Glossary

802.1X

802.1X is a networking protocol that enables secure AAA control. When a device (called a supplicant) first contacts a NAS (called an authenticator), it is only allowed to authenticate. The NAS sends the device’s authentication information to a RADIUS server (called an authentication server) that verifies the credentials provided by the device. If the credentials are valid, the authentication server responds to the authenticator, which then lets the supplicant connect to the network. The authentication server can also suggests that the authenticator uses a specific VLAN to connect the supplicant.
Note: In spoken language, 802.1X is often pronounced as “dot-one-ex”.

Accounting

Accounting lets you collect information locally on a network device and send it to the server for billing, auditing, and reporting. It lets you track and keep a log of every management session used for access.

Authentication

Authentication is the process of verifying the identity of the person or device accessing your network.

Authorization

Authorization is the process of checking what the user is authorized to do. For example, RADIUS and TACACS+ authorize users for specific rights by associating attribute/value pairs, which define the rights and the appropriate users.

CIDR (Classless Inter-Domain Routing)

Classless Inter-Domain Routing (CIDR) is a method of allocating and managing IP addresses more efficiently. Instead of using traditional class-based addressing, CIDR allows for flexible allocation of address space by using a slash notation (e.g., /24) to indicate the number of network bits in an IP address, allowing for better utilization of available addresses and easier routing.

EAP (Extensible Authentication Protocol)

The Extensible Authentication Protocol (EAP) is an authentication framework. It offers different EAP methods, which are specific authentication protocols, such as EAP-TLS, EAP-PEAP, EAP-MD5, and EAP-TTLS. EAP is used in 802.1X communications. EAP packets are encapsulated in EAPoL (EAP over LAN) messages. EAPoL makes it possible to carry EAP packets between the client device (supplicant), the access point (authenticator), and the authentication server (RADIUS server).

Fast reconnect

Fast reconnect, also known as EAP session resumption, is a function that lets devices reconnect quickly to the NAS. When fast reconnect is supported by a device and enabled on the RADIUS server, the device sends a session identifier to the RADIUS server via EAP, after it authenticates with the NAS for the first time. If the device then loses connection to the NAS, it sends the recent session identifier. If the RADIUS server recognizes this session identifier, and the session is still valid (depending on session lifetime), it immediately authenticates the device. This reduces the time and resources required for authentication, for example, it eliminates the need to connect to authentication repositories after every reconnection.

IoT (Internet of Things)

The Internet of Things (IoT) is a network that connects physical objects, like devices with sensors and communication abilities, to the Internet. These objects can collect and share data without humans having to control them directly. There is no formal definition of whether the physical device is an IoT device or not. For the purposes of Portnox Cloud, we use the term “IoT device” to refer to any devices that are not directly used by humans, do not have user accounts, but still form part of the network. This includes devices like printers, scanners, surveillance cameras, air conditioners, and any other networked devices in the company offices that might be connected to the company network.

IPSK (Identity Pre-Shared Key)

IPSK (Identity Pre-Shared Key) is a Wi-Fi authentication method supported by major manufacturers’ access points, which allows multiple pre-shared keys (PSKs) on the same SSID. Each key can be linked to a specific device or user and checked against a RADIUS server. For devices using MAB, IPSK improves security by requiring both the MAC address and a PSK to match. This prevents MAC spoofing since just copying the MAC address isn’t enough to connect.

Network access layers

Network access layers refer to the different ways devices can connect to a network: wireless, wired, and VPN. These layers define how devices establish communication and access network resources using technologies like Wi-Fi, Ethernet, or virtual private networks (VPNs).

LDAP (Lightweight Directory Access Protocol)

The Lightweight Directory Access Protocol is a protocol used for managing and accessing directory information within a computer network. LDAP organizes information about users, such as names, contact details, and other relevant data. The term is also often used to describe servers that store directory information and make it accessible using this protocol.

MAB (MAC Authentication Bypass)

MAC Authentication Bypass (MAB) is a workaround method to connect devices to 802.1X networks. In an 802.1X network, devices are typically required to authenticate using a username and password, digital certificates, or other authentication methods before gaining access to the network. However, there may be scenarios where certain devices, such as printers, IP phones, or other IoT devices, do not have the capability to perform the standard 802.1X authentication. To accommodate such devices, network administrators can pre-configure a list of approved MAC addresses for specific devices, allowing them to bypass the usual authentication process and gain network access directly. The NAS devices will then check the MAC address of the connecting device against the pre-approved list, granting access to the devices that match the allowed MAC addresses. Note that the NAS devices must support MAB authentication for this to be possible.

MAC address (Media Access Control)

A MAC address is a unique identifier assigned to network interfaces for communication within a local network. It is a 48-bit address expressed in hexadecimal format and is typically associated with Ethernet or Wi-Fi devices. The MAC address is used by the Address Resolution Protocol (ARP) to map IP addresses to physical MAC addresses in order to make it possible for devices to communicate on the network.

NAS (network access server)

In the context of RADIUS, the network access server is a device or software component that provides a point of entry for users to access a network. It acts as a gateway between the user’s device and the network infrastructure. The NAS is responsible for receiving and processing user authentication requests, forwarding them to the RADIUS server, and relaying the server’s response back to the user. Typically, NAS devices include network equipment such as routers, switches, wireless access points, VPN servers, or even dedicated NAS devices. They are responsible for controlling user access to network resources, enforcing security policies, and managing network connections.
Note: The NAS acronym also stands for network-attached storage, but we never use it in this context in Portnox Cloud and its documentation.

OUI (organizationally unique identifier)

An OUI is the first part of the MAC address, specifying the manufacturer of the device. OUIs are controlled by the IEEE, who assign unique codes to manufacturers. They are also called MAC prefixes or Ethernet prefixes.

RADIUS (Remote Authentication Dial-In User Service)

RADIUS is a network protocol that lets you manage access to your networks. Network devices such as switches and access points can use RADIUS to authenticate and authorize devices trying to connect to the network such as computers, mobiles, and IoT.

RadSec (RADIUS secure)

RadSec is a security extension for the RADIUS protocol, adding a layer of encryption. This is achieved by encapsulating RADIUS messages within a TLS (Transport Layer Security) tunnel. RadSec is a standard defined in RFC 6614, but is currently supported by a limited number of NAS devices.

SCEP: Simple Certificate Enrollment Protocol

The Simple Certificate Enrollment Protocol (SCEP) is a commonly used communication protocol that allows devices to seek and obtain digital certificates from a certificate authority (CA). It secures and simplifies the process of enrolling for and managing certificates. SCEP is used by integrated endpoint management solutions to distribute Portnox Cloud certificates as part of automatic device onboarding.

TACACS+ (Terminal Access Controller Access-Control System Plus)

TACACS+ is a Cisco extension to the TACACS network protocol that centrally manages authentication, authorization, and accounting for network devices like switches and routers, ensuring secure access control and administrative control. It is often compared to RADIUS. The main difference between RADIUS and TACACS lies in their functionalities, where RADIUS focuses on authentication and accounting, while TACACS+ provides additional features like granular access control and command authorization for enhanced network security and administrative control.

Tenant (software)

A tenant is an instance of a software application or service that is used by a specific group or organization. Each tenant has its own isolated environment and is logically separated from other tenants, so the organization data is private and secure.

X.500 Directory Specification

The X.500 Directory Specification is a standardized protocol used in IT to structure and manage information within a directory service. This specification follows a hierarchical model where data is stored in a tree-like structure. For instance, an entry like "CN=Kosh Naranek, O=Vorlon Corp, C=US" would be organized within this structure, containing attributes such as Common Name (CN) representing the person’s name, Organization (O) detailing the company name, and Country (C) indicating the United States. X.500 is the basis for modern directory services like LDAP, ensuring orderly data storage and easy information management in networks.