NAC Glossary
Plain-English definitions of the acronyms, standards and Arbiter terms you'll meet in our docs and dev log.
8
- 802.1X
- IEEE port-based network access control. The supplicant (client) authenticates to the authenticator (switch / AP), which proxies credentials to a RADIUS server.
A
- Access policy (Tier 2)
- The named profile that says what a permitted device actually gets: VLAN, ACL, session timeout. Matched after the auth policy (Tier 1) has decided the device is allowed to authenticate at all.
- ACL
- Access Control List. A named ordered set of permit / deny rules applied to a network port or VLAN. Arbiter access profiles can attach a vendor-neutral ACL name as a RADIUS attribute on Access-Accept.
- Arbiter PKI
- Per-tenant Root → Intermediate → Leaf chain provisioned automatically when a tenant is created. ECDSA P-256 by default. Isolated from every other tenant.
- Auth policy (Tier 1)
- The named rule that decides who is allowed to authenticate. Matched first; Tier 2 (access policy) follows. Default Deny at priority 9999 catches anything Tier 1 does not permit.
- Authenticator
- 802.1X term for the network device the supplicant talks to (switch, access point, wireless controller). Acts as a proxy: relays EAP between supplicant and RADIUS server.
B
- BYO CA
- Bring Your Own Certificate Authority. Importing an existing PKI root or intermediate so Arbiter trusts certificates already issued by your enterprise CA, instead of (or alongside) the per-tenant CA Arbiter provisions.
C
- CoA
- Change-of-Authorisation, RFC 5176. Server-initiated message to a NAS to alter or terminate an existing session (VLAN flip, quarantine, disconnect).
D
- Default Deny
- A pinned auth policy at the lowest priority that rejects anything no other policy permits. Auto-created for every Arbiter tenant; cannot be deleted.
- DHCP fingerprinting
- Inferring a device’s vendor and operating system from the shape of its DHCP Discover (options requested, ordering, vendor class). Arbiter Edge relays DHCP traffic for this purpose without responding to it.
E
- EAP
- Extensible Authentication Protocol, RFC 3748. The framework 802.1X uses to carry authentication exchanges. Common methods: EAP-TLS, EAP-TTLS, PEAP.
- EAP-TLS
- Certificate-based 802.1X variant. Both supplicant and server present X.509 certificates. The strongest 802.1X method in common use; phishing-resistant by construction.
- Edge appliance
- Customer-side VM or physical appliance that terminates RADIUS UDP from the LAN and tunnels to Arbiter cloud over RadSec. Holds a 30-day local cache of known-device decisions so authentication keeps working if the WAN drops.
M
- MAB
- MAC Authentication Bypass. RADIUS authentication using the device MAC as the username, used for devices that cannot do 802.1X (printers, IoT, some phones).
- MAC address
- Hardware identifier burned into the device NIC. 12 hex chars, e.g. 00:11:22:33:44:55. Used as the username under MAB and as a policy match criterion.
- Message-Authenticator
- RFC 3579 / RFC 2869 attribute 80. HMAC-MD5 over the RADIUS packet; defends against CVE-2024-3596 (BlastRADIUS). Arbiter enforces it on every Access-Request.
- Monitor mode
- Auth-policy flag that coerces would-be denies into permits while still logging the would-have-been verdict. Lets operators validate a new policy against real traffic before flipping to enforcement.
- mTLS
- Mutual TLS. Both client and server present and verify X.509 certificates during the TLS handshake. RadSec between Arbiter Edge and cloud is mTLS over TCP/2083.
N
- NAC
- Network Access Control. The policy layer that decides which devices are allowed onto a network and what they can do once on it. RADIUS-based NAC is the industry default.
- NAS
- Network Access Server. The RADIUS term for the device a client physically connects to (a switch, access point or wireless controller).
O
- OUI
- Organisationally Unique Identifier. The first 24 bits of a MAC address, assigned to the device vendor by IEEE. Useful for vendor-based policy matching ("any Cisco IP phone").
P
- PEAP
- Protected EAP. Tunnels MSCHAPv2 (or similar) credentials inside a server-side TLS tunnel. Easier to deploy than EAP-TLS but weaker; vulnerable to credential phishing if supplicants are misconfigured to skip server-cert validation.
- PKI
- Public Key Infrastructure. The set of CAs, certificates, revocation lists and tooling that issues and validates X.509 certificates. Arbiter ships a per-tenant PKI; BYO CA is supported.
R
- RADIUS
- Remote Authentication Dial-In User Service, RFC 2865. The 1990s-era protocol still used as the universal authentication plane for wired and wireless network access.
- RadSec
- RFC 6614. RADIUS over TLS over TCP/2083. The mTLS variant used between Arbiter Edge and Arbiter cloud, so RADIUS credentials and MAC addresses never cross the public internet in cleartext.
- Recommendation engine
- Background worker that watches real auth traffic and proposes new policies (e.g. "1,247 of these MAC OUIs are landing on Default Deny; suggested policy: permit OUI X to VLAN Y"). Suggestions are reviewable; nothing is auto-applied.
S
- SIEM
- Security Information and Event Management. The platform a SOC uses to centralise, search and alert on security telemetry. Sentinel, Splunk, Sumo Logic, Datadog, Elastic, Wazuh and QRadar are the common ones.
- SIEM Egress
- Outbound HTTPS push of Arbiter security and authentication events into your SIEM (Microsoft Sentinel, Splunk, Sumo Logic, generic webhook). Per-tenant destinations, per-stream cadence and rate caps.
- Supplicant
- 802.1X term for the client device that initiates authentication (laptop, phone, printer). The thing trying to get on the network.
T
- Tenant PSK
- RADIUS shared secret. One per Arbiter tenant. Used between NAS and Edge on the LAN side.
V
- VLAN
- Virtual LAN. Layer-2 segmentation. Arbiter access profiles assign VLANs via standard RFC 2865 attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id) so the same policy works across any conformant switch vendor.
Missing a term?
We extend the glossary on demand. If a term you ran into on our docs or dev log isn't here, email support@arbiter.ie and we'll add it.