HP-UX AAA Server A.06.01 Getting Started Guide: HP-UX 11.0, 11i v1, 11i v2

Chapter 4 Glossary of Terms

802.1x Advisor

The 802.1x Advisor is an HTML tutorial/help system in the Server Manager GUI that walks you through the tasks and Server Manager screens for securing WLANs with the HP-UX AAA Server.

AAA

Abbreviation for Authentication, Authorization, and Accounting.

AAA Server

A software application that performs authentication, authorization, and accounting functions.

Accounting

Logging session and usage information for session control and billing purposes.

Access-Accept

The AAA server returns an Access-Accept to the client when an Access-Request is valid. The Access-Accept will contain A-V pairs that specify what services the authenticated user is authorized to use.

Access-Challenge

The AAA server returns an Access-Challenge to the client when it is necessary to issue a challenge that the user must respond to. The client will resubmit the request with the user-supplied information to the AAA server.

Access-Reject

The AAA server returns an Access-Reject to the client when an Access-Request is invalid.

Access-Request

Created by the client, the Access-Request contains A-V Pairs, such as the user’s name, password, and ID of the client. The client submits the Access-Request to an AAA server. If the server can validate the client, the server will attempt to match a user entry in its database with information in the Access-Request to authenticate the user.

Administrator

A special user, known to the system on which the AAA server is running, who is able to configure and manage the AAA server.

Application Service Provider

Third-party entities that manage and distribute software-based services and solutions to customers across a wide area network from a central data center. Abbreviated as ASP.

ASP

Application Service Provider.

Attribute-Value Pair

The RADIUS protocol defines things in terms of attributes. Each attribute may take on one of a set of values. When a RADIUS packet is exchanged between clients and servers, one or more attributes and their values are sent pairwise from the client to the server. For the AAA Server software, all valid attributes and values are listed in the dictionary file. Abbreviated as A-V pair.

Authentication

The process of identifying and proving the identity of an entity, for example, a user, a network client, or a network server.

Authorization

The process of determining what types of activities are permitted. Usually, authorization is in the context of authentication; once users are authenticated, they may be authorized for different types of access or activity.

A-V Pair

Attribute-value pair.

Challenge Handshake Authentication Protocol

Log-in security procedure for dial-in access. Rather than sending an unencrypted password, the server sends a random number to the client as a challenge. The client one-way hashes the challenge together with the password and sends the result back to the server. The server does the same with its copy of the password and verifies that it gets the same result, thereby authenticating the user. Abbreviated as CHAP.
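The exchange described above, as an added example that is not part of the original guide: a minimal CHAP (RFC 1994) server and client in Python, where the response is MD5 over the identifier, the shared password, and the challenge. The user database, the credentials, and the function names are constructed for this example and are not the HP-UX AAA Server's own code.

```python
import hashlib
import hmac
import os

# Constructed sample user database for this example only. CHAP requires the
# server to hold the password itself (not a salted hash of it), because it
# must recompute the same one-way hash the client computed.
USER_DB = {"alice": b"correct horse battery staple"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(Identifier || secret || Challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def server_issue_challenge(length: int = 16) -> bytes:
    """Server side: a fresh, unpredictable challenge for each attempt."""
    return os.urandom(length)


def client_respond(identifier: int, challenge: bytes, password: bytes) -> bytes:
    """Client side: hash the challenge with the password; the password never
    leaves the client."""
    return chap_response(identifier, password, challenge)


def server_verify(identifier: int, challenge: bytes, username: str,
                  response: bytes) -> bool:
    """Server side: recompute the expected value from the stored password and
    compare in constant time so timing does not leak how many bytes matched."""
    secret = USER_DB.get(username)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def run_exchange(username: str, password: bytes, identifier: int = 1,
                 challenge: bytes = None) -> bool:
    """Drive one complete Challenge -> Response -> Success/Failure round."""
    if challenge is None:
        challenge = server_issue_challenge()
    response = client_respond(identifier, challenge, password)
    return server_verify(identifier, challenge, username, response)


if __name__ == "__main__":
    print("valid user:", run_exchange("alice", USER_DB["alice"]))
    print("wrong password:", run_exchange("alice", b"guess"))
    print("unknown user:", run_exchange("mallory", b"anything"))
```

Two points the definition implies but does not spell out: the challenge must be fresh and random on every attempt (reusing one lets a recorded response be replayed), and because the server recomputes the hash it must keep the password in a recoverable form, which is why CHAP-style methods are usually run inside an encrypted tunnel such as TTLS in the WLAN deployments this guide covers.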

CHAP

See Challenge Handshake Authentication Protocol.

Client

NAS, proxy server, or other networking device that uses the AAA server services to authenticate and authorize users.

Common Open Policy Service

A query and response protocol that can be used to exchange policy information between a policy server (Policy Decision Point, or PDP) and its clients (Policy Enforcement Points, or PEPs, such as a router). Abbreviated as COPS.

COPS

See Common Open Policy Service.

Dialed Number Identification Service

The number called to access a network service. Each request is authenticated locally or forwarded to a remote server according to this number.

DNIS

See Dialed Number Identification Service.

EAP

Extensible Authentication Protocol. Described in RFC 2284.

Finite State Machine

The Finite State Machine is the component of the AAA Server software that controls the flow of access request authentication and accounting request handling. Abbreviated as FSM.

Forwarding Server

The AAA server that receives an Access-Request from a client and forwards that request to another AAA server for authentication.

FSM

See Finite State Machine.

GTC (Generic Token Card)

Carries user-specific token cards for authentication. The main feature of GTC is digital certificate/token card-based authentication.

Hint

When a user requests access to a service of a specific configuration, a client may provide this information in an Access-Request as a hint to the AAA server. The server may reject the request based on the hints or supply the service as specified by the hints, by the server’s configuration, or by a combination of the hints and the server’s configuration.

IETF

See Internet Engineering Task Force.

Integrated Services Digital Network

A digital internet access line using copper phone lines.

Interlink

Used to connect multiple AAA servers in a fabric with SLAs and to establish policies among them.

Internet Engineering Task Force

Internet standards setting organization.

Internet Protocol

A Layer 3 (network layer) protocol that contains addressing information and some control information that allows packets to be routed. Abbreviated as IP.

Internet Research Task Force

A group associated with IETF focusing on research rather than standards.

Internet Service Provider

Communications service company that provides Internet access and services to its customers. ISPs range in size from small independents serving a local calling area to large, established telecommunications companies. Abbreviated as ISP.

IP

See Internet Protocol.

IRTF

See Internet Research Task Force.

ISP

Internet service provider.

ISDN

See Integrated Services Digital Network.

LAS

See Local Authorization Server.

LDAP

See Lightweight Directory Access Protocol.

Lightweight Directory Access Protocol

Used for directories providing naming, location, management, security, and other services for Internet networking. Abbreviated as LDAP.

Lightweight Extensible Authentication Protocol

Supports and manages the dynamic Wired Equivalent Privacy (WEP) key exchange between Cisco Aironet 802.11x wireless LAN clients and access points. Abbreviated as LEAP.

LEAP

See Lightweight Extensible Authentication Protocol.

Local Authorization Server

A local authorization server is the HP-UX SERVER code that authorizes, accounts for, and bills users based on realms. Abbreviated as LAS.

Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP)

An implementation of the CHAP protocol that Microsoft created to authenticate remote Windows workstations. In most respects, MS-CHAP is identical to CHAP, but there are a few differences. MS-CHAP is based on the encryption and hashing algorithms used by Windows networks, and the MS-CHAP response to a challenge is in a format optimized for compatibility with Windows operating systems.

NAS

See Network Access Server.

Navigation Tree

Refers to the navigation links on the left side of the Server Manager GUI.

Network Access Server

A device that interfaces telephony circuits to the network. Abbreviated as NAS.

PAP

See Password Authentication Protocol.

Password Authentication Protocol

A simple password protocol that transmits a user name and password across the network unencrypted. Abbreviated as PAP.

PEAP (Protected EAP)

Functionally very similar to TTLS, but does not encapsulate legacy authentication methods. PEAP features include: Dynamic Key Exchange; Mutual Authentication; and, Encrypted Tunnelling.

Point-to-Point Protocol

The standard protocol for dial-up networking. The family of standards covers many aspects including authentication, encryption, compression, addressing, multi-protocols, etc. Abbreviated as PPP.

Policy

A very broadly used term. To the AAA server, it means the conditionally applicable set of attribute-value pairs that an AAA protocol, such as RADIUS, may support. HP-UX SERVER policies are simple or complex decisions that control the authentication, authorization, and accounting process for a user's access request.

PPP

See Point-to-Point Protocol.

Protocol

A set of rules established between two devices to allow communications to occur.

Proxy

The mechanism that allows one system to mediate between two other systems in response to protocol requests. A RADIUS server can act as a proxy client and forward an Access-Request to another AAA server for authentication. As a proxy client, the server would mediate the requests and replies between the client where the Access-Request originated from and the server that the request was forwarded to.

RADIUS

See Remote Access Dial In User Service.

RADIUS Client

A NAS or other device that sends requests to an AAA server.

RAS

See Remote Access Server.

Realm

A realm is a logical group of users who usually can be authenticated using one particular method. Grouping users into realms simplifies the management of those users in a distributed environment. For example, an ISP’s users may be from different organizations located in different cities. Each organization already has one way or another to authenticate its users, and each corresponds to a realm. Each realm is responsible for managing its users, providing authentication and authorization for their access requests.
A realm has a name that looks very much like a domain name, but the two bear different meanings. Realms are only used by the AAA Server to determine where an authentication request should be sent, what kind of authentication to request, etc. Naming a realm with its domain name simplifies things for the users, since their access IDs will then look the same as their e-mail addresses. A realm may also have multiple aliases, providing a way to shorten long realm names.

Remote Access Dial In User Service

An authentication and accounting protocol defined by the IETF in a series of RFCs. Abbreviated as RADIUS.

Remote Access Server

A service that allows remote clients running Microsoft Windows or Windows NT to dial in to a network. Abbreviated as RAS.

Remote Server

In the context of a proxy Access-Request, the remote server is the AAA server that receives the request from the forwarding server. The remote server authenticates the request and sends a reply to the forwarding server.

Request For Comment

The basis for an IETF standard. Abbreviated as RFC.

RFC

See Request For Comment.

SAT

See Simultaneous Access Token.

Server Manager

A Web-based graphical user interface which provides an interface between an administrator and the AAA servers. In addition to creating, modifying, and deleting entries in many of the server’s configuration files, an administrator may start and stop the AAA server, access the server’s status and system time, retrieve information from accounting and session logs, and terminate sessions.

Service

The RADIUS client provides a service to the dial-in user, such as PPP or Telnet.

Session

Each service provided by the client to a dial-in user constitutes a session, with the beginning of the session defined as the point where service is first provided and the end of the session defined as the point where service is ended. A user may have multiple sessions in parallel or series if the RADIUS client supports that feature.

Simple Network Management Protocol (SNMP)

Provides a mechanism for a centrally located management workstation to monitor the activity of remote computers and network services.

Simultaneous Access Token

The concept of a token helps define and enforce policies regarding modem pool sharing among various participating institutions. A simultaneous access token is required when a user accesses a non-priority modem. Tokens are allocated to realms and are grouped into pools. The total number of tokens a realm has is defined by the HP-UX Server so that the LAS may control simultaneous use. Abbreviated as SAT.

SLA

Service Level Agreement.

SLS

Service Level Specification.

Token

See Simultaneous Access Token.

Token Pool

A token pool contains a number of tokens belonging to some organization and having a given name. These tokens may be shared among one or more realms.

Tunneling

A secure connection between a client workstation and an intranet or other network that provides a VPN to a user. This connection may be a voluntary tunnel initiated by the client or a compulsory tunnel initiated during authentication by a server or other dedicated network equipment.

TLS (Transport Layer Security)

Uses TLS (also known as SSL) to authenticate the client using its digital certificate. Note: some wireless supplicants require specific extensions to support certificates for EAP. TLS features include: Dynamic Key Exchange; Mutual Authentication; Digital Certificate/Token Card-based Authentication; and, Encrypted Tunnelling.

TTLS (Tunnelled-Transport Layer Security)

Can carry additional EAP or legacy authentication methods like PAP and CHAP. Integrates with the widest variety of password storage formats and existing password-based authentication systems. Wireless supplicants available for a large number of clients. TTLS features include: Dynamic Key Exchange; Mutual Authentication; Password-based Authentication; and, Encrypted Tunnelling.

Users

Individuals whom the AAA server must authenticate and authorize before they can access an organization’s service, such as Internet access through an ISP.

VPN

See Virtual Private Network.

Virtual Private Network

A network service offered by public carriers in which the user is provided a network that in many ways appears to be a private network (user-unique addressing, network management capabilities, dynamic reconfiguration, etc.) but which, in fact, is provided over the carrier's public network facilities. Abbreviated as VPN.

© 2001-2004 Hewlett-Packard Development Company, L.P.