LIVE SIM
IBM IT Security
AUTH METHODS · EST. 3 MIN
Module 01 — Foundations
Authentication Protocol Library
Click any protocol card to expand its full architecture, components, and real-world use cases directly from the IBM reading.
📡
RADIUS
Remote Authentication Dial-In User Service
Widely used network protocol for centralized authentication, permission, and accounting. Enables remote access servers to communicate with a central RADIUS server for user authentication.
Centralized Auth · AAA Protocol · VPN
🖧
TACACS+
Terminal Access Controller Access Control System Plus
Separates authentication, permission, and accounting into distinct processes. TACACS+ provides more robust security with encryption and extended permission options for managing network devices.
Separate AAA · Encryption · Network Devices
🎫
Kerberos
Network Authentication Protocol (MIT)
Robust network authentication protocol providing secure authentication across untrusted networks. Uses symmetric key cryptography, preventing eavesdropping and unauthorized access.
Ticket-Based · Symmetric Key · KDC/AS/TGS
🔑
SSO
Single Sign-On with Kerberos
Authentication method using a single set of login credentials to access various applications. In Windows environments, Kerberos issues a ticket used to access resources without re-entering credentials.
Single Login · Active Directory · User Experience
📡
RADIUS Protocol
Remote Authentication Dial-In User Service
RFC 2865

A remote access client sends its credentials to the remote access server (the RADIUS client), which forwards them to the RADIUS server. The RADIUS server holds the user credentials and verifies the user's identity before access is granted, replying to the remote access server with Access-Accept, Access-Reject, or Access-Challenge. All sessions are centrally logged for accounting.

RADIUS Client — Router, VPN gateway, NAS device
RADIUS Server — Central authentication authority
User Database — Credentials and permissions store
Accounting Log — Session records: start, stop, usage data

VPN remote access · Dial-up ISP authentication · Wi-Fi 802.1X network access control · Remote network resource access

Centralized authentication · Combines auth + authorization · Ports 1812/1813 · UDP transport protocol

🖧
TACACS+ Protocol
Terminal Access Controller Access Control System Plus
Cisco Standard

TACACS+ separates each AAA function into an independent process — unlike RADIUS, which combines them. A network admin's login request is separately authenticated (who are you?) and authorized (what can you do?), and every command issued is accounted for. Encryption of the entire packet body protects all of this data in transit.

Authentication — Verifies identity: "Who are you?"
Permission/Authorization — "What can you do?"
Accounting — Logs all actions performed
Full Encryption — Entire packet body is encrypted

Router management · Switch configuration · Firewall access · Network device administration in Cisco environments

TCP vs UDP · Full body encryption vs password-only · Separated AAA vs combined · Better suited for device admin

🎫
Kerberos Protocol
Named for the three-headed guardian of the Underworld (KDC + AS + TGS)
RFC 4120 v5

Kerberos uses a trusted third party (the KDC) to issue time-stamped, encrypted tickets. Clients prove their identity with these tickets, so passwords never travel across the network. Because the tickets are encrypted with symmetric keys and carry timestamps, eavesdropping and replay attacks are prevented even across untrusted networks.

KDC — Key Distribution Center (trusted authority)
AS — Authentication Server — issues TGT
TGS — Ticket-Granting Service — issues service tickets
TGT — Ticket-Granting Ticket (user's "passport")

Windows Active Directory domains · Unix/Linux Kerberos realms · Google internal systems · MIT campus networks

Symmetric key cryptography · Time-stamped tickets prevent replay · No passwords over network · Mutual authentication

🔑
SSO with Kerberos
Single Sign-On via Active Directory + Kerberos Integration
Windows AD

When a user logs into a Windows workstation that is part of an Active Directory domain, the workstation contacts the Active Directory domain controller. Kerberos issues a Ticket-Granting Ticket (TGT) that silently authenticates the user to all domain resources — no re-entering credentials required.

Domain Controller — Hosts the KDC + user directory
Group Policy — Enforces security configurations
Account Lockout — Auto-disables on failed attempts
Seamless SSO — One TGT unlocks all domain resources

Reduced password fatigue · Consistent security policies · Centralized user management · Simplified account administration

Password minimum length · Account lockout thresholds · Login hour restrictions · Audit logging · MFA enforcement

Module 02 — RADIUS Protocol
RADIUS Authentication Flow
Step through a VPN dial-in authentication sequence. Watch packets travel between the user client, RADIUS client (VPN gateway), and the central RADIUS server — exactly as described in the IBM reading.
Simulation nodes: User Client (remote access) → Connection Req → VPN Gateway (RADIUS client) → Access-Request → RADIUS Server (central auth) → DB Query → User Database (credentials store)
// RADIUS Authentication Simulation
// Based on IBM Authentication Methods reading
01 User Connection Request — User attempts to connect to the corporate VPN with credentials
02 Access-Request Forwarded — VPN Gateway (RADIUS Client) forwards the credentials to the central RADIUS Server
03 Database Credential Lookup — RADIUS Server queries the user database to verify the username and password hash
04 Access-Accept Returned — RADIUS Server returns Access-Accept with session attributes and policy
05 VPN Session Established — Gateway applies the policy and opens an encrypted tunnel for the user
06 Accounting Starts — RADIUS logs the session: username, IP, timestamp, data transferred (centralized accounting)
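As an added example (not code from the IBM reading or from this simulation), the Python below builds the Access-Request the VPN gateway sends in step 02, has a simulated RADIUS server check it against a constructed user database (step 03) and answer Access-Accept or Access-Reject (step 04), and has the gateway verify the Response Authenticator before trusting the verdict. The packet layout, the MD5-based User-Password hiding and the Response Authenticator follow RFC 2865, cited on the RADIUS card above; the shared secret, the user record and the Framed-IP-Address value are constructed sample data. It also shows the contrast the TACACS+ card draws (full body encryption vs password-only): only the User-Password attribute is hidden, while the User-Name travels in plaintext.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 codes and attribute types used here
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 2, 4, 8

# Constructed sample data: the secret the VPN gateway shares with the RADIUS server,
# and the user database the server queries in step 03 (password stored as a hash)
SHARED_SECRET = b"example-shared-secret"
USER_DB = {"sarah.chen": hashlib.sha256(b"CorrectHorse!42").hexdigest()}


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block);
    the first 'previous block' is the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # strip padding; passwords must not end in NUL


def encode_attrs(attrs) -> bytes:
    # Each attribute is Type (1 byte), Length (1 byte, including this header), Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    # Header: Code, Identifier, Length (covers the whole packet), 16-byte Authenticator
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, req_auth, attrs, secret) -> bytes:
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def build_access_request(ident: int, username: str, password: str, nas_ip: str) -> bytes:
    """Step 02: the VPN gateway (RADIUS client) forwards the user's credentials."""
    req_auth = os.urandom(16)  # Request Authenticator: fresh random value per request
    attrs = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), SHARED_SECRET, req_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs)


def radius_server(packet: bytes) -> bytes:
    """Steps 03-04: recover the password, check the database, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], decode_attrs(packet[20:length])
    if code != ACCESS_REQUEST:
        raise ValueError("unexpected packet code")
    password = unhide_password(attrs[USER_PASSWORD], SHARED_SECRET, req_auth)
    ok = USER_DB.get(attrs[USER_NAME].decode()) == hashlib.sha256(password).hexdigest()
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    # Constructed session attribute returned on Accept: the tunnel address to assign
    reply = encode_attrs([(FRAMED_IP_ADDRESS, bytes([10, 8, 0, 5]))]) if ok else b""
    resp_auth = response_authenticator(code, ident, req_auth, reply, SHARED_SECRET)
    return build_packet(code, ident, resp_auth, reply)


def radius_client_verdict(request: bytes, response: bytes):
    """Gateway side: trust the reply only if Identifier and Response Authenticator check out."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1]:
        return None
    expected = response_authenticator(code, ident, request[4:20], response[20:length], SHARED_SECRET)
    return code if hmac.compare_digest(expected, response[4:20]) else None


if __name__ == "__main__":
    req = build_access_request(7, "sarah.chen", "CorrectHorse!42", "10.0.0.1")
    print("User-Name visible on the wire:", b"sarah.chen" in req)          # True
    print("verdict code:", radius_client_verdict(req, radius_server(req)))  # 2 = Access-Accept
```

The gateway's check of the Response Authenticator is what stops a forged Access-Accept from a party that does not hold the shared secret; the MD5 password hiding, by contrast, protects only the one attribute, which is why the TACACS+ card lists full body encryption as the differentiator for device administration.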
Module 03 — Kerberos Protocol
Kerberos Ticket Exchange Lab
Simulate how the KDC, AS, and TGS issue encrypted tickets to authenticate a user without passwords ever crossing the network — the core innovation of Kerberos.
Simulation nodes: Client workstation (user's machine requesting access) · Authentication Server, AS (issues TGT; part of KDC) · Ticket-Granting Service, TGS (issues service tickets; part of KDC) · File Server (target service being accessed)
// Kerberos Ticket Exchange — Step through to observe each ticket
// Key insight: passwords are never transmitted over the network!
01 AS-REQ — Client sends its username and an encrypted timestamp to the Authentication Server (no password over the network)
02 TGT Issued — AS verifies the user exists and issues an encrypted Ticket-Granting Ticket (TGT) plus a session key
03 TGS-REQ — Client presents the TGT to the Ticket-Granting Service to request access to the file server
04 Service Ticket Issued — TGS validates the TGT and issues a Service Ticket encrypted for the target service
05 AP-REQ to Service — Client presents the Service Ticket to the file server for access
06 Access Granted — File server decrypts the ticket, verifies the session key, and grants access — no password ever sent!
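As an added example (not code from the IBM reading or from this simulation), the Python below runs the six steps above end to end: AS-REQ with an encrypted timestamp, TGT plus session key, TGS-REQ with an authenticator, service ticket, AP-REQ, and the file server's checks. The cipher is a constructed stand-in (SHA-256 keystream plus HMAC tag) for the real Kerberos AES enctypes, the string-to-key derivation is modelled on Kerberos with assumed PBKDF2 parameters, and the principal names, keys and ticket lifetime are constructed sample values. The service-side check goes slightly beyond the text by also enforcing the clock-skew window and a replay cache on authenticators, which is how the time-stamped tickets on the Kerberos card prevent replay.

```python
import hashlib
import hmac
import json
import os
import time

SKEW = 300            # clock-skew window in seconds (Kerberos' usual default)
TICKET_LIFE = 36000   # constructed ticket lifetime: 10 hours
REALM = "TECHSOLUTIONS.LOCAL"


def seal(key: bytes, obj: dict) -> bytes:
    """Constructed stand-in for a Kerberos enctype: SHA-256 keystream XOR plus HMAC-SHA256 tag.
    It only models 'encrypted under a symmetric key'; real Kerberos uses AES-based enctypes."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(pt) // 32 + 1))
    ct = bytes(p ^ k for p, k in zip(pt, ks))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(c ^ k for c, k in zip(ct, ks)))


def string2key(password: str, principal: str) -> bytes:
    # Modelled on Kerberos string-to-key (salt = realm + principal); PBKDF2 parameters are assumed
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 4096, 32)


# Constructed KDC and service state: long-term keys plus the authenticator replay cache
USER_KEYS = {"sarah.chen": string2key("CorrectHorse!42", "sarah.chen")}
KRBTGT_KEY = os.urandom(32)                          # key the TGS uses to read TGTs
SERVICE_KEYS = {"cifs/fileserver": os.urandom(32)}   # key the file server shares with the KDC
SEEN_AUTHENTICATORS = set()


def fresh(ts: int, now: int) -> bool:
    return abs(now - ts) <= SKEW


def make_authenticator(session_key: bytes, cname: str, now: int) -> bytes:
    return seal(session_key, {"cname": cname, "ts": now, "nonce": os.urandom(8).hex()})


def check_authenticator(session_key: bytes, authenticator: bytes, cname: str, now: int) -> None:
    """Shared by TGS and service: decrypt with the ticket's session key, match the client
    name, enforce the skew window, and reject an authenticator seen before (replay)."""
    a = unseal(session_key, authenticator)
    if a["cname"] != cname or not fresh(a["ts"], now):
        raise PermissionError("authenticator rejected")
    marker = (a["cname"], a["ts"], a["nonce"])
    if marker in SEEN_AUTHENTICATORS:
        raise PermissionError("replayed authenticator")
    SEEN_AUTHENTICATORS.add(marker)


def as_exchange(cname: str, padata: bytes, now: int):
    """Steps 01-02: the encrypted timestamp proves knowledge of the user key without sending
    the password; the AS returns a TGT (sealed for the TGS) and the session key (sealed for the user)."""
    key = USER_KEYS[cname]
    try:
        ts = unseal(key, padata)["ts"]
    except ValueError:
        raise PermissionError("pre-authentication failed")
    if not fresh(ts, now):
        raise PermissionError("pre-authentication failed")
    sk, end = os.urandom(32).hex(), now + TICKET_LIFE
    return seal(KRBTGT_KEY, {"cname": cname, "key": sk, "end": end}), seal(key, {"key": sk, "end": end})


def tgs_exchange(tgt: bytes, authenticator: bytes, sname: str, now: int):
    """Steps 03-04: the TGS opens the TGT, checks the authenticator, and issues a service ticket."""
    t = unseal(KRBTGT_KEY, tgt)
    if now > t["end"]:
        raise PermissionError("TGT expired")
    sk1 = bytes.fromhex(t["key"])
    check_authenticator(sk1, authenticator, t["cname"], now)
    sk2 = os.urandom(32).hex()
    ticket = seal(SERVICE_KEYS[sname], {"cname": t["cname"], "key": sk2, "end": now + TICKET_LIFE})
    return ticket, seal(sk1, {"key": sk2})


def ap_exchange(sname: str, ticket: bytes, authenticator: bytes, now: int) -> str:
    """Steps 05-06: the service opens the ticket with its own key and validates the authenticator."""
    t = unseal(SERVICE_KEYS[sname], ticket)
    if now > t["end"]:
        raise PermissionError("service ticket expired")
    check_authenticator(bytes.fromhex(t["key"]), authenticator, t["cname"], now)
    return t["cname"]


def client_login(cname: str, password: str, sname: str, now: int = 0) -> str:
    """Client side of all six steps; returns the principal the service accepted."""
    now = now or int(time.time())
    user_key = string2key(password, cname)
    tgt, enc = as_exchange(cname, seal(user_key, {"ts": now}), now)                   # AS-REQ / AS-REP
    sk1 = bytes.fromhex(unseal(user_key, enc)["key"])
    ticket, enc2 = tgs_exchange(tgt, make_authenticator(sk1, cname, now), sname, now)  # TGS-REQ / TGS-REP
    sk2 = bytes.fromhex(unseal(sk1, enc2)["key"])
    return ap_exchange(sname, ticket, make_authenticator(sk2, cname, now), now)         # AP-REQ


if __name__ == "__main__":
    print("file server accepted:", client_login("sarah.chen", "CorrectHorse!42", "cifs/fileserver"))
```

Note what each party can and cannot read: the client never sees the krbtgt or service keys, the file server never sees the user's key, and the password itself is only ever an input to string2key on the client and on the KDC, which is the property the simulation's "key insight" line states.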
Module 04 — Single Sign-On
SSO with Kerberos Simulation
Login once to your workstation. Then click each domain resource — watch SSO in action. Kerberos silently authenticates you to every service using your TGT, so you never re-enter credentials.
Simulated user: Sarah Chen (sarah.chen@techsolutions.local), initially not authenticated (no active Kerberos ticket until login)
Domain Controller Response Log (Active Directory domain controller log)
Domain Resources (each requires authentication): Exchange Email Server · File Server (\\DC01\shares) · HR Information System · SharePoint Intranet · Project Database
Why SSO Improves User Experience
Single login — one set of credentials for all resources
No re-entry — Kerberos ticket handles auth silently
Fewer passwords — reduces management burden
Strong security — encrypted tickets, not plaintext passwords
Centralized control — revoke access from one location
Module 05 — Kerberos + Active Directory
Active Directory Integration
Explore how integrating Kerberos with Active Directory enables seamless SSO, simplifies user account management, and enforces consistent security policies through Group Policy.
Domain Controller DC01.TECHSOLUTIONS.LOCAL — components: Kerberos KDC (AS + TGS) · Active Directory Database · Group Policy Engine · Security Audit Logs (all idle until the simulated domain is activated)
Domain Event Log — Domain Controller event log
Group Policy — Enforced Security Configurations
Password Policy — Minimum 12 chars · Complexity required · 90-day expiry
Account Lockout — Lock after 5 failed attempts · 30-min lockout duration
Logon Hours — Permitted Mon–Fri 7AM–8PM · Denied outside hours
Audit Logging — All login events, failures, and access logged
MFA Enforcement — Smart card or TOTP required for privileged accounts
Benefits of Kerberos + AD Integration
✓ Seamless authentication across Windows-based systems and services
✓ Simplifies management of user accounts centrally
✓ Ensures consistent security policies via Group Policy
✓ Enables SSO capabilities across all network resources
✓ Comprehensive framework for authentication, permission, and access control
Module 06 — Knowledge Assessment
Authentication Methods Quiz
Test your understanding of RADIUS, TACACS+, Kerberos, SSO, and Active Directory. Questions drawn directly from the IBM reading.