Authentication Methods for CompTIA Network+ N10-009

Authentication verifies identity before granting network access. CompTIA Network+ N10-009 tests authentication concepts including multi-factor authentication, authentication protocols (RADIUS, TACACS+, 802.1X, LDAP, Kerberos), and certificate-based authentication. Authentication questions appear throughout the Security domain and in wireless and VPN implementation contexts.

Authentication Factors

Authentication factors:

  • Something you know (password, PIN, security question — weakest factor)
  • Something you have (smart card, hardware token, phone — second factor)
  • Something you are (biometrics — fingerprint, retina, facial recognition)
  • Somewhere you are (location-based — GPS, IP geolocation)
  • Something you do (behavioral — typing patterns, gait)

Multi-Factor Authentication (MFA): requires two or more factors from different categories. A password + OTP (one-time password) = MFA (something you know + something you have). Password + security question = NOT MFA (both are something you know — same category). 2FA is MFA with exactly two factors. MFA dramatically reduces account compromise risk — even if a password is stolen, the second factor is required.

Single Sign-On (SSO): authenticate once and access multiple systems without re-entering credentials. Examples: Kerberos (enterprise), OAuth/OIDC (web/cloud), SAML (federated identity). SSO improves user experience but makes the authentication system a high-value target.

AAA Protocols

RADIUS (Remote Authentication Dial-In User Service): UDP 1812 (authentication/authorization), UDP 1813 (accounting). Widely used for network device access control and 802.1X wireless. Encrypts only the password in Access-Request packets. Open standard.
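
The "encrypts only the password" behaviour, as an added Python example that is not part of the original page: it builds an Access-Request using the User-Password hiding defined in RFC 2865 section 5.2 and parses it back, showing that User-Name still travels in cleartext. The shared secret, credentials and fixed Request Authenticator are constructed sample values, and the function names are this example's own.

```python
import hashlib
import struct

# Constructed sample values (assumptions for this example only).
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))  # a real client uses 16 unpredictable bytes
USERNAME, PASSWORD = b"alice", b"correct horse battery"

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: c(i) = p(i) XOR MD5(secret + c(i-1)), with c(0) = Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # pad to 16-byte blocks
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: reverse the hiding with the same shared secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")

def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value  # type, length, value

def build_access_request(ident: int) -> bytes:
    # Attribute 1 = User-Name (sent as-is), attribute 2 = User-Password (hidden).
    attrs = attribute(1, USERNAME) + attribute(2, hide_password(PASSWORD, SECRET, REQUEST_AUTH))
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))  # code 1 = Access-Request
    return header + REQUEST_AUTH + attrs

def parse_attributes(packet: bytes) -> dict:
    """Walk the attributes after the 20-byte header, rejecting bad lengths."""
    total, pos, attrs = struct.unpack("!H", packet[2:4])[0], 20, {}
    while pos + 2 <= total:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > total:
            raise ValueError("malformed attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs
```

Anyone capturing this packet reads the username directly; the password is recoverable only with the shared secret, which is the contrast with TACACS+ encrypting the entire payload.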

TACACS+ (Terminal Access Controller Access-Control System Plus): Cisco proprietary. TCP 49. Encrypts the entire payload (more secure than RADIUS). Separates authentication, authorization, and accounting into distinct functions — more granular control. Preferred for network device administration (routers, switches) where per-command authorization is needed. RADIUS preferred for network access (802.1X).

LDAP (Lightweight Directory Access Protocol): TCP/UDP 389 (LDAPS: TCP 636). Protocol for accessing and maintaining directory services (user accounts, groups). Active Directory uses LDAP. RADIUS servers often authenticate against LDAP/AD for user validation.

Kerberos: ticket-based SSO authentication used in Windows Active Directory. Users authenticate to the KDC (Key Distribution Center) and receive tickets (TGT — Ticket Granting Ticket). Services exchange tickets rather than passwords. Uses symmetric encryption. Port 88.

Certificate-Based Authentication

Digital certificates use asymmetric cryptography (public/private key pairs) to authenticate without transmitting passwords. PKI (Public Key Infrastructure) manages certificate issuance and verification. CA (Certificate Authority) signs certificates, vouching for the identity of the certificate holder. Common uses: TLS/HTTPS server authentication, client certificate authentication (most secure), Wi-Fi Enterprise (EAP-TLS), VPN authentication.

EAP (Extensible Authentication Protocol): framework for wireless and VPN authentication. EAP-TLS: mutual certificate-based authentication (both client and server have certificates — most secure). EAP-TTLS/PEAP: server certificate only — client authenticates with credentials inside a TLS tunnel. 802.1X uses EAP.

Key exam facts — Network+

  • MFA = two or more factors from different categories; same category ≠ MFA
  • RADIUS: UDP 1812/1813; encrypts only password; used for 802.1X and network access
  • TACACS+: TCP 49; encrypts entire payload; Cisco; better for device administration
  • LDAP: directory access protocol; port 389/636 (LDAPS); used by Active Directory
  • Kerberos: ticket-based SSO; KDC issues TGT; port 88; used in Windows AD
  • EAP-TLS: mutual certificate auth (most secure); PEAP: server cert + credential tunnel
  • Certificate = asymmetric key pair; CA signs to vouch for identity

Common exam traps

RADIUS and TACACS+ are interchangeable

RADIUS uses UDP, encrypts only the password, and is preferred for network access (802.1X, VPN). TACACS+ uses TCP, encrypts the entire payload, separates AAA functions, and is preferred for network device management where per-command authorization is needed.

A password plus a security question is MFA

Both a password and a security question are 'something you know' — the same authentication factor category. MFA requires factors from different categories (know + have, or know + are).

Practice questions — Authentication Methods

These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.

Q1. A network team wants to implement centralized authentication for managing all network devices (routers, switches, firewalls) with the ability to log and control individual commands issued per user. Which AAA protocol is most appropriate?

A. RADIUS
B. TACACS+
C. LDAP
D. Kerberos

Explanation: TACACS+ is the preferred protocol for network device administration because it separates authentication, authorization, and accounting into distinct functions, encrypts the entire session payload, and supports per-command authorization (each command can be individually permitted or denied per user). RADIUS is better suited for network access control (802.1X). LDAP is a directory access protocol, not an AAA protocol for device administration.

Frequently asked questions — Authentication Methods

What is the difference between authentication, authorization, and accounting?

Authentication (AuthN): verifying who you are — 'prove your identity.' Methods: password, certificate, biometric. Authorization (AuthZ): determining what you are allowed to do after authentication — 'what can you access?' Methods: ACLs, roles, permissions. Accounting: recording what you did — 'what actions were taken?' Logged for audit, compliance, and forensics. All three together = AAA, implemented by RADIUS or TACACS+.
