Glossary
802.1X
802.1X is an IEEE standard for port-based network access control that ties AAA to the point where a device plugs in or associates. When a device (called a supplicant) first contacts a NAS (called an authenticator), the port accepts only authentication traffic (EAPoL frames) and drops everything else. The authenticator forwards the device’s authentication data to a RADIUS server (called the authentication server), which verifies the credentials presented by the device. If the credentials are valid, the authentication server returns an Access-Accept to the authenticator, which then opens the port and lets the supplicant onto the network. The authentication server can also instruct the authenticator to place the supplicant in a specific VLAN.
802.1X operates at the data link layer and can carry any EAP authentication method. It keeps unauthorized devices off the network by enforcing authentication before any other traffic is forwarded. The protocol is used in both wired and wireless LANs for port-based network access control; on Wi-Fi it is the basis of WPA2-Enterprise and WPA3-Enterprise.
AAA: Authentication, Authorization, and Accounting
Accounting
Accounting lets a network device (the NAS) report session information to the RADIUS server for billing, auditing, and reporting. It lets you track and keep a log of every session, including administrative (management) sessions on the device itself. RADIUS accounting uses Accounting-Request packets with a Start, Interim-Update, or Stop status, sent to a port separate from authentication (UDP 1813 by default).
Accounting records details such as session start and stop times, duration, data usage, and actions performed. This data helps in monitoring network usage, detecting anomalies, and generating usage reports for compliance and operational analysis.
Agentless
Agentless is a common industry term that means checking endpoint compliance without installing a special software agent. This method uses existing tools or built-in features on the device to gather information.
In Portnox Cloud, the term agentless means no Portnox AgentP is installed on the device. Instead, compliance data is collected through built-in agents like the Windows Intune agent or agents from other UEM or MDM software. These existing agents provide the necessary information without needing an extra agent.
Authentication
Authentication is the process of verifying the identity of the person or device accessing your network. It involves validating credentials such as usernames and passwords, digital certificates, or cryptographic tokens. Authentication ensures that only users and devices that can prove who they are proceed further, providing the first layer of security before authorization and access control are applied.
Authorization
Authorization is the process of deciding what an authenticated user or device is allowed to do once its identity has been verified. In network access control this typically means whether access is granted at all, which VLAN the device is placed in, or which access restrictions apply, based on the identity, the device type, and its compliance state. Authentication answers who you are; authorization answers what you may access.
CIDR (Classless Inter-Domain Routing)
Classless Inter-Domain Routing (CIDR) is a method of allocating and managing IP addresses more efficiently. Instead of using traditional class-based addressing, CIDR allows for flexible allocation of address space by using a slash notation (e.g., /24) to indicate the number of network bits in an IP address, allowing for better utilization of available addresses and easier routing.
CIDR notation combines the IP address with a prefix length to define network and host portions. It supports aggregation of multiple IP ranges into a single routing entry, reducing the size of routing tables and improving routing efficiency across the internet and private networks.
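The prefix and mask arithmetic described above, as an added example that is not Portnox code: it parses CIDR notation on plain integers so the mechanics are visible (the standard library’s ipaddress module does the same in production), rejects host addresses written as networks, aggregates aligned siblings into one supernet, and does the longest-prefix match a RADIUS server performs when choosing which client definition (and therefore which shared secret) applies to a NAS address. The client table is a constructed sample.

```python
from typing import List, Optional, Tuple

# Added example, not Portnox code. Client definitions below are constructed.
MASK32 = 0xFFFFFFFF


def ip_to_int(ip: str) -> int:
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    value = 0
    for part in parts:
        value = (value << 8) | int(part)
    return value


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_mask(prefix_len: int) -> int:
    """/24 -> 0xFFFFFF00: the top prefix_len bits are network bits."""
    return (MASK32 << (32 - prefix_len)) & MASK32


def parse_cidr(cidr: str, strict: bool = True) -> Tuple[int, int]:
    """Return (network_int, prefix_len). In strict mode reject '10.1.2.3/24', which
    names a host, not a network; that mistake silently changes what an ACL covers."""
    addr, sep, plen = cidr.partition("/")
    if sep != "/" or not plen.isdigit() or int(plen) > 32:
        raise ValueError(f"not CIDR notation: {cidr!r}")
    prefix_len = int(plen)
    network = ip_to_int(addr)
    mask = prefix_mask(prefix_len)
    if strict and network & ~mask & MASK32:
        raise ValueError(f"host bits set in {cidr!r}; did you mean "
                         f"{int_to_ip(network & mask)}/{prefix_len}?")
    return network & mask, prefix_len


def contains(cidr: str, ip: str) -> bool:
    network, prefix_len = parse_cidr(cidr)
    return ip_to_int(ip) & prefix_mask(prefix_len) == network


def address_count(cidr: str) -> int:
    return 1 << (32 - parse_cidr(cidr)[1])


def summarize(cidr_a: str, cidr_b: str) -> Optional[str]:
    """Aggregate two networks into one route when they are aligned siblings
    (same length, differing only in the last network bit), e.g. two /24s -> one /23."""
    (net_a, len_a), (net_b, len_b) = parse_cidr(cidr_a), parse_cidr(cidr_b)
    if len_a != len_b or len_a == 0 or net_a == net_b:
        return None
    parent = prefix_mask(len_a - 1)
    if net_a & parent != net_b & parent:
        return None
    return f"{int_to_ip(net_a & parent)}/{len_a - 1}"


def longest_prefix_match(clients: List[Tuple[str, str]], ip: str) -> Optional[Tuple[str, str]]:
    """Pick the most specific matching entry: a RADIUS server resolves a NAS
    source address to a client definition this way, so a broad /0 or /8 entry
    shares its secret with every host in that range."""
    best = None
    for cidr, label in clients:
        if contains(cidr, ip) and (best is None or parse_cidr(cidr)[1] > parse_cidr(best[0])[1]):
            best = (cidr, label)
    return best


if __name__ == "__main__":
    clients = [("0.0.0.0/0", "fallback"), ("10.0.0.0/8", "corp"), ("10.1.2.0/24", "floor2")]
    print(longest_prefix_match(clients, "10.1.2.9"))
    print(summarize("192.168.0.0/24", "192.168.1.0/24"))
```

The strict check matters when CIDR strings come from configuration: "10.1.2.3/24" is accepted by many tools and silently normalized to 10.1.2.0/24, which may not be what the administrator meant.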
EAP (Extensible Authentication Protocol)
The Extensible Authentication Protocol (EAP, RFC 3748) is an authentication framework rather than a single authentication method. Specific EAP methods such as EAP-TLS, PEAP, EAP-TTLS, and EAP-MD5 define the actual credential exchange. EAP is used in 802.1X communications. Between the supplicant and the authenticator (switch or access point), EAP packets are carried in EAPoL (EAP over LAN) frames; between the authenticator and the authentication server (RADIUS server) they are carried inside RADIUS EAP-Message attributes (RFC 3579). The authenticator relays the EAP conversation without interpreting it, so the method is negotiated end to end between the supplicant and the RADIUS server.
EAP itself does not define an authentication mechanism; it provides a standard way to negotiate a method and transport its messages. Whether mutual authentication and key derivation are available depends on the method: EAP-TLS, PEAP, and EAP-TTLS authenticate the server with a certificate and export keying material used to encrypt the Wi-Fi link, while EAP-MD5 authenticates only the client with a hash, derives no keys, and is unsuitable for wireless networks. EAP messages are exchanged during the network access control process before network access is granted.
Endpoint compliance
Endpoint compliance is a common industry term that refers to checking if a device meets specific security rules before it is allowed to access a network (security posture assessment). These rules may include having updated software, antivirus protection, and proper configuration. Devices that do not meet these requirements are considered non-compliant.
Compliance checks are typically performed using software agents installed on the device. These agents collect information about the device’s security status, such as operating system updates, installed applications, and security settings. Some devices may use built-in management agents provided by their operating systems to report compliance data. The collected information is compared to policy requirements to determine if the device is compliant.
Fast reconnect
Fast reconnect, also known as EAP session resumption, is a function that lets devices re-authenticate to the NAS quickly. After the first full authentication, the RADIUS server issues the device a session identifier (for TLS-based methods such as PEAP and EAP-TLS, a TLS session ID or session ticket) and caches the session state. When the device later reconnects, for example after losing the link or roaming to another access point, it presents that identifier in the EAP exchange. If the RADIUS server recognizes the identifier and the session is still valid (depending on the session lifetime), it resumes the session immediately. This reduces the time and resources required for authentication; for example, it eliminates the need to contact authentication repositories after every reconnection.
Fast reconnect relies on caching the session keys and identifiers on both the client and the RADIUS server. It supports quicker re-establishment of encrypted sessions without repeating the full EAP authentication exchange, improving connection speed and reducing authentication server load. Session validity is controlled by configurable timeouts. Because a resumed session skips the credential check, a user whose account has since been disabled can still reconnect until the cached session expires, so keep the session lifetime short enough for your revocation needs.
IoT (Internet of Things)
The Internet of Things (IoT) is a network that connects physical objects, such as devices with sensors and communication abilities, to the Internet. These objects can collect and share data without humans controlling them directly. There is no formal test for whether a given physical device counts as an IoT device. For the purposes of Portnox Cloud, we use the term “IoT device” to refer to any device that is not directly used by humans and has no user accounts, but still forms part of the network. This includes devices like printers, scanners, surveillance cameras, air conditioners, and any other networked devices in company offices that might be connected to the company network.
IPSK (Identity Pre-Shared Key)
IPSK (Identity Pre-Shared Key) is a Wi-Fi authentication method supported by major manufacturers’ access points that allows multiple pre-shared keys (PSKs) on the same SSID. Each key can be linked to a specific device or user and checked against a RADIUS server, which returns the key for that device so the access point can validate the WPA handshake. For devices using MAB, IPSK improves security by requiring both the MAC address and the PSK to match. This mitigates MAC spoofing, since copying the MAC address alone isn’t enough to connect, although a PSK extracted from a compromised device can still be reused together with that device’s MAC address.
IPSK integrates with RADIUS servers to validate credentials and enforce policies per user or device. It allows centralized management of multiple keys and provides better control over Wi-Fi network access compared to traditional single PSK methods.
Network access layers
Network access layers refer to the different ways devices can connect to a network: wireless, wired, and VPN. These layers define how devices establish communication and access network resources using technologies like Wi-Fi, Ethernet, or virtual private networks (VPNs).
Each access layer has specific protocols and security mechanisms. Wired access typically uses Ethernet with IEEE 802.3 standards. Wireless access uses IEEE 802.11 (Wi-Fi) standards and includes encryption methods like WPA3. VPN access creates secure tunnels over public networks using protocols such as IPsec or SSL/TLS to protect data in transit.
LDAP (Lightweight Directory Access Protocol)
The Lightweight Directory Access Protocol is a protocol used for managing and accessing directory information within a computer network. LDAP organizes information about users, such as names, contact details, group memberships, and other relevant data, as entries in a hierarchical tree. The term is also often used to describe the servers that store directory information and make it accessible using this protocol.
LDAP operates over TCP/IP, typically on port 389 (plaintext, optionally upgraded to TLS with STARTTLS) and port 636 (LDAPS, TLS from the start). It uses a hierarchical structure derived from X.500 but is much lighter than X.500’s DAP: it runs directly over TCP instead of the OSI stack and encodes messages in ASN.1 BER. (LDIF, the LDAP Data Interchange Format, is a text file format for importing and exporting entries, not the wire protocol.) LDAP supports binding (authenticating), searching, comparing, adding, modifying, and deleting directory entries and is widely used for authentication and authorization services. A simple bind sends the password in the clear, so binds should only be allowed over TLS-protected connections.
MAB (MAC Authentication Bypass)
MAC Authentication Bypass (MAB) is a workaround for connecting devices that cannot do 802.1X to 802.1X networks. In an 802.1X network, devices are normally required to authenticate using a username and password, a digital certificate, or another EAP method before gaining access. Some devices, such as printers, IP phones, and other IoT devices, have no 802.1X supplicant. To accommodate them, network administrators pre-register the MAC addresses of approved devices. When such a device connects, the NAS sends its MAC address to the RADIUS server as the device’s identity, and the server grants access if the address is on the approved list. The NAS must support MAB for this to be possible.
MAB operates by sending the device’s MAC address as the User-Name (and usually also as the User-Password) to the RADIUS server for authentication. It provides limited security compared to 802.1X because a MAC address is visible on the wire and on device labels and can be spoofed by anyone who learns it, so MAB devices should be placed in a restricted VLAN with only the access they need. MAB is often used as a fallback method when 802.1X authentication times out or is unsupported by the device.
MAC address (Media Access Control)
A MAC address is a unique identifier assigned to a network interface for communication within a local network. It is a 48-bit (EUI-48) value written as six hexadecimal octets and is typically associated with Ethernet or Wi-Fi interfaces. The Address Resolution Protocol (ARP) maps IPv4 addresses to MAC addresses so that devices on the same segment can deliver frames to each other.
MAC addresses consist of two parts: the first 24 bits identify the manufacturer (the OUI), and the last 24 bits are assigned by the manufacturer as a unique interface identifier. Two bits in the first octet carry flags: the lowest bit marks a multicast (group) address, and the second-lowest bit marks a locally administered address. Operating systems that randomize Wi-Fi MAC addresses for privacy set the locally administered bit, so such addresses carry no registered OUI and are unreliable identifiers for MAB. MAC addresses operate at the data link layer (Layer 2) of the OSI model and are essential for local network traffic delivery.
NAS (network access server)
In the context of RADIUS, the network access server is a device or software component that provides a point of entry for users to access a network. It acts as a gateway between the user’s device and the network infrastructure. The NAS receives the user’s authentication request, forwards it to the RADIUS server (acting as the RADIUS client), and applies the server’s response, for example by opening the port, assigning a VLAN, or rejecting the connection. Typical NAS devices are routers, switches, wireless access points and controllers, and VPN servers. They are responsible for controlling user access to network resources, enforcing security policies, and managing network connections. Not to be confused with network-attached storage, which shares the abbreviation.
OUI (organizationally unique identifier)
An OUI is the first part of the MAC address, identifying the manufacturer of the interface. OUIs are administered by the IEEE, which assigns unique codes to manufacturers. They are also called MAC prefixes or Ethernet prefixes.
An OUI consists of 24 bits (three bytes) written as the first six hexadecimal digits of a MAC address. It is used by network tools and monitoring systems to identify device vendors and can be looked up in the public IEEE registration database. An OUI lookup is only meaningful for universally administered addresses; a locally administered address (for example a randomized Wi-Fi address) carries no registered OUI, so vendor-based device classification must treat it as unknown.
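The MAC address and OUI handling described above, as an added example that is not Portnox code: it canonicalizes the MAC formats that different NASes send, splits off the OUI, reads the locally administered and multicast flag bits, and applies the two checks a MAB policy should make before trusting an address. The OUI table is a tiny constructed sample; the authoritative source is the IEEE registry.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Added example, not Portnox code. Constructed sample of the IEEE OUI registry.
OUI_TABLE = {
    "00:50:56": "VMware, Inc.",
    "b8:27:eb": "Raspberry Pi Foundation",
}

_SEPARATORS = re.compile(r"[\s:.\-]")
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Accept colon, hyphen, Cisco dotted, or bare forms; return lower-case colon form.

    NASes format the MAC differently in User-Name and Calling-Station-Id, so a
    policy server must canonicalize before comparing against an allow list.
    """
    digits = _SEPARATORS.sub("", raw).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class MacInfo:
    mac: str
    oui: str
    vendor: Optional[str]
    locally_administered: bool  # bit 1 of the first octet (U/L bit)
    multicast: bool             # bit 0 of the first octet (I/G bit)

    @property
    def stable_identity(self) -> bool:
        """False for randomized/locally administered or group addresses: unsafe as a MAB identity."""
        return not (self.locally_administered or self.multicast)


def inspect_mac(raw: str) -> MacInfo:
    mac = normalize_mac(raw)
    first_octet = int(mac[:2], 16)
    oui = mac[:8]
    return MacInfo(
        mac=mac,
        oui=oui,
        vendor=OUI_TABLE.get(oui),
        locally_administered=bool(first_octet & 0x02),
        multicast=bool(first_octet & 0x01),
    )


def mab_decision(raw: str, allow_list: Iterable[str]) -> str:
    """Apply the checks a MAB policy should make before trusting a MAC."""
    info = inspect_mac(raw)
    if not info.stable_identity:
        return "reject: locally administered or multicast address"
    if info.mac not in {normalize_mac(m) for m in allow_list}:
        return "reject: unknown MAC"
    return f"accept: {info.vendor or 'unknown vendor'} ({info.oui})"


if __name__ == "__main__":
    for candidate in ("0050.5612.3456", "B8-27-EB-00-11-22", "da:a1:19:01:02:03"):
        print(candidate, "->", mab_decision(candidate, ["00:50:56:12:34:56", "da:a1:19:01:02:03"]))
```

The third sample address has the locally administered bit set, which is what a phone with MAC randomization enabled presents; even though it is on the allow list, the policy refuses it because the address can change at the next connection and identifies no particular hardware.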
Policy enforcement
Policy enforcement is the process of defining and applying rules that control network access based on factors such as user roles, device types, location, and time. These rules determine what resources a user or device can access.
For example, a policy might restrict a contractor’s laptop to only connect to the guest Wi-Fi network and block access to internal company resources. Enforcement ensures that network access follows the organization’s security requirements.
RADIUS (Remote Authentication Dial-In User Service)
RADIUS (RFC 2865) is a network protocol that lets you manage access to your networks. Network devices such as switches and access points use RADIUS to authenticate and authorize devices trying to connect to the network, such as computers, mobiles, and IoT devices.
RADIUS works over UDP, by default on port 1812 for authentication and authorization and port 1813 for accounting (older deployments use 1645 and 1646). It uses a client-server model in which the network device (the NAS) acts as the client and forwards the user’s credentials to a central RADIUS server. A single Access-Request/Access-Accept exchange returns both the authentication decision and authorization attributes such as the VLAN to assign; accounting is a separate exchange. Packets are protected only by an MD5-based authenticator keyed with a shared secret, and most attributes travel in the clear, so classic RADIUS should not cross untrusted networks without RadSec or IPsec.
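The exchange described under MAB and RADIUS above, as an added example that is not Portnox code and not a real NAS or server: it builds the Access-Request a NAS sends for a MAB client (the MAC as User-Name and User-Password), applies the RFC 2865 User-Password hiding with the shared secret, has a toy server check the MAC against an allow list and answer with an Access-Accept carrying a VLAN assignment (RFC 2868 tunnel attributes), and has the NAS side verify the Response Authenticator. The MAC, secret, and allow list are constructed; the Calling-Station-Id format is one of several vendors use.

```python
import hashlib
import hmac
import os
import struct

# Added example, not Portnox code. Codes and attribute types from RFC 2865 / RFC 2868.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE, CALLING_STATION_ID = 1, 2, 6, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
SERVICE_TYPE_CALL_CHECK = 10  # value NASes conventionally send for MAB


def attr(attr_type, value):
    """Type-Length-Value encoding; Length counts the two header bytes."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data):
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_mab_request(mac, secret, ident, request_auth=None):
    """What a NAS sends for a MAB client: the MAC is both User-Name and User-Password."""
    clean = mac.lower().translate(str.maketrans("", "", ":-."))
    if len(clean) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    request_auth = request_auth or os.urandom(16)
    attrs = attr(USER_NAME, clean.encode())
    attrs += attr(USER_PASSWORD, hide_password(clean.encode(), secret, request_auth))
    attrs += attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
    dashed = "-".join(clean[i:i + 2] for i in range(0, 12, 2)).upper()  # one common vendor format
    attrs += attr(CALLING_STATION_ID, dashed.encode())
    return packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_respond(request, secret, allowed_macs, vlan="100"):
    """Toy authentication server: accept known MACs and assign a VLAN (RFC 2868, tag 1)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = dict(parse_attrs(request[20:length]))
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    accepted = user in allowed_macs and password == user.encode()
    resp_attrs = b""
    if accepted:
        resp_attrs += attr(TUNNEL_TYPE, b"\x01" + b"\x00\x00\x0d")         # tag 1, VLAN (13)
        resp_attrs += attr(TUNNEL_MEDIUM_TYPE, b"\x01" + b"\x00\x00\x06")  # tag 1, IEEE-802 (6)
        resp_attrs += attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + vlan.encode())
    resp_code = ACCESS_ACCEPT if accepted else ACCESS_REJECT
    resp_auth = response_authenticator(resp_code, ident, resp_attrs, request_auth, secret)
    return packet(resp_code, ident, resp_auth, resp_attrs)


def verify_response(response, request_auth, secret):
    """NAS side: return the response code only if the Response Authenticator checks out."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, response[20:length], request_auth, secret)
    return code if hmac.compare_digest(expected, response[4:20]) else None
```

Two things the code makes visible: the shared secret and the 16-byte Request Authenticator are all that stands between an on-path attacker and a forged Access-Accept, and everything except User-Password (User-Name, Calling-Station-Id, the VLAN in the reply) is readable on the wire. That is the gap RadSec closes.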
RadSec (RADIUS secure)
RadSec is a security extension to the RADIUS protocol that wraps RADIUS messages in a TLS (Transport Layer Security) tunnel, providing the confidentiality and integrity that classic RADIUS over UDP lacks. It is standardized in RFC 6614 (RADIUS over TLS), but is currently supported by a limited number of NAS devices.
RadSec uses TCP (port 2083) instead of UDP and by default authenticates both ends with X.509 certificates, so server impersonation and tampering with Access-Accept messages are detected rather than relying on the MD5 shared-secret check. Because TLS does the real protection, RFC 6614 fixes the legacy RADIUS shared secret to the string “radsec”. RadSec is commonly used to carry RADIUS across untrusted networks such as the public internet, for example between on-premises NAS devices and a cloud RADIUS service.
SCEP (Simple Certificate Enrollment Protocol)
The Simple Certificate Enrollment Protocol (SCEP) is a widely used protocol that lets devices request and obtain digital certificates from a certificate authority (CA). It simplifies enrolling for and renewing certificates. SCEP is used by integrated endpoint management solutions to distribute Portnox Cloud certificates as part of automatic device onboarding.
SCEP is an HTTP-based protocol that circulated for years as an Internet-Draft and is now published as RFC 8894. It supports certificate enrollment with a PKCS#10 certificate signing request, CA certificate retrieval, and renewal. Initial authentication relies on a challenge password placed in the request, which is a shared secret: anyone who obtains it can enroll a certificate, so challenges should be issued per device and kept short-lived, and the SCEP endpoint should not be exposed more widely than necessary. SCEP is supported by many network devices, mobile device management systems, and public key infrastructure products.
TACACS+ (Terminal Access Controller Access-Control System Plus)
TACACS+ is a Cisco-designed protocol, derived from the older TACACS and documented in RFC 8907, that centrally manages authentication, authorization, and accounting for administrators logging in to network devices such as switches and routers. It is often compared to RADIUS. The main difference is scope: RADIUS is oriented to network access and combines authentication and authorization in one exchange, while TACACS+ separates the three functions and adds per-command authorization and command accounting, which makes it the usual choice for device administration.
TACACS+ uses TCP port 49. The packet header travels in the clear; the body is obfuscated by XORing it with an MD5-derived keystream keyed with the shared secret. RFC 8907 deliberately calls this obfuscation rather than encryption, because it provides no integrity protection and does not meet modern cryptographic expectations, and recommends confining TACACS+ to a trusted management network. TACACS+ handles authentication, authorization, and accounting as distinct exchanges and is commonly deployed for centralized administrator login and auditing on network devices.
Tenant (software)
A tenant is an instance of a software application or service that is used by a specific group or organization. Each tenant has its own isolated environment and is logically separated from other tenants, so that one organization’s data is not visible to another.
A tenant can exist in cloud platforms and SaaS products. For example, an Entra ID tenant is a dedicated and isolated instance in Microsoft Entra ID used for identity, access, and resource management and is linked to a company domain and subscriptions. A Portnox Cloud tenant is a separate cloud instance where an organization manages network policies, connected devices, and user authentication independently from other organizations.
X.500 Directory Specification
The X.500 Directory Specification is a series of standards (ITU-T X.500, jointly ISO/IEC 9594) that define how a directory service structures and manages information. It follows a hierarchical model in which data is stored in a tree-like structure. For instance, an entry named "CN=Kosh Naranek, O=Vorlon Corp, C=US" (a distinguished name) is placed in the tree according to its components: Common Name (CN) giving the person’s name, Organization (O) giving the company name, and Country (C) indicating the United States. X.500 is the basis for modern directory services such as LDAP and Active Directory.
X.500 defines the directory information tree, distinguished names, the schema of object classes and attributes, replication of directory data between servers, and distributed directory access using the Directory Access Protocol (DAP) and Directory System Protocol (DSP). It is standardized in the ITU-T X.500 series (X.500 through X.530), which also includes X.509, the standard for the public key certificates used by EAP-TLS and SCEP. The original protocols run over the OSI stack, which is why LDAP, running over TCP/IP, replaced DAP in practice.
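The distinguished name structure described here and the LDAP search operation mentioned under LDAP, as an added example that is not Portnox code: a parser for DN strings in the RFC 4514 form (including backslash and hex escapes, so a comma inside a value does not split an RDN, and multi-valued RDNs joined with "+"), the matching escape function for composing a DN, and the RFC 4515 escaping that keeps user-supplied text from altering an LDAP search filter. The DNs and logins are constructed samples.

```python
import string
from typing import List, Tuple

# Added example, not Portnox code. Sample DNs and logins are constructed.
RDN = List[Tuple[str, str]]


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into RDNs (comma-separated), each a list of (type, value) pairs ('+'-joined)."""
    if dn == "":
        return []  # the empty DN names the root DSE
    rdns: List[RDN] = []
    rdn: RDN = []
    attr_type = None
    buf: List[Tuple[int, bool]] = []  # (byte, was_escaped)

    def flush():
        nonlocal attr_type, buf
        if attr_type is None:
            raise ValueError("RDN component without '='")
        while buf and buf[0] == (0x20, False):  # unescaped surrounding spaces are not part of the value
            buf.pop(0)
        while buf and buf[-1] == (0x20, False):
            buf.pop()
        rdn.append((attr_type, bytes(b for b, _ in buf).decode("utf-8")))
        attr_type, buf = None, []

    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(h in string.hexdigits for h in pair):
                buf.append((int(pair, 16), True))  # \2c style hex escape
                i += 3
                continue
            if i + 1 >= len(dn):
                raise ValueError("dangling escape at end of DN")
            buf.extend((b, True) for b in dn[i + 1].encode("utf-8"))  # \, style escape
            i += 2
            continue
        if ch == "=" and attr_type is None:
            attr_type = bytes(b for b, _ in buf).decode("utf-8").strip()
            buf = []
        elif ch == "+":
            flush()
        elif ch in ",;":
            flush()
            rdns.append(rdn)
            rdn = []
        else:
            buf.extend((b, False) for b in ch.encode("utf-8"))
        i += 1
    flush()
    rdns.append(rdn)
    return rdns


_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value when composing a DN string."""
    out = []
    for i, ch in enumerate(value):
        needs = ch in _DN_SPECIAL or (i == 0 and ch in " #") or (i == len(value) - 1 and ch == " ")
        out.append("\\" + ch if needs else ch)
    return "".join(out)


_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value embedded in a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(login: str) -> str:
    """Look up a person by login; safe even if the login contains filter syntax."""
    return f"(&(objectClass=person)(uid={escape_filter_value(login)}))"


if __name__ == "__main__":
    print(parse_dn("CN=Kosh Naranek, O=Vorlon Corp, C=US"))
    print(user_search_filter("admin)(|(uid=*"))
```

Without the filter escaping, a login of "admin)(|(uid=*" turns a lookup for one user into a filter that matches every person in the directory; with it, the parentheses and the asterisk are literal characters in the assertion value.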
ZTNA (zero trust network access)
Zero trust network access is a common industry term for a security framework that requires verification of user and device identity before granting access to network resources, including for example web applications and other services. It enforces access based on least-privilege principles and continuous authentication, regardless of network location. ZTNA replaces traditional perimeter-based security with strict access control using user identity, device posture, and contextual information.
Portnox ZTNA is a product that implements this framework by enforcing access policies through continuous verification of device compliance and user credentials. It integrates with network infrastructure and authentication systems to apply dynamic, context-based access controls. Access is granted only when devices and users meet predefined security requirements.