Authentication, Authorization, and Accounting server-(Authentication, authorization, and accounting is pronounced "triple-A.") An AAA server is the central server that aggregates one or more authentication decisions, authorization decisions, or both into a single system-authorization decision, and maps this decision to a network-access profile for enforcement on the NAD.
Access-Accept-Response packet from the RADIUS server notifying the access server that the user is authenticated. This packet contains the user profile, which defines the specific AAA functions assigned to the user.
Access-Challenge-Response packet from the RADIUS server requesting that the user supply additional information before being authenticated.
Access-Request-Request packet that the access server sends to the RADIUS server requesting authentication of the user.
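As an added example (not code from the ACS documentation this glossary belongs to), the three RADIUS packet types defined above in a constructed Python exchange: the access server sends an Access-Request carrying attribute-value pairs, the RADIUS server answers with an Access-Challenge (with State) and then an Access-Accept, and the access server verifies each reply's Response Authenticator against its own request nonce and the shared secret before honouring it. Packet codes and attribute numbers are those of RFC 2865; the shared secret, user name and State value are constructed.

```python
import hashlib, hmac, os, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11   # packet codes (RFC 2865)
USER_NAME, REPLY_MESSAGE, STATE = 1, 18, 24                   # attribute types used below

def encode_avps(avps):
    """Attribute-value pairs on the wire: 1-byte type, 1-byte total length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)

def decode_avps(data):
    """Parse AVPs, rejecting truncated or zero-length entries instead of looping on them."""
    avps, pos = [], 0
    while pos < len(data):
        length = data[pos + 1] if pos + 1 < len(data) else 0
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed AVP at offset %d" % pos)
        avps.append((data[pos], data[pos + 2:pos + length]))
        pos += length
    return avps

def build_request(ident, request_auth, avps):
    """Access-Request from the access server (NAD); request_auth is a fresh 16-byte nonce."""
    attrs = encode_avps(avps)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def build_response(code, ident, request_auth, avps, secret):
    """Server reply; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    attrs = encode_avps(avps)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_response(packet, request_auth, secret):
    """NAD-side check: drop any reply whose authenticator does not match (forged or replayed)."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def exchange(secret=b"constructed-shared-secret"):
    """Constructed flow: Access-Request -> Access-Challenge -> Access-Request -> Access-Accept."""
    nonce1, nonce2 = os.urandom(16), os.urandom(16)   # one fresh Request Authenticator per request
    challenge = build_response(ACCESS_CHALLENGE, 7, nonce1,   # replies to Access-Request id 7
                               [(REPLY_MESSAGE, b"Enter token"), (STATE, b"s1")], secret)
    state = dict(decode_avps(challenge[20:]))[STATE]  # the NAD must echo State in its next request
    request2 = build_request(8, nonce2, [(USER_NAME, b"alice"), (STATE, state)])
    accept = build_response(ACCESS_ACCEPT, request2[1], nonce2, [(REPLY_MESSAGE, b"OK")], secret)
    forged = build_response(ACCESS_ACCEPT, 8, nonce2, [(REPLY_MESSAGE, b"OK")], b"wrong-secret")
    return {"challenge_code": challenge[0], "state": state,
            "accept_ok": verify_response(accept, nonce2, secret),
            "forged_ok": verify_response(forged, nonce2, secret),      # no secret -> rejected
            "replayed_ok": verify_response(accept, nonce1, secret)}    # wrong nonce -> rejected
```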
Accounting-In network management subsystems, accounting is responsible for collecting network data relating to resource usage.
Agentless host processing-A method that ACS uses to process authentication requests from hosts that do not have an authentication agent installed, such as Cisco Trust Agent.
Access Control List-Each ACL consists of a set of ACL entries.
Access Control Entry-An ACL Entry contains a type, a qualifier for the user or group to which the entry refers, and a set of permissions. For some entry types, the qualifier for the group or users is undefined.
Application Posture Token-The result of a posture validation check for a given vendor's application.
Audit server-A server that can determine the posture credentials of a host without relying on the presence of a PA on the host. The server must be able to determine the posture credentials of a host and act as a posture-validation server.
Authentication-In network management security, the verification of the identity of a person or a process.
Attribute-value pair-Encoding that the RADIUS protocol uses to specify an action that the host performs when a condition represented by the attribute value is met.
Cisco Trust Agent-The Cisco implementation of the PA.
Extensible Authentication Protocol-Provides the ability to deploy RADIUS into Ethernet network environments. EAP is defined by Internet Engineering Task Force (IETF) RFC 2284 and the IEEE 802.1x standards.
Extensible Authentication Protocol-Transport Layer Security-Uses the TLS protocol (RFC 2246), which is the latest version of the Secure Sockets Layer (SSL) protocol from the IETF. TLS provides a way to use certificates for user and server authentication and for dynamic session key generation.
Endpoint-Any machine that attempts to connect to or use the resources of a network. Also referred to as a host.
External Posture Validation Server-A Cisco or third-party server used to perform posture validation. A posture-validation server acts as an application-specific policy decision point in NAC for authorizing a set of posture credentials against a set of policy rules.
Generic Authorization Message Exchange-A Cisco protocol that is used in the Cisco Network Admission Control (NAC) environment.
GAME group feedback-Provides an added security check for MAC address authentication by checking the device-type categorization that ACS determines by associating a MAC address with a user group against information stored in a database on an audit server.
Health Registration Authority-A Microsoft certificate server that obtains health certificates on behalf of NAP clients from a public key infrastructure (PKI).
Cisco Host Credentials Authorization Protocol-A protocol that ACS uses to communicate with a Microsoft NPS.
Host-Another name for an endpoint device.
Lightweight Directory Access Protocol-A set of protocols for accessing information directories. LDAP is based on the standards contained within the X.500 standard, but is significantly simpler.
MAC authentication bypass-An authentication method that uses the MAC address of a device to authenticate the device, instead of using an IP address.
Network Admission Control-NAC is a Cisco-sponsored industry initiative that uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources, thereby limiting damage from viruses and worms. NAC is part of the Cisco Self-Defending Network, an initiative to increase network intelligence in order to enable the network to automatically identify, prevent, and adapt to security threats.
Applications that integrate with the NAC client. Examples of such applications are Cisco Security Agent and antivirus programs that provide the NAC client with attributes about themselves, such as the version number of a virus definition file.
Network Access Device-A network access device acts as a policy-enforcement point for the authorized network-access privileges that are granted to a host.
Network Access Filter-A NAF is a named group of any combination of one or more of the following network elements: IP addresses, AAA clients (network devices), and network device groups (NDGs).
Using a NAF to specify a downloadable IP ACL or Network Access Restriction based on the AAA clients through which the user may access the network saves you the effort of listing each AAA client explicitly.
NAP agent-A process running on a NAP client that sends SoHs or health certificates to ACS.
NAP client-A computer running Windows Vista or Windows Server 2008. NAP clients send their health credentials as Statements of Health (SoHs) or a health certificate.
Network Device Group-A collection of network devices that act as a single logical group.
Network Policy Server-A Microsoft server that validates health certificates from NAP clients and provides remediation instructions if needed.
Posture Agent-An application that serves as the single point of contact on the host for aggregating posture credentials from potentially multiple posture plug-ins and communicating with the network.
Protected Access Credential-A security credential that is used with EAP-FAST (Flexible Authentication via Secure Tunneling). With EAP-FAST, instead of using a certificate, mutual authentication is achieved by using a PAC, which can be managed dynamically by the authentication server. The PAC can be provisioned (distributed one time) to the client either manually or automatically. Manual provisioning is delivery to the client via disk or a secured network distribution method. Automatic provisioning is an in-band, over-the-air distribution.
Policy Decision Point-Provides facilities for policy management and conditional filters.
Policy Enforcement Point-ACS acts as the policy enforcement point for policy management.
Protected Extensible Authentication Protocol-An 802.1x authentication type for wireless LANs (WLANs). PEAP provides strong security, user database extensibility, and support for one-time token authentication and password change or aging. PEAP is based on an Internet Draft that Cisco Systems, Microsoft, and RSA Security submitted to the IETF.
Posture-State information of a network endpoint at a given point in time that represents hardware and software (OS and application) information.
Posture plug-in-A third-party DLL that provides host posture credentials to a posture agent on the same endpoint for endpoint posture validation and network authorization.
Posture Validation-Posture validation validates the collection of attributes that describe the general state and health of the user's machine (the "host").
Posture Validation Server-A posture-validation server acts as an application-specific policy-decision point in NAC for authorizing a set of posture credentials against a set of policy rules.
RADIUS Attribute Component.
Remote Authentication Dial-In User Service-A widely deployed protocol enabling centralized authentication, authorization, and accounting for network access.
Statement of Health-A message that a NAP client sends to an NPS indicating the health of the client.
Vendor Specific Attribute-Most vendors use the VSA to support value-added features.