Why Authentication Protocols Matter
Authentication protocols define how a system proves that a user or device is who they claim to be. Different environments use different protocols depending on the scale, the type of access being controlled, and the vendor ecosystem involved. CompTIA tests authentication protocols across all three exams — A+ focuses on Windows domain authentication (Kerberos, NTLM), Network+ adds network access protocols (RADIUS, 802.1X), and Security+ expects understanding of the security properties and weaknesses of each protocol.
Kerberos — Windows Domain Authentication
Kerberos is the default authentication protocol for Windows Active Directory domains (and modern Linux/macOS in enterprise environments). It uses a ticket-based system that allows users to prove their identity without sending their password across the network repeatedly. Three components: the KDC (Key Distribution Centre) — runs on every domain controller and issues tickets; the TGT (Ticket Granting Ticket) — a time-limited credential issued after initial login that proves identity; and service tickets — issued by the KDC in exchange for the TGT to grant access to specific services.
The Kerberos flow: a user logs in → their client requests a TGT from the KDC (Authentication Service) using their password hash → the KDC issues a TGT valid for typically 10 hours → when the user accesses a file server, their client presents the TGT to the KDC's Ticket Granting Service → the KDC issues a service ticket for that specific server → the client presents the service ticket to the file server → access granted. The user's password never traverses the network after initial TGT acquisition. Kerberos uses port 88 (TCP and UDP). Mutual authentication: both the client and server prove identity to each other, preventing man-in-the-middle attacks.
Key weakness: Kerberos requires both parties to trust the KDC and requires network access to the KDC for ticket issuance. Kerberoasting is a modern attack where an attacker requests service tickets for service accounts and attempts to crack them offline — service account passwords are often weak and rarely rotated, making this attack highly effective.
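To make the ticket flow above concrete, here is an added simulation (not code from the page or from any Kerberos implementation) of the AS exchange, TGS exchange and service-side check. Real Kerberos encrypts tickets with AES; this model seals each ticket with an HMAC under the same long-term keys so the trust structure is visible: the client only ever proves knowledge of a password-derived key, the TGT is protected by the krbtgt key, and a service ticket is protected by a key derived from the service account's password, which is exactly why a weak service account password matters. Realm, principal names and passwords are constructed sample values.

```python
import hashlib, hmac, json, time

def derive_key(password: str, salt: str) -> bytes:
    """Stand-in for Kerberos string-to-key: the long-term key comes from the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def seal(key: bytes, claims: dict) -> dict:
    """Toy ticket: claims plus an HMAC tag. Only a holder of `key` can mint a valid tag."""
    body = json.dumps(claims, sort_keys=True).encode()
    return {"body": body.hex(), "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}

def unseal(key: bytes, ticket: dict) -> dict:
    body = bytes.fromhex(ticket["body"])
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), ticket["tag"]):
        raise PermissionError("ticket was not issued under this key")
    claims = json.loads(body)
    if claims.get("exp", float("inf")) < time.time():
        raise PermissionError("ticket expired")
    return claims

class KDC:
    """Holds every principal's long-term key; the krbtgt key protects TGTs."""
    def __init__(self, realm: str, passwords: dict, tgt_lifetime: int = 10 * 3600):
        self.keys = {p: derive_key(pw, realm + p) for p, pw in passwords.items()}
        self.tgt_lifetime = tgt_lifetime

    def as_exchange(self, user: str, preauth: dict) -> dict:
        """AS exchange: the client proves its key by sealing a fresh timestamp (pre-auth)."""
        if abs(time.time() - unseal(self.keys[user], preauth)["ts"]) > 300:
            raise PermissionError("pre-authentication timestamp too old")
        return seal(self.keys["krbtgt"], {"user": user, "exp": time.time() + self.tgt_lifetime})

    def tgs_exchange(self, tgt: dict, service: str) -> dict:
        """TGS exchange: the TGT alone is the proof; the password is never sent again."""
        claims = unseal(self.keys["krbtgt"], tgt)
        return seal(self.keys[service], {"user": claims["user"], "svc": service, "exp": claims["exp"]})

def service_accepts(service_key: bytes, ticket: dict, service: str) -> str:
    """The server checks the ticket with its own key and never contacts the KDC."""
    claims = unseal(service_key, ticket)
    if claims["svc"] != service:
        raise PermissionError("ticket is for a different service")
    return claims["user"]

def login_and_access(kdc: KDC, realm: str, user: str, password: str, service: str) -> str:
    """Full flow: AS exchange -> TGT -> TGS exchange -> service ticket -> service."""
    tgt = kdc.as_exchange(user, seal(derive_key(password, realm + user), {"ts": time.time()}))
    ticket = kdc.tgs_exchange(tgt, service)
    return service_accepts(kdc.keys[service], ticket, service)  # service's own copy of its key
```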
NTLM — Legacy Windows Authentication
NTLM (NT LAN Manager) is the predecessor to Kerberos, used when Kerberos is unavailable — when a client authenticates using an IP address instead of a hostname, when accessing resources in untrusted domains, or in older environments. NTLM uses a challenge-response mechanism: the server sends a random challenge → the client encrypts the challenge with their password hash and sends the response → the server (or a domain controller) verifies the response. The password itself never traverses the network, but the hash is the secret that produces the response, so the hash itself acts as the credential; that is where the vulnerability lies.
Pass-the-Hash is the critical NTLM attack: if an attacker captures an NTLM hash (from memory using Mimikatz, from a captured network authentication, or from a compromised SAM database), they can use that hash directly to authenticate as that user without knowing the plaintext password. This is a fundamental design weakness of NTLM. Organisations should disable NTLMv1 entirely, restrict NTLMv2, and prefer Kerberos wherever possible. Windows environments still rely on NTLM for legacy compatibility — disabling it entirely often breaks something.
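The following added model (constructed for this page, not code from any Windows component) shows the challenge-response exchange and makes the design weakness explicit: the verifier only needs the stored hash, the client's proof is computed from the hash, so a fresh challenge stops replay of a captured response but cannot stop a party that holds the hash. Real NTLM hashes are MD4 over the UTF-16LE password; SHA-256 stands in here because MD4 is disabled in many OpenSSL builds. Account names and passwords are constructed sample values.

```python
import hashlib, hmac, os

def nt_hash(password: str) -> bytes:
    """Stand-in for the NT hash. Real NTLM uses MD4 over the UTF-16LE password;
    MD4 is disabled in many OpenSSL builds, so SHA-256 is used here. Unsalted, like the original."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def client_response(password_hash: bytes, challenge: bytes) -> bytes:
    """The client's proof is a MAC over the challenge keyed with the hash, not the password."""
    return hmac.new(password_hash, challenge, hashlib.sha256).digest()

class NtlmServer:
    """Verifier that stores hashes only (as the SAM or a domain controller does)."""
    def __init__(self, accounts: dict):
        self.hashes = {user: nt_hash(pw) for user, pw in accounts.items()}
        self.pending = {}  # outstanding challenges, keyed by session id

    def challenge(self, session_id: str) -> bytes:
        self.pending[session_id] = os.urandom(8)  # fresh 8-byte server challenge
        return self.pending[session_id]

    def verify(self, session_id: str, user: str, response: bytes) -> bool:
        challenge = self.pending.pop(session_id, None)  # single use: blocks replay
        if challenge is None or user not in self.hashes:
            return False
        expected = client_response(self.hashes[user], challenge)
        return hmac.compare_digest(expected, response)

def login_with_password(server: NtlmServer, sid: str, user: str, password: str) -> bool:
    """Normal client: derives the hash locally, so the password never leaves the host."""
    return server.verify(sid, user, client_response(nt_hash(password), server.challenge(sid)))

def login_with_hash(server: NtlmServer, sid: str, user: str, password_hash: bytes) -> bool:
    """Pass-the-hash in miniature: whoever holds the hash can answer any challenge,
    which is why NTLM hashes must be protected exactly like plaintext passwords."""
    return server.verify(sid, user, client_response(password_hash, server.challenge(sid)))
```

The last two assertions in the test show the contrast the page draws: a captured response is useless once its challenge has been consumed, while the hash remains valid for every future challenge.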
RADIUS — Network Access AAA
RADIUS (Remote Authentication Dial-In User Service) provides centralised AAA — Authentication, Authorisation, and Accounting — for network access. Originally designed for dial-up modem authentication, RADIUS is now the standard protocol for: WiFi authentication (WPA2/3-Enterprise with 802.1X), VPN authentication, wired 802.1X port authentication on switches, and remote access services. Ports: UDP 1812 for authentication/authorisation, UDP 1813 for accounting (some legacy systems use 1645/1646).
The RADIUS model: a user connects to a network access device (wireless AP, VPN gateway, switch) → the access device acts as a RADIUS client and forwards credentials to the RADIUS server → the RADIUS server checks credentials against its database (or proxies to Active Directory via LDAP) → the server returns Access-Accept, Access-Reject, or Access-Challenge → the access device grants or denies network access. The access device never handles credentials directly — it only forwards them to the central RADIUS server, enabling centralised policy management across all access points.
For the exam: WPA2-Enterprise requires RADIUS. Any scenario involving "per-user authentication for WiFi" or "centralised network access control" points to RADIUS. RADIUS encrypts only the password in the access-request packet — the rest of the packet is unencrypted, which is a known limitation addressed by RADSEC (RADIUS over TLS).
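The "password only" limitation above is visible in the packet format itself. This added example (written for this page, not taken from any RADIUS server or client) builds a minimal Access-Request per RFC 2865: User-Name travels in the clear, while User-Password is hidden by XOR with an MD5 keystream derived from the shared secret and the Request Authenticator, which the server reverses with the same secret. Usernames, passwords and the shared secret are constructed sample values, and only the two attributes needed for the point are implemented.

```python
import hashlib, os, struct

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad to 16-byte blocks and XOR each
    block with MD5(shared secret + previous ciphertext block), seeded with the 16-byte
    Request Authenticator. This is the only field RADIUS protects."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: regenerate the same keystream, chained on the received blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # strip the zero padding

def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: one-byte type, one-byte total length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes,
                         authenticator: bytes = None) -> bytes:
    """Code 1 = Access-Request; attribute 1 = User-Name (clear), 2 = User-Password (hidden)."""
    authenticator = authenticator or os.urandom(16)
    attrs = attribute(1, username) + attribute(2, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def parse_access_request(packet: bytes, secret: bytes) -> dict:
    """What the RADIUS server (or anyone with the shared secret) recovers from the packet."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    authenticator, pos, fields = packet[4:20], 20, {}
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        fields[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return {"code": code, "ident": ident, "user": fields[1],
            "password": reveal_password(fields[2], secret, authenticator)}
```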
TACACS+ — Cisco AAA
TACACS+ (Terminal Access Controller Access-Control System Plus) is Cisco's proprietary AAA protocol, used primarily for authenticating administrators to network devices — routers, switches, and firewalls. Key difference from RADIUS: TACACS+ separates authentication, authorisation, and accounting into three independent processes that can be handled by different servers. RADIUS combines authentication and authorisation. TACACS+ uses TCP port 49 and encrypts the entire packet body (unlike RADIUS, which protects only the password). This makes TACACS+ more appropriate for device administration, where the full session needs protection.
When to use TACACS+ vs RADIUS: TACACS+ for authenticating network device administrators (SSH/Telnet to routers and switches), RADIUS for authenticating end users accessing the network (WiFi, VPN, 802.1X). This distinction appears directly on exam questions.
LDAP — Directory Lookup
LDAP (Lightweight Directory Access Protocol) is not an authentication protocol per se — it's a protocol for querying and modifying directory services like Active Directory. When RADIUS needs to verify a user's credentials against Active Directory, it queries AD using LDAP. When an application needs to look up a user's group memberships or email address, it queries AD using LDAP. Port 389 for LDAP (unencrypted), port 636 for LDAPS (LDAP over TLS — encrypted). A third option is LDAP with STARTTLS, which upgrades an unencrypted port 389 connection to TLS in place using the STARTTLS extended operation.
802.1X Port-Based Authentication — Where RADIUS Meets the Switch
802.1X is the IEEE standard for port-based network access control — it defines how RADIUS integrates with network devices to authenticate endpoints before allowing network access. Three roles: the supplicant (the device requesting access — a laptop, phone, or IP camera), the authenticator (the network device enforcing access — a switch port or wireless AP), and the authentication server (the RADIUS server that validates credentials). When a device connects to an 802.1X-enabled switch port, the port blocks all traffic except the EAP (Extensible Authentication Protocol) authentication exchange. The supplicant provides credentials, the switch forwards them to the RADIUS server, and if authentication succeeds, the switch opens the port to normal traffic. If authentication fails, the port remains blocked — even a physically connected device gets no network access without valid credentials.
802.1X on wired networks eliminates the risk of someone plugging a laptop into an Ethernet port in a conference room and accessing the corporate network without credentials. On wireless networks, WPA2/3-Enterprise requires 802.1X — connecting to the SSID requires authentication through the RADIUS server rather than a shared password. Several EAP methods can run inside 802.1X; the exam-relevant ones are EAP-TLS (mutual certificate authentication, the strongest), PEAP (the client authenticates with a username/password inside a TLS tunnel, the server authenticates with a certificate; the most common in enterprise WiFi), and EAP-TTLS.
Comparison Table
| Protocol | Port | Transport | Primary Use | Encryption |
|---|---|---|---|---|
| Kerberos | 88 | TCP/UDP | Windows domain authentication | Tickets encrypted with shared secrets |
| NTLM | N/A (embedded) | TCP | Legacy Windows auth, workgroups | Challenge/response — hash vulnerable |
| RADIUS | 1812/1813 | UDP | Network access — WiFi, VPN, 802.1X | Password only |
| TACACS+ | 49 | TCP | Network device admin (Cisco) | Full packet body |
| LDAP | 389 / 636 | TCP | Directory queries and lookups | None (389) / TLS (636) |