Glossary
- Access point
- A wireless access point (WAP or AP) is a device that connects
wireless communication devices together to form a wireless network.
The WAP usually connects to a wired network and can relay data
between wireless devices and wired devices. Several WAPs can link
together to form a larger network that allows "roaming".
- Authentication
- The process of verifying the identity of a user, usually based on a
username and password.
- Authorization
- The process of granting or denying a user access to network
resources once the user has been authenticated through the username
and password.
- Accounting
- The process of keeping track of a user's activity while
accessing the network resources. Accounting data is used for trend
analysis, capacity planning, billing, auditing and cost
allocation.
- ARAP
- Short for Apple Remote Access
Protocol, an Apple authentication protocol which uses
challenges and responses, like CHAP, to avoid sending clear text
passwords through the network.
- Certificate
- A public key certificate (or certificate) is an electronic
document which incorporates a digital signature to bind together a
public key with an identity — information such as the name of a
person or an organization, their address, and so forth. The
certificate can be used to verify that a public key belongs to an
individual without exchanging secret keys. The signatures on a
certificate are of a certificate authority (CA) and attest that the
identity information and the public key belong together.
- CA
- Certificate authority (CA) is an entity which issues digital
certificates for use by other parties. There are many commercial
CAs that charge for their services. Companies, institutions and
governments may have their own CAs, and there are also free
CAs.
A CA issues digital certificates which contain a public key and the
identity of the owner. The CA also attests that the public key
contained in the certificate belongs to the
person/organization/server or other entity noted in the
certificate. A CA's obligation is to verify an applicant's
credentials, so that users and relying parties can trust the
information in the CA's certificates. If the user trusts the CA and
can verify the CA's signature, then they can also verify that a
certain public key does indeed belong to whoever is identified in
the certificate.
- Certificate revocation list
- A certificate revocation list (CRL) is a list of the serial numbers
of certificates that have been revoked, are no longer valid, and
should not be relied on by any system user.
- Certificate signing request
- A certificate signing request (CSR) is a message sent from an
applicant to a certificate authority (CA) in order to apply for a
digital identity certificate. Before creating a CSR, the applicant
first generates a key pair, keeping the private key secret. The CSR
contains information identifying the applicant and the public key
chosen by the applicant. The corresponding private key is not
included in the CSR, but is used to digitally sign the entire
request. If the request is successful, the certificate authority
will send back an identity certificate that has been digitally
signed with the private key of the certificate authority.
- CHAP
- Short for Challenge Handshake
Authentication Protocol, a type of authentication
in which the authentication agent (typically a network server)
sends the client program a random value that is used only once and
an ID value. Both the sender and peer share a predefined secret.
The peer concatenates the random value (or nonce), the ID and the
secret and calculates a one-way hash using MD5. The hash value is
sent to the authenticator, which in turn builds that same string on
its side, calculates the MD5 sum itself and compares the result
with the value received from the peer. If the values match, the
peer is authenticated.
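The exchange described above, as an added example that is not part of the original glossary or of ClearBox Server: the authenticator issues a one-time challenge and identifier, the peer answers with an MD5 digest over identifier, secret and challenge (the octet order defined in RFC 1994: Identifier, secret, Challenge), and the authenticator recomputes and compares. The in-memory `secrets` dictionary and the user name and secret are constructed for the example; the small helper at the end shows how the identifier and response are packed into the value of the RADIUS CHAP-Password attribute.

```python
import hashlib
import hmac
import os


def chap_response(ident, secret, challenge):
    """CHAP response value as defined in RFC 1994:
    MD5(Identifier || secret || Challenge), a 16-byte digest."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side of the exchange.

    Hands out a fresh random challenge per attempt, remembers the
    outstanding (identifier, challenge) pairs, and consumes each challenge
    on first use so that a captured response cannot be replayed.
    `secrets` maps user names to CHAP secrets; it is an assumed in-memory
    store for this example, not ClearBox's user database."""

    def __init__(self, secrets):
        self._secrets = secrets
        self._pending = {}      # identifier -> challenge still awaiting a reply
        self._next_id = 0

    def issue_challenge(self):
        """Return (identifier, challenge); the challenge is a 16-byte nonce."""
        ident = self._next_id
        self._next_id = (self._next_id + 1) % 256
        challenge = os.urandom(16)
        self._pending[ident] = challenge
        return ident, challenge

    def verify(self, username, ident, response):
        """Rebuild the expected digest and compare in constant time.
        An unknown user, an unknown identifier or a reused challenge all fail."""
        challenge = self._pending.pop(ident, None)
        secret = self._secrets.get(username)
        if challenge is None or secret is None:
            return False
        expected = chap_response(ident, secret, challenge)
        return hmac.compare_digest(expected, response)


def chap_password_attribute(ident, response):
    """Value of the RADIUS CHAP-Password attribute (RFC 2865, type 3):
    the CHAP identifier followed by the 16-byte response."""
    return bytes([ident]) + response


def demo():
    """One successful authentication followed by a replay of the same
    response, which must be rejected. Returns (first_result, replay_result)."""
    secret = b"alice-chap-secret"                      # constructed
    auth = ChapAuthenticator({"alice": secret})
    ident, challenge = auth.issue_challenge()
    response = chap_response(ident, secret, challenge)  # computed by the peer
    first = auth.verify("alice", ident, response)
    replay = auth.verify("alice", ident, response)
    return first, replay
```

Because the digest is unkeyed MD5 over a secret the peer must hold in recoverable form, the scheme protects the password on the wire but not against an attacker who sees the challenge/response pair and can try candidate secrets offline; that is the limitation the page's TLS-based methods (PEAP, EAP-TLS) are meant to remove.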
- Cipher suite
- The TLS protocol that underlies PEAP and EAP-TLS is capable of
using a variety of cryptographic techniques for authentication and
data privacy between a client and a RADIUS server. Each of these
combinations of techniques is called a cipher suite.
- Dictionary
- Set of known RADIUS attribute names and their types.
- Hotspot
- A hotspot is a venue that offers Wi-Fi access. Hotspots are
often found at restaurants, train stations, airports, libraries,
coffee shops, bookstores, fuel stations, department stores,
supermarkets and other public places. Many universities and schools
have wireless networks on their campuses.
- IEEE 802.1X
- IEEE 802.1X is an IEEE standard for port-based Network Access
Control. It provides authentication for devices attached to a LAN
port, establishing a point-to-point connection or preventing access
through that port if authentication fails. It is used by certain
closed wireless access points and is based on EAP (the Extensible
Authentication Protocol).
- Inner identity
- The Wi-Fi authentication protocol PEAP works by creating a
TLS-encrypted tunnel between the user and a RADIUS server.
Authentication credentials are sent inside the tunnel and are not
visible to the access point. With such tunnelled protocols the
username is sent in two places: the "outer identity", which is sent
unencrypted outside the TLS channel, and the "inner identity", which
is sent inside the encrypted TLS channel. The inner identity is the
name sent inside the channel.
- Key
- see Secret.
- LDAP
- Lightweight Directory Access Protocol, the protocol supported by
most directory services.
- MS-CHAP, MS-CHAPv2
- Short for Microsoft Challenge Handshake Authentication Protocol, a
Microsoft authentication protocol that, like CHAP, avoids sending
passwords in clear text.
- NAS
- Network Access Server. The device that accepts PPP connections and
places clients on the network that the NAS serves. A NAS is also
called a terminal server.
- Packet
- A unit of data sent over a network that encapsulates a RADIUS
message in a well-known format.
- PAP
- Short for Password Authentication
Protocol, the most basic form of authentication, in
which a user's name and password are transmitted over a network "in
the clear" (that is, in an unencrypted form) and compared to a
table of name-password pairs.
- PKI
- Public key infrastructure (PKI) is an arrangement that binds
public keys with respective user identities by means of a
certificate authority (CA). The user identity must be unique for
each CA. This is carried out by software at a CA, possibly under
human supervision, together with other coordinated software at
distributed locations. For each user, the user identity, the public
key, their binding, validity conditions and other attributes are
made unforgeable in public key certificates issued by the CA.
Most enterprise-scale PKI systems rely on certificate chains to
establish a party's identity, as a certificate may have been issued
by a certificate authority computer whose 'legitimacy' is
established for such purposes by a certificate issued by a
higher-level certificate authority, and so on. This produces a
certificate hierarchy composed of, at a minimum, several computers,
often more than one organization, and often assorted interoperating
software packages from several sources. Enterprise PKI systems are
often closely tied to an enterprise's directory scheme, in which
each employee's public key is often stored (embedded in a
certificate), together with other personal details (phone number,
email address, location, department, ...).
Windows 2000 Server and Server 2003 contain CA software that is
integrated with Active Directory.
- Proxy server
- A server that sits between a client application and a real
server. It intercepts all requests to the real server to see if it
can fulfill the requests itself. If not, it forwards the request to
the real server.
- RADIUS
- Short for Remote Authentication
Dial-In User Service, an
authentication and accounting system used by many Internet Service
Providers (ISPs). When you dial in to the ISP you must enter your
username and password. This information is passed to a RADIUS
server, which checks that the information is correct, and then
authorizes access to the ISP system.
- Realm
- A set of rules (policies) defining how the server should handle
an authentication or accounting request.
- Secret (Key, Shared secret)
- A string known to both client and server and used to validate
and/or encrypt data transmitted between them.
- Self-signed certificate
- A self-signed certificate is an identity certificate that is
signed by its own creator. That is, the person that created the
certificate also signed off on its legitimacy. Such certificates
are also termed root certificates.
- Server
- A process that receives requests from its clients, processes them
and replies to the client.
- Server Manager
- Graphical utility used to manage, configure and monitor ClearBox
Server.
- Server certificate
- In order to provide trusted network security services to
wireless clients, ClearBox Server must be able to cryptographically
identify itself to clients. To prove its identity to clients, it
sends them its digital certificate during the client login
procedure.
- State server
- A database maintained by the server that stores information on
users currently logged onto the network.
- Supplicant
- A supplicant is software installed on the client to implement the
IEEE 802.1X protocol framework and one or more EAP methods.
Supplicants are built into Windows 2000 Service Pack 4, Windows XP
Service Pack 2, Windows Vista and other operating systems and
packages.
- TKIP
- Temporal Key Integrity Protocol, part of the IEEE 802.11i
standard. TKIP implements per-packet key mixing with a re-keying
system and also provides a message integrity check. These address
the known weaknesses of WEP.
- VSA
- Vendor-Specific Attributes: RADIUS attributes defined by vendors
and carried inside the standard Vendor-Specific attribute (type 26).
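The Packet, Secret and VSA entries describe the three pieces that make up a RADIUS exchange: a packet in the RFC 2865 wire format, a shared secret that hides the User-Password and authenticates the server's reply, and vendor attributes nested inside attribute 26. The following added example, which is not code from the original glossary or from ClearBox Server, builds a constructed Access-Request, parses it back (rejecting malformed lengths rather than reading past the buffer), answers it with an Access-Accept, and verifies the Response Authenticator. The shared secret, the vendor id 12345, the NAS address 192.0.2.10 and the user credentials are all constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 2, 4, 26

# Constructed values for this example only; not from the page or ClearBox.
SHARED_SECRET = b"example-shared-secret"
EXAMPLE_VENDOR_ID = 12345


def encode_attrs(attrs):
    """Encode [(type, value_bytes)] as Type(1) Length(1) Value."""
    out = bytearray()
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value exceeds 253 octets")
        out += bytes([atype, len(value) + 2]) + value
    return bytes(out)


def encode_vsa(vendor_id, vendor_type, value):
    """Value of attribute 26: Vendor-Id(4) followed by a vendor TLV."""
    return struct.pack("!I", vendor_id) + bytes([vendor_type, len(value) + 2]) + value


def parse_vsa(value):
    """Decode a Vendor-Specific value into (vendor_id, vendor_type, data)."""
    if len(value) < 6:
        raise ValueError("VSA too short")
    vendor_id = struct.unpack("!I", value[:4])[0]
    vtype, vlen = value[4], value[5]
    if vlen < 2 or 4 + vlen > len(value):
        raise ValueError("bad vendor attribute length")
    return vendor_id, vtype, value[6:4 + vlen]


def parse_packet(data):
    """Return (code, identifier, authenticator, attrs). Every length field
    is checked against the buffer before it is used."""
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = data[pos + 2:pos + alen]
        attrs.append((atype, parse_vsa(value) if atype == VENDOR_SPECIFIC else value))
        pos += alen
    return code, ident, data[4:20], attrs


def _password_xor(data, secret, request_auth, decrypt):
    """RFC 2865 5.2 block chain: XOR each 16-octet block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += result
        prev = block if decrypt else result
    return bytes(out)


def hide_user_password(password, secret, request_auth):
    padded = password + b"\x00" * (-len(password) % 16)
    return _password_xor(padded, secret, request_auth, decrypt=False)


def reveal_user_password(hidden, secret, request_auth):
    return _password_xor(hidden, secret, request_auth, decrypt=True).rstrip(b"\x00")


def build_request(ident, request_auth, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def build_response(code, request, secret, attrs):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def verify_response(response, request, secret):
    """Client-side check that the reply came from a holder of the shared secret
    and answers this exact request (same identifier, same Request Authenticator)."""
    _, ident, resp_auth, _ = parse_packet(response)
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return ident == request[1] and hmac.compare_digest(expected, resp_auth)


def demo():
    """Constructed Access-Request with User-Name, hidden User-Password and one VSA,
    plus the Access-Accept that answers it. Returns (request, response)."""
    request_auth = os.urandom(16)
    request = build_request(7, request_auth, [
        (USER_NAME, b"alice"),
        (USER_PASSWORD, hide_user_password(b"s3cret-pw", SHARED_SECRET, request_auth)),
        (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),
        (VENDOR_SPECIFIC, encode_vsa(EXAMPLE_VENDOR_ID, 1, b"guest-vlan")),
    ])
    return request, build_response(ACCESS_ACCEPT, request, SHARED_SECRET, [])
```

Note that the Response Authenticator lets the client detect a forged or mismatched reply, but an Access-Request itself carries no integrity check unless the Message-Authenticator attribute (used by the EAP methods on this page) is present; the shared secret therefore needs to be long and random, since the User-Password hiding is only as strong as the secret.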
- WEP
- Wired Equivalent Privacy (WEP) is a scheme to secure IEEE
802.11 wireless networks. WEP was intended to provide
confidentiality comparable to that of a traditional wired network.
Several serious weaknesses were identified by cryptanalysts; a WEP
connection can be cracked with readily available software within
minutes. WEP was superseded by Wi-Fi Protected Access (WPA) and
WPA2. Despite its weaknesses, WEP provides a level of security that
may deter casual snooping.
- Wi-Fi
- Wi-Fi is a wireless technology brand owned by the Wi-Fi
Alliance intended to improve the interoperability of wireless local
area network products based on the IEEE 802.11 standards.
- WLAN
- A WLAN, or Wireless Local Area Network, like other wireless
technologies, uses radio instead of wires to transmit data back and
forth between computers on the same network.
- WPA/WPA2
- Wi-Fi Protected Access (WPA and WPA2) is a class of systems to
secure wireless (Wi-Fi) computer networks. It was created in
response to several serious weaknesses researchers had found in the
previous system, WEP. WPA is designed to work with all wireless
network interface cards, but not necessarily with first generation
wireless access points. WPA2 will not work with some older network
cards. Both provide good security, with two significant issues: 1)
Either WPA or WPA2 must be enabled and chosen in preference to WEP.
2) In "Personal" (pre-shared key, PSK) mode, the most likely choice
for homes and small offices, a passphrase is required.
Both WPA and WPA2 support EAP authentication methods using RADIUS
servers as well as pre-shared key (PSK) based security.
© 2001-2007 XPerience Technologies. www.xperiencetech.com