IAM Blog Series – Part 7: AuthN vs AuthZ on the Internal Network

Hook: Picture your network as an airport. What guards it: boarding passes, security lanes, or staff-only doors?

  • Kerberos = boarding pass system (one pass, many gates).
  • RADIUS = passenger security lane (get into the secure area).
  • TACACS+ = staff-only doors (crew actions checked and recorded).

Why It’s Needed (Context)

Modern networks are crowded airports: many people (users), many gates (apps), and busy back rooms (devices).
AAA (Authentication, Authorization, Accounting) keeps order: who gets in, what they can do, and what gets logged. Strong AAA keeps intruders out of places they have no business being, bounds the damage when an account is stolen, and leaves evidence of what actually happened.


Core Concepts Explained Simply

Kerberos — SSO + Tickets + KDC

  • Technical definition: Ticket-based authentication brokered by a KDC (Key Distribution Center). You sign in once and receive a TGT (Ticket-Granting Ticket); your client then trades the TGT for a service ticket per application. No further password prompts, and the password itself never reaches the app.
  • Airport example: Check in at the airline desk, get a boarding pass, use it at multiple gates and lounges.
  • Technical example: User logs into Active Directory, then reaches file shares and databases using tickets—no extra prompts.

RADIUS — Network Access + UDP + Harden with TLS

  • Technical definition: Central AAA for VPN/Wi-Fi/802.1X, normally UDP/1812 (authentication) and UDP/1813 (accounting). Legacy RADIUS obfuscates only the User-Password attribute, with an MD5 keystream derived from the shared secret; usernames and every other attribute travel in cleartext. Fix this with EAP-TLS (certificates, so no password is sent at all) and/or RadSec (RADIUS over TLS, which protects the whole exchange). Avoid MSCHAPv2: its DES-based challenge/response is crackable offline.
  • Airport example: Passenger security lane—fast check to enter the secure side.
  • Technical example: The VPN concentrator relays EAP to the RADIUS server, which validates the user's certificate (EAP-TLS) and returns policy attributes (e.g., a VLAN assignment) for the NAS to apply.
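To make "legacy RADIUS only hides the password" concrete, here is the RFC 2865 section 5.2 User-Password hiding implemented end to end, plus the offline dictionary attack it invites when a shared secret is weak or reused across NAS devices. This is an added example written for this post, not code from the post or from any RADIUS product; the secret, password and wordlist are constructed for the demonstration.

```python
"""RFC 2865 User-Password hiding, and why it is only as strong as the shared secret.

Added example for this post; not code from the post or from any RADIUS product.
The secret, password and wordlist below are constructed for the demonstration.
"""
import hashlib
import os
from typing import Iterable, Optional


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Obfuscate User-Password as RFC 2865 section 5.2 describes.

    The password is NUL-padded to a multiple of 16 bytes, then each 16-byte
    chunk is XORed with MD5(secret + previous cipher block); the first block
    uses the 16-byte Request Authenticator instead. Note that nothing else in
    the Access-Request (User-Name, NAS-IP-Address, ...) gets this treatment.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 allows 1..128 byte passwords")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password; this is what the RADIUS server does with the secret."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    # RFC padding is NUL bytes, so trailing NULs are stripped (passwords
    # ending in NUL are not representable, which the RFC accepts).
    return bytes(out).rstrip(b"\x00")


def recover_secret(hidden: bytes, request_authenticator: bytes,
                   known_password: bytes, wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack on the shared secret.

    An attacker who captured one Access-Request for an account whose password
    they know (their own, or a default) can test candidate secrets offline with
    nothing but MD5. Once the secret falls, every other password that NAS ever
    sent with it falls too, which is why "unique shared secrets" is a hard rule.
    """
    for candidate in wordlist:
        if reveal_password(hidden, candidate, request_authenticator) == known_password:
            return candidate
    return None


def demo() -> Optional[bytes]:
    """Constructed capture: a default-style secret falls to a four-word list."""
    secret = b"testing123"                 # constructed: a well-known default, never reuse it
    ra = os.urandom(16)                    # Request Authenticator is random per request
    pw = b"CorrectHorseBattery"            # 19 bytes, so the second chained block is exercised
    hidden = hide_password(pw, secret, ra)
    assert reveal_password(hidden, secret, ra) == pw
    wordlist = [b"radius", b"secret", b"testing123", b"changeme"]
    return recover_secret(hidden, ra, pw, wordlist)


if __name__ == "__main__":
    print("recovered shared secret:", demo())
```

The roundtrip shows the server-side operation; `recover_secret` shows the attacker-side one. EAP-TLS removes the password from the wire altogether, and RadSec wraps the whole datagram in TLS so the remaining cleartext attributes are no longer readable on the LAN.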

TACACS+ — Device Admin + TCP + Per-Command Control

  • Technical definition: AAA for router/switch/firewall administration over TCP/49. Authentication, authorization and accounting are separate exchanges, so each command can be authorized and logged individually. The whole packet body is obfuscated with an MD5-derived keystream keyed by the shared secret (RFC 8907 deliberately calls this obfuscation, not encryption); only the header is in the clear. That is better than RADIUS, but it is not modern cryptography, which is one more reason TACACS+ belongs on an isolated management network.
  • Airport example: Staff-only doors—every entry is checked; tasks allowed by role; all actions recorded.
  • Technical example: An engineer SSHes to a switch. The switch sends the login to TACACS+ for authentication, then each typed command for authorization (show commands permitted, configure terminal denied for a helpdesk role), and every command, permitted or denied, is written to the accounting log.
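The per-command decision and the accounting line it produces look like this in practice. This is an added example written for this post, not code from the post or from any TACACS+ server; the roles, the user-to-role mapping, the device names and the command abbreviations handled by `normalize` are constructed for the demonstration.

```python
"""Per-command authorization and accounting as a TACACS+ policy engine applies them.

Added example for this post, not code from the post or from any TACACS+
server. The roles, user-to-role mapping, device names and commands are
constructed for the demonstration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Role:
    name: str
    allow: List[str]                        # regexes over the normalized command
    deny: List[str] = field(default_factory=list)


# Constructed roles. Evaluation order is deny, then allow, then default deny,
# so there is no flat "admin-all" role: even neteng cannot touch AAA config.
# The lookahead in the helpdesk rule blocks "show run" as well as
# "show running-config", because abbreviated forms are the classic bypass.
ROLES: Dict[str, Role] = {
    "helpdesk": Role("helpdesk", allow=[r"^show (?!run|start)\S.*$", r"^ping \S+$", r"^traceroute \S+$"]),
    "neteng": Role(
        "neteng",
        allow=[r"^show .*$", r"^configure terminal$", r"^interface \S+$", r"^description .*$",
               r"^(no )?shutdown$", r"^(write memory|copy running-config startup-config)$"],
        deny=[r"^(no )?(aaa|tacacs|username) .*$"],
    ),
}
USER_ROLE = {"hd.jane": "helpdesk", "ne.raj": "neteng"}   # constructed mapping


@dataclass
class Decision:
    user: str
    role: Optional[str]
    command: str
    permitted: bool
    reason: str


def normalize(cmd: str) -> str:
    """Collapse whitespace, lower-case, and expand the abbreviations people type.

    A real NAS sends TACACS+ the fully expanded command; this is here only so
    the demo accepts "conf t" and "sh ip int br" the way an engineer types them.
    """
    cmd = " ".join(cmd.strip().split()).lower()
    if cmd in ("conf t", "config t", "configure t"):
        return "configure terminal"
    if cmd == "wr":
        return "write memory"
    for short, full in (("sh ", "show "), ("int ", "interface ")):
        if cmd.startswith(short):
            return full + cmd[len(short):]
    return cmd


def authorize(user: str, raw_cmd: str) -> Decision:
    """One authorization request: deny list, then allow list, then default deny."""
    cmd = normalize(raw_cmd)
    role_name = USER_ROLE.get(user)
    if role_name is None:
        return Decision(user, None, cmd, False, "no role mapped")
    role = ROLES[role_name]
    for pat in role.deny:
        if re.match(pat, cmd):
            return Decision(user, role_name, cmd, False, f"explicit deny {pat}")
    for pat in role.allow:
        if re.match(pat, cmd):
            return Decision(user, role_name, cmd, True, f"allow {pat}")
    return Decision(user, role_name, cmd, False, "no matching allow (default deny)")


def accounting_record(d: Decision, device: str) -> str:
    """One accounting line per command. Denies are logged too; a run of them is
    exactly the signal the case study's stolen helpdesk login produced."""
    verdict = "PERMIT" if d.permitted else "DENY"
    return f'device={device} user={d.user} role={d.role} cmd="{d.command}" result={verdict} reason="{d.reason}"'


def run_session(user: str, device: str, commands: List[str]) -> List[Decision]:
    """Authorize each command in turn and print the accounting trail."""
    decisions = [authorize(user, c) for c in commands]
    for d in decisions:
        print(accounting_record(d, device))
    return decisions


if __name__ == "__main__":
    # Constructed scenario: a stolen helpdesk login tries to escalate on a core switch.
    run_session("hd.jane", "core-sw1", ["sh ip int br", "show run", "conf t", "copy running-config tftp:"])
    run_session("ne.raj", "core-sw1", ["conf t", "interface Gi1/0/1", "shutdown", "no aaa new-model", "wr"])
```

Two design points carry over to real deployments: the engine is default-deny, so forgetting a rule fails closed, and the deny list is evaluated before the allow list, so a broad `show .*` allow cannot be widened by accident into touching the AAA configuration itself.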

Real-World Case Study

Failure (RADIUS used for admin):

  • Situation: Company used legacy RADIUS (no TLS, shared secrets reused) for Wi-Fi and device admin.
  • Impact: An attacker with a foothold on the user LAN captured RADIUS traffic (usernames, NAS addresses and policy attributes are cleartext, and one reused shared secret protected every device's passwords) and reached the management networks. RADIUS authorizes a session, not individual commands, so there were no per-command logs to show what had been changed.
  • Lesson: Keep RADIUS for access (VPN/Wi-Fi) and harden it (EAP-TLS/RadSec). Use TACACS+ for admin.

Success (right tool, right zone):

  • Setup: Kerberos for app SSO; RADIUS + EAP-TLS (or RadSec) for Wi-Fi/VPN; TACACS+ for device admin. Logs to SIEM.
  • Result: Stolen helpdesk login triggered TACACS+ command denies and clear audit. Fast containment.
  • Lesson: Split duties: Kerberos (apps), RADIUS (access), TACACS+ (admin).

Action Framework — Prevent → Detect → Respond

Prevent

  • Kerberos: Use AES encryption types; disable RC4 (and DES); keep NTP time sync, since the KDC rejects requests outside the allowed clock skew (5 minutes by default in Active Directory); short ticket lifetimes; remove stale and duplicate SPNs.
  • RADIUS: Enforce EAP-TLS; prefer RadSec (or IPsec/DTLS); unique shared secrets; allow-list NAS clients.
  • TACACS+: Put on management network; require MFA; define roles; per-command policies; send logs to SIEM.

Detect

  • Kerberos: Spikes in TGT/TGS failures; weird SPN requests; time-skew errors.
  • RADIUS: Access-Reject storms; unknown NAS; EAP or TLS (RadSec) errors.
  • TACACS+: Command-deny spikes; sudden privilege jumps; commands outside change windows.
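Three of the Detect bullets above are simple enough to run as rules over the logs you already ship to the SIEM: RADIUS reject rate per 15-minute window (the post's 5% KPI target), requests from a NAS that is not on the allow-list, and TACACS+ command denies above a per-role baseline. This is an added example written for this post, not code from the post or from any SIEM; the syslog-style key=value line format, the sample lines, the NAS allow-list and the baselines are constructed assumptions.

```python
"""Detection rules for the Detect bullets, run over constructed log lines.

Added example for this post, not code from the post or from any product. The
log format, NAS allow-list, baselines and thresholds are assumptions (the 5%
per 15-minute RADIUS reject rate is the target the post gives as a KPI).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed syslog-style lines: timestamp, source tag, then key=value pairs.
SAMPLE_LOG = """\
2024-05-02T09:00:05Z radius nas=10.0.1.5 user=alice result=Access-Accept
2024-05-02T09:00:09Z radius nas=10.0.1.5 user=bob result=Access-Accept
2024-05-02T09:02:11Z radius nas=10.0.1.6 user=carol result=Access-Reject
2024-05-02T09:03:40Z radius nas=10.0.9.99 user=alice result=Access-Reject
2024-05-02T09:05:02Z radius nas=10.0.1.5 user=dave result=Access-Accept
2024-05-02T09:07:15Z radius nas=10.0.9.99 user=admin result=Access-Reject
2024-05-02T09:09:30Z radius nas=10.0.1.6 user=erin result=Access-Accept
2024-05-02T09:11:03Z radius nas=10.0.9.99 user=root result=Access-Reject
2024-05-02T09:01:00Z tacacs device=core-sw1 user=hd.jane role=helpdesk cmd="show ip interface brief" result=PERMIT
2024-05-02T09:01:20Z tacacs device=core-sw1 user=hd.jane role=helpdesk cmd="configure terminal" result=DENY
2024-05-02T09:01:25Z tacacs device=core-sw1 user=hd.jane role=helpdesk cmd="show running-config" result=DENY
2024-05-02T09:01:31Z tacacs device=core-sw1 user=hd.jane role=helpdesk cmd="copy running-config tftp:" result=DENY
2024-05-02T09:01:44Z tacacs device=core-sw2 user=hd.jane role=helpdesk cmd="configure terminal" result=DENY
2024-05-02T09:20:00Z tacacs device=core-sw1 user=ne.raj role=neteng cmd="no aaa new-model" result=DENY
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>radius|tacacs) (?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(text: str) -> List[dict]:
    """Turn log lines into dicts; lines that do not fit the format are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {"ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")), "src": m["src"]}
        for key, value in KV_RE.findall(m["kv"]):
            ev[key] = value.strip('"')
        events.append(ev)
    return events


def radius_reject_rate(events: List[dict], window_min: int = 15, threshold: float = 0.05,
                       min_requests: int = 5) -> List[Tuple[datetime, float]]:
    """Reject ratio per fixed window (window_min must divide 60); alert above the
    threshold. min_requests keeps one failure in a quiet window from paging anyone."""
    buckets: Dict[datetime, Counter] = defaultdict(Counter)
    for ev in events:
        if ev["src"] != "radius":
            continue
        start = ev["ts"].replace(minute=(ev["ts"].minute // window_min) * window_min, second=0, microsecond=0)
        buckets[start][ev["result"]] += 1
    alerts = []
    for start, counts in sorted(buckets.items()):
        total = sum(counts.values())
        rate = counts["Access-Reject"] / total
        if total >= min_requests and rate > threshold:
            alerts.append((start, round(rate, 3)))
    return alerts


def unknown_nas(events: List[dict], allowed: Set[str]) -> List[str]:
    """Any NAS the RADIUS server heard from that is not on the allow-list."""
    return sorted({ev["nas"] for ev in events if ev["src"] == "radius" and ev["nas"] not in allowed})


def tacacs_deny_spikes(events: List[dict], baseline_per_hour: Dict[str, int]) -> List[Tuple[str, str, datetime, int]]:
    """Denies per (role, user, hour) against a per-role baseline. Baselines are
    per role because a flat admin-all role would have no denies to baseline."""
    counts: Counter = Counter()
    for ev in events:
        if ev["src"] == "tacacs" and ev["result"] == "DENY":
            hour = ev["ts"].replace(minute=0, second=0, microsecond=0)
            counts[(ev["role"], ev["user"], hour)] += 1
    return [(role, user, hour, n) for (role, user, hour), n in sorted(counts.items())
            if n > baseline_per_hour.get(role, 0)]


def run() -> dict:
    events = parse(SAMPLE_LOG)
    return {
        "radius_reject_windows": radius_reject_rate(events),
        "unknown_nas": unknown_nas(events, allowed={"10.0.1.5", "10.0.1.6"}),   # constructed allow-list
        "tacacs_spikes": tacacs_deny_spikes(events, {"helpdesk": 1, "neteng": 3}),  # constructed baselines
    }


if __name__ == "__main__":
    for name, hits in run().items():
        print(name, hits)
```

On the sample data the 09:00 window rejects half of its eight requests, 10.0.9.99 shows up as an unauthorized NAS, and hd.jane collects four denies in one hour against a helpdesk baseline of one, while ne.raj's single deny stays under the neteng baseline. Tune `min_requests` and the baselines to your own volumes before wiring any of this to a pager.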

Respond

  • Kerberos: Purge cached tickets (klist purge on Windows, kdestroy elsewhere); disable the affected accounts; fix SPNs and time sync; review delegation settings.
  • RADIUS: Quarantine bad NAS; rotate secrets; enforce EAP-TLS/RadSec.
  • TACACS+: Freeze risky roles; pull command logs; revert configs; review with change control.

Key Differences to Keep in Mind

  1. Where used: Kerberos = gates/apps; RADIUS = entering airport; TACACS+ = staff doors.
  2. Transport: RADIUS = UDP/1812 (authentication) and UDP/1813 (accounting), TCP/2083 for RadSec; TACACS+ = TCP/49; Kerberos = UDP or TCP/88 to the KDC.
  3. Encryption: Kerberos = tickets and authenticators encrypted with session keys; RADIUS = only the password attribute hidden unless RadSec wraps the exchange in TLS (EAP-TLS protects the credential, not the RADIUS attributes around it); TACACS+ = whole packet body obfuscated, header in the clear.
  4. Authorization: Kerberos = app decides; RADIUS = session attributes; TACACS+ = per-command.
  5. Common pitfalls: Kerberos = clock/SPN issues; RADIUS = MSCHAPv2, reused secrets, no TLS; TACACS+ = flat “admin-all” roles, missing logs.

Summary Table

Concept  | Definition                                                                   | Airport Example                    | Technical Example
---------|------------------------------------------------------------------------------|------------------------------------|----------------------------------------------
Kerberos | Ticket-based SSO via KDC; TGT + service tickets.                             | One boarding pass, many gates.     | AD login → tickets to SMB/SQL.
RADIUS   | AAA for VPN/Wi-Fi over UDP/1812–1813; use EAP-TLS/RadSec; avoid MSCHAPv2.    | Passenger security lane.           | VPN checks cert with RADIUS; policy assigned.
TACACS+  | AAA for device admin over TCP/49; whole body obfuscated; per-command control. | Staff-only doors with action logs. | Switch allows show, denies conf t, logs all.

Visual: Airport Decision Tree

                 What are you securing?
                      /             \
            End-user/App SSO     Network & Device
                  |                 /         \
              KERBEROS        Access (VPN/Wi-Fi)   Admin (CLI)
                                  RADIUS           TACACS+
                             UDP/1812–1813 + TLS     TCP/49

What’s Next

“802.1X Made Simple: Rolling Out EAP-TLS (and RadSec) Without Drama.”
We’ll cover cert automation, common supplicant issues, and clean controller configs.


🌞 The Last Sun Rays…

  • Boarding passes moving you between gates = Kerberos.
  • Security lanes letting you into the airside = RADIUS (use EAP-TLS/RadSec).
  • Staff-only doors with full checks = TACACS+.

KPI quick targets: Kerberos TGS failures < 0.5% of requests; RADIUS reject rate > 5% in any 15-minute window raises an alert; TACACS+ command denies baselined per role, with alerts on deviation from that baseline.

Reflection: Which single metric would make you catch trouble fastest tomorrow—Kerberos failures, RADIUS rejects, or TACACS+ command denies?
