
Version 4.1 - 1.9 Authentication and Authorization

If you really want to know Authentication and Authorization (and Accounting), you need to read some books. I read two books for the SISAS exam (to renew my CCNPs) that covered this topic inside and out. The first book was AAA Identity Management Security. The second book was Cisco ISE for BYOD and Secure Unified Access. The first book is a bit expensive (get it on a holiday special or read it on Safari), but it's really good. The second book is HUGE (about as thick as the ASA All-in-One book) and takes a lot of effort to get through. But it is well worth it.

Before I read those books, I knew AAA. I've configured it on switches and routers and knew how to click my way around ACS. After reading those books, I really understood RADIUS, TACACS+, AAA, Identity Management, authentication and authorization policies, ISE and 802.1X. TrustSec was another topic that entered my wheelhouse. It was well worth the effort.

Another reminder: there are only going to be around 14 questions on all of section 1. So I'm going to stick mainly to the subtopics listed in the blueprint. I could probably go on and on about AAA now, but I'm comfortable with the topic and you need to read those books!

So let's start with SSO (Single Sign On). This is simply the idea that you sign on once and those credentials are automatically relayed to other devices that would normally prompt you to log on again. Now this is not any device asking for your credentials - just those within a certain "Circle of Trust." You've been using this concept for years (even if you don't realize it). Active Directory does this. You sign into the domain and the Domain Controller authenticates you. When you go to a folder on the network, you don't get a prompt for each server you use. Your computer sends that information to the server on your behalf. That's basically SSO in a nutshell. Be advised that Cisco also uses "SSO" as an acronym for Stateful Switchover. Use the context of the question to determine which one of these SSO topics is on any particular question.

OTPs are One Time Passwords. Note that this is not something that is native to Cisco devices themselves. You're basically configuring authentication to hand off to some type of external OTP system. Normally this is used as "two-factor" authentication. Relate this to your RSA key fob. All that thing does is help you find your keys and generate a new number every so many seconds. That number is part of a one-time password. [Normally you have to use that number and a PIN.] But that's the concept: you use that password one time. The other related idea is that this is more secure than a simple password. If someone cracks your current password, they're you. By the time they crack your current OTP, it has changed. They can't become you. [At least not that way.]
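To make the "new number every so many seconds" idea concrete, here is an added example (not from the original post, and not RSA's proprietary SecurID algorithm) that implements a standard TOTP generator in the style of RFC 6238 plus the server-side check. The shared secret, the PIN "1234" and the timestamps are constructed for the demonstration; the secret happens to be the RFC 6238 test-vector secret so the codes can be checked against the RFC. The passcode layout (PIN followed by the token code) is an assumption modelled on the fob-plus-PIN login described above.

```python
import hashlib
import hmac
import struct

TIME_STEP = 30   # seconds each token code stays valid ("every so many seconds")
DIGITS = 6       # length of the token code shown on the fob

# Constructed shared secret, provisioned to both the token and the server.
# (It is the RFC 6238 test-vector secret, so the codes can be checked against the RFC.)
SECRET = b"12345678901234567890"


def totp(secret: bytes, at_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the TIME_STEP window that contains at_time."""
    counter = at_time // TIME_STEP                       # window number since the epoch
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


class OtpVerifier:
    """Server side of the check: PIN (something you know) + token code (something you have).

    The passcode is assumed to be the PIN followed by the current code. A time window
    that has already been used for a successful login is never accepted again, so a
    passcode that was observed once is useless after it has been spent."""

    def __init__(self, secret: bytes, pin: str):
        self.secret = secret
        self.pin = pin
        self.last_counter = -1   # highest window already consumed by a successful login

    def verify(self, passcode: str, now: int) -> bool:
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
        counter = now // TIME_STEP
        pin_ok = hmac.compare_digest(pin.encode(), self.pin.encode())
        code_ok = hmac.compare_digest(code.encode(), totp(self.secret, now).encode())
        fresh = counter > self.last_counter            # rejects reuse of a spent window
        if pin_ok and code_ok and fresh:
            self.last_counter = counter
            return True
        return False


if __name__ == "__main__":
    server = OtpVerifier(SECRET, pin="1234")
    passcode = "1234" + totp(SECRET, 45)               # constructed login at t=45 seconds
    print("first use at t=45:  ", server.verify(passcode, 45))   # True
    print("reuse at t=55:      ", server.verify(passcode, 55))   # False: window already spent
    print("reuse at t=90:      ", server.verify(passcode, 90))   # False: the code has rolled over
    print("fresh code at t=90: ", server.verify("1234" + totp(SECRET, 90), 90))   # True
```

The `last_counter` check is the piece people forget: without it, a passcode is still good for the rest of its 30-second window even after it was used, which is exactly the "they're you" situation the OTP is meant to close. A production verifier would normally also allow one step of clock drift either way; that was left out so the replay point stays clear.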

The next topic is LDAP (Lightweight Directory Access Protocol). It is an Internet standard. RFC 4511 covers the LDAP protocol. If it pains you to read this RFC, at least look at the table of contents. This is the one that identifies each directory entry by a Distinguished Name (DN).
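Since the Distinguished Name is the part of LDAP you will actually see in ISE and ACS configuration, here is an added example (not from the original post) that parses and builds the string form of a DN as defined in RFC 4514, the companion to RFC 4511. The DN values in the usage section are constructed; nothing here is a real directory.

```python
import re

_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")
_MUST_ESCAPE = set('"+,;<>\\')          # RFC 4514 section 2.4: always escaped in a value


def parse_dn(dn: str) -> list:
    """Split an RFC 4514 string DN into RDNs, as [[(type, value), ...], ...].

    Handles backslash escapes (\\, and hex pairs such as \\2C) and multi-valued RDNs
    joined with '+'. Attribute types are lowercased because they are case-insensitive."""
    if not dn:
        return []
    rdns, rdn = [], []
    attr_type, buf = None, bytearray()
    i, n = 0, len(dn)

    def flush():
        nonlocal attr_type, buf
        if attr_type is None:
            raise ValueError("RDN without '=' in %r" % dn)
        rdn.append((attr_type.strip().lower(), buf.decode("utf-8")))
        attr_type, buf = None, bytearray()

    while i < n:
        ch = dn[i]
        if ch == "\\":
            if i + 1 >= n:
                raise ValueError("dangling backslash at end of DN")
            pair = dn[i + 1:i + 3]
            if _HEX_PAIR.fullmatch(pair):          # \2C -> one raw byte (0x2C is ',')
                buf.append(int(pair, 16))
                i += 3
            else:                                  # \, \+ \\ etc. -> the literal character
                buf += dn[i + 1].encode("utf-8")
                i += 2
            continue
        if ch == "=" and attr_type is None:        # first unescaped '=' ends the type
            attr_type = buf.decode("utf-8")
            buf = bytearray()
        elif ch == "+":                            # another type=value in the same RDN
            flush()
        elif ch == ",":                            # next RDN
            flush()
            rdns.append(rdn)
            rdn = []
        else:
            buf += ch.encode("utf-8")
        i += 1
    flush()
    rdns.append(rdn)
    return rdns


def escape_dn_value(value: str) -> str:
    """Escape an attribute value per RFC 4514 section 2.4 so it cannot be read as DN syntax."""
    out = []
    last = len(value) - 1
    for idx, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _MUST_ESCAPE:
            out.append("\\" + ch)
        elif (idx == 0 and ch in " #") or (idx == last and ch == " "):
            out.append("\\" + ch)                  # leading space/'#' and trailing space
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns) -> str:
    """Inverse of parse_dn: render RDNs, escaping every value."""
    return ",".join("+".join("%s=%s" % (t, escape_dn_value(v)) for t, v in rdn) for rdn in rdns)


if __name__ == "__main__":
    # Constructed DNs, including an escaped comma inside a value.
    for sample in ("cn=John Doe,ou=Users,dc=example,dc=com", r"cn=Doe\, John+uid=jdoe,ou=Users,dc=example,dc=com"):
        print(sample, "->", parse_dn(sample))
    print(build_dn([[("cn", "Doe, John")], [("ou", "Users")], [("dc", "example")]]))
```

Two things worth noticing. A DN is a structure, not a string: comparing DNs as raw text fails on escaping and type case, so compare the parsed form. And when you assemble a DN from a value you did not type yourself (a username from a login form, say), run it through `escape_dn_value`; a comma or plus sign in the raw value would otherwise be parsed as an extra RDN.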

Authentication and authorization can be performed by Active Directory (AD). Like I said, read the books. They cover Active Directory integration into the authentication (and authorization) process. I dare not start talking about Active Directory because I may not stop for a very long time.

RBAC is Role Based Access Control. You will see this in many places. Basically your access is based upon your role. If you're familiar with Windows (and AD), think about groups such as Administrators, Domain Administrators and Backup Operators. Users are placed in a group based upon their role, and the permissions are applied to the role rather than to each individual user account.
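Here is an added example (not from the original post) of the model just described in code: permissions are attached to roles, users are attached to roles, and a user's effective access is computed by walking the roles, including roles that are members of other roles the way AD groups can be nested. The role names echo the Windows groups mentioned above, but the permissions and users are constructed and do not represent what those real groups grant.

```python
class Rbac:
    """Role-based access control with nested roles (group-in-group membership).

    Permissions hang off roles, never off users; a user's access is the union of the
    permissions of every role reached through direct and nested membership."""

    def __init__(self):
        self.role_perms = {}      # role -> set of permissions granted to that role
        self.role_parents = {}    # role -> roles this role is itself a member of
        self.user_roles = {}      # user -> roles assigned directly

    def define_role(self, role, permissions=(), member_of=()):
        self.role_perms[role] = set(permissions)
        self.role_parents[role] = set(member_of)

    def assign(self, user, *roles):
        unknown = [r for r in roles if r not in self.role_perms]
        if unknown:
            raise KeyError("undefined role(s): %s" % ", ".join(unknown))
        self.user_roles.setdefault(user, set()).update(roles)

    def effective_roles(self, user):
        """All roles the user holds, following nested membership; the seen set makes it cycle-safe."""
        seen, stack = set(), list(self.user_roles.get(user, ()))
        while stack:
            role = stack.pop()
            if role in seen:
                continue
            seen.add(role)
            stack.extend(self.role_parents.get(role, ()))
        return seen

    def permissions(self, user):
        return set().union(*(self.role_perms.get(r, set()) for r in self.effective_roles(user)))

    def authorize(self, user, permission):
        """Deny by default: an unknown user or an unknown permission both return False."""
        return permission in self.permissions(user)


def build_sample() -> Rbac:
    """Constructed example modelled on familiar Windows group names (not a real directory)."""
    r = Rbac()
    r.define_role("users", ["read"])
    r.define_role("backup operators", ["backup"], member_of=["users"])
    r.define_role("administrators", ["write", "manage_users"], member_of=["users"])
    r.define_role("domain admins", member_of=["administrators"])   # nested: inherits administrators
    r.assign("alice", "domain admins")
    r.assign("bob", "backup operators")
    return r


if __name__ == "__main__":
    rbac = build_sample()
    for user in ("alice", "bob", "mallory"):
        print(user, sorted(rbac.effective_roles(user)), sorted(rbac.permissions(user)))
    # Changing a role's permissions changes every member's access at once; nobody is edited individually.
    rbac.role_perms["users"].add("print")
    print("bob can print:", rbac.authorize("bob", "print"))
```

The payoff of putting permissions on the role is in the last two lines: adding one permission to "users" takes effect for everybody who reaches that role, directly or through nesting, without touching a single user account. The flip side, and the reason nested group membership deserves auditing, is that a user's effective permissions can be much wider than what their direct group suggests.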

And with that I am going to end my discussion of topic 1.9. I got this.
