IAM Blog Series – Part 7: AuthN vs AuthZ on the Internal Network

Authentication vs Authorization on Internal Networks: IAM Part 7

This guide, Part 7 of the IAM series, explains how authentication (AuthN) and authorization (AuthZ) work differently inside corporate networks than on the public internet. On internal networks, Kerberos, NTLM, Active Directory, and LDAP handle authentication, while authorization is governed by GPOs, RBAC, and PAM systems. For related content, see IAM Part 6: AuthN vs AuthZ on the Internet and the CISSP Domain 5: IAM Guide. External references: Microsoft Kerberos Guide and NIST Identity Management.

Hook: Picture your network as an airport. What guards it: boarding passes, security lanes, or staff-only doors?

  • Kerberos = boarding pass system (one pass, many gates).
  • RADIUS = passenger security lane (get into the secure area).
  • TACACS+ = staff-only doors (crew actions checked and recorded).

Why It’s Needed (Context)

Modern networks are crowded airports: many people (users), many gates (apps), and busy back rooms (devices).
AAA—Authentication, Authorization, Accounting—keeps order: who gets in, what they can do, and what gets logged. Strong AAA stops intruders, limits damage, and proves what happened.


Core Concepts Explained Simply

Kerberos — SSO + Tickets + KDC

  • Technical definition: Ticket-based login managed by a KDC (Key Distribution Center). You sign in once, get a TGT (Ticket-Granting Ticket), then request service tickets for each app—no more passwords.
  • Airport example: Check in at the airline desk, get a boarding pass, use it at multiple gates and lounges.
  • Technical example: User logs into Active Directory, then reaches file shares and databases using tickets—no extra prompts.

RADIUS — Network Access + UDP + Harden with TLS

  • Technical definition: Central AAA for VPN/Wi-Fi/802.1X. Usually over UDP/1812–1813. Legacy RADIUS only hides the password; fix this with EAP-TLS (certificates) and/or RadSec (RADIUS over TLS). Avoid MSCHAPv2.
  • Airport example: Passenger security lane—fast check to enter the secure side.
  • Technical example: VPN device asks RADIUS to verify a user’s certificate (EAP-TLS) and assign policy (e.g., VLAN).

TACACS+ — Device Admin + TCP + Full Encryption

  • Technical definition: AAA for router/switch/firewall admin over TCP/49 with full message encryption and per-command authorization + logging.
  • Airport example: Staff-only doors—every entry is checked; tasks allowed by role; all actions recorded.
  • Technical example: Engineer SSHs to a switch; TACACS+ verifies the identity and then authorizes each command individually (for example, permits show but denies conf t), logging everything.
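A minimal per-command authorization check with accounting, added here to illustrate the TACACS+ model described above; this is hypothetical example code, not a TACACS+ server's configuration, and the role names, command patterns and record fields are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed per-role command policy (hypothetical, not a real TACACS+ server config).
# Rules are ordered and first match wins; a command matching nothing is denied,
# so no role silently becomes the flat "admin-all" role the post warns about.
POLICY = {
    "helpdesk": [("permit", r"^show\b"), ("permit", r"^ping\b")],
    "neteng":   [("deny", r"^reload\b"), ("deny", r"^erase\b"), ("permit", r".*")],
}

ACCOUNTING = []   # stands in for the accounting records a TACACS+ server forwards to a SIEM

def normalize(cmd):
    """Collapse whitespace so 'show   run' and 'show run' hit the same rule."""
    return " ".join(cmd.strip().split())

def authorize(user, role, device, cmd):
    """Decide one command for one session and record the attempt either way."""
    cmd = normalize(cmd)
    decision = next((d for d, pat in POLICY.get(role, []) if re.match(pat, cmd)), "deny")
    ACCOUNTING.append({
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "user": user, "role": role, "device": device, "cmd": cmd, "decision": decision,
    })
    return decision

def denies_for(role, records=None):
    """Per-role deny count: the raw input for the 'command-deny spikes' signal in Detect."""
    records = ACCOUNTING if records is None else records
    return sum(1 for r in records if r["role"] == role and r["decision"] == "deny")
```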

Real-World Case Study

Failure (RADIUS used for admin):

  • Situation: Company used legacy RADIUS (no TLS, shared secrets reused) for Wi-Fi and device admin.
  • Impact: An attacker already inside the network observed RADIUS traffic and reached the management networks. There were no per-command logs.
  • Lesson: Keep RADIUS for access (VPN/Wi-Fi) and harden it (EAP-TLS/RadSec). Use TACACS+ for admin.

Success (right tool, right zone):

  • Setup: Kerberos for app SSO; RADIUS + EAP-TLS (or RadSec) for Wi-Fi/VPN; TACACS+ for device admin. Logs to SIEM.
  • Result: Stolen helpdesk login triggered TACACS+ command denies and clear audit. Fast containment.
  • Lesson: Split duties: Kerberos (apps), RADIUS (access), TACACS+ (admin).

Action Framework — Prevent → Detect → Respond

Prevent

  • Kerberos: Use AES; disable RC4; NTP time sync; short ticket lifetimes; clean SPNs.
  • RADIUS: Enforce EAP-TLS; prefer RadSec (or IPsec/DTLS); unique shared secrets; allow-list NAS clients.
  • TACACS+: Put on management network; require MFA; define roles; per-command policies; send logs to SIEM.

Detect

  • Kerberos: Spikes in TGT/TGS failures; weird SPN requests; time-skew errors.
  • RADIUS: Access-Reject storms; unknown NAS; EAP or TLS (RadSec) errors.
  • TACACS+: Command-deny spikes; sudden privilege jumps; commands outside change windows.

Respond

  • Kerberos: Purge tickets; disable accounts; fix SPNs/time; review delegation.
  • RADIUS: Quarantine bad NAS; rotate secrets; enforce EAP-TLS/RadSec.
  • TACACS+: Freeze risky roles; pull command logs; revert configs; review with change control.

Key Differences to Keep in Mind

  1. Where used: Kerberos = gates/apps; RADIUS = entering airport; TACACS+ = staff doors.
  2. Transport: RADIUS = UDP/1812–1813 (optionally RadSec/TLS); TACACS+ = TCP/49; Kerberos = ticket exchanges.
  3. Encryption: Kerberos = tickets protected; RADIUS = password only unless EAP-TLS/RadSec; TACACS+ = full payload.
  4. Authorization: Kerberos = app decides; RADIUS = session attributes; TACACS+ = per-command.
  5. Common pitfalls: Kerberos = clock/SPN issues; RADIUS = MSCHAPv2, reused secrets, no TLS; TACACS+ = flat “admin-all” roles, missing logs.

Summary Table

Concept | Definition | Airport Example | Technical Example
--- | --- | --- | ---
Kerberos | Ticket-based SSO via KDC; TGT + service tickets. | One boarding pass, many gates. | AD login → tickets to SMB/SQL.
RADIUS | AAA for VPN/Wi-Fi over UDP; use EAP-TLS/RadSec; avoid MSCHAPv2. | Passenger security lane. | VPN checks cert with RADIUS; policy assigned.
TACACS+ | AAA for device admin over TCP/49; full encryption; per-command control. | Staff-only doors with action logs. | Switch allows show, denies conf t, logs all.

Visual: Airport Decision Tree

                 What are you securing?
                      /             \
            End-user/App SSO     Network & Device
                  |                 /         \
              KERBEROS        Access (VPN/Wi-Fi)   Admin (CLI)
                                  RADIUS           TACACS+
                             UDP/1812–1813 + TLS     TCP/49

What’s Next

“802.1X Made Simple: Rolling Out EAP-TLS (and RadSec) Without Drama.”
We’ll cover cert automation, common supplicant issues, and clean controller configs.


🌞 The Last Sun Rays…

  • Boarding passes moving you between gates = Kerberos.
  • Security lanes letting you into the airside = RADIUS (use EAP-TLS/RadSec).
  • Staff-only doors with full checks = TACACS+.

KPI quick targets: Kerberos TGS failure rate below 0.5%; alert when the RADIUS reject rate exceeds 5% in any 15-minute window; baseline TACACS+ command denies per role and alert on deviations from that baseline.
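As an added example (not from the post), the three KPI quick targets above and the matching signals from the Detect section, computed in Python over constructed sample events; the event field names and the 2x-baseline rule for TACACS+ denies are assumptions.

```python
from collections import Counter
from datetime import datetime

TGS_FAILURE_MAX = 0.005      # Kerberos TGS failures < 0.5% (from the post)
RADIUS_REJECT_MAX = 0.05     # RADIUS reject rate > 5% in a 15-minute window (from the post)
TACACS_DENY_FACTOR = 2.0     # assumption: alert when a role's denies exceed 2x its baseline

def mk(src, ts, n, **fields):
    return [dict(src=src, ts=datetime.fromisoformat(ts), **fields) for _ in range(n)]

# Constructed sample events (not real logs), built as n copies of one normalized SIEM-style
# record: a small TGS failure burst, one noisy RADIUS window, and a helpdesk account
# repeatedly denied 'conf t' on switches.
EVENTS = (
    mk("kerberos", "2024-05-01T09:00:00", 180, result="ok")
    + mk("kerberos", "2024-05-01T09:05:00", 3, result="fail")
    + mk("radius", "2024-05-01T09:00:00", 40, result="Access-Accept")
    + mk("radius", "2024-05-01T09:20:00", 30, result="Access-Accept")
    + mk("radius", "2024-05-01T09:25:00", 6, result="Access-Reject")
    + mk("tacacs", "2024-05-01T09:00:00", 11, role="helpdesk", result="deny", cmd="conf t")
    + mk("tacacs", "2024-05-01T09:00:00", 1, role="neteng", result="deny", cmd="reload")
)
TACACS_BASELINE = {"helpdesk": 3, "neteng": 2}   # constructed normal daily denies per role

def kerberos_tgs_failure_rate(events):
    tgs = [e for e in events if e["src"] == "kerberos"]
    return sum(e["result"] == "fail" for e in tgs) / len(tgs) if tgs else 0.0

def radius_reject_rate_by_window(events):
    """Share of Access-Reject per 15-minute window, keyed by window start time."""
    total, rejects = Counter(), Counter()
    for e in (e for e in events if e["src"] == "radius"):
        w = e["ts"].replace(minute=e["ts"].minute // 15 * 15, second=0, microsecond=0)
        total[w] += 1
        rejects[w] += e["result"] == "Access-Reject"
    return {w: rejects[w] / total[w] for w in sorted(total)}

def tacacs_denies_by_role(events):
    return Counter(e["role"] for e in events if e["src"] == "tacacs" and e["result"] == "deny")

def alerts(events, baseline):
    """Apply the three KPI targets; one alert string per breach."""
    out, k = [], kerberos_tgs_failure_rate(events)
    if k > TGS_FAILURE_MAX:
        out.append(f"kerberos: TGS failure rate {k:.2%} exceeds {TGS_FAILURE_MAX:.1%}")
    for w, r in radius_reject_rate_by_window(events).items():
        if r > RADIUS_REJECT_MAX:
            out.append(f"radius: reject rate {r:.1%} in the window starting {w:%H:%M}")
    for role, n in tacacs_denies_by_role(events).items():
        if n > TACACS_DENY_FACTOR * baseline.get(role, 0):
            out.append(f"tacacs: {role} had {n} command denies (baseline {baseline.get(role, 0)})")
    return out
```

With the constructed data, alerts(EVENTS, TACACS_BASELINE) fires on all three signals (1.64% TGS failures, a 16.7% reject window at 09:15, and 11 helpdesk denies against a baseline of 3).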

Reflection: Which single metric would make you catch trouble fastest tomorrow—Kerberos failures, RADIUS rejects, or TACACS+ command denies?
