Description
Format: 16mo. Paper: offset paper. Binding: paperback (perfect bound). Boxed set: no. ISBN: 9787302519768. Series: University Computer Education Famous Foreign Textbook Series (reprint edition)
About the Author 13
Chapter 1 Introduction 1
Computer Security Concepts 4
The OSI Security Architecture 8
Security Attacks 9
Security Services 11
Security Mechanisms 15
A Model for Network Security 16
Standards 19
Outline of This Book 19
Recommended Reading 20
Internet and Web Resources 20
Key Terms, Review Questions, and Problems 21
PART ONE CRYPTOGRAPHY 23
Chapter 2 Symmetric Encryption and Message Confidentiality 23
Symmetric Encryption Principles 25
Symmetric Block Encryption Algorithms 30
Random and Pseudorandom Numbers 36
Stream Ciphers and RC4 41
Cipher Block Modes of Operation 46
Recommended Reading 51
Key Terms, Review Questions, and Problems 52
Chapter 3 Public-Key Cryptography and Message Authentication 57
Approaches to Message Authentication 59
Secure Hash Functions 63
Message Authentication Codes 70
Public-Key Cryptography Principles 76
Public-Key Cryptography Algorithms 79
Digital Signatures 87
Recommended Reading 88
Key Terms, Review Questions, and Problems 88
PART TWO NETWORK SECURITY APPLICATIONS 95
Chapter 4 Key Distribution and User Authentication 95
Symmetric Key Distribution Using Symmetric Encryption 96
Kerberos 98
Key Distribution Using Asymmetric Encryption 111
X.509 Certificates 113
Public-Key Infrastructure 121
Federated Identity Management 123
Recommended Reading 129
Key Terms, Review Questions, and Problems 130
Chapter 5 Network Access Control and Cloud Security 135
Network Access Control 136
Extensible Authentication Protocol 139
IEEE 802.1X Port-Based Network Access Control 143
Cloud Computing 145
Cloud Security Risks and Countermeasures 152
Data Protection in the Cloud 154
Cloud Security as a Service 157
Recommended Reading 160
Key Terms, Review Questions, and Problems 161
Chapter 6 Transport-Level Security 162
Web Security Considerations 163
Secure Sockets Layer (SSL) 165
Transport Layer Security (TLS) 179
HTTPS 183
Secure Shell (SSH) 184
Recommended Reading 195
Key Terms, Review Questions, and Problems 196
Chapter 7 Wireless Network Security 198
Wireless Security 199
Mobile Device Security 202
IEEE 802.11 Wireless LAN Overview 206
IEEE 802.11i Wireless LAN Security 212
Recommended Reading 226
Key Terms, Review Questions, and Problems 227
Chapter 8 Electronic Mail Security 230
Pretty Good Privacy (PGP) 231
S/MIME 239
DomainKeys Identified Mail (DKIM) 255
Recommended Reading 262
Key Terms, Review Questions, and Problems 262
Chapter 9 IP Security 264
IP Security Overview 266
IP Security Policy 270
Encapsulating Security Payload 276
Combining Security Associations 283
Internet Key Exchange 287
Cryptographic Suites 295
Recommended Reading 297
Key Terms, Review Questions, and Problems 297
PART THREE SYSTEM SECURITY 299
Chapter 10 Malicious Software 299
Types of Malicious Software (Malware) 300
Propagation—Infected Content—Viruses 303
Propagation—Vulnerability Exploit—Worms 308
Propagation—Social Engineering—SPAM E-mail, Trojans 313
Payload—System Corruption 315
Payload—Attack Agent—Zombie, Bots 316
Payload—Information Theft—Keyloggers, Phishing, Spyware 318
Payload—Stealthing—Backdoors, Rootkits 319
Countermeasures 321
Distributed Denial of Service Attacks 327
Recommended Reading 332
Key Terms, Review Questions, and Problems 333
Chapter 11 Intruders 336
Intruders 338
Intrusion Detection 342
Password Management 357
Recommended Reading 368
Key Terms, Review Questions, and Problems 369
Chapter 12 Firewalls 373
The Need for Firewalls 374
Firewall Characteristics 375
Types of Firewalls 377
Firewall Basing 383
Firewall Location and Configurations 386
Recommended Reading 391
Key Terms, Review Questions, and Problems 391
APPENDICES 395
Appendix A Some Aspects of Number Theory 395
Prime and Relatively Prime Numbers 396
Modular Arithmetic 398
Appendix B Projects for Teaching Network Security 400
Research Projects 401
Hacking Project 402
Programming Projects 402
Laboratory Exercises 403
Practical Security Assessments 403
Firewall Projects 403
Case Studies 404
Writing Assignments 404
Reading/Report Assignments 404
References 405
Index 412
“There is the book, Inspector. I leave it with you, and you cannot doubt that
it contains a full explanation.”
—The Adventure of the Lion’s Mane, Sir Arthur Conan Doyle
In this age of universal electronic connectivity, of viruses and hackers, of electronic eavesdropping
and electronic fraud, there is indeed no time at which security does not matter.
Two trends have come together to make the topic of this book of vital interest. First, the
explosive growth in computer systems and their interconnections via networks has increased
the dependence of both organizations and individuals on the information stored and communicated
using these systems. This, in turn, has led to a heightened awareness of the need
to protect data and resources from disclosure, to guarantee the authenticity of data and
messages, and to protect systems from network-based attacks. Second, the disciplines of
cryptography and network security have matured, leading to the development of practical,
readily available applications to enforce network security.
Objectives
It is the purpose of this book to provide a practical survey of network security applications
and standards. The emphasis is on applications that are widely used on the Internet and for
corporate networks, and on standards (especially Internet standards) that have been widely
deployed.
What’s New in the Fifth Edition
In the four years since the fourth edition of this book was published, the field has seen continued
innovations and improvements. In this new edition, I try to capture these changes
while maintaining a broad and comprehensive coverage of the entire field. To begin this
process of revision, the fourth edition of this book was extensively reviewed by a number
of professors who teach the subject and by professionals working in the field. The result is
that, in many places, the narrative has been clarified and tightened, and illustrations have
been improved.
Beyond these refinements to improve pedagogy and user-friendliness, there have been
substantive changes throughout the book. Roughly the same chapter organization has been
retained, but much of the material has been revised and new material has been added. The
most noteworthy changes are as follows:
• Network access control: A new chapter provides coverage of network access control, including a general overview plus discussions of the Extensible Authentication Protocol and IEEE 802.1X.
Chapter 5 Network Access Control and Cloud Security
5.1 Network Access Control
Elements of a Network Access Control System
Network Access Enforcement Methods
5.2 Extensible Authentication Protocol
Authentication Methods
EAP Exchanges
5.3 IEEE 802.1X Port-Based Network Access Control
5.4 Cloud Computing
Cloud Computing Elements
Cloud Computing Reference Architecture
5.5 Cloud Security Risks and Countermeasures
5.6 Data Protection in the Cloud
5.7 Cloud Security as a Service
5.8 Recommended Reading
5.9 Key Terms, Review Questions, and Problems
Learning Objectives
After studying this chapter, you should be able to:
• Discuss the principal elements of a network access control system.
• Discuss the principal network access enforcement methods.
• Present an overview of the Extensible Authentication Protocol.
• Understand the operation and role of the IEEE 802.1X Port-Based Network Access Control mechanism.
• Present an overview of cloud computing concepts.
• Understand the unique security issues related to cloud computing.
This chapter begins our discussion of network security, focusing on two key topics:
network access control and cloud security. We begin with an overview of network
access control systems, summarizing the principal elements and techniques involved
in such a system. Next, we discuss the Extensible Authentication Protocol and
IEEE 802.1X, two widely implemented standards that are the foundation of many
network access control systems.
The remainder of the chapter deals with cloud security. We begin with an
overview of cloud computing, and follow this with a discussion of cloud security
issues.
5.1 Network Access Control
“No ticket! Dear me, Watson, this is really very singular. According to my experience it is not possible to reach the platform of a Metropolitan train without exhibiting one’s ticket.”
—The Adventure of the Bruce-Partington Plans, Sir Arthur Conan Doyle
Network access control (NAC) is an umbrella term for managing access to a network. NAC authenticates users logging into the network and determines what data they can access and actions they can perform. NAC also examines the health of the user’s computer or mobile device (the endpoints).
Elements of a Network Access Control System
NAC systems deal with three categories of components:
• Access requestor (AR): The AR is the node that is attempting to access the network and may be any device that is managed by the NAC system, including workstations, servers, printers, cameras, and other IP-enabled devices. ARs are also referred to as supplicants, or simply, clients.
• Policy server: Based on the AR’s posture and an enterprise’s defined policy, the policy server determines what access should be granted. The policy server often relies on backend systems, including antivirus, patch management, or a user directory, to help determine the host’s condition.
• Network access server (NAS): The NAS functions as an access control point for users in remote locations connecting to an enterprise’s internal network. Also called a media gateway, a remote access server (RAS), or a policy server, an NAS may include its own authentication services or rely on a separate authentication service from the policy server.
Figure 5.1 is a generic network access diagram. A variety of different ARs
seek access to an enterprise network by applying to some type of NAS. The first
step is generally to authenticate the AR. Authentication typically involves some
sort of secure protocol and the use of cryptographic keys. Authentication may be
performed by the NAS, or the NAS may mediate the authentication process. In the
latter case, authentication takes place between the supplicant and an authentication
server that is part of the policy server or that is accessed by the policy server.
Figure 5.1 Network Access Control Context (diagram: supplicants reach the enterprise network through network access servers; the enterprise network contains an authentication server, DHCP server, VLAN server, policy server, patch management, antivirus and antispyware servers, network resources, and a quarantine network)
The authentication process serves a number of purposes. It verifies a supplicant’s
claimed identity, which enables the policy server to determine what access
privileges, if any, the AR may have. The authentication exchange may result in the
establishment of session keys to enable future secure communication between the
supplicant and resources on the enterprise network.
Typically, the policy server or a supporting server will perform checks on the
AR to determine if it should be permitted interactive remote access connectivity.
These checks—sometimes called health, suitability, screening, or assessment
checks—require software on the user’s system to verify compliance with certain requirements
from the organization’s secure configuration baseline. For example, the
user’s antimalware software must be up-to-date, the operating system must be fully
patched, and the remote computer must be owned and controlled by the organization.
These checks should be performed before granting the AR access to the enterprise
network. Based on the results of these checks, the organization can determine
whether the remote computer should be permitted to use interactive remote access.
If the user has acceptable authorization credentials but the remote computer does
not pass the health check, the user and remote computer should be denied network
access or have limited access to a quarantine network so that authorized personnel
can fix the security deficiencies. Figure 5.1 indicates that the quarantine portion of
the enterprise network consists of the policy server and related AR suitability servers.
There may also be application servers that do not require the normal security
threshold be met.
Once an AR has been authenticated and cleared for a certain level of access
to the enterprise network, the NAS can enable the AR to interact with resources in
the enterprise network. The NAS may mediate every exchange to enforce a security
policy for this AR, or may use other methods to limit the privileges of the AR.
Network Access Enforcement Methods
Enforcement methods are the actions that are applied to ARs to regulate access
to the enterprise network. Many vendors support multiple enforcement methods
simultaneously, allowing the customer to tailor the configuration by using one or a
combination of methods. The following are common NAC enforcement methods.
• IEEE 802.1X: This is a link layer protocol that enforces authorization before a port is assigned an IP address. IEEE 802.1X makes use of the Extensible Authentication Protocol for the authentication process. Sections 5.2 and 5.3 cover the Extensible Authentication Protocol and IEEE 802.1X, respectively.
• Virtual local area networks (VLANs): In this approach, the enterprise network, consisting of an interconnected set of LANs, is segmented logically into a number of virtual LANs.¹ The NAC system decides to which of the network’s VLANs it will direct an AR, based on whether the device needs security remediation, Internet access only, or some level of network access to enterprise resources. VLANs can be created dynamically and VLAN membership, of both enterprise servers and ARs, may overlap. That is, an enterprise server or an AR may belong to more than one VLAN.
• Firewall: A firewall provides a form of NAC by allowing or denying network traffic between an enterprise host and an external user. Firewalls are discussed in Chapter 12.
• DHCP management: The Dynamic Host Configuration Protocol (DHCP) is an Internet protocol that enables dynamic allocation of IP addresses to hosts. A DHCP server intercepts DHCP requests and assigns IP addresses instead. Thus, NAC enforcement occurs at the IP layer based on subnet and IP assignment. A DHCP server is easy to install and configure, but is subject to various forms of IP spoofing, providing limited security.
¹ A VLAN is a logical subgroup within a LAN that is created via software rather than manually moving cables in the wiring closet. It combines user stations and network devices into a single unit regardless of the physical LAN segment they are attached to and allows traffic to flow more efficiently within populations of mutual interest. VLANs are implemented in port-switching hubs and LAN switches.
There are a number of other enforcement methods available from vendors.
The ones in the preceding list are perhaps the most common, and IEEE 802.1X is by
far the most commonly implemented solution.
5.2 Extensible Authentication Protocol
The Extensible Authentication Protocol (EAP), defined in RFC 3748, acts as a
framework for network access and authentication protocols. EAP provides a set
of protocol messages that can encapsulate various authentication methods to be
used between a client and an authentication server. EAP can operate over a variety
of network and link level facilities, including point-to-point links, LANs, and
other networks, and can accommodate the authentication needs of the various
links and networks. Figure 5.2 illustrates the protocol layers that form the context
for EAP.
Figure 5.2 EAP Layered Context (diagram: authentication methods such as EAP-TLS, EAP-TTLS, EAP-PSK, EAP-IKEv2 and others sit above the EAP layer; IEEE 802.1X EAP over LAN (EAPOL) sits between EAP and the data link layer, which may be PPP, 802.3 Ethernet, 802.11 WLAN, or another link)
Authentication Methods
EAP supports multiple authentication methods. This is what is meant by referring to
EAP as extensible. EAP provides a generic transport service for the exchange of authentication
information between a client system and an authentication server. The
basic EAP transport service is extended by using a specific authentication protocol,
or method, that is installed in both the EAP client and the authentication server.
Numerous methods have been defined to work over EAP. The following are
commonly supported EAP methods:
• EAP-TLS (EAP Transport Layer Security): EAP-TLS (RFC 5216) defines how the TLS protocol (described in Chapter 6) can be encapsulated in EAP messages. EAP-TLS uses the handshake protocol in TLS, not its encryption method. Client and server authenticate each other using digital certificates. The client generates a pre-master secret key by encrypting a random number with the server’s public key and sends it to the server. Both client and server use the pre-master secret to generate the same secret key.
• EAP-TTLS (EAP Tunneled TLS): EAP-TTLS is like EAP-TLS, except only the server has a certificate to authenticate itself to the client first. As in EAP-TLS, a secure connection (the “tunnel”) is established with secret keys, but that connection is used to continue the authentication process by authenticating the client and possibly the server again using any EAP method or a legacy method such as PAP (Password Authentication Protocol) or CHAP (Challenge-Handshake Authentication Protocol). EAP-TTLS is defined in RFC 5281.
• EAP-GPSK (EAP Generalized Pre-Shared Key): EAP-GPSK, defined in RFC 5433, is an EAP method for mutual authentication and session key derivation using a Pre-Shared Key (PSK). EAP-GPSK specifies an EAP method based on pre-shared keys and employs secret key-based cryptographic algorithms. Hence, this method is efficient in terms of message flows and computational costs, but requires the existence of pre-shared keys between each peer and EAP server. The setup of these pairwise secret keys is part of the peer registration, and thus, must satisfy the system preconditions. It provides a protected communication channel, when mutual authentication is successful, for both parties to communicate over, and is designed for authentication over insecure networks such as IEEE 802.11. EAP-GPSK does not require any public-key cryptography. The EAP method protocol exchange is done in a minimum of four messages.
• EAP-IKEv2: EAP-IKEv2 is based on the Internet Key Exchange protocol version 2 (IKEv2), which is described in Chapter 9. It supports mutual authentication and session key establishment using a variety of methods. EAP-IKEv2 is defined in RFC 5106.
EAP Exchanges
Whatever method is used for authentication, the authentication information and
authentication protocol information are carried in EAP messages.
RFC 3748 defines the goal of the exchange of EAP messages to be successful
authentication. In the context of RFC 3748, successful authentication is an exchange
of EAP messages, as a result of which the authenticator decides to allow access
by the peer, and the peer decides to use this access. The authenticator’s decision
typically involves both authentication and authorization aspects; the peer may
successfully authenticate to the authenticator, but access may be denied by the
authenticator due to policy reasons.
Figure 5.3 indicates a typical arrangement in which EAP is used. The following
components are involved:
• EAP peer: Client computer that is attempting to access a network.
• EAP authenticator: An access point or NAS that requires EAP authentication prior to granting access to a network.
• Authentication server: A server computer that negotiates the use of a specific EAP method with an EAP peer, validates the EAP peer’s credentials, and authorizes access to the network. Typically, the authentication server is a Remote Authentication Dial-In User Service (RADIUS) server.
The authentication server functions as a backend server that can authenticate
peers as a service to a number of EAP authenticators. The EAP authenticator then
makes the decision of whether to grant access. This is referred to as the EAP passthrough
mode. Less commonly, the authenticator takes over the role of the EAP
server; that is, only two parties are involved in the EAP execution.
As a first step, a lower-level protocol, such as PPP (point-to-point protocol)
or IEEE 802.1X, is used to connect to the EAP authenticator. The software
entity in the EAP peer that operates at this level is referred to as the
supplicant. EAP messages containing the appropriate information for a
chosen EAP method are then exchanged between the EAP peer and the
authentication server.
Figure 5.3 EAP Protocol Exchanges (diagram: the EAP peer and the EAP authenticator each have a lower layer (802.1X or PPP) and an EAP layer, and exchange EAP messages over the lower layer; the authenticator relays EAP messages to the authentication server over RADIUS; the method layer sits above the EAP layer at the peer and at the authentication server)
EAP messages may include the following fields:
• Code: Identifies the Type of EAP message. The codes are Request (1), Response (2), Success (3), and Failure (4).
• Identifier: Used to match Responses with Requests.
• Length: Indicates the length, in octets, of the EAP message, including the Code, Identifier, Length, and Data fields.
• Data: Contains information related to authentication. Typically, the Data field consists of a Type subfield, indicating the type of data carried, and a Type-Data field.
The Success and Failure messages do not include a Data field.
The EAP authentication exchange proceeds as follows. After a lower-level
exchange that established the need for an EAP exchange, the authenticator sends a
Request to the peer to request an identity, and the peer sends a Response with the
identity information. This is followed by a sequence of Requests by the authenticator
and Responses by the peer for the exchange of authentication information. The
information exchanged and the number of Request–Response exchanges needed
depend on the authentication method. The conversation continues until either (1)
the authenticator determines that it cannot authenticate the peer and transmits an
EAP Failure or (2) the authenticator determines that successful authentication has
occurred and transmits an EAP Success.
Figure 5.4 gives an example of an EAP exchange. Not shown in the figure is a message or signal sent from the EAP peer to the authenticator using some protocol other than EAP and requesting an EAP exchange to grant network access. One protocol used for this purpose is IEEE 802.1X, discussed in the next section. The first pair of EAP Request and Response messages is of Type identity, in which the authenticator requests the peer’s identity, and the peer returns its claimed identity in the Response message. This Response is passed through the authenticator to the authentication server. Subsequent EAP messages are exchanged between the peer and the authentication server.
Figure 5.4 EAP Message Flow in Pass-Through Mode (diagram: the authenticator sends EAP-Request/Identity to the peer; the peer’s EAP-Response/Identity is relayed to the authentication server (RADIUS); pairs of EAP-Request/Auth and EAP-Response/Auth then pass between the server and the peer through the authenticator, ending with EAP-Success or EAP-Failure)
Upon receiving the identity Response message from the peer, the server
selects an EAP method and sends the first EAP message with a Type field related
to an authentication method. If the peer supports and accepts the selected EAP
method, it replies with the corresponding Response message of the same type.
Otherwise, the peer sends a NAK, and the EAP server either selects another EAP
method or aborts the EAP execution with a failure message. The selected EAP
method determines the number of Request/Response pairs. During the exchange
the appropriate authentication information, including key material, is exchanged.
The exchange ends when the server determines that authentication has succeeded
or that no further attempt can be made and authentication has failed.
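The EAP packet layout and the pass-through conversation described in this section, as an added example that is not the book’s code: it encodes and validates packets using the Code, Identifier, Length and Type/Type-Data fields from above, then simulates the Identity request, the server’s method selection with a peer Nak, and the final Success or Failure. The Type values for Identity (1) and Nak (3) come from RFC 3748 and 13 is EAP-TLS from RFC 5216; the method-specific Request/Response pairs are assumed to complete, and the transcript format is constructed for this example.

```python
import struct

# EAP Code values listed in the text
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
# Type values from RFC 3748 (Identity, Nak) and RFC 5216 (EAP-TLS)
TYPE_IDENTITY, TYPE_NAK, TYPE_EAP_TLS = 1, 3, 13


def encode_eap(code, identifier, type_=None, type_data=b""):
    """Build Code | Identifier | Length | Data, where Data = Type | Type-Data.
    Success and Failure carry no Data field, so their Length is exactly 4."""
    if code in (SUCCESS, FAILURE):
        if type_ is not None or type_data:
            raise ValueError("Success/Failure messages have no Data field")
        data = b""
    elif code in (REQUEST, RESPONSE):
        if type_ is None:
            raise ValueError("Request/Response need a Type subfield")
        data = bytes([type_]) + bytes(type_data)
    else:
        raise ValueError("unknown Code %r" % code)
    return struct.pack("!BBH", code, identifier & 0xFF, 4 + len(data)) + data


def decode_eap(pkt):
    """Parse one EAP packet, checking the Length field against what arrived."""
    if len(pkt) < 4:
        raise ValueError("packet shorter than the 4-octet EAP header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if code not in (REQUEST, RESPONSE, SUCCESS, FAILURE):
        raise ValueError("unknown Code %d" % code)
    if length < 4 or length > len(pkt):
        raise ValueError("Length field inconsistent with received packet")
    data = pkt[4:length]          # octets beyond Length are padding, ignored
    msg = {"code": code, "id": identifier, "type": None, "type_data": b""}
    if code in (REQUEST, RESPONSE):
        if not data:
            raise ValueError("Request/Response must carry a Type subfield")
        msg["type"], msg["type_data"] = data[0], data[1:]
    elif data:
        raise ValueError("Success/Failure must not carry a Data field")
    return msg


def run_pass_through(peer_methods, server_methods, identity=b"alice@example.org"):
    """Simulate the pass-through exchange of Figure 5.4 (constructed simplification).

    The authenticator sends Request/Identity and relays the Response to the
    server; the server offers methods from server_methods in order, the peer
    Naks any it does not support, and the exchange ends with Success or Failure.
    Returns (final_code, transcript); transcript holds (sender, code, type).
    """
    transcript, state = [], {"id": 0}

    def send(sender, code, type_=None, type_data=b""):
        if code == REQUEST:           # each Request gets a fresh Identifier
            state["id"] = (state["id"] + 1) & 0xFF
        # encode then decode every message so the codec is exercised end to end
        msg = decode_eap(encode_eap(code, state["id"], type_, type_data))
        transcript.append((sender, msg["code"], msg["type"]))
        return msg

    send("authenticator", REQUEST, TYPE_IDENTITY)
    send("peer", RESPONSE, TYPE_IDENTITY, identity)     # relayed to the server
    for method in server_methods:
        send("server", REQUEST, method)
        if method in peer_methods:
            send("peer", RESPONSE, method)
            # method-specific Request/Response pairs would follow here
            send("server", SUCCESS)
            return SUCCESS, transcript
        # The Nak carries the list of methods the peer would accept instead
        send("peer", RESPONSE, TYPE_NAK, bytes(peer_methods))
    send("server", FAILURE)
    return FAILURE, transcript
```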
5.3 IEEE 802.1X Port-Based Network Access Control
IEEE 802.1X Port-Based Network Access Control was designed to provide access control
functions for LANs. Table 5.1 briefly defines key terms used in the IEEE 802.11
standard. The terms supplicant, network access point, and authentication server correspond
to the EAP terms peer, authenticator, and authentication server, respectively.
Until the AS authenticates a supplicant (using an authentication protocol),
the authenticator only passes control and authentication messages between the supplicant
and the AS; the 802.1X control channel is unblocked, but the 802.11 data
channel is blocked. Once a supplicant is authenticated and keys are provided, the
authenticator can forward data from the supplicant, subject to predefined access
control limitations for the supplicant to the network. Under these circumstances,
the data channel is unblocked.
As indicated in Figure 5.5, 802.1X uses the concepts of controlled and uncontrolled
ports. Ports are logical entities defined within the authenticator and refer to
physical network connections. Each logical port is mapped to one of these two types
of physical ports. An uncontrolled port allows the exchange of protocol data units
(PDUs) between the supplicant and the AS, regardless of the authentication state
of the supplicant. A controlled port allows the exchange of PDUs between a supplicant
and other systems on the network only if the current state of the supplicant
authorizes such an exchange.
The essential element defined in 802.1X is a protocol known as EAPOL (EAP
over LAN). EAPOL operates at the network layers and makes use of an IEEE 802
LAN, such as Ethernet or Wi-Fi, at the link level. EAPOL enables a supplicant to
communicate with an authenticator and supports the exchange of EAP packets for
authentication.
The most common EAPOL packets are listed in Table 5.2. When the
supplicant first connects to the LAN, it does not know the MAC address of the
authenticator. Actually it doesn’t know whether there is an authenticator present
at all. By sending an EAPOL-Start packet to a special group-multicast address
reserved for IEEE 802.1X authenticators, a supplicant can determine whether an
authenticator is present and let it know that the supplicant is ready. In many cases,
the authenticator will already be notified that a new device has connected from
some hardware notification. For example, a hub knows that a cable is plugged in
before the device sends any data. In this case the authenticator may preempt the
Start message with its own message. In either case the authenticator sends an EAP-Request/Identity
message encapsulated in an EAPOL-EAP packet. The EAPOL-EAP
is the EAPOL frame type used for transporting EAP packets.
The authenticator uses the EAP-Key packet to send cryptographic keys to the
supplicant once it has decided to admit it to the network. The EAP-Logoff packet
type indicates that the supplicant wishes to be disconnected from the network.
The EAPOL packet format includes the following fields:
• Protocol version: version of EAPOL.
• Packet type: indicates start, EAP, key, logoff, etc.
Table 5.1 Terminology Related to IEEE 802.1X
Authenticator: An entity at one end of a point-to-point LAN segment that facilitates authentication of the entity attached to the other end of the link.
Authentication exchange: The two-party conversation between systems performing an authentication process.
Authentication process: The cryptographic operations and supporting data frames that perform the actual authentication.
Authentication server (AS): An entity that provides an authentication service to an authenticator. This service determines, from the credentials provided by the supplicant, whether the supplicant is authorized to access the services provided by the system in which the authenticator resides.
Authentication transport: The datagram session that actively transfers the authentication exchange between two systems.
Bridge port: A port of an IEEE 802.1D or 802.1Q bridge.
Edge port: A bridge port attached to a LAN that has no other bridges attached to it.
Network access port: A point of attachment of a system to a LAN. It can be a physical port, such as a single LAN MAC attached to a physical LAN segment, or a logical port, for example, an IEEE 802.11 association between a station and an access point.
Port access entity (PAE): The protocol entity associated with a port. It can support the protocol functionality associated with the authenticator, the supplicant, or both.
Supplicant: An entity at one end of a point-to-point LAN segment that seeks to be authenticated by an authenticator attached to the other end of that link.