Glossary

802.1X

802.1X is a networking protocol that enables secure AAA control. When a device (called a supplicant) first contacts a NAS (called an authenticator), it is only allowed to authenticate. The NAS forwards the device’s authentication information to a RADIUS server (called an authentication server), which verifies the credentials provided by the device. If the credentials are valid, the authentication server responds to the authenticator, which then lets the supplicant connect to the network. The authentication server can also instruct the authenticator to place the supplicant in a specific VLAN.

802.1X operates at the data link layer and supports multiple EAP authentication methods. It prevents unauthorized devices from accessing the network by enforcing authentication before network access is granted. The protocol is commonly used in wired and wireless LANs for port-based network access control.

Note: In spoken language, 802.1X is often pronounced as “dot-one-ex”.

Accounting

Accounting lets you collect information locally on a network device and send it to the AAA server for billing, auditing, and reporting. It lets you track and keep a log of every management session used for access.

Accounting records details such as session start and stop times, duration, data usage, and actions performed. This data helps in monitoring network usage, detecting anomalies, and generating usage reports for compliance and operational analysis.

Agentless

Agentless is a common industry term that means checking endpoint compliance without installing a special software agent. This method uses existing tools or built-in features on the device to gather information.

In Portnox Cloud, the term agentless means no Portnox AgentP is installed on the device. Instead, compliance data is collected through built-in agents like the Windows Intune agent or agents from other UEM or MDM software. These existing agents provide the necessary information without needing an extra agent.

Authentication

Authentication is the process of verifying the identity of the person or device accessing your network. It involves validating credentials such as usernames and passwords, digital certificates, or cryptographic tokens. Authentication ensures that only authorized users or devices can gain access, providing the first layer of security before authorization and access control are applied.

Authorization

Authorization is the process of determining what an authenticated user or device is permitted to do. For example, RADIUS and TACACS+ grant users specific rights by associating attribute/value pairs with them; these pairs define the rights and the users they apply to.

CIDR (Classless Inter-Domain Routing)

Classless Inter-Domain Routing (CIDR) is a method of allocating and managing IP addresses more efficiently. Instead of traditional class-based addressing, CIDR allows flexible allocation of address space by using slash notation (e.g., /24) to indicate the number of network bits in an IP address, which makes better use of the available addresses and simplifies routing.

CIDR notation combines the IP address with a prefix length to define network and host portions. It supports aggregation of multiple IP ranges into a single routing entry, reducing the size of routing tables and improving routing efficiency across the internet and private networks.
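The following script is an added example, not part of the glossary or of Portnox Cloud, showing what the prefix length actually does: it splits a CIDR string into network and host portions, tests whether an address falls inside a prefix, collapses adjacent prefixes into one routing entry (the aggregation described above), and performs the longest-prefix match a router or a subnet-based access rule uses. The route table and addresses are constructed for the demonstration; only the standard library is used.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed sample routing table for the demonstration (labels are invented).
SAMPLE_ROUTES = {
    "10.0.0.0/8": "corporate core",
    "10.20.30.0/24": "printer VLAN",
    "192.168.0.0/22": "guest Wi-Fi",
}


def describe_prefix(cidr: str) -> dict:
    """Split a CIDR string into its network and host portions.

    strict=False accepts a prefix written with host bits set (10.20.30.5/24)
    and canonicalises it to the network address.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "network": str(net.network_address),
        "prefixlen": net.prefixlen,
        "netmask": str(net.netmask),
        "host_bits": net.max_prefixlen - net.prefixlen,
        "addresses": net.num_addresses,
        "broadcast": str(net.broadcast_address),
    }


def contains(cidr: str, address: str) -> bool:
    """True when the address lies inside the prefix; an IPv4/IPv6 mismatch is False."""
    net = ipaddress.ip_network(cidr, strict=False)
    addr = ipaddress.ip_address(address)
    return addr.version == net.version and addr in net


def aggregate(cidrs: Iterable[str]) -> list:
    """Collapse adjacent and overlapping prefixes into the fewest routing entries.

    All prefixes must be of the same IP version; collapse_addresses rejects a mix.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def longest_prefix_match(routes: dict, address: str) -> Optional[str]:
    """Return the label of the most specific route covering the address, or None.

    This is the lookup a router performs, and the same rule applies when an
    access policy is scoped to subnets: the narrowest matching prefix wins.
    """
    addr = ipaddress.ip_address(address)
    best = None
    for cidr, label in routes.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, label)
    return best[1] if best else None


if __name__ == "__main__":
    print(describe_prefix("10.20.30.5/24"))
    print(aggregate(["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/23"]))
    for ip in ("10.20.30.7", "10.9.9.9", "192.168.3.255", "198.51.100.1"):
        print(ip, "->", longest_prefix_match(SAMPLE_ROUTES, ip))
```

Running the script shows that 10.20.30.7 matches both 10.0.0.0/8 and 10.20.30.0/24 but is classified by the /24, and that four /24-sized ranges aggregate into the single entry 192.168.0.0/22.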

DHCP (Dynamic Host Configuration Protocol)

DHCP is a protocol used to automatically assign IP addresses and other network configuration details (like subnet masks, default gateways, and DNS servers) to devices when they join a network. This removes the need for manual IP configuration, making network management more efficient and less error-prone. DHCP is one of the core services in most enterprise and home networks and is typically handled by routers, dedicated DHCP servers, or wireless controllers.

While DHCP plays a critical role in configuring devices at the network layer (Layer 3), it is not involved in access control decisions. It operates independently of authentication protocols such as 802.1X and RADIUS, which are handled at Layer 2 before IP address assignment. In Portnox Cloud, DHCP is used only after a device has successfully connected – its traffic is analyzed to help fingerprint the device based on patterns typical of specific device types or manufacturers. This post-authentication analysis supports functions like device identification and MAC spoofing detection.

EAP (Extensible Authentication Protocol)

The Extensible Authentication Protocol (EAP) is an authentication framework. It offers different EAP methods, which are specific authentication protocols, such as EAP-TLS, EAP-PEAP, EAP-MD5, and EAP-TTLS. EAP is used in 802.1X communications. EAP packets are encapsulated in EAPoL (EAP over LAN) messages. EAPoL makes it possible to carry EAP packets between the client device (supplicant), the access point (authenticator), and the authentication server (RADIUS server).

EAP itself does not define authentication mechanisms but provides a standard way to transport authentication information. It supports mutual authentication, dynamic key generation, and flexible use in wired and wireless networks. EAP messages are exchanged during the network access control process before granting network access.

Endpoint compliance

Endpoint compliance is a common industry term that refers to checking if a device meets specific security rules before it is allowed to access a network (security posture assessment). These rules may include having updated software, antivirus protection, and proper configuration. Devices that do not meet these requirements are considered non-compliant.

Compliance checks are typically performed using software agents installed on the device. These agents collect information about the device’s security status, such as operating system updates, installed applications, and security settings. Some devices may use built-in management agents provided by their operating systems to report compliance data. The collected information is compared to policy requirements to determine if the device is compliant.

Fast reconnect

Fast reconnect, also known as EAP session resumption, is a function that lets devices reconnect quickly to the NAS. When fast reconnect is supported by a device and enabled on the RADIUS server, the device sends a session identifier to the RADIUS server via EAP after it authenticates with the NAS for the first time. If the device then loses its connection to the NAS, it presents that session identifier again. If the RADIUS server recognizes the session identifier and the session is still valid (depending on the session lifetime), it immediately authenticates the device. This reduces the time and resources required for authentication; for example, it eliminates the need to contact authentication repositories after every reconnection.

Fast reconnect relies on caching session keys and identifiers both on the client and the RADIUS server. It supports quicker re-establishment of encrypted sessions without repeating the full EAP authentication exchange, improving connection speed and reducing authentication server load. Session validity is controlled by configurable timeouts.

IAM (identity and access management)

Identity and access management is a framework of policies, processes, and technologies used to manage digital identities and control user access to resources within an organization. IAM ensures that the right individuals have the appropriate access to technology resources at the right times and for the right reasons.

IAM systems handle user authentication (verifying identity), authorization (defining access rights), and account management tasks such as creating, modifying, and deleting user accounts. IAM supports security requirements by enforcing access policies, monitoring user activity, and enabling compliance with regulations. It often integrates with identity providers (IdPs) and supports protocols like SAML and OpenID Connect (OIDC) for single sign-on (SSO).

IdP (identity provider)

An identity provider (IdP) is a system that performs user authentication and provides identity information to other systems or applications. It is a central part of single sign-on (SSO) setups, where users log in once through the IdP and then gain access to multiple services without logging in again.

In SAML-based SSO, the IdP generates and sends a SAML assertion to confirm the user’s identity. In OpenID Connect (OIDC), the IdP handles the login and issues an ID token that includes the user’s identity details. The applications that rely on the IdP to verify users are called service providers (in SAML) or clients (in OIDC). The IdP ensures consistent and secure user authentication across systems. Common identity providers include Microsoft Entra ID, Google Identity Platform, Okta, Ping Identity, and Auth0.

IoT (Internet of Things)

The Internet of Things (IoT) is a network that connects physical objects, like devices with sensors and communication abilities, to the Internet. These objects can collect and share data without humans having to control them directly. There is no formal definition of which physical devices count as IoT devices. For the purposes of Portnox Cloud, we use the term “IoT device” to refer to any device that is not directly used by humans and has no user account, but still forms part of the network. This includes devices like printers, scanners, surveillance cameras, air conditioners, and any other networked devices in the company offices that might be connected to the company network.

IoT fingerprinting

Fingerprinting is the process of identifying a device based on unique characteristics it exposes, rather than relying on user-provided credentials or certificates. These characteristics can include network behavior, protocol patterns, hardware identifiers, and other metadata. Fingerprinting is commonly used in security and networking.

Portnox uses fingerprinting to identify and classify IoT devices. This is done by analyzing the MAC address to determine the manufacturer and then examining DHCP traffic patterns. Many devices send DHCP requests in a predictable and characteristic way, based on their operating system or firmware. By matching these patterns to known profiles, Portnox can determine the actual type and identity of a device with high accuracy.

Fingerprinting is also used to detect MAC spoofing attempts. If a device connects using a MAC address that has already been seen on the network, Portnox checks its fingerprint against the one previously associated with that MAC. If the DHCP behavior does not match, the device is assumed to be an impostor, and access is denied. This helps protect against attackers who manually assign a known MAC address to their own device to bypass access controls.

IPSK (Identity Pre-Shared Key)

IPSK (Identity Pre-Shared Key) is a Wi-Fi authentication method supported by major manufacturers’ access points, which allows multiple pre-shared keys (PSKs) on the same SSID. Each key can be linked to a specific device or user and checked against a RADIUS server. For devices using MAB, IPSK improves security by requiring both the MAC address and a PSK to match. This prevents MAC spoofing since just copying the MAC address isn’t enough to connect.

IPSK integrates with RADIUS servers to validate credentials and enforce policies per user or device. It allows centralized management of multiple keys and provides better control over Wi-Fi network access compared to traditional single PSK methods.

Network access layers

Network access layers refer to the different ways devices can connect to a network: wireless, wired, and VPN. These layers define how devices establish communication and access network resources using technologies like Wi-Fi, Ethernet, or virtual private networks (VPNs).

Each access layer has specific protocols and security mechanisms. Wired access typically uses Ethernet with IEEE 802.3 standards. Wireless access uses IEEE 802.11 (Wi-Fi) standards and includes encryption methods like WPA3. VPN access creates secure tunnels over public networks using protocols such as IPSec or SSL/TLS to protect data in transit.

LDAP (Lightweight Directory Access Protocol)

The Lightweight Directory Access Protocol is a protocol used for managing and accessing directory information within a computer network. LDAP organizes information about users, such as names, contact details, and other relevant data. The term is also often used to describe servers that store directory information and make it accessible using this protocol.

LDAP operates over TCP/IP, typically on ports 389 (unencrypted) and 636 (encrypted with SSL/TLS). It uses a hierarchical structure similar to X.500 but with simpler communication, and directory data is commonly exchanged in the LDAP Data Interchange Format (LDIF). LDAP supports searching, modifying, adding, and deleting directory entries and is widely used for authentication and authorization services.

MAB (MAC Authentication Bypass)

MAC Authentication Bypass (MAB) is a workaround method to connect devices to 802.1X networks. In an 802.1X network, devices are typically required to authenticate using a username and password, digital certificates, or other authentication methods before gaining access to the network. However, there may be scenarios where certain devices, such as printers, IP phones, or other IoT devices, do not have the capability to perform the standard 802.1X authentication. To accommodate such devices, network administrators can pre-configure a list of approved MAC addresses for specific devices, allowing them to bypass the usual authentication process and gain network access directly. The NAS devices will then check the MAC address of the connecting device against the pre-approved list, granting access to the devices that match the allowed MAC addresses. Note that the NAS devices must support MAB authentication for this to be possible.

MAB operates by sending the device’s MAC address as a username to the RADIUS server for authentication. It provides limited security compared to 802.1X because MAC addresses can be spoofed. MAB is often used as a fallback method when 802.1X authentication fails or is unsupported by the device.

MAC address (Media Access Control)

A MAC address is a unique identifier assigned to network interfaces for communication within a local network. It is a 48-bit address expressed in hexadecimal format and is typically associated with Ethernet or Wi-Fi devices. The Address Resolution Protocol (ARP) uses MAC addresses when mapping IP addresses to physical MAC addresses, which is what allows devices to communicate on the local network.

MAC addresses consist of two parts: the first 24 bits identify the device manufacturer (OUI), and the last 24 bits are assigned by the manufacturer as a unique device identifier. MAC addresses operate at the data link layer (Layer 2) of the OSI model and are essential for local network traffic delivery.

MAC spoofing

MAC spoofing is the act of manually changing the MAC address of a network interface on a device in order to impersonate another device on the network. Since many access control systems rely on MAC addresses for identification, spoofing allows an attacker to potentially bypass security restrictions by mimicking an authorized device. Most operating systems and network cards support changing the MAC address, making this type of attack relatively easy to carry out.

To detect and block MAC spoofing, Portnox Cloud compares additional device-specific indicators beyond the MAC address itself. When a device connects using a known MAC, the system examines its network behavior – specifically, DHCP traffic patterns – and matches it against the expected fingerprint for that MAC. If the fingerprint does not match the previously observed profile, Portnox assumes the device has been spoofed and blocks its access, raising an alert.
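The script below is an added example, not Portnox code, that puts the fingerprinting and MAC spoofing entries into working form and also extracts the OUI described under MAC address: it normalizes a MAC address, reads its first three bytes against a small constructed vendor table (a stand-in for the public IEEE registry), parses DHCP options from constructed DISCOVER bytes into a fingerprint (vendor class identifier, option 60, and the parameter request list, option 55), and keeps the first fingerprint seen per MAC so that a later mismatch on the same MAC is denied and alerted. The option bytes, vendor table and MAC addresses are all constructed; Portnox’s actual fingerprint profiles are not on the page and are not reproduced here.

```python
from dataclasses import dataclass

# Constructed OUI table; the real source is the public IEEE registration database.
OUI_TABLE = {"00:1A:2B": "ExampleCam Inc.", "3C:4D:5E": "PrintCo Ltd."}

# Constructed DHCP DISCOVER option bytes in TLV form (code, length, value);
# code 0 is a pad byte and 255 ends the list. Option 53 = message type,
# 55 = parameter request list, 60 = vendor class identifier.
CAMERA_OPTIONS = bytes([53, 1, 1, 55, 5, 1, 3, 6, 15, 42, 60, 14]) + b"ExampleCam/1.2" + bytes([0, 255])
IMPOSTOR_OPTIONS = bytes([53, 1, 1, 55, 6, 1, 3, 6, 15, 31, 33, 60, 8]) + b"MSFT 5.0" + bytes([255])


def normalize_mac(mac: str) -> str:
    """Accept 00-1a-2b-aa-bb-cc, 001a.2baa.bbcc, ... and return 00:1A:2B:AA:BB:CC."""
    digits = "".join(c for c in mac if c in "0123456789abcdefABCDEF").upper()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui(mac: str) -> str:
    """The organizationally unique identifier: the first 24 bits (three bytes)."""
    return normalize_mac(mac)[:8]


def vendor(mac: str) -> str:
    return OUI_TABLE.get(oui(mac), "unknown vendor")


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first byte is set when the address was assigned in software
    rather than burned in by the manufacturer: a hint, not proof, of spoofing."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def parse_dhcp_options(data: bytes) -> dict:
    """Parse the DHCP options field into {code: value}, stopping at the end option."""
    opts, pos = {}, 0
    while pos < len(data):
        code = data[pos]
        if code == 0:           # pad
            pos += 1
            continue
        if code == 255:         # end
            break
        if pos + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[pos + 1]
        value = data[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        pos += 2 + length
    return opts


@dataclass(frozen=True)
class DhcpFingerprint:
    vendor_class: str            # option 60 as sent by the device
    param_request_list: tuple    # option 55: which options it asks for, in order


def fingerprint(options: bytes) -> DhcpFingerprint:
    opts = parse_dhcp_options(options)
    return DhcpFingerprint(opts.get(60, b"").decode("ascii", errors="replace"),
                           tuple(opts.get(55, b"")))


class SpoofDetector:
    """Remembers the fingerprint first seen for each MAC and flags later mismatches."""

    def __init__(self):
        self.profiles = {}
        self.alerts = []

    def evaluate(self, mac: str, dhcp_options: bytes) -> str:
        key = normalize_mac(mac)
        fp = fingerprint(dhcp_options)
        known = self.profiles.get(key)
        if known is None:
            self.profiles[key] = fp      # first sighting: learn the profile
            return "allow"
        if known == fp:
            return "allow"
        self.alerts.append(f"{key} ({vendor(key)}): DHCP fingerprint {fp.vendor_class!r} "
                           f"does not match known profile {known.vendor_class!r}; possible MAC spoofing")
        return "deny"


if __name__ == "__main__":
    detector = SpoofDetector()
    print(detector.evaluate("00:1a:2b:aa:bb:cc", CAMERA_OPTIONS))     # allow (learned)
    print(detector.evaluate("00:1a:2b:aa:bb:cc", IMPOSTOR_OPTIONS))   # deny
    print(detector.alerts)
```

The detector deliberately learns the first profile it sees, so the learned baseline is only as trustworthy as the first connection; in a real deployment the baseline is validated against the vendor profile implied by the OUI before it is relied on.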

NAS (network access server)

In the context of RADIUS, the network access server is a device or software component that provides a point of entry for users to access a network. It acts as a gateway between the user’s device and the network infrastructure. The NAS is responsible for receiving and processing user authentication requests, forwarding them to the RADIUS server, and relaying the server’s response back to the user. Typically, NAS devices include network equipment such as routers, switches, wireless access points, VPN servers, or even dedicated NAS devices. They are responsible for controlling user access to network resources, enforcing security policies, and managing network connections.

Note: The NAS acronym also stands for network-attached storage, but we never use it in this context in Portnox Cloud and its documentation.

OIDC (OpenID Connect)

OpenID Connect is an identity protocol commonly used for single sign-on (SSO). Like SAML, it allows users to authenticate once through a trusted external system and then access multiple applications without repeated logins. OIDC is built on top of the OAuth 2.0 protocol, which is a widely used standard for granting access to resources without sharing user passwords.

OAuth 2.0 is an authorization framework that allows a user to give an application access to specific data or services hosted by another system, without exposing their login credentials. OIDC extends this by adding authentication, confirming who the user is. In OIDC, the application (called the client) redirects the user to an identity provider (IdP), which handles the login. If successful, the IdP returns an ID token containing verified identity information. The client uses this token to establish a secure session with the user.

OUI (organizationally unique identifier)

An OUI is the first part of the MAC address, specifying the manufacturer of the device. OUIs are controlled by the IEEE, which assigns unique codes to manufacturers. They are also called MAC prefixes or Ethernet prefixes.

An OUI consists of 24 bits (three bytes) written as the first six hexadecimal digits of a MAC address. It is used by network tools and monitoring systems to identify device vendors and can be looked up in public IEEE registration databases.

Policy enforcement

Policy enforcement is the process of defining and applying rules that control network access based on factors such as user roles, device types, location, and time. These rules determine what resources a user or device can access.

For example, a policy might restrict a contractor’s laptop to only connect to the guest Wi-Fi network and block access to internal company resources. Enforcement ensures that network access follows the organization’s security requirements.

RADIUS (Remote Authentication Dial-In User Service)

RADIUS is a network protocol that lets you manage access to your networks. Network devices such as switches and access points can use RADIUS to authenticate and authorize devices trying to connect to the network, such as computers, mobile devices, and IoT devices.

RADIUS works over UDP and combines authentication, authorization, and accounting in a single process. It uses a client-server model in which the network device acts as the client and forwards user credentials to a central RADIUS server.
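To make the client-server exchange concrete, the following added example (not Portnox code, and not a complete RADIUS implementation) builds an Access-Request the way a NAS would, hides the User-Password with the RFC 2865 method (MD5 of the shared secret chained with the Request Authenticator), answers it the way an authentication server would, and validates the Response Authenticator on the way back. The shared secret and the user store are constructed; the second user record is a MAB entry, assuming the common NAS convention of sending the MAC address as both User-Name and User-Password.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and attribute types used below
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed demo data; the MAB record assumes MAC as both username and password.
SECRET = b"constructed-shared-secret"
USER_DB = {
    "alice": "correct horse battery",
    "00-11-22-33-44-55": "00-11-22-33-44-55",
}


def _avp(attr_type: int, value: bytes) -> bytes:
    """Attribute-value pair: Type(1) Length(1, header included) Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of hide_password; trailing pad bytes are trimmed."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, key))
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, username: str, password: str,
                         secret: bytes, request_auth: bytes = None) -> bytes:
    """NAS side: Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    request_auth = request_auth or os.urandom(16)   # must be unpredictable
    attrs = _avp(ATTR_USER_NAME, username.encode())
    attrs += _avp(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...])."""
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, data[pos + 2:pos + l]))
        pos += l
    return code, identifier, data[4:20], attrs


def _response_auth(head: bytes, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def handle_access_request(request: bytes, secret: bytes, user_db: dict) -> bytes:
    """Authentication-server side: recover the password, check it, and answer."""
    code, identifier, request_auth, attrs = parse_packet(request)
    fields = dict(attrs)
    user = fields.get(ATTR_USER_NAME, b"").decode(errors="replace")
    given = reveal_password(fields.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = (code == ACCESS_REQUEST and user in user_db
          and hmac.compare_digest(user_db[user].encode(), given))
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, 20)
    return head + _response_auth(head, request_auth, b"", secret)


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: accept the reply only if its Response Authenticator checks out."""
    code, identifier, resp_auth, _ = parse_packet(response)
    _, req_id, request_auth, _ = parse_packet(request)
    head = struct.pack("!BBH", code, identifier, len(response))
    expected = _response_auth(head, request_auth, response[20:], secret)
    return identifier == req_id and hmac.compare_digest(expected, resp_auth)


def exchange(username: str, password: str, secret: bytes = SECRET, user_db: dict = USER_DB) -> int:
    """One request/response round trip; returns the response code."""
    request = build_access_request(7, username, password, secret)
    response = handle_access_request(request, secret, user_db)
    if not verify_response(response, request, secret):
        raise RuntimeError("forged or corrupted response")
    return parse_packet(response)[0]


if __name__ == "__main__":
    names = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}
    for user, pw in (("alice", "correct horse battery"), ("alice", "wrong"),
                     ("00-11-22-33-44-55", "00-11-22-33-44-55")):
        print(user, "->", names[exchange(user, pw)])
```

Note what protects the credential on the wire: nothing more than MD5 keyed with the shared secret, over plain UDP, and the reply is authenticated only by the same secret. That is the weakness RadSec (below) addresses by carrying the whole exchange inside a TLS tunnel, and it is why the shared secret must be long, random and unique per NAS.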

RadSec (RADIUS secure)

RadSec is a security extension for the RADIUS protocol, adding a layer of encryption. This is achieved by encapsulating RADIUS messages within a TLS (Transport Layer Security) tunnel. RadSec is a standard defined in RFC 6614, but is currently supported by a limited number of NAS devices.

RadSec uses TCP as transport instead of UDP and provides server authentication, confidentiality, and integrity for RADIUS traffic. It is commonly used across untrusted networks such as the public internet to secure communication between RADIUS clients and servers.

SAML (Security Assertion Markup Language)

SAML is a standard protocol used for single sign-on (SSO). It allows users to log in once through a central system and then access multiple services without needing to log in again. This is commonly used in organizations to manage access to cloud applications and internal systems.

In a SAML setup, the central login system is called the identity provider (IdP). The service the user is trying to access, such as an application or website, is called the service provider (SP). When a user tries to access the service, they are redirected to the IdP to log in. After successful login, the IdP sends a secure message called an assertion back to the service provider. This assertion contains information that proves the user’s identity. The service provider uses this information to decide whether to allow access.

SCEP (Simple Certificate Enrollment Protocol)

The Simple Certificate Enrollment Protocol (SCEP) is a commonly used communication protocol that allows devices to seek and obtain digital certificates from a certificate authority (CA). It secures and simplifies the process of enrolling for and managing certificates. SCEP is used by integrated endpoint management solutions to distribute Portnox Cloud certificates as part of automatic device onboarding.

SCEP is an HTTP-based protocol defined in an IETF draft. It supports certificate signing requests, certificate retrieval, and certificate renewal. It uses shared secrets for initial authentication and is supported by many network devices, mobile device management systems, and public key infrastructure products.

SSO (single sign-on)

Single sign-on is a login method that lets users access multiple systems or applications with one set of credentials. Instead of logging in separately to each service, users authenticate once and gain access to all connected services without needing to enter their username and password again.

SSO works by using a central system, often called an identity provider (IdP), to handle authentication. When a user tries to access a service, the service redirects the user to the IdP. If the user is already logged in, the IdP confirms the user’s identity and sends that information back to the service. This allows the user to access multiple services securely and efficiently using a single login session.

TACACS+ (Terminal Access Controller Access-Control System Plus)

TACACS+ is a Cisco extension of the TACACS network protocol that centrally manages authentication, authorization, and accounting for network devices such as switches and routers. It is often compared to RADIUS. The main difference between RADIUS and TACACS+ lies in their functionality: RADIUS focuses on authentication and accounting, while TACACS+ provides additional features such as granular access control and command authorization for enhanced network security and administrative control.

TACACS+ uses TCP as transport on port 49 and encrypts the entire payload of each packet. It separates authentication, authorization, and accounting into distinct processes. It is commonly deployed on network access servers and device consoles for centralized administrator login and auditing.

Tenant (software)

A tenant is an instance of a software application or service that is used by a specific group or organization. Each tenant has its own isolated environment and is logically separated from other tenants, so that each organization’s data is private and secure.

A tenant can exist in cloud platforms and SaaS products. For example, an Entra ID tenant is a dedicated and isolated instance in Microsoft Entra ID used for identity, access, and resource management and is linked to a company domain and subscriptions. A Portnox Cloud tenant is a separate cloud instance where an organization manages network policies, connected devices, and user authentication independently from other organizations.

X.500 Directory Specification

The X.500 Directory Specification is a standardized protocol used in IT to structure and manage information within a directory service. This specification follows a hierarchical model where data is stored in a tree-like structure. For instance, an entry like "CN=Kosh Naranek, O=Vorlon Corp, C=US" would be organized within this structure, containing attributes such as Common Name (CN) representing the person’s name, Organization (O) detailing the company name, and Country (C) indicating the United States. X.500 is the basis for modern directory services like LDAP, ensuring orderly data storage and easy information management in networks.

X.500 defines the directory information tree, distinguished names, schema for object classes and attributes, replication of directory data between servers, and distributed directory access using the Directory Access Protocol and Directory System Protocol. It is standardized in ITU-T recommendations X.500 to X.599 and operates over OSI protocols.
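As an added example (not Portnox code, and not a directory library), the parser below handles the string form of distinguished names used by X.500 and LDAP, including the entry quoted above: it splits a DN into its RDNs and attribute/value pairs, honours backslash escapes (both the `\,` and the `\2C` hex form), accepts multi-valued RDNs joined with `+`, rebuilds a correctly escaped string, and checks whether an entry sits below a base DN, which is the test behind scoping a directory search or access rule to a subtree. The DNs used are the glossary’s example and constructed variants of it; the escaping rules follow RFC 4514.

```python
from typing import List, Tuple

RDN = List[Tuple[str, str]]     # one RDN: [(attribute, value), ...]; '+' joins multi-valued RDNs
_HEX = "0123456789abcdefABCDEF"
_SPECIAL = ',+"\\<>;'           # characters that must be escaped inside a value (RFC 4514)


def parse_dn(dn: str) -> List[RDN]:
    """Parse "CN=Kosh Naranek, O=Vorlon Corp, C=US" into RDNs, most specific first.

    A hex escape (\\2C) is treated as one Latin-1 code point; multi-byte UTF-8
    escapes are out of scope. Unescaped whitespace around types and values is
    insignificant; escaped whitespace is kept.
    """
    rdns: List[RDN] = []
    current: RDN = []
    buf: List[Tuple[str, bool]] = []        # (character, was_escaped)

    def end_pair() -> None:
        eq = next((k for k, (ch, esc) in enumerate(buf) if ch == "=" and not esc), None)
        attr = "".join(ch for ch, _ in buf[:eq]).strip() if eq is not None else ""
        if not attr:
            raise ValueError("RDN component without attribute type: %r" % "".join(ch for ch, _ in buf))
        value = buf[eq + 1:]
        while value and value[0] == (" ", False):
            value.pop(0)
        while value and value[-1] == (" ", False):
            value.pop()
        current.append((attr.upper(), "".join(ch for ch, _ in value)))
        buf.clear()

    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\":
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and pair[0] in _HEX and pair[1] in _HEX:
                buf.append((chr(int(pair, 16)), True))
                i += 3
            elif i + 1 < len(dn):
                buf.append((dn[i + 1], True))
                i += 2
            else:
                raise ValueError("dangling backslash at end of DN")
        elif c == ",":
            end_pair()
            rdns.append(current)
            current = []
            i += 1
        elif c == "+":
            end_pair()
            i += 1
        else:
            buf.append((c, False))
            i += 1
    end_pair()
    rdns.append(current)
    return rdns


def _escape(value: str) -> str:
    chars = ["\\" + ch if ch in _SPECIAL else ch for ch in value]
    if chars and chars[0] in (" ", "#"):      # leading space or '#' must be escaped
        chars[0] = "\\" + chars[0]
    if len(chars) > 1 and chars[-1] == " ":   # so must a trailing space
        chars[-1] = "\\ "
    return "".join(chars)


def format_dn(rdns: List[RDN]) -> str:
    """Inverse of parse_dn: a canonical, correctly escaped string DN."""
    return ",".join("+".join(f"{a}={_escape(v)}" for a, v in rdn) for rdn in rdns)


def _normalized(rdns: List[RDN]):
    # types are already upper-cased; values are compared case-insensitively, which
    # matches the case-ignore matching rules of CN, O and C
    return [sorted((a, v.casefold()) for a, v in rdn) for rdn in rdns]


def is_within(dn: str, base: str) -> bool:
    """True when dn equals base or sits below it in the directory information tree."""
    entry, root = _normalized(parse_dn(dn)), _normalized(parse_dn(base))
    return len(entry) >= len(root) and entry[len(entry) - len(root):] == root


if __name__ == "__main__":
    print(parse_dn("CN=Kosh Naranek, O=Vorlon Corp, C=US"))
    print(format_dn(parse_dn(r"CN=Naranek\, Kosh+UID=kosh, O=Vorlon Corp, C=US")))
    print(is_within("CN=Kosh Naranek,O=Vorlon Corp,C=US", "O=Vorlon Corp,C=US"))
```

The subtree check is the reason escaping matters for security: a value containing an unescaped comma would be read as an extra RDN and could move an entry into or out of a scoped subtree, so a DN that was not produced by `format_dn` (or an equivalent) should be parsed, never string-compared.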

ZTNA (zero trust network access)

Zero trust network access is a common industry term for a security framework that requires verification of user and device identity before granting access to network resources, including, for example, web applications and other services. It enforces access based on least-privilege principles and continuous authentication, regardless of network location. ZTNA replaces traditional perimeter-based security with strict access control based on user identity, device posture, and contextual information.

Portnox ZTNA is a product that implements this framework by enforcing access policies through continuous verification of device compliance and user credentials. It integrates with network infrastructure and authentication systems to apply dynamic, context-based access controls. Access is granted only when devices and users meet predefined security requirements.