802.1X is a port-based network access control protocol. It authenticates and controls user devices accessing the ports of LAN access devices. If a user device passes authentication, it gets access to the resources on the LAN. Otherwise, the user device is denied as if the physical link were broken.
Authentication, authorization and accounting (AAA) is a network security mechanism that provides a framework for configuring such security functions as authentication, authorization and accounting.
Access control list (ACL) is a traffic identification mechanism. An ACL includes a set of rules configured on a network device to permit or deny specified traffic according to the predefined policy.
Challenge-Handshake Authentication Protocol (CHAP) is a network security authentication protocol. It uses a three-way handshake in which the user password is not transmitted in plain text on the network.
Endpoint Admission Defense (EAD) is a powerful security solution. It ensures that only terminal devices without potential security defects can get access to the network. EAD provides management of security policies, client ACLs, traffic monitoring policies, terminal security software, patch control, controlled software/processes/services/files, registry monitoring policies, terminal share policies, operating system password monitoring, and hierarchical node management.
Extensible Authentication Protocol (EAP) is a family of authentication protocols running between clients, devices and authentication servers.
EAP-MD5 is a unidirectional authentication mechanism based on the EAP. It uses three-way handshake authentication. In this authentication mode, a user password is not transmitted in plaintext over the network.
Protected Extensible Authentication Protocol (PEAP) initiates EAP authentication on the security channel set up by TLS authentication between a client and the AAA server. This means that EAP-TLS authentication happens before all the other identity authentication processes. The EAP-TLS authentication protects the user identity and the negotiation process of EAP authentication. To establish a TLS channel, a client certificate is not required, while an AAA server certificate is.
EAP-TLS authentication happens between clients and AAA servers through NAS devices. The TLS packets are transmitted over EAP. SessionId is used for fast reauthentication, which simplifies the authentication process. In addition, larger TLS packets are fragmented.
EAP-TTLS initiates certificate authentication over a TLS channel between the endpoint and UAM. This authentication method protects the user identity and the negotiation process of EAP authentication. Over the TLS channel, UAM can initiate EAP or non-EAP authentication.
As an intelligent client, iNode client supports 802.1X and Portal authentication. Working with the user access manager, iNode client can implement advanced features like anti-proxy, anti dual-NIC, client message and autorun task upon successful authentication. Working with the EAD Security Policy Component, iNode client can implement EAD features like anti-virus software collaboration, controllable group check and patch check.
Lightweight Directory Access Protocol (LDAP) provides a way to access the directory server (LDAP server) for authentication. The directory server provides user authentication information in a tree structure.
Password Authentication Protocol (PAP) is a network security authentication protocol. It uses a two-way handshake in which the user password is transmitted in plain text.
As a distributed protocol, Portal is used for message exchange between authentication clients and BAS devices. It is mainly used in web-based broadband access authentication systems to complete user authentication and authorization.
Remote Authentication Dial-In User Service (RADIUS) is a distributed client/server protocol for information exchange. It is widely used to prevent unauthorized access to networks that require higher security while allowing remote access, for example, to manage a number of sparsely scattered dialup users accessing through modems.
Virtual local area network (VLAN) is a technology that divides a LAN into several logical LANs (VLANs), with each VLAN being a broadcast domain. The hosts in a VLAN can communicate with each other as if they were on the same LAN, but have no direct access to hosts in other VLANs. Therefore, broadcast traffic originating on any host is received only by the hosts in the same VLAN.
The operators manage INC. You can manage the operators through the platform and specify their management rights. Besides the password, you can also limit the operator's access through the ACL. That is, the operators can log in to the system only with the IP addresses permitted by the ACL.
Service defines how an end user can use the network. A service is a set of predefined network use features, including information about authorization, authentication binding and client configuration.
Denylist is a state of the access account. A denylisted access account is temporarily not allowed to access the network. Currently there are two cases of blocking an account. Case one: You can block, for some reason, an access account manually to disable login of the account. Case two: After a certain number of consecutive unsuccessful login attempts by a suspected malicious access account, the system blocks the access account automatically. A manually blocked account has no access to the network until it is removed from the denylist manually. An automatically blocked account is automatically released at 00:00:00 the next day.
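The two denylist cases above as a small state model, added here as an example and not taken from INC itself. The failure threshold, account names and timestamps are constructed; the release time of 00:00:00 the next day and the manual-release rule follow the text.

```python
from datetime import datetime, timedelta

# Constructed threshold: the help text only says "a certain number" of
# consecutive failures, so the real value is product configuration.
MAX_CONSECUTIVE_FAILURES = 5

def ts(s: str) -> datetime:
    """Parse a constructed timestamp such as '2024-03-05 14:30:00'."""
    return datetime.fromisoformat(s)

class AccessAccount:
    """Denylist state of one access account: manual block, automatic block, or open."""

    def __init__(self, name: str):
        self.name = name
        self.failures = 0               # consecutive unsuccessful logins
        self.manual_block = False       # case one: cleared only by an operator
        self.auto_block_until = None    # case two: lifts at 00:00:00 next day

    def is_blocked(self, now: datetime) -> bool:
        if self.manual_block:
            return True
        if self.auto_block_until is not None:
            if now < self.auto_block_until:
                return True
            self.auto_block_until = None    # automatic release at midnight
            self.failures = 0
        return False

    def block_manually(self) -> None:
        self.manual_block = True

    def unblock_manually(self) -> None:
        self.manual_block = False
        self.auto_block_until = None
        self.failures = 0

    def record_login(self, credentials_ok: bool, now: datetime) -> bool:
        """Return True only if the account is not denylisted and the login succeeded."""
        if self.is_blocked(now):
            return False                # blocked even with a correct password
        if credentials_ok:
            self.failures = 0           # a success ends the consecutive run
            return True
        self.failures += 1
        if self.failures >= MAX_CONSECUTIVE_FAILURES:
            next_day = now + timedelta(days=1)
            self.auto_block_until = next_day.replace(hour=0, minute=0, second=0, microsecond=0)
        return False
```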
An access device is a switch, a router or any other device that supports RADIUS. As the RADIUS client, an access device sends RADIUS requests to the RADIUS server.
Client in this help refers to the client (generally non-iNode client) supporting standard 802.1X authentication. The client can implement authentication and authorization, but not advanced features like anti-proxy, anti dual-NIC and EAD.
As a fundamental concept of INC, user is one of the three managed objects of the system along with network and service. Network is the platform on which services are run, user uses the network, and service runs on the network. INC provides a centralized and scalable user management platform through which the users of all the services can be managed.
There are generally different services running on the network, and a user can use one or more of the services. To allow a user to use different services for various purposes, you can create multiple accounts for a user, with each account corresponding to a specific service. Normally an account includes features specific to a certain service. For example, the access account corresponds to the user access and EAD service. An account is created only when the user needs to use a certain service.
A public key certificate, often called a certificate, is attested by a digital signature. It binds the public key to the corresponding private key of a host, device or service. The certificate format complies with the ITU-T X.509 standard (which ensures interoperability between various systems using digital certificates).