RADIUS (Remote Authentication Dial-In User Service) — a client–server protocol (RFC 2865) used to implement authentication, authorization, and accounting, enabling the exchange of related information between network devices and a central control system. Packets are protected only by a shared secret and MD5: the User-Password attribute is obfuscated, every other attribute travels in cleartext, so RADIUS traffic should stay on a protected management network or be carried over TLS (RadSec, RFC 6614).
802.1X (dot1x) — an IEEE standard for port-based network access control. The endpoint (supplicant) authenticates to the switch or access point (authenticator) using EAP over LAN (EAPOL); the authenticator relays the EAP exchange to an authentication server, normally over RADIUS, and forwards only EAPOL frames on the port until authentication succeeds.
MAB (MAC Authentication Bypass) — an authentication method based on the device’s MAC address. The MAC address of the connecting device is transmitted as both the login and the password. Used for authorizing devices that do not support 802.1X, such as printers, scanners, etc. Because a MAC address is visible on the wire and trivially spoofed, MAB endpoints should receive narrowly scoped authorization (a dedicated VLAN, a restrictive ACL) rather than the access granted to 802.1X-authenticated users.
LDAP (Lightweight Directory Access Protocol) — an application protocol for accessing X.500 directory services.
Directory service — a mechanism providing a hierarchical representation of resources and information about these resources.
X.500 — a series of ITU-T standards for distributed network directory services.
Active Directory (AD) — a directory service developed by Microsoft for Windows Server OS. It is an LDAP-compatible implementation with the ability to integrate with other authorization services and extended functionality.
TACACS (Terminal Access Controller Access Control System) — a protocol used for authentication, authorization, and accounting of network equipment administrators through one or several centralized servers.
TACACS+ — the next-generation version of the TACACS protocol, defined in RFC 8907. Unlike RADIUS it runs over TCP (port 49), separates authorization from authentication so that individual commands can be authorized, and obfuscates the whole packet body (not only the password) with an MD5 keystream derived from the shared secret; RFC 8907 describes this as obfuscation rather than encryption, so the protocol still belongs on a protected management network.
Netlogon — an authentication procedure implemented in Windows Server, used for authenticating users and services within an Active Directory domain.
Account (User Account) — data that defines a user in an information system; required for authentication and authorization.
Identification data — a set of information that enables identification of an individual. This includes personal information (surname, name, date of birth, document numbers), username and password, phone number, email address, and other data allowing user identification within an information system.
Role — a set of privileges that defines an administrator’s access level to system functions.
Privilege — a permission that grants access to a specific system section or function with a defined access level.
Access level — the scope of permitted actions for a privilege. Each privilege has one of five access levels: 0/1/2/3/4 = none/read/read-create/read-create-edit/read-create-edit-delete. Each level includes all permissions of the preceding levels.
Authentication — the process of determining the identity of a connecting client device or user by verifying their account credentials (login/password) or certificate, or by analyzing other parameters (location and time of connection, device MAC address, as well as profiling results). The result of this process is the decision to permit or deny network access for the device.
Authorization — the process of determining the rights of a connecting client device or user, i.e., assigning specific policies such as a VLAN or ACL. In RADIUS these are returned as attributes of the Access-Accept (for example Tunnel-Private-Group-ID for the VLAN and Filter-Id for a named ACL), which the authenticator applies to the port or session.
NAC system, authentication/authorization server, authentication server — a system that provides network access control based on administrator-defined policies. Policies allow configuring authentication and authorization based on roles, location, RADIUS attributes of network devices, and user groups. It can use internal user databases or external authentication data sources such as LDAP or MS AD. Interaction with network devices is performed via the RADIUS protocol.
Network device, authenticator, NAS (Network Access Server) — a network device that provides client device connectivity to the network and performs their authentication using the 802.1X, MAB, or portal-based authorization mechanisms.
User, client — an individual who uses endpoint equipment (personal computer, laptop, smartphone, etc.) to connect to the network.
Endpoint, supplicant — a terminal network device used to connect to the network through an authenticator device and subject to authentication and authorization. The endpoint’s MAC address is used as its unique identifier.
Authentication sources, user credential source — a service containing the list of network users, their passwords, and their group memberships. It may be implemented as records in a database used by the NAC system or as external services such as LDAP, MS AD, etc.
Identification chain — an ordered list of credential sources used to verify users during authentication and authorization.
Captive Portal — a network service implemented as a website that requires a user connected to the network to perform certain actions to obtain network access. Typically, it requires entering a predefined login/password or completing registration with confirmation of identification data. Commonly used when connecting to public Wi-Fi networks.
Web redirect (URL redirection) — a mechanism that automatically redirects a user device from one URL to another when an access attempt is made.
Captive Portal Authorization (Portal-Based Authorization) — a mechanism that intercepts user traffic on an access point or gateway and redirects it to a dedicated web page where the user must complete authentication before being granted network access.
Captive portal detection — a mechanism implemented on the user device side: the device requests a fixed probe URL and expects a known response (for example an HTTP 204 or a specific body); a redirect or any other response indicates that the network uses portal-based authorization, and the device automatically opens the portal page at the redirect URL.
Guest user (Portal user) — an individual who needs temporary, limited access to the network without a permanent user account. Such a user account can be created automatically during registration on the authorization portal with identification data confirmation (typically via a phone number).
Guest endpoint — a terminal network device used by a guest user to connect to a wireless network. It is authenticated through web redirect to the portal. The unique identifier of a guest endpoint is its MAC address combined with the wireless network identifier.
Self-registration (registration) — the process of independently creating a user account associated with specific identification data. One of the available modes of portal-based authorization. Identification data may be confirmed using a phone number, or other methods that allow identifying the user who created the account.
SMS gateway — an interface implemented by a mobile network operator that enables sending SMS messages over the Internet or other communication networks without using a mobile phone. Used by systems that need to send SMS messages, for example, a verification code during portal authorization.
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) — a test used to determine whether the user is a human or an automated program. Typically (but not necessarily), it is an image with distorted text that is generated automatically, easily readable by a human, but difficult for automated systems to recognize. Used to prevent malicious actions such as password brute-forcing or automated mass requests that may overload a server.
Wi-Fi — a wireless communication technology that allows devices to connect to a network using radio waves.
WLAN — a wireless local area network.
SSID (Service Set Identifier) — the name identifying a Wi-Fi network.
Logical condition — an administrator-defined check in the NAC system that compares data extracted from a received RADIUS request (attributes, user group, and so on) against specified values. The result of this check determines whether the RADIUS request meets the defined criterion.
Policy — a set of logical conditions configured by the NAC system administrator within a single entity, allowing RADIUS requests that fall under this policy to be processed in a defined manner.
Policy list — a list created by the administrator to define the order in which RADIUS requests are processed and to assign different processing methods to them.
Dictionaries — catalogues of known attributes and their values that can be referenced when creating authentication and authorization policy conditions, to determine which actions must be performed for a specific request.
Library conditions — predefined conditions that have been added to the library and stored in it for reuse.
Non-library conditions — conditions created by administrators for specific scenarios; they are used once and are not saved to the library.
Attribute — a criterion used for identification or decision-making.
RADIUS attribute — a characteristic used in the RADIUS protocol to exchange information between a network device and a RADIUS server for authentication, authorization, and accounting. Example: NAS-IP-Address — the IP address of the authenticator.
Non-RADIUS attribute — a characteristic not included in the RADIUS standard but used for access control, such as device type or location.
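The MAB and RADIUS attribute entries above describe what goes on the wire; the following Python is an added example, not code from the page or from the NAICE product, that builds the Access-Request an authenticator sends for a MAB endpoint (User-Name and User-Password both carrying the MAC, plus NAS-IP-Address and Calling-Station-Id), applies the RFC 2865 User-Password obfuscation with the shared secret, and parses the packet back the way a RADIUS server would, rejecting truncated or inconsistent length fields. The MAC address, NAS IP and shared secret are constructed sample values.

```python
"""RADIUS Access-Request for MAB: build, hide User-Password, parse (RFC 2865)."""
import hashlib
import ipaddress
import os
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 2, 4, 31  # RFC 2865 attribute types
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
ATTR_NAMES = {USER_NAME: "User-Name", USER_PASSWORD: "User-Password",
              NAS_IP_ADDRESS: "NAS-IP-Address", CALLING_STATION_ID: "Calling-Station-Id"}


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret || previous block)."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the server does this with its copy of the shared secret."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Type(1) | Length(1, counts these two bytes too) | Value; max value size is 253."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(identifier: int, secret: bytes, attributes: List[Tuple[int, bytes]],
                         authenticator: Optional[bytes] = None) -> bytes:
    """Assemble an Access-Request; the Request Authenticator is random unless supplied (for tests)."""
    authenticator = authenticator or os.urandom(16)
    body = b"".join(encode_attribute(t, hide_password(v, secret, authenticator) if t == USER_PASSWORD else v)
                    for t, v in attributes)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body)) + authenticator + body


def parse_packet(data: bytes) -> Tuple[int, int, bytes, List[Tuple[int, bytes]]]:
    """Return (code, identifier, authenticator, [(type, value), ...]); malformed input raises."""
    if len(data) < HEADER_LEN:
        raise ValueError("shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < HEADER_LEN or length > len(data):  # RFC 2865 3: such packets are silently discarded
        raise ValueError("bad Length field")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, data[4:HEADER_LEN], attrs


def mab_access_request(mac: str, nas_ip: str, secret: bytes, identifier: int = 1,
                       authenticator: Optional[bytes] = None) -> bytes:
    """MAB: the endpoint MAC is sent as both User-Name and User-Password."""
    hexmac = mac.replace(":", "").replace("-", "").lower().encode()
    return build_access_request(identifier, secret, [
        (USER_NAME, hexmac),
        (USER_PASSWORD, hexmac),
        (NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed),
        (CALLING_STATION_ID, mac.upper().replace(":", "-").encode()),
    ], authenticator)


def decode_mab(packet: bytes, secret: bytes) -> Dict[str, str]:
    """What the NAC server sees after un-hiding the password with its copy of the shared secret."""
    _, _, authenticator, attrs = parse_packet(packet)
    fields: Dict[str, str] = {}
    for attr_type, value in attrs:
        name = ATTR_NAMES.get(attr_type, f"Attr-{attr_type}")
        if attr_type == USER_PASSWORD:
            value = reveal_password(value, secret, authenticator)
        elif attr_type == NAS_IP_ADDRESS:
            value = str(ipaddress.IPv4Address(value)).encode()
        fields[name] = value.decode(errors="replace")
    return fields


def is_malformed(packet: bytes) -> bool:
    """True if the parser rejects the packet (used to show truncation handling)."""
    try:
        parse_packet(packet)
        return False
    except ValueError:
        return True
```

Note that everything except User-Password is readable by anyone who can capture the packet, and the obfuscation itself is only as strong as the shared secret; a wrong secret does not produce an error, just a different password, which is why a server must also validate the Message-Authenticator or rely on a protected transport.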
Profiling — the process of dynamically detecting and classifying endpoints based on attributes obtained from various probes. During profiling, the collected attributes are matched against predefined or user-defined conditions, which are then mapped to profiles for assignment to the endpoint.
Probe — a method of collecting endpoint data used in the profiling process. Data that can be collected by a DHCP probe, for example:
Vendor class identifier [DHCP option 60] — the vendor/OS class string sent by the client (e.g., MSFT 5.0);
Parameter Request List [DHCP option 55] — the option numbers requested by the client (e.g., 1,3,6,15,31,33,43,44,46,47,119,121,249,252).
These values are supplied by the endpoint itself and can be forged, so a profile derived from them should drive authorization only together with other evidence.
Profiling condition — a set of conditions that defines how collected attributes are interpreted for endpoint classification. A profiling condition links specific attribute values to particular actions or profiles. For example, if a device has specific attributes, it may be classified as a printer or a smartphone.
Profiling policy — a set of rules used for automatic endpoint classification and access management based on profiling results. Profiling policy defines which logical profiles are applied to devices and how they are handled within the network (for example, which access rights are granted).
Logical profile — a category that groups devices with common characteristics identified during profiling. Logical profiles are used within the profiling policy to assign appropriate access levels and management parameters to devices that match the profile.
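To make the probe, profiling condition and profiling policy entries concrete, the Python below is an added example, not code from the page or from the NAICE product. It parses the option TLVs of a constructed DHCPDISCOVER (the same option 60 and option 55 values cited above), turns them into attributes, and evaluates an ordered list of profiling conditions, first match wins, to assign a logical profile. The "EXAMPLE-PRINTER-VENDOR" class string, the profile names and the MAC addresses are constructed for the example; "MSFT 5.0" is the vendor class the page itself cites.

```python
"""DHCP-probe profiling: parse options 60 and 55 from a DHCPDISCOVER and classify the endpoint."""
import struct
from typing import Callable, Dict, List, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_PARAM_REQ_LIST, OPT_CLASS_ID = 53, 55, 60
BOOTP_HEADER_LEN = 236


def build_discover(mac: bytes, options: List[Tuple[int, bytes]]) -> bytes:
    """Construct a minimal DHCPDISCOVER (sample input for the example, not a capture)."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0, 0x8000)  # op, htype, hlen, hops, xid, secs, flags
    hdr += b"\x00" * 16                # ciaddr, yiaddr, siaddr, giaddr
    hdr += mac.ljust(16, b"\x00")      # chaddr
    hdr += b"\x00" * 192               # sname (64) + file (128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + DHCP_MAGIC + body + bytes([OPT_END])


def parse_options(packet: bytes) -> Dict[int, bytes]:
    """Walk the option TLVs with bounds checks; a truncated option is an error, not a partial value."""
    if len(packet) < BOOTP_HEADER_LEN + 4 or packet[BOOTP_HEADER_LEN:BOOTP_HEADER_LEN + 4] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    options: Dict[int, bytes] = {}
    pos = BOOTP_HEADER_LEN + 4
    while pos < len(packet):
        code = packet[pos]
        if code == OPT_PAD:
            pos += 1
            continue
        if code == OPT_END:
            break
        if pos + 2 > len(packet):
            raise ValueError(f"truncated header for option {code}")
        length = packet[pos + 1]
        value = packet[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated value for option {code}")
        options[code] = options.get(code, b"") + value  # RFC 3396: a split option is concatenated
        pos += 2 + length
    return options


def endpoint_attributes(packet: bytes) -> Dict[str, str]:
    """Turn the raw options into the attributes a profiling condition matches on."""
    opts = parse_options(packet)
    return {
        "dhcp-class-identifier": opts.get(OPT_CLASS_ID, b"").decode("ascii", errors="replace"),
        "dhcp-parameter-request-list": ",".join(str(b) for b in opts.get(OPT_PARAM_REQ_LIST, b"")),
    }


Condition = Callable[[Dict[str, str]], bool]

# Ordered profiling policy: the first condition that matches assigns the logical profile.
# The printer vendor string and profile names are constructed for this example.
PROFILING_POLICY: List[Tuple[str, Condition]] = [
    ("Windows-Workstation", lambda a: a["dhcp-class-identifier"].startswith("MSFT ")),
    ("Example-Printer", lambda a: a["dhcp-class-identifier"] == "EXAMPLE-PRINTER-VENDOR"),
]


def classify(attributes: Dict[str, str], policy: List[Tuple[str, Condition]] = PROFILING_POLICY) -> str:
    for profile, condition in policy:
        if condition(attributes):
            return profile
    return "Unknown"  # no condition matched: the endpoint stays unprofiled


def profile_packet(packet: bytes) -> Tuple[str, Dict[str, str]]:
    attrs = endpoint_attributes(packet)
    return classify(attrs), attrs


def is_malformed(packet: bytes) -> bool:
    """True if the option parser rejects the packet."""
    try:
        parse_options(packet)
        return False
    except ValueError:
        return True


# Constructed sample packets (MACs and the printer vendor class are invented).
WINDOWS_PARAMS = bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252])
WINDOWS_DISCOVER = build_discover(bytes.fromhex("001122334455"), [
    (OPT_MSG_TYPE, b"\x01"), (OPT_CLASS_ID, b"MSFT 5.0"), (OPT_PARAM_REQ_LIST, WINDOWS_PARAMS)])
PRINTER_DISCOVER = build_discover(bytes.fromhex("66778899aabb"), [
    (OPT_MSG_TYPE, b"\x01"), (OPT_CLASS_ID, b"EXAMPLE-PRINTER-VENDOR"), (OPT_PARAM_REQ_LIST, bytes([1, 3, 6]))])
SILENT_DISCOVER = build_discover(bytes.fromhex("ccddeeff0011"), [(OPT_MSG_TYPE, b"\x01")])
```

The policy is evaluated in order exactly like a policy list, so a broad condition placed first shadows every more specific one after it. Nothing here verifies who sent the packet: any host that sends "MSFT 5.0" in option 60 is classified as a Windows workstation, which is the reason a DHCP-derived profile should not by itself unlock a privileged VLAN.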
Licensing — the process by which a rights holder grants a user permission to use an intellectual property object (for example, software) under defined terms and conditions. In the context of NAICE documentation, licensing refers to the licensing model implemented for the product.
ELM license server — a system responsible for generating and distributing licenses for Eltex end products.
PLR (Permanent License Request), file-based licensing — a licensing model tied to the physical parameters of the host on which NAICE is installed. A key feature of this licensing type is that no connection to the ELM server is required; however, re-activation is mandatory if the host parameters change.
Licensing parameters, license parameters — a set of parameters specific to each license that define the terms and limitations of NAICE usage. Example: license validity period.
Licensing level, license level, license type — a license parameter that defines the set of NAICE functional capabilities available under a license of a given level. Example: “BASIC” — basic NAICE functionality.
License — a set of license parameter values unique to each NAICE instance. Example: a “BASIC” level license for 1000 unique endpoints with a validity period of 3 years.
Product ID — a license identifier that ensures license uniqueness and allows identification of the NAICE instance using the license.
License activation — the process of applying a license to a NAICE instance, after which the functionality corresponding to the license becomes available.
Product key file, product key — a file containing the product ID and a unique key used to validate the legitimacy of license usage for the specified Product ID. Generated by Eltex upon license purchase. To initiate license activation, this file must be uploaded to the system via the NAICE web interface on the Licensing page.
License activation file, activator file — a file generated on the software side for activation of a file-based (PLR) license.
PLR license file — a file used for file-based (PLR) software licensing, generated by Eltex based on the license activation file. This file is uploaded to the system via the NAICE web interface on the Licensing page as the final step of file-based license activation.
Digital certificate — an electronic document issued by a certification authority that confirms the association of a public key or specific attributes with its owner.
Certification Authority (CA) — a trusted entity (department or organization) whose public key is widely known and whose integrity relying parties assume. It vouches for the binding between an identity and a public key by issuing signed public key certificates; every certificate it issues is only as trustworthy as the CA’s own key protection and issuance checks.
Public key certificate / digital signature certificate (certificate) — an electronic or paper document containing a public key, information about the key owner, the scope of key usage, and the signature of the issuing certification authority, confirming that the public key belongs to the owner.
Private key of a certificate — the key generated together with the certificate’s public key. It must be kept confidential by the owner; it is used to create digital signatures and to decrypt data encrypted with the corresponding public key.
X.509 — an ITU-T standard describing the Public Key Infrastructure (PKI) and the Privilege Management Infrastructure (PMI). It defines data format standards and interaction procedures.
Public key cryptographic system — an encryption and/or digital signature system in which two keys are generated: a public key and a private key. The public key is transmitted over an open (i.e., unsecured and observable) channel and is used to verify a digital signature and encrypt messages. The private key is stored by the owner and does not require distribution. Decryption is possible only with the private key corresponding to the public key used for encryption.
Digital signature (DS) — a data attribute generated as a result of cryptographic transformation of information using a private signing key. It enables verification that the data has not been modified since the signature was created and confirmation that the signature belongs to the owner of the public key or public key certificate (non-repudiation).
EAP-TLS — an EAP method (RFC 5216) providing mutual certificate-based authentication between the supplicant and the authentication server (reached through the NAS over RADIUS) by running a TLS handshake inside EAP. Both sides present X.509 certificates, so every endpoint needs its own client certificate, and the supplicant must validate the server certificate against the expected CA and server name; otherwise a rogue access point can impersonate the network.
TLS (Transport Layer Security) — a cryptographic protocol that provides confidentiality and integrity for data transmitted over a network and authenticates the server (and optionally the client) by certificate. It ensures secure data exchange between a server and a client.
OCSP (Online Certificate Status Protocol) — a protocol (RFC 6960) used to obtain the revocation status of a single digital certificate from the CA or its delegated responder, as an alternative to downloading the full certificate revocation list (CRL). A client that cannot reach the responder has to decide whether to fail open or fail closed, and that choice should be made deliberately.
OS (Operating System) — system software designed to manage computer resources, ensure interaction between installed software components, and provide interaction with the user or other operating systems.
VM (Virtual Machine) — a software or hardware-based system that emulates a computer and provides an isolated hardware environment on a physical host.
Guest system — an operating system and applications running on a VM.
Hypervisor — specialized software that enables VM operation and allows multiple different VMs to run on a single hardware platform.
Docker, containerization — an open-source technology that automates application deployment, portability, and execution using containers, providing an isolated runtime environment for each application within a single OS. Requires operating system support for container-based virtualization. Official project website: https://www.docker.com.
Image (container image) — a container template that includes all software components required to run an application using containerization technology.
Container — an isolated environment in which software launched from an image operates as if it were running on a separate computer.
Docker Compose — a tool included in the Docker platform that enables defining and running multi-container applications in a containerized environment. It is used to describe and manage the interaction of multiple containers that form a single software system, using one or more configuration files.
SIEM (Security Information and Event Management) — specialized software that collects, aggregates, and analyzes security events from various sources within the IT infrastructure in order to detect and respond to information security threats.
Syslog — a standard protocol for collecting, transmitting, and storing event messages (logs) from information systems and networks. It enables centralized log collection from various devices such as routers, servers, and applications for subsequent analysis, monitoring, and security purposes. Messages are transmitted over the network, typically via UDP (port 514) or TCP, or over TLS (RFC 5425) when they cross untrusted networks; plain UDP syslog is neither authenticated nor reliable, so an attacker on the path can forge or drop events.
CEF (Common Event Format) — a text log format, originally defined by ArcSight, for representing information and network security events, using the Syslog protocol as the transport mechanism. A message consists of a pipe-separated header (CEF version, vendor, product, version, event class ID, name, severity) followed by key=value extension fields; pipes and backslashes in header fields and equals signs in extension values must be escaped. It is intended for transmitting security event information to a SIEM system.
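As an added example for the Syslog and CEF entries, not code from the page or from the NAICE product, the Python below serialises a constructed NAC authentication event as CEF inside an RFC 3164-style syslog record (computing PRI from facility and severity), escapes the characters that would otherwise break the format, and parses the record back into its fields. The vendor/product names reuse Eltex and NAICE from this glossary, but the event class ID, extension values, host name and timestamp are invented for the example.

```python
"""CEF over syslog: serialise a NAC authentication event with correct escaping and parse it back."""
import re
from typing import Dict, List, Tuple

CEF_VERSION = 0
FACILITY_LOCAL4, SEVERITY_WARNING = 20, 4  # syslog facility/severity codes (RFC 5424 6.2.1)


def escape_header(field: str) -> str:
    """Header fields: only backslash and the pipe separator need escaping."""
    return field.replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value: str) -> str:
    """Extension values: escape backslash, '=' and line breaks; a pipe is allowed here."""
    return value.replace("\\", "\\\\").replace("=", "\\=").replace("\r", "\\r").replace("\n", "\\n")


def build_cef(vendor: str, product: str, version: str, event_class_id: str,
              name: str, severity: int, extension: Dict[str, str]) -> str:
    if not 0 <= severity <= 10:
        raise ValueError("CEF severity must be 0..10")
    header = "|".join(escape_header(f) for f in (vendor, product, version, event_class_id, name, str(severity)))
    ext = " ".join(f"{key}={escape_extension(val)}" for key, val in extension.items())
    return f"CEF:{CEF_VERSION}|{header}|{ext}"


def syslog_line(facility: int, severity: int, timestamp: str, host: str, message: str) -> str:
    """RFC 3164-style record: <PRI>TIMESTAMP HOST MSG, where PRI = facility * 8 + severity."""
    return f"<{facility * 8 + severity}>{timestamp} {host} {message}"


def split_unescaped(text: str, sep: str, maxsplit: int) -> List[str]:
    """Split on sep, treating a backslash and the character after it as one literal unit."""
    parts, current, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])
            i += 2
        elif text[i] == sep and len(parts) < maxsplit:
            parts.append("".join(current))
            current = []
            i += 1
        else:
            current.append(text[i])
            i += 1
    parts.append("".join(current))
    return parts


def unescape(text: str) -> str:
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), text)


def parse_syslog(line: str) -> Tuple[int, int, str]:
    """Return (facility, severity, message) from a <PRI>TIMESTAMP HOST MSG record."""
    m = re.match(r"<(\d{1,3})>(\S+ +\d+ \d\d:\d\d:\d\d) (\S+) (.*)$", line, re.S)
    if not m or int(m.group(1)) > 191:
        raise ValueError("not a valid syslog record")
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(4)


def parse_cef(message: str) -> Dict[str, object]:
    """Parse the seven header fields and the key=value extension, honouring escapes."""
    if not message.startswith("CEF:"):
        raise ValueError("not a CEF message")
    fields = split_unescaped(message[4:], "|", 7)
    if len(fields) != 8:
        raise ValueError("CEF header needs 7 pipe-separated fields before the extension")
    version, vendor, product, dev_version, event_id, name, severity, ext_text = fields
    extension: Dict[str, str] = {}
    keys = list(re.finditer(r"(?:^|\s)(\w+)=", ext_text))  # an escaped '\=' never starts a key
    for idx, km in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext_text)
        extension[km.group(1)] = unescape(ext_text[km.end():end].rstrip())
    return {"version": int(version), "vendor": unescape(vendor), "product": unescape(product),
            "device_version": unescape(dev_version), "event_class_id": unescape(event_id),
            "name": unescape(name), "severity": int(severity), "extension": extension}


# Constructed event (not a real NAICE export): a MAB reject whose msg value needs escaping.
SAMPLE_EXTENSION = {"suser": "001122334455", "smac": "00:11:22:33:44:55", "src": "10.20.30.40",
                    "dvc": "10.0.0.1", "outcome": "failure", "msg": "policy=Guest|MAB reject"}
SAMPLE_LINE = syslog_line(FACILITY_LOCAL4, SEVERITY_WARNING, "Jan 15 10:42:01", "nac01",
                          build_cef("Eltex", "NAICE", "1.0", "AUTH_FAIL", "Authentication failed", 7,
                                    SAMPLE_EXTENSION))


def roundtrip(line: str) -> Dict[str, object]:
    """Parse a syslog record carrying CEF and attach the syslog facility/severity to the event."""
    facility, severity, message = parse_syslog(line)
    event = parse_cef(message)
    event["syslog_facility"], event["syslog_severity"] = facility, severity
    return event
```

The escaping matters on the receiving side: an unescaped pipe in a header field shifts every later column, and an unescaped equals sign in a value makes a parser see a bogus key, so attacker-controlled strings (user names, reasons) must go through the escaping functions before they reach the SIEM.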