1

For example I'm reading something right now that says: "The authentication server is a RADIUS server, which authenticates virtual machines through a Lightweight Directory Access Protocol (LDAP) database."

I thought that to authenticate you either use Radius OR LDAP, not both. Can someone straighten my head?

User104163
  • 409
  • 2
  • 6
  • 11
  • Sift through the answers here: http://security.stackexchange.com/questions/130095/what-is-the-difference-between-a-radius-server-and-active-directory/130101#130101 may be some good tidbits you can pick out.. – HashHazard Jul 15 '16 at 19:06

1 Answers1

1

LDAP is a database with user information (including passwords). Radius is a protocol for authentication (and other things) but does not contain any user information by itself. This means you could use Radius to authenticate against various kinds of password storage, including an LDAP database.

Support for Radius can be found in lots of devices and with simple interface any authentication protocol can be used which is supported by the Radius server. Depending on the radius server this can be simple password storage, LDAP, 2FA... . Thus if a specific system directly supports LDAP authentication you can use it, if it supports only Radius (more common) than you could use a Radius server with LDAP support and this way get the LDAP authentication to the system.

Steffen Ullrich
  • 190,458
  • 29
  • 381
  • 434
  • Ah so if LDAP is supported then you should only use LDAP and not Radius? i.e. Radius is not needed? – User104163 Jul 15 '16 at 19:50
  • 1
    @ponglenis: if your system all have LDAP support and all you need is LDAP and you don't need any of the additional features of Radius (like accounting) then there is no need to make the system more complex by adding Radius. – Steffen Ullrich Jul 15 '16 at 20:00
  • Sorry for late reply. Isn't Radius more secure and less taxing on the network bandwidth? – User104163 Jul 16 '16 at 17:18
  • @ponglenis: no it isn't and I have no idea why you think it would. – Steffen Ullrich Jul 16 '16 at 17:21
  • https://cdn.selinc.com//assets/Literature/Publications/Application%20Notes/AN2015-08_20150817.pdf?v=20150916-130419: "Network resources used by the two protocols are also quite different (see Table 2). – User104163 Jul 16 '16 at 17:44
  • LDAP sessions often require multiple transactions between the server and the client, which can cause significant delays during user authentication attempts. RADIUS can cache user information from the directory server to decrease login times. RADIUS is a simpler, less verbose protocol than LDAP, which increases the speed of authentication transactions for large databases of users. However, because RADIUS uses UDP, requests may time out and have to be retried if the network quality is poor. – User104163 Jul 16 '16 at 17:47
  • Authentication client load is reduced when using RADIUS because the network load is minimized and there is no need for complex settings or directory searches to take place between the user and the directory service. " – User104163 Jul 16 '16 at 17:48
  • @ponglenis: The article refers to LDAP vs. Radius and not LDAP alone vs. Radius+LDAP which is your question. Less bandwidth might be true if you are using LDAP *or* Radius with some small authentication backend. But if you are comparing Radius+LDAP vs. LDAP w/o Radius you only add additional overhead. Apart from that LDAP can be used with TLS (LDAPS) while Radius assumes a shared secret between radius server and radius client which is less secure because such a shared secret is harder to protect and replace, especially if it is shared with lots of other clients. – Steffen Ullrich Jul 16 '16 at 18:03
  • Sorry for the constant questions, but why is Radius less secure than LDAP with TLS? I know Radius uses a shared secret but doesn't LDAP too? – User104163 Jul 16 '16 at 18:41
  • @ponglenis: no, LDAP does not use a pre-shared secret. LDAP without TLS is not encrypted and [can be sniffed](https://ask.wireshark.org/questions/21902/ldap-simple-bind). LDAPS (LDAP over TLS) instead uses the same encryption layer as HTTPS which does not need any kind of pre-shared secret. For more information see [How does SSL/TLS work?](http://security.stackexchange.com/questions/20803/how-does-ssl-tls-work). – Steffen Ullrich Jul 16 '16 at 18:52