NAC Glossary

Plain-English definitions of the acronyms, standards and Arbiter terms you'll meet in our docs and dev log.

8

802.1X
IEEE port-based network access control. The supplicant (client) authenticates to the authenticator (switch / AP), which proxies credentials to a RADIUS server.

A

Access policy (Tier 2)
The named profile that says what a permitted device actually gets: VLAN, ACL, session timeout. Matched after the auth policy (Tier 1) has decided the device is allowed to authenticate at all.
ACL
Access Control List. A named ordered set of permit / deny rules applied to a network port or VLAN. Arbiter access profiles can attach a vendor-neutral ACL name as a RADIUS attribute on Access-Accept.
Arbiter PKI
Per-tenant Root → Intermediate → Leaf chain provisioned automatically when a tenant is created. ECDSA P-256 by default. Isolated from every other tenant.
Auth policy (Tier 1)
The named rule that decides who is allowed to authenticate. Matched first; Tier 2 (access policy) follows. Default-Deny at priority 9999 catches anything Tier 1 does not permit.
Authenticator
802.1X term for the network device the supplicant talks to (switch, access point, wireless controller). Acts as a proxy: relays EAP between supplicant and RADIUS server.

B

BYO CA
Bring Your Own Certificate Authority. Importing an existing PKI root or intermediate so Arbiter trusts certificates already issued by your enterprise CA, instead of (or alongside) the per-tenant CA Arbiter provisions.

C

CoA
Change-of-Authorisation, RFC 5176. Server-initiated message to a NAS to alter or terminate an existing session (VLAN flip, quarantine, disconnect).

D

Default Deny
A pinned auth policy at the lowest priority that rejects anything no other policy permits. Auto-created for every Arbiter tenant; cannot be deleted.
DHCP fingerprinting
Inferring a device’s vendor and operating system from the shape of its DHCP Discover (options requested, ordering, vendor class). Arbiter Edge relays DHCP traffic for this purpose without responding to it.

E

EAP
Extensible Authentication Protocol, RFC 3748. The framework 802.1X uses to carry authentication exchanges. Common methods: EAP-TLS, EAP-TTLS, PEAP.
EAP-TLS
Certificate-based 802.1X variant. Both supplicant and server present X.509 certificates. The strongest 802.1X method in common use; phishing-resistant by construction.
Edge appliance
Customer-side VM or physical appliance that terminates RADIUS UDP from the LAN and tunnels to Arbiter cloud over RadSec. Holds a 30-day local cache of known-device decisions so authentication keeps working if the WAN drops.

M

MAB
MAC Authentication Bypass. RADIUS authentication using the device MAC as the username, used for devices that cannot do 802.1X (printers, IoT, some phones).
MAC address
Hardware identifier burned into the device NIC. 12 hex chars, e.g. 00:11:22:33:44:55. Used as the username under MAB and as a policy match criterion.
Message-Authenticator
RFC 3579 / RFC 2869 attribute 80. HMAC-MD5 over the RADIUS packet; defends against CVE-2024-3596 (BlastRADIUS). Arbiter enforces it on every Access-Request.
Monitor mode
Auth-policy flag that coerces would-be denies into permits while still logging the would-have-been verdict. Lets operators validate a new policy against real traffic before flipping to enforcement.
mTLS
Mutual TLS. Both client and server present and verify X.509 certificates during the TLS handshake. RadSec between Arbiter Edge and cloud is mTLS over TCP/2083.

N

NAC
Network Access Control. The policy layer that decides which devices are allowed onto a network and what they can do once on it. RADIUS-based NAC is the industry default.
NAS
Network Access Server. The RADIUS term for the device a client physically connects to (a switch, access point or wireless controller).

O

OUI
Organisationally Unique Identifier. The first 24 bits of a MAC address, assigned to the device vendor by IEEE. Useful for vendor-based policy matching ("any Cisco IP phone").

P

PEAP
Protected EAP. Tunnels MSCHAPv2 (or similar) credentials inside a server-side TLS tunnel. Easier to deploy than EAP-TLS but weaker; vulnerable to credential phishing if supplicants are misconfigured to skip server-cert validation.
PKI
Public Key Infrastructure. The set of CAs, certificates, revocation lists and tooling that issues and validates X.509 certificates. Arbiter ships a per-tenant PKI; BYO CA is supported.

R

RADIUS
Remote Authentication Dial-In User Service, RFC 2865. The 1990s-era protocol still used as the universal authentication plane for wired and wireless network access.
RadSec
RFC 6614. RADIUS over TLS over TCP/2083. The mTLS variant used between Arbiter Edge and Arbiter cloud, so RADIUS credentials and MAC addresses never cross the public internet in cleartext.
Recommendation engine
Background worker that watches real auth traffic and proposes new policies (e.g. "1,247 of these MAC OUIs are landing on Default Deny; suggested policy: permit OUI X to VLAN Y"). Suggestions are reviewable; nothing is auto-applied.

S

SIEM
Security Information and Event Management. The platform a SOC uses to centralise, search and alert on security telemetry. Sentinel, Splunk, Sumo Logic, Datadog, Elastic, Wazuh, QRadar are the common ones.
SIEM Egress
Outbound HTTPS push of Arbiter security and authentication events into your SIEM (Microsoft Sentinel, Splunk, Sumo Logic, generic webhook). Per-tenant destinations, per-stream cadence and rate caps.
Supplicant
802.1X term for the client device that initiates authentication (laptop, phone, printer). The thing trying to get on the network.

T

Tenant PSK
RADIUS shared secret. One per Arbiter tenant. Used between NAS and Edge on the LAN side.

V

VLAN
Virtual LAN. Layer-2 segmentation. Arbiter access profiles assign VLANs via standard RFC 2865 attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id) so the same policy works across any conformant switch vendor.

Missing a term?

We extend the glossary on demand. If a term you ran into on our docs or dev log isn't here, email support@arbiter.ie and we'll add it.
