Cisco Acs 5x User Guide

Glossary
GL-11
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
I
I18N: Internationalization and localization are means of adapting software for non-native environments, especially other nations and cultures. Internationalization is the adaptation of products for potential use virtually everywhere, while localization is the addition of special features for use in a specific locale.
identity: Who someone or what something is; for example, the name by which something is known.
identity groups: A logical entity that is associated with all types of users and hosts.
incremental backup: A scheduled job that allows users to take smaller, periodic backups of the Monitoring & Report Viewer database.
integrity: The need to ensure that information has not been changed accidentally or deliberately, and that it is accurate and complete.
internal identity store: A database that contains the internal user attributes and credential information used to authenticate internal users and hosts.
IETF: Internet Engineering Task Force. The body that defines standard Internet operating protocols such as TCP/IP. The IETF is supervised by the Internet Society's Internet Architecture Board (IAB). IETF members are drawn from the Internet Society's individual and organization membership.
IPsec: Internet Protocol Security. A developing standard for security at the network or packet-processing layer of network communication.
interrupt: A signal that informs the OS that something has occurred.
intrusion detection: A security management system for computers and networks. An IDS gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization).
IP: Internet Protocol. The method or protocol by which data is sent from one computer to another on the Internet. Each computer (known as a host) on the Internet has at least one IP address that uniquely identifies it from all other computers on the Internet.
IP address: A computer's inter-network address that is assigned for use by the Internet Protocol and other protocols. An IP version 4 address is written as a series of four 8-bit numbers separated by periods.
IP flood: A denial-of-service attack that sends a host more echo request (ping) packets than the protocol implementation can handle.
IP forwarding: An operating system option that allows a host to act as a router. A system that has more than one network interface card must have IP forwarding turned on in order for the system to be able to act as a router.
IP spoofing: The technique of supplying a false IP address.

ISO: International Organization for Standardization, a voluntary, non-treaty, non-government organization, established in 1947, with voting members that are designated standards bodies of participating nations and non-voting observer organizations.
ISP: Internet Service Provider. A business or organization that provides consumers with access to the Internet and related services. In the past, most ISPs were run by the phone companies.
J
JRE: Java Runtime Environment. A software bundle that allows a computer system to run a Java application.
K
Kerberos: A system developed at the Massachusetts Institute of Technology that depends on passwords and symmetric cryptography (DES) to implement a ticket-based, peer entity authentication service and access control service distributed in a client-server network environment.
key: In cryptography, a key is a variable value that is applied using an algorithm to a string or block of unencrypted text to produce encrypted text, or to decrypt encrypted text. The length of the key is a factor in considering how difficult it will be to decrypt the text in a given message.
L
Layer 2 Forwarding Protocol (L2F): An Internet protocol (originally developed by Cisco Corporation) that uses tunneling of PPP over IP to create a virtual extension of a dial-up link across a network, initiated by the dial-up server and transparent to the dial-up user.
Layer 2 Tunneling Protocol (L2TP): An extension of the Point-to-Point Tunneling Protocol used by an Internet service provider to enable the operation of a virtual private network over the Internet.
LDAP client: A piece of software that provides access to an LDAP server. Most standard web browsers provide limited LDAP client capabilities using LDAP URLs. LDAP browsers and web interfaces are both very common examples of LDAP clients.
Lightweight Directory Access Protocol (LDAP): LDAP is a networking protocol for querying and modifying directory services running over TCP/IP. The LDAP protocol is used to locate organizations, individuals, and other resources such as files and devices in a network, on the public Internet or on a corporate intranet.
Local Operations (secondary servers only): The operations performed to register or deregister a secondary server, or to replicate a secondary server, and a request for local mode from the Join a Distributed System page.
Log Configuration: A system that uses logging categories and maintenance parameters that enable you to configure and store the logs generated for accounting messages, AAA audit and diagnostics messages, system diagnostics messages, and administrative audit messages.

M
MAC address: A physical address; a numeric value that uniquely identifies a network device from every other device on the planet.
matchingRule (LDAP): The method by which an attribute is compared in a search operation. A matchingRule is an ASN.1 definition that usually contains an OID, a name (for example, caseIgnoreMatch [OID = 2.5.23.2]), and the data type it operates on (for example, DirectoryString).
MD5: A one-way cryptographic hash function.
MIB (Management Information Base): A MIB is a formal description of a set of network objects that can be managed using SNMP (Simple Network Management Protocol).
monitoring and reports: In the ACS web interface, a drawer that contains the monitoring, reporting, and troubleshooting options.
MPPE (Microsoft Point-to-Point Encryption): A protocol for encrypting data across PPP (Point-to-Point Protocol) and Virtual Private Network links.
N
name space (LDAP): Term used to describe all DNs that lie in (or are contained within or bounded by) a given directory information tree (DIT). If the DIT root is dc=example,dc=com, then cn=people,dc=example,dc=com is said to lie in the name space but ou=people,dc=example,dc=net does not; it lies in the dc=example,dc=net name space.
naming attribute (LDAP): A unique identifier for each entry in the directory information tree (DIT). Also known as the Relative Distinguished Name (RDN).
naming context (LDAP): A unique name space starting from (and including) the root Distinguished Name (DN). Also known as namingContext or directory information tree (DIT).
NAS (Network Access Server): A single point of access to a remote resource. The NAS is meant to act as a gateway to guard access to a protected resource. This can be anything from a telephone network, to printers, to the Internet.
network device groups: A logical grouping of network devices by location and type.
network resources: A drawer that defines all network devices in the device repository that access the ACS network, including Network Device Groups (NDGs), network devices, AAA clients, and external policy servers.
P
PAP (Password Authentication Protocol): PAP is a simple authentication protocol used to authenticate a user to a remote access server or Internet service provider (ISP).

PI (Programmatic Interface): The ACS PI is a programmatic interface that provides external applications the ability to communicate with ACS to configure and operate ACS; this includes performing the following operations on ACS objects: create, update, delete, and read.
policy condition: Rule-based single conditions that are based on policies, which are sets of rules used to evaluate an access request and return a decision.
policy element: Global, shared object that defines policy conditions (for example, time and date, or custom conditions based on user-selected attributes) and permissions (for example, authorization profiles). Policy elements are referenced when you create policy rules.
port setting: You can configure ACS to authenticate using different LDAP servers, or different databases on the same LDAP server, by creating more than one LDAP instance with different IP addresses or port settings.
PPP (Point-to-Point Protocol): PPP is a protocol for communication between two computers using a serial interface, typically a personal computer connected by phone line to a server. For example, your Internet service provider may provide you with a PPP connection so that the provider's server can respond to your requests, pass them on to the Internet, and forward your requested Internet responses back to you. PPP uses the Internet Protocol (IP) and is designed to handle others. It is sometimes considered a member of the TCP/IP suite of protocols. Relative to the Open Systems Interconnection (OSI) reference model, PPP provides layer 2 (data-link layer) service. Essentially, it packages your computer's TCP/IP packets and forwards them to the server where they can actually be put on the Internet.
protocol: A protocol is the special set of rules that end points in a telecommunication connection use when they communicate. Protocols exist at several levels in a telecommunication connection. For example, there are protocols for the data interchange at the hardware device level and protocols for data interchange at the application program level. In the standard model known as Open Systems Interconnection (OSI), there are one or more protocols at each layer in the telecommunication exchange that both ends of the exchange must recognize and observe. Protocols are often described in an industry or international standard.
Proxy: An HTTP proxy is a server that acts as a middleman in the communication between HTTP clients and servers.
Public Key: In cryptography, a public key is a value provided by some designated authority as an encryption key that, combined with a private key derived from the public key, can be used to effectively encrypt messages and digital signatures. The use of combined public and private keys is known as asymmetric cryptography. A system for using public keys is called a public key infrastructure (PKI).
Public Key Infrastructure (PKI): A PKI enables users of a basically unsecure public network such as the Internet to securely and privately exchange data and money through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. The public key infrastructure provides for a digital certificate that can identify an individual or an organization, and directory services that can store and, when necessary, revoke the certificates. Although the components of a PKI are generally understood, a number of different vendor approaches and services are emerging. Meanwhile, an Internet standard for PKI is being worked on.

R
RDN (LDAP): The Relative Distinguished Name (frequently but incorrectly written as Relatively Distinguished Name). The name given to an attribute (or attributes) that is unique at its level in the hierarchy. RDNs may be single-valued or multi-valued, in which case two or more attributes are combined using + (plus) to create the RDN, e.g. cn+uid. The term RDN is only meaningful when used as part of a DN to uniquely describe the attributes on the path up the DIT from a selected entry (or search start location) to the directory root (or more correctly the Root DSE).
referral (LDAP): An operation in which the LDAP server returns to an LDAP client the name (typically in the form of an LDAP URL) of another LDAP server that might be able to provide the information requested by the LDAP client.
Remote Authentication Dial-In User Service (RADIUS): RADIUS is a client/server protocol and software that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service. RADIUS allows a company to maintain user profiles in a central database that all remote servers can share. It provides better security, allowing a company to set up a policy that can be applied at a single administered network point. Having a central service also means that it's easier to track usage for billing and for keeping network statistics.
RFC (Request for Comments): A series of memoranda that encompass new research, innovations, and methodologies applicable to Internet technologies.
Role: A set of typical administrator tasks, each with an associated set of permissions. An administrator can have more than one predefined role, and a role can apply to multiple administrators.
root (LDAP): The root entry (a.k.a. base, suffix) is one of many terms used to describe the topmost entry in a DIT. The Root DSE is a kind of super root.
Root DSE (LDAP): Conceptually the topmost entry in an LDAP hierarchy; think of it as a super root, normally invisible, i.e. not accessed in normal operations. Sometimes confused with root or base or suffix. DSE stands for DSA Specific Entry, and DSA in turn stands for Directory System Agent (any directory-enabled service providing DAP or LDAP access). Information about the rootDSE may be obtained in OpenLDAP by querying the OpenLDAProotDSE object class, and will provide information about protocol versions supported, services supported, and the naming context(s) or DIT(s) supported.
rootdn (LDAP): The rootdn is a confusingly named directive in the slapd.conf file which defines a superuser that can bypass normal directory access rules.
RPM (RedHat Package Manager): An RPM is a downloadable software package that is installable on Linux distributions that use RPM as their package management format.
S
SAN (Subject Alternative Name): Extension within certificate information.

Schema (LDAP): A package of attributes and object classes that are sometimes (nominally) related. The schema(s) in which the object classes and attributes that the application will use (reference) are packaged are identified to the LDAP server so that it can read and parse all that wonderful ASN.1 stuff. In OpenLDAP this is done using the slapd.conf file.
search (LDAP): An operation that is carried out by defining a base directory name (DN), a scope, and a search filter.
Secure Sockets Layer (SSL): A protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a public key to encrypt data that's transferred over the SSL connection. SSL is a cryptographic protocol which provides secure communications on the Internet for such things as web browsing, e-mail, Internet faxing, and other data transfers. There are slight differences between SSL 3.0 and TLS 1.0, but the protocol remains substantially the same. The term TLS as used here applies to both protocols unless clarified by context.
Security Policy: A set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources.
server: A system entity that provides a service in response to requests from other system entities called clients.
service provisioning: Service provisioning refers to the preparation beforehand of IT systems, materials, or supplies required to carry out a specific activity. This includes the provisioning of digital services such as user accounts and access privileges on systems, networks, and applications, as well as the provisioning of non-digital or physical resources such as cell phones and credit cards.
service selection policy: A set of rules that determines which access policy applies to an incoming request.
Session: A session is a virtual connection between two hosts by which network traffic is passed.
session (LDAP): A session occurs between an LDAP client and a server when the client sends a bind command. A session may be either anonymous or authenticated.
session conditions: Custom conditions, and date and time conditions.
Session Key: In the context of symmetric encryption, a key that is temporary or is used for a relatively short period of time. Usually, a session key is used for a defined period of communication between two computers, such as for the duration of a single connection or transaction set, or the key is used in an application that protects relatively large amounts of data and, therefore, needs to be re-keyed frequently.
shell profiles: The basic “permissions container” for a TACACS+ based device administration policy, in which you define permissions to be granted for a shell access request.
SLA (Service Level Agreement): An SLA is that part of a service contract in which a certain level of service is agreed upon. An SLA is a formal negotiated agreement between two parties. It is a contract that exists between customers and their service provider, or between service providers. It records the common understanding about services, priorities, responsibilities, guarantees, etc. It then specifies the levels of availability, serviceability, performance, operation, or other attributes of the service, such as billing.
SNMP (Simple Network Management Protocol): A TCP/IP network protocol that provides a means to monitor and control network devices, and to manage configurations, statistics collection, performance, and security.

SOAP (Simple Object Access Protocol): A lightweight XML-based protocol for exchange of information in a decentralized, distributed environment. SOAP consists of three parts: an envelope that defines a framework for describing what is in a message and how to process it, a set of encoding rules for expressing instances of application-defined datatypes, and a convention for representing remote procedure calls and responses.
SPML (Service Provisioning Markup Language): SPML is the open standard protocol for the integration and interoperation of service provisioning requests.
SSH (Secure Shell): A program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another.
subtype (LDAP): LDAPv3 defines a number of subtypes; at this time two have been defined: binary (in RFC 2251) and lang (in RFC 2596). Subtypes may be used when referencing an attribute to qualify it; e.g. cn;lang-en-us=smith would perform a search using US English. The subtype does not affect the encoding, since UTF-8 (used for cn) allows for all language types. lang subtypes are case insensitive.
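The name space, RDN, matchingRule and subtype entries in this glossary describe how a DN is built and how one DN is judged to lie inside another. The following is an added example, not code from the Cisco guide or from ACS, that puts those rules in working form: it parses a DN into RDNs (multi-valued RDNs joined with +, attribute options such as ;lang-en-us), and decides whether an entry lies in a naming context by comparing its trailing RDNs. It assumes RFC 4514 string syntax and compares every value case-insensitively (the caseIgnoreMatch rule); a real directory server applies each attribute's own matchingRule. The function names parse_dn, parse_rdn and in_name_space are this example's own.

```python
"""DN parsing and name-space membership checks (added example, not from the
Cisco guide). Assumes RFC 4514 string syntax: RDNs separated by ',',
multi-valued RDNs joined with '+', attribute options such as ';lang-en-us'
after the type name, and backslash escaping of special characters.
Values are compared case-insensitively (caseIgnoreMatch) for every attribute,
which is a simplification of a server applying each attribute's matchingRule.
"""
from __future__ import annotations


def _split_unescaped(s: str, sep: str) -> list[str]:
    """Split s on sep, ignoring any separator preceded by a backslash."""
    parts, cur, i = [], [], 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            cur.append(s[i : i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_rdn(rdn: str) -> list[tuple[str, list[str], str]]:
    """Parse one RDN into (type, options, value) triples.

    A multi-valued RDN such as cn=...+uid=... yields several triples;
    cn;lang-en-us=smith yields type 'cn' with options ['lang-en-us'].
    """
    avas = []
    for ava in _split_unescaped(rdn, "+"):
        if "=" not in ava:
            raise ValueError(f"malformed attribute-value assertion: {ava!r}")
        desc, value = ava.split("=", 1)
        attr_type, *options = desc.strip().split(";")
        avas.append((attr_type.strip().lower(), [o.lower() for o in options], value.strip()))
    return avas


def parse_dn(dn: str) -> list[list[tuple[str, list[str], str]]]:
    """Parse a DN into its RDNs, leftmost (leaf) first. The empty DN is the root DSE."""
    if dn.strip() == "":
        return []
    return [parse_rdn(rdn) for rdn in _split_unescaped(dn, ",")]


def _normalize(rdn) -> frozenset:
    # Attribute options (subtypes) do not change the matching value, so only the
    # type and the case-folded value take part in the comparison. A frozenset
    # makes cn=b+uid=a and uid=a+cn=b compare equal, as the RDN entry describes.
    return frozenset((t, v.lower()) for t, _opts, v in rdn)


def in_name_space(dn: str, naming_context: str) -> bool:
    """True if dn lies in the DIT rooted at naming_context (or is that root itself)."""
    entry = [_normalize(r) for r in parse_dn(dn)]
    base = [_normalize(r) for r in parse_dn(naming_context)]
    if len(base) > len(entry):
        return False
    # The naming context must be exactly the trailing RDNs of the entry's DN.
    return entry[len(entry) - len(base):] == base


if __name__ == "__main__":
    # Constructed sample DNs; the first two are the glossary's own example.
    print(in_name_space("cn=people,dc=example,dc=com", "dc=example,dc=com"))  # True
    print(in_name_space("ou=people,dc=example,dc=net", "dc=example,dc=com"))  # False
    print(parse_rdn("cn=John Smith+uid=jsmith"))
    print(parse_rdn("cn;lang-en-us=smith"))
```

Note that the check is structural, not lexical: dc=example,dc=net fails because its trailing RDN differs, even though the two strings share the dc=example component, and a bare substring test on the DN strings would get cases like this wrong.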
suffix (LDAP): Also known as root or base; one of many terms used to describe the topmost entry in a DIT. The term is typically used because this entry is usually defined in the suffix parameter in an OpenLDAP slapd.conf file. The Root DSE is a kind of super root.
system administration: The role-based administrative functions performed by a group of administrators.
system configuration: The role-based administrative functions performed by a group of administrators to configure system performance.
System Health Dashboard: The Monitoring & Report Viewer Dashboard that provides information about the health status of associated ACS instances.
system operations: A set of operations that you must perform to effectively deploy and manage the ACS servers in your network.
T
TACACS: TACACS (Terminal Access Controller Access Control System) is an older authentication protocol common to UNIX networks that allows a remote access server to forward a user's logon password to an authentication server to determine whether access can be allowed to a given system. TACACS is an encryption protocol and therefore less secure than the later TACACS+ and Remote Authentication Dial-In User Service (RADIUS) protocols.
TACACS+ settings: Used to configure TACACS+ runtime characteristics.
TCP/IP: Transmission Control Protocol/Internet Protocol is the basic communication language or protocol of the Internet. TCP/IP is a two-layer program. The higher layer, Transmission Control Protocol, manages the assembling of a message or file into smaller packets that are transmitted over the Internet and received by a TCP layer that reassembles the packets into the original message. The lower layer, Internet Protocol, handles the address part of each packet so that it gets to the right destination.

U
UDP: User Datagram Protocol. A communications protocol that offers a limited amount of service when messages are exchanged between computers in a network that uses the Internet Protocol (IP).
URL: Uniform Resource Locator. The unique address for a file that is accessible on the Internet.
user and identity store: A repository of users, user attributes, and user authentication options.
user authentication option: An option to enable or disable TACACS+ password authentication.
user attribute configuration: An administrative task consisting of configuring an internal user's identity attributes.
V
VPN: Virtual Private Network. Enables IP traffic to travel securely over a public TCP/IP network by encrypting all traffic from one network to another. A VPN uses tunneling to encrypt all information at the IP level.
VSA: Vendor Specific Attribute. A proprietary property or characteristic not provided by the standard Remote Authentication Dial-In User Service (RADIUS) attribute set. VSAs are defined by vendors of remote access servers to customize RADIUS for their servers.
W
WCS: Cisco Wireless Control System is a platform designed to help enterprises design, control, and monitor Cisco wireless LANs. WCS is the industry-leading platform for wireless LAN planning, configuration, and management.
Web server: A Web server is a program that, using the client/server model and the World Wide Web's Hypertext Transfer Protocol (HTTP), serves the files that form Web pages to Web users (whose computers contain HTTP clients that forward their requests).
Web service: A Web service is a software system designed to support interoperable machine-to-machine interaction over a network. The Web service interface is described in a machine-processable format, WSDL. Other systems interact with the Web service, typically using HTTP with an XML serialization in conjunction with other Web-related standards.
WSDL (Web Services Description Language): WSDL is an XML-based language used to describe the services a business offers and to provide a way for individuals and other businesses to access those services electronically.

X
X.509: A standard for public key infrastructure. X.509 specifies, amongst other things, standard formats for public key certificates and a certification path validation algorithm.
XML (eXtensible Markup Language): XML is a flexible way to create common information formats and share both the format and the data on the World Wide Web, intranets, and elsewhere.