Glossary
802.1X
802.1X is an IEEE standard for port-based network access control. Together with RADIUS, it provides the authentication and
authorization parts of AAA on switches and access points. When a device (called a supplicant) first connects to a NAS (called an
authenticator), the only traffic it is allowed to send is the authentication exchange itself. The authenticator relays the device's
authentication messages to a RADIUS server (called an authentication server) that verifies the credentials presented by the
device. If the credentials are valid, the authentication server responds to the authenticator, which then opens the port and lets
the supplicant onto the network. The authentication server can also instruct the authenticator to place the supplicant in a specific
VLAN.
Note: In spoken language, 802.1X is often pronounced as “dot-one-ex”.
AAA: Authentication, Authorization, and Accounting
Accounting
Accounting lets you collect session and usage information on a network device and send it to the AAA server for billing, auditing,
and reporting. It lets you track and keep a log of every management session used for access: who logged in, from where, and for how
long.
Authentication
Authentication is the process of verifying the identity of the person or device accessing your network.
Authorization
Authorization is the process of deciding what an authenticated user or device is allowed to do, for example, which VLAN it is
placed in, which resources it may reach, or which commands it may run on a network device.
CIDR (Classless Inter-Domain Routing)
Classless Inter-Domain Routing (CIDR) is a method of allocating and managing IP addresses more efficiently than traditional
class-based (A/B/C) addressing. CIDR uses slash notation (for example, /24) to state how many leading bits of an address identify
the network; the remaining bits identify hosts within it. This allows address blocks of any power-of-two size, which makes better
use of the available addresses and lets routers summarize many networks into a single route.
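As an added example (not part of the Portnox Cloud documentation), the following Python does the bit arithmetic behind the slash notation without the standard ipaddress module, so the split between network bits and host bits is visible: it derives the netmask, network and broadcast addresses from a prefix, tests whether an address falls inside a block, rejects a block written with host bits set (a common typo in firewall rules and RADIUS client definitions), and checks whether one block is entirely contained in another. The addresses used are constructed sample values.

```python
# Added example, not Portnox Cloud code: IPv4 CIDR arithmetic written out in full.


def ip_to_int(ip):
    """Parse dotted-quad IPv4 text into a 32-bit integer; reject anything malformed."""
    parts = ip.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {ip!r}")
    value = 0
    for p in parts:
        # Reject non-digits, out-of-range octets and leading zeros (ambiguous in some tools)
        if not p.isdigit() or int(p) > 255 or (len(p) > 1 and p[0] == "0"):
            raise ValueError(f"bad octet {p!r} in {ip!r}")
        value = (value << 8) | int(p)
    return value


def int_to_ip(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_cidr(cidr, strict=True):
    """Return (network_int, prefix_len, netmask_int) for text like '10.0.0.0/8'.

    With strict=True, an address with host bits set (e.g. '192.168.1.5/24') is an
    error rather than being silently masked, so a typo in a rule is caught early."""
    addr_text, _, prefix_text = cidr.partition("/")
    if not prefix_text.isdigit() or int(prefix_text) > 32:
        raise ValueError(f"bad prefix length in {cidr!r}")
    prefix = int(prefix_text)
    netmask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF  # prefix leading 1-bits
    addr = ip_to_int(addr_text)
    network = addr & netmask
    if strict and network != addr:
        raise ValueError(f"{cidr!r} has host bits set; did you mean {int_to_ip(network)}/{prefix}?")
    return network, prefix, netmask


def describe(cidr):
    """Network, netmask, broadcast and size of a block."""
    network, prefix, netmask = parse_cidr(cidr)
    broadcast = network | (~netmask & 0xFFFFFFFF)   # all host bits set
    size = 1 << (32 - prefix)
    return {
        "network": int_to_ip(network),
        "netmask": int_to_ip(netmask),
        "broadcast": int_to_ip(broadcast),
        "addresses": size,
        # /31 and /32 have no separate network and broadcast addresses (RFC 3021)
        "usable_hosts": size - 2 if prefix <= 30 else size,
    }


def ip_in_cidr(ip, cidr):
    """True when the address's network bits equal the block's network address."""
    network, _, netmask = parse_cidr(cidr)
    return ip_to_int(ip) & netmask == network


def cidr_contains(outer, inner):
    """True if every address of `inner` lies inside `outer`; handy for spotting an
    allowlist or RADIUS client entry that is broader than intended."""
    o_net, o_pfx, o_mask = parse_cidr(outer)
    i_net, i_pfx, _ = parse_cidr(inner)
    return i_pfx >= o_pfx and (i_net & o_mask) == o_net
```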
EAP (Extensible Authentication Protocol)
The Extensible Authentication Protocol (EAP) is an authentication framework rather than a single method. It carries different EAP
methods, which are specific authentication protocols, such as EAP-TLS, PEAP (Protected EAP), EAP-TTLS, and EAP-MD5. EAP is the
protocol spoken inside 802.1X. Between the supplicant and the authenticator (switch or access point), EAP packets are encapsulated in
EAPoL (EAP over LAN) frames; between the authenticator and the RADIUS server they are carried inside RADIUS EAP-Message attributes,
so the authenticator only relays the exchange and never sees the credentials.
Note: EAP-MD5 authenticates only the client and derives no keys, so it cannot be used for WPA2/WPA3-Enterprise Wi-Fi; the TLS-based
methods (EAP-TLS, PEAP, EAP-TTLS) are the ones to use.
Fast reconnect
Fast reconnect, also known as EAP session resumption, is a function that lets devices reconnect quickly to the NAS. When fast
reconnect is supported by a device and enabled on the RADIUS server, the RADIUS server issues the device a session identifier via EAP
during its first full authentication. If the device then loses connection to the NAS, it presents that session identifier when it
reconnects. If the RADIUS server recognizes the identifier and the session is still valid (depending on the session lifetime), it
authenticates the device immediately without repeating the full exchange. This reduces the time and resources required for
authentication, for example, it eliminates the need to query the authentication repositories after every reconnection.
Note: because a resumed session skips the full credential check, the session lifetime also bounds how long a device can keep
reconnecting after its certificate or account has been revoked.
IoT (Internet of Things)
The Internet of Things (IoT) is a network that connects physical objects, like devices with sensors and communication
abilities, to the Internet. These objects can collect and share data without humans having to control them directly. There is no
formal definition of whether the physical device is an IoT device or not. For the purposes of Portnox Cloud, we use the
term “IoT device” to refer to any devices that are not directly used by humans, do not have user accounts, but still form part of
the network. This includes devices like printers, scanners, surveillance cameras, air conditioners, and any other networked devices
in the company offices that might be connected to the company network.
IPSK (Identity Pre-Shared Key)
IPSK (Identity Pre-Shared Key) is a Wi-Fi authentication method supported by major manufacturers' access points, which allows
multiple pre-shared keys (PSKs) on the same SSID. Each key can be linked to a specific device or user and is checked against a RADIUS
server. For devices using MAB, IPSK improves security by requiring both the MAC address and the PSK assigned to that device to match.
This mitigates MAC spoofing, since copying the MAC address alone is not enough to connect.
Network access layers
Network access layers refer to the different ways devices can connect to a network: wireless, wired, and VPN. These layers
define how devices establish communication and access network resources using technologies like Wi-Fi, Ethernet, or virtual private
networks (VPNs).
LDAP (Lightweight Directory Access Protocol)
The Lightweight Directory Access Protocol is a protocol used for managing and accessing directory information within a
computer network. LDAP organizes information about users, such as names, contact details, and other relevant data. The term is also
often used to describe servers that store directory information and make it accessible using this protocol.
MAB (MAC Authentication Bypass)
MAC Authentication Bypass (MAB) is a fallback method for connecting devices to 802.1X networks. In an 802.1X network, devices are
normally required to authenticate using a username and password, a digital certificate, or another EAP method before gaining access
to the network. However, certain devices, such as printers, IP phones, or other IoT devices, may not be capable of 802.1X
authentication at all. To accommodate such devices, network administrators pre-configure a list of approved MAC addresses. When a
device that does not respond to 802.1X connects, the NAS submits the device's MAC address to the RADIUS server in place of user
credentials; the server checks it against the pre-approved list and grants access only to devices that match. Note that the NAS
must support MAB for this to be possible.
Note: a MAC address is trivial to copy, so MAB identifies a device rather than authenticating it. Place MAB devices in a restricted
VLAN or behind an access list, and on Wi-Fi combine MAB with IPSK so that the MAC address alone is not enough to connect.
MAC address (Media Access Control)
A MAC address is an identifier assigned to a network interface for communication within a local network. It is a 48-bit address
expressed as six hexadecimal octets (for example, 00:1A:2B:3C:4D:5E) and is typically associated with Ethernet or Wi-Fi interfaces.
The Address Resolution Protocol (ARP) maps IP addresses to MAC addresses so that devices can communicate on the local network.
Although the manufacturer burns the address into the interface, it can be changed in software, so a MAC address identifies a device
but does not authenticate it.
NAS (network access server)
In the context of RADIUS, the network access server is a device or software component that provides a point of entry for users to
access a network. It acts as a gateway between the user's device and the network infrastructure. The NAS is responsible for receiving
user authentication requests, forwarding them to the RADIUS server (the NAS is the RADIUS client), and enforcing the server's response
(accept, reject, VLAN or access-list assignment) on the user's connection. Typically, NAS devices include network equipment such as
routers, switches, wireless access points, VPN servers, or dedicated access servers. They are responsible for controlling user access
to network resources, enforcing security policies, and managing network connections.
Note: The NAS acronym also stands for network-attached storage, but we never use it in this context in Portnox Cloud and its documentation.
OUI (organizationally unique identifier)
An OUI is the first 24 bits (three octets) of a MAC address and identifies the manufacturer of the device's network interface. OUIs
are assigned by the IEEE, which registers a unique code for each manufacturer. They are also called MAC prefixes or Ethernet prefixes.
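The following Python is an added example, not Portnox Cloud code, covering the MAB, MAC address and OUI entries above: it normalizes the MAC formats that different NAS vendors place in the RADIUS Calling-Station-Id attribute (colon, dash, Cisco dotted, bare hex), extracts the OUI, reads the locally-administered and multicast bits of the first octet, and makes a MAB decision against an allowlist. The allowlist, the vendor names and the OUI table are constructed sample data, not real IEEE assignments.

```python
# Added example, not Portnox Cloud code: MAC normalization, OUI extraction and a MAB decision.
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Accept 00:1A:2B:3C:4D:5E, 00-1a-2b-3c-4d-5e, 001a.2b3c.4d5e or 001A2B3C4D5E and
    return the canonical lowercase colon form used as the allowlist key."""
    digits = re.sub(r"[:\-.\s]", "", raw.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui(mac):
    """First 24 bits (three octets): the IEEE-assigned manufacturer prefix."""
    return normalize_mac(mac)[:8]


def is_locally_administered(mac):
    """Bit 0x02 of the first octet. Set on randomized (privacy) MACs and on most
    software-assigned addresses, i.e. the address was not burned in under that OUI."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def is_multicast(mac):
    """Bit 0x01 of the first octet; never a valid source address for a supplicant."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x01)


# Constructed sample data: hypothetical vendor names, prefixes and addresses.
OUI_TABLE = {"00:1a:2b": "Example Printers Inc", "00:1b:3c": "Example Cameras Ltd"}
MAB_ALLOWLIST = {
    "00:1a:2b:3c:4d:5e": {"name": "printer-floor1", "vlan": 20},
    "00:1b:3c:aa:bb:cc": {"name": "camera-lobby", "vlan": 30},
}


def mab_decision(calling_station_id, allowlist=MAB_ALLOWLIST, oui_table=OUI_TABLE):
    """Return ('accept', vlan, detail) or ('reject', None, reason) for one Calling-Station-Id."""
    try:
        mac = normalize_mac(calling_station_id)
    except ValueError as exc:
        return ("reject", None, str(exc))
    if is_multicast(mac):
        return ("reject", None, f"{mac} has the multicast bit set")
    if is_locally_administered(mac):
        return ("reject", None, f"{mac} is locally administered (randomized or software-set)")
    entry = allowlist.get(mac)
    if entry is None:
        return ("reject", None, f"{mac} is not in the MAB allowlist")
    vendor = oui_table.get(oui(mac), "unknown vendor")
    return ("accept", entry["vlan"], f"{entry['name']} ({vendor})")
```

Rejecting locally administered addresses blocks randomized Wi-Fi MACs, which would otherwise churn through the allowlist, but it also blocks legitimately software-set addresses (virtual machines, some docking stations), so treat that check as a policy choice rather than a hard rule. The decision still rests on an address the client chooses, which is why the IPSK entry above pairs the MAC with a per-device key.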
RADIUS (Remote Authentication Dial-In User Service)
RADIUS is a client-server network protocol that lets you manage access to your networks. Network devices such as switches and
access points (the RADIUS clients) use it to authenticate and authorize devices trying to connect to the network, such as computers,
mobile devices, and IoT devices, and to send accounting records. RADIUS runs over UDP (conventionally port 1812 for authentication
and 1813 for accounting) and protects packets with a shared secret between the NAS and the server; only the password attribute is
obfuscated, the rest of the packet is sent in the clear.
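The exchange described in the 802.1X, EAP and RADIUS entries, as an added example that is not part of the Portnox Cloud documentation: Python that builds the Access-Request an authenticator sends for a supplicant's EAP Response/Identity, the Access-Accept a server returns with a VLAN assignment, and the checks the authenticator must perform on the reply (RFC 2865 Response Authenticator and RFC 2869 Message-Authenticator) before it opens the port. The shared secret, identity and MAC address are constructed sample values; the attribute numbers are the standard IANA assignments.

```python
# Added example, not Portnox Cloud code: a RADIUS Access-Request/Access-Accept round trip
# for an 802.1X session, with the integrity checks both sides rely on.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                                   # RFC 2865 codes
USER_NAME, CALLING_STATION_ID = 1, 31                                  # RFC 2865 attributes
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80                            # RFC 2869
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6


def eap_identity_response(eap_id, identity):
    """EAP Response/Identity (RFC 3748): code 2, identifier, length, type 1, identity."""
    body = b"\x01" + identity.encode()
    return struct.pack("!BBH", 2, eap_id, 4 + len(body)) + body


def encode_attrs(attrs):
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([attr_type, len(value) + 2]) + value  # Type, Length (incl. header), Value
    return out


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2 or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def _packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def build_access_request(secret, ident, identity, mac, eap_payload, request_auth=b""):
    """Authenticator -> RADIUS server. The Request Authenticator is a fresh random nonce.
    Message-Authenticator (mandatory when EAP-Message is present, RFC 3579) is HMAC-MD5
    over the whole packet with its own value set to 16 zero bytes."""
    request_auth = request_auth or os.urandom(16)
    attrs = [(USER_NAME, identity.encode()), (CALLING_STATION_ID, mac.encode()),
             (EAP_MESSAGE, eap_payload), (MESSAGE_AUTHENTICATOR, bytes(16))]
    pkt = _packet(ACCESS_REQUEST, ident, request_auth, attrs)   # Message-Authenticator is last
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def build_access_accept(secret, request_pkt, vlan_id):
    """RADIUS server -> authenticator, carrying a VLAN assignment (RFC 3580 tunnel attributes)."""
    ident, request_auth = request_pkt[1], request_pkt[4:20]
    tag = b"\x01"  # the tag byte groups the three tunnel attributes (RFC 2868)
    attrs = [(TUNNEL_TYPE, tag + bytes([0, 0, TUNNEL_TYPE_VLAN])),
             (TUNNEL_MEDIUM_TYPE, tag + bytes([0, 0, TUNNEL_MEDIUM_802])),
             (TUNNEL_PRIVATE_GROUP_ID, tag + str(vlan_id).encode()),
             (MESSAGE_AUTHENTICATOR, bytes(16))]
    # A reply's Message-Authenticator is computed with the *Request* Authenticator in the
    # authenticator field (RFC 2869 section 5.14) ...
    pkt = _packet(ACCESS_ACCEPT, ident, request_auth, attrs)
    pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    # ... and the Response Authenticator is MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return pkt[:4] + resp_auth + pkt[20:]


def verify_response(secret, request_pkt, response_pkt):
    """Authenticator-side checks before trusting a reply: identifier match, Response
    Authenticator and Message-Authenticator. A reply injected by someone who can spoof
    the server's address but lacks the shared secret fails both authenticator checks."""
    if len(response_pkt) < 20 or response_pkt[1] != request_pkt[1]:
        return False
    if int.from_bytes(response_pkt[2:4], "big") != len(response_pkt):
        return False
    request_auth, attrs_raw = request_pkt[4:20], response_pkt[20:]
    try:
        attrs = decode_attrs(attrs_raw)
    except ValueError:
        return False
    expected = hashlib.md5(response_pkt[:4] + request_auth + attrs_raw + secret).digest()
    if not hmac.compare_digest(expected, response_pkt[4:20]):
        return False
    offset = 0  # walk the attributes to find where the Message-Authenticator value sits
    for attr_type, value in attrs:
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = attrs_raw[:offset + 2] + bytes(16) + attrs_raw[offset + 18:]
            calc = hmac.new(secret, response_pkt[:4] + request_auth + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(calc, value)
        offset += 2 + len(value)
    return False  # no Message-Authenticator on an EAP session: reject


def vlan_from_response(response_pkt):
    """Read Tunnel-Private-Group-ID; a leading byte <= 0x1F is a tag, not part of the VLAN text."""
    for attr_type, value in decode_attrs(response_pkt[20:]):
        if attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            return int((value[1:] if value[0] <= 0x1F else value).decode())
    return None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed sample values throughout
    req = build_access_request(secret, 7, "kosh@vorlon.example", "00-1A-2B-3C-4D-5E",
                               eap_identity_response(1, "kosh@vorlon.example"))
    acc = build_access_accept(secret, req, 20)
    print("reply valid:", verify_response(secret, req, acc), "VLAN:", vlan_from_response(acc))
```

Both authenticators are built on MD5 and the shared secret is the only key, and everything except the password attribute travels in the clear, which is the weakness RadSec addresses by moving the whole exchange into TLS.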
RadSec (RADIUS secure)
RadSec is RADIUS carried over TLS (RFC 6614, TCP port 2083) instead of plain UDP, so the whole exchange between the NAS and the RADIUS
server is encrypted and both sides authenticate each other with certificates rather than relying on the shared secret alone. It is
suited to carrying RADIUS across untrusted networks such as the Internet.
SCEP: Simple Certificate Enrollment Protocol
The Simple Certificate Enrollment Protocol (SCEP) is a widely used protocol that allows devices to request and obtain digital
certificates from a certificate authority (CA). It simplifies and automates the process of enrolling for and renewing certificates.
SCEP is used by integrated endpoint management solutions to distribute Portnox Cloud certificates as part of automatic device
onboarding.
TACACS+ (Terminal Access Controller Access-Control System Plus)
TACACS+ is a Cisco-designed successor to the original TACACS protocol (not compatible with it) that centrally manages
authentication, authorization, and accounting for administrative access to network devices like switches and routers. It is often
compared to RADIUS. The main differences are that TACACS+ runs over TCP (port 49), encrypts the entire packet body rather than only
the password, and separates authentication from authorization, which lets it authorize individual commands. RADIUS combines
authentication and authorization in one exchange and is typically used for network access by end devices, while TACACS+ is used for
device administration, granular access control, and command authorization.
Tenant (software)
A tenant is an instance of a software application or service that is used by a specific group or organization. Each tenant has
its own isolated environment and is logically separated from other tenants, so the organization data is private and
secure.
X.500 Directory Specification
The X.500 Directory Specification is a set of ITU-T standards that define how information is structured and managed in a directory
service. Data is stored in a hierarchical, tree-like structure in which every entry is named by a distinguished name (DN) built from
attribute=value pairs. For instance, an entry like "CN=Kosh Naranek, O=Vorlon Corp, C=US" would be organized within this structure,
containing attributes such as Common Name (CN) representing the person's name, Organization (O) detailing the company name, and
Country (C) indicating the United States. X.500 is the basis for modern directory services like LDAP, which uses the X.500 data model
over a simpler TCP/IP protocol, ensuring orderly data storage and easy information management in networks.
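As an added example, not Portnox Cloud code, covering the LDAP and X.500 entries: Python that parses a string DN such as the one above into its attribute=value pairs per RFC 4514 (the LDAP string form of X.500 names), handles backslash and hex escapes, and escapes values on the way back out. The last part is the security-relevant one: a value taken from user input and dropped into a DN unescaped can inject extra RDNs and change which entry is addressed. The names are the page's own example plus constructed sample strings.

```python
# Added example, not Portnox Cloud code: RFC 4514 distinguished-name parsing and escaping.

_HEX = "0123456789abcdefABCDEF"


def parse_dn(dn):
    """Split a string DN into [(attribute_type, value), ...], leaf RDN first."""
    rdns, i, n = [], 0, len(dn)
    while i < n:
        eq = dn.find("=", i)
        if eq < 0:
            raise ValueError(f"RDN without '=' at offset {i}")
        attr_type = dn[i:eq].strip()
        if not attr_type or not attr_type.replace("-", "").isalnum():
            raise ValueError(f"bad attribute type {attr_type!r}")
        i = eq + 1
        while i < n and dn[i] == " ":   # unescaped leading spaces are not part of the value
            i += 1
        raw, end = bytearray(), 0       # end = length after the last significant byte
        while i < n and dn[i] != ",":
            if dn[i] == "\\":
                pair = dn[i + 1:i + 3]
                if len(pair) == 2 and pair[0] in _HEX and pair[1] in _HEX:
                    raw.append(int(pair, 16))             # \XX is one raw UTF-8 octet
                    i += 3
                elif i + 1 < n:
                    raw += dn[i + 1].encode("utf-8")      # \c is the literal character c
                    i += 2
                else:
                    raise ValueError("dangling backslash")
                end = len(raw)                            # escaped chars always count
            else:
                raw += dn[i].encode("utf-8")
                if dn[i] != " ":
                    end = len(raw)                        # unescaped trailing spaces drop
                i += 1
        rdns.append((attr_type, bytes(raw[:end]).decode("utf-8")))
        i += 1                                            # skip the comma
    return rdns


def escape_rdn_value(value):
    """RFC 4514 section 2.4 escaping for one attribute value: special characters,
    a leading space or '#', a trailing space, and NUL."""
    out, last = [], len(value) - 1
    for idx, c in enumerate(value):
        if c == "\x00":
            out.append("\\00")
        elif c in '"+,;<>\\' or (idx == 0 and c in " #") or (idx == last and c == " "):
            out.append("\\" + c)
        else:
            out.append(c)
    return "".join(out)


def build_dn(rdns):
    """Assemble a DN from (type, value) pairs, escaping every value."""
    return ",".join(f"{t}={escape_rdn_value(v)}" for t, v in rdns)
```

The example DN is written leaf-first (CN, then O, then C), which is the LDAP convention; native X.500 notation lists the same RDNs root-first. Building a DN with string concatenation instead of build_dn lets an identity like "Kosh,O=Admins" turn one RDN into two, which the parser below would then read as a different entry.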