Domain. You should be redirected to Azure AD for login.
  3. Success: You’re logged into Salesforce without entering credentials.

4. Production-Ready Best Practices

Security

  • LDAP/Kerberos: Always use LDAPS (port 636) or Kerberos (port 88)—never plaintext.
  • RADIUS/TACACS+: Use TACACS+ for admin access (full encryption) and RADIUS for user auth (lighter weight).
  • SAML/OIDC: Rotate IdP signing certificates at least annually.
  • OAuth: Always validate the aud (audience) and exp (expiration) claims in JWTs.

Reliability

  • Kerberos: Deploy multiple domain controllers (AD sites) to avoid single points of failure.
  • RADIUS: Use redundant RADIUS servers (e.g., radius1:1812,radius2:1812 in client config).
  • SAML: Set up fallback authentication (e.g., "If SAML fails, use LDAP").

Observability

  • LDAP: Monitor failed bind attempts (Event ID 4771 in Windows Security Log).
  • RADIUS: Log Access-Accept/Reject events (/var/log/freeradius/radius.log).
  • OAuth/OIDC: Track token issuance/validation (e.g., Azure AD sign-in logs).
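
The RADIUS observability bullet says to log Access-Accept/Reject events; the useful next step is to actually read them. Below is an added example (not part of this guide) that parses lines in the shape FreeRADIUS 3.x writes to /var/log/freeradius/radius.log and flags a burst of rejects for one user from one NAS client. The sample log lines, client names, users and timestamps are constructed for the demo; the log format is assumed to be the default "Auth:" entry format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not from the guide). Constructed lines in the shape of
# freeradius 3.x "Auth:" entries; clients, users and times are invented.
SAMPLE_LOG = """\
Tue Mar  5 09:00:01 2024 : Auth: (1) Login OK: [jdoe] (from client vpn-asa port 0)
Tue Mar  5 09:00:12 2024 : Auth: (2) Login incorrect (pap: Cleartext password does not match "known good" password): [svc-backup] (from client vpn-asa port 0)
Tue Mar  5 09:00:15 2024 : Auth: (3) Login incorrect (pap: Cleartext password does not match "known good" password): [svc-backup] (from client vpn-asa port 0)
Tue Mar  5 09:00:19 2024 : Auth: (4) Login incorrect (pap: Cleartext password does not match "known good" password): [svc-backup] (from client vpn-asa port 0)
Tue Mar  5 09:00:23 2024 : Auth: (5) Login incorrect (pap: Cleartext password does not match "known good" password): [svc-backup] (from client vpn-asa port 0)
Tue Mar  5 09:00:27 2024 : Auth: (6) Login incorrect (pap: Cleartext password does not match "known good" password): [svc-backup] (from client vpn-asa port 0)
Tue Mar  5 09:05:00 2024 : Auth: (7) Login incorrect (pap: Cleartext password does not match "known good" password): [jdoe] (from client wifi-ap1 port 3)
Tue Mar  5 09:05:30 2024 : Auth: (8) Login OK: [jdoe] (from client wifi-ap1 port 3)
Tue Mar  5 09:06:00 2024 : Info: Ready to process requests
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : Auth: \(\d+\) "
    r"Login (?P<result>OK|incorrect).*?\[(?P<user>[^\]]+)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)"
)


def parse_line(line: str):
    """Return a dict for an Auth: line, or None for anything else (Info:, Error:, ...)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
        "ok": m["result"] == "OK",
        "user": m["user"],
        "client": m["client"],
        "port": int(m["port"]),
    }


def find_reject_bursts(lines, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window count of rejects per (user, client). Returns one alert
    tuple (user, client, count) per pair that reaches `threshold` inside `window`."""
    rejects = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event and not event["ok"]:
            rejects[(event["user"], event["client"])].append(event["ts"])
    alerts = []
    for (user, client), times in rejects.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1  # drop rejects that fell out of the window
            if end - start + 1 >= threshold:
                alerts.append((user, client, end - start + 1))
                break  # one alert per pair is enough for this demo
    return alerts


def summarize(lines):
    """Accept/reject totals per NAS client: the numbers you would graph or alert on."""
    totals = defaultdict(lambda: {"accept": 0, "reject": 0})
    for line in lines:
        event = parse_line(line)
        if event:
            totals[event["client"]]["accept" if event["ok"] else "reject"] += 1
    return dict(totals)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("per-client totals:", summarize(lines))
    for user, client, count in find_reject_bursts(lines):
        print(f"ALERT: {count} rejects for {user!r} from {client} within one minute")
```

A single reject for jdoe on the Wi-Fi controller is a typo; five rejects in fifteen seconds for a service account on the VPN concentrator is the line you want paged. Tune `threshold` and `window` per client type, and feed the same parser from `tail -F` in production rather than from a string.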

5. Common Mistakes & Traps

| Mistake | Symptom | Fix/Prevention |
|---|---|---|
| Using LDAP (port 389) without TLS | Wireshark shows plaintext credentials. | Enforce LDAPS (636) or StartTLS. |
| Kerberos clock skew >5 minutes | Users get "Pre-authentication failed" errors. | Sync time with NTP (w32tm /resync on Windows). |
| RADIUS shared secret in plaintext | Logs show Access-Reject with "Invalid authenticator". | Store secrets in Vault (e.g., HashiCorp Vault). |
| SAML IdP certificate expired | Users get "SAML response invalid" errors. | Set a calendar reminder to rotate certs. |
| OAuth tokens with no expiration | API calls work forever (security risk). | Set exp claim and enforce short-lived tokens (e.g., 1 hour). |
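
The OIDC production insight (validate the aud claim or tokens can be replayed), the OAuth best practice (validate aud and exp) and the last row of the table above all come down to the same check. Here is an added example, not from this guide, of a JWT validator that enforces them. It also pins the signing algorithm and checks the issuer, which goes a little beyond what the guide lists but is what a real resource server needs. HS256 with a constructed shared key is used so it runs offline; the issuer URL, audience name and key are invented. Real OIDC providers sign with RS256/ES256 and you verify against the keys published under the provider's /.well-known/openid-configuration (jwks_uri).

```python
import base64
import hashlib
import hmac
import json
import time

# Added example (not from the guide): minimal JWT claim validation enforcing
# alg, signature, iss, aud and exp. HS256 with a constructed key keeps the demo
# offline; real OIDC tokens are normally RS256/ES256 verified against the IdP's JWKS.


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Mint a token for the demo. alg='none' builds an unsigned token so the
    validator's rejection of that case can be exercised."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{body}."
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_token(token: str, key: bytes, expected_aud: str, expected_iss: str,
                   now=None, leeway: int = 30):
    """Return (True, claims) or (False, reason). Checks run in this order so a
    forged token is rejected before any of its claims are trusted."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"
    # 1. Pin the algorithm: the token never gets to choose (blocks alg=none downgrades).
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected_sig = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        return False, "bad signature"
    # 2. Issuer: the token must come from the IdP you configured.
    if claims.get("iss") != expected_iss:
        return False, "wrong issuer"
    # 3. Audience: a token minted for another app must not work here (this is the replay case).
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        return False, "wrong audience"
    # 4. Expiry: exp is mandatory; a token without it would be valid forever.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        return False, "missing exp"
    if now > exp + leeway:
        return False, "expired"
    return True, claims


if __name__ == "__main__":
    key = b"constructed-demo-key"
    iss, aud = "https://idp.example.com", "vpn-portal"
    now = int(time.time())
    good = make_token({"iss": iss, "aud": aud, "sub": "jdoe", "exp": now + 3600}, key)
    other_app = make_token({"iss": iss, "aud": "other-app", "sub": "jdoe", "exp": now + 3600}, key)
    print("issued for us:      ", validate_token(good, key, aud, iss)[0])
    print("issued for other app:", validate_token(other_app, key, aud, iss))
```

The second print is the replay scenario from the OIDC bullet: a perfectly valid token, signed by the right IdP, but minted for a different application. Without the aud check it would be accepted.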

6. Exam/Certification Focus (CompTIA Security+)

Typical Question Patterns

  1. "Which protocol encrypts the entire packet?"
     • Trap: RADIUS (only encrypts the password)
     • Answer: TACACS+ (full encryption)

  2. "Which protocol is used for SSO in cloud apps?"
     • Trap: Kerberos (enterprise, not cloud)
     • Answer: SAML (enterprise SSO) or OIDC (modern apps)

  3. "Which port does LDAPS use?"
     • Trap: 389 (plaintext LDAP)
     • Answer: 636 (LDAPS)

  4. "What’s the difference between OAuth and OpenID Connect?"
     • OAuth = Authorization (e.g., "Let this app access my files").
     • OpenID Connect = Authentication (e.g., "Prove who you are").

Key Trap Distinctions

| Protocol | Port | Encryption | Use Case |
|---|---|---|---|
| LDAP | 389 | None (use LDAPS) | Directory queries |
| LDAPS | 636 | TLS | Secure directory queries |
| Kerberos | 88 | AES | Windows AD auth |
| RADIUS | 1812/1813 (UDP) | Password only | VPN/Wi-Fi auth |
| TACACS+ | 49 (TCP) | Full packet | Network device admin |
| SAML | 443 (HTTPS) | XML signatures | Enterprise SSO |
| OAuth | 443 (HTTPS) | JWT | API access delegation |
| OIDC | 443 (HTTPS) | JWT | Modern SSO |

7. Hands-On Challenge (with Solution)

Challenge:

You’re setting up a VPN for remote workers. Your boss says:

"We need MFA, but our Cisco ASA only supports RADIUS. How do we make this work?"

Your task:
1. Configure FreeRADIUS to proxy auth to Google Authenticator (TOTP).
2. Test it with radtest.

Solution:

  1. Install FreeRADIUS + the Google Authenticator PAM module: sudo apt install freeradius libpam-google-authenticator -y
  2. Edit /etc/freeradius/3.0/users and add: DEFAULT Auth-Type := PAM (the pam module must also be enabled under mods-enabled and uncommented in the authenticate section of the default site, or FreeRADIUS will reject the Auth-Type).
  3. Edit /etc/pam.d/radiusd and add: auth required pam_google_authenticator.so
  4. Run google-authenticator as the user and scan the QR code.
  5. Test with: radtest username 123456 localhost 0 testing123
  6. Why it works: FreeRADIUS hands the password field to PAM, and pam_google_authenticator checks it as a TOTP code.

8. Rapid-Reference Crib Sheet

| Protocol | Port | Encryption | Key Command | Exam Trap |
|---|---|---|---|---|
| LDAP | 389 | None | ldapsearch -x -H ldap://server | Never use plaintext LDAP |
| LDAPS | 636 | TLS | ldapsearch -x -H ldaps://server | Always prefer LDAPS |
| Kerberos | 88 | AES | kinit username | Clock skew breaks Kerberos |
| RADIUS | 1812/1813 (UDP) | Password only | radtest user pass localhost 0 secret | Not fully encrypted |
| TACACS+ | 49 (TCP) | Full packet | tacacs+ test user pass | Use for admin access |
| SAML | 443 (HTTPS) | XML signatures | (Metadata exchange) | IdP cert expiration breaks SSO |
| OAuth | 443 (HTTPS) | JWT | curl -H "Authorization: Bearer token" | OAuth ≠ authentication |
| OIDC | 443 (HTTPS) | JWT | /.well-known/openid-configuration | OIDC = OAuth + authentication |

9. Where to Go Next

  1. FreeRADIUS Docs – Official guide for RADIUS/TACACS+.
  2. Microsoft LDAPS Guide – Step-by-step for AD.
  3. OAuth 2.0 RFC – The definitive spec.
  4. Google’s OIDC Guide – Practical OIDC setup.

Final Tip: Bookmark this guide. The next time your VPN breaks or SSO fails, you’ll know exactly where to look.