1.1 NMAS Functionality

NMAS is designed to help you protect information on your network. In addition to the Password Management tool, NMAS brings together ways of authenticating to NetIQ eDirectory 8.7.3 or later networks. This helps to ensure that the people accessing your network resources are who they say they are.

1.1.1 NMAS Features

NMAS employs three different phases of operation during a user’s session on a workstation with respect to authentication devices. These phases are as follows:

  1. User Identification Phase (who are you?)

  2. Authentication (Login) Phase (prove who you say you are)

  3. Device Removal Detection Phase (are you still there?)

All three of these phases of operation are completely independent. Authentication devices can be used in each phase, but the same device need not be used each time.

User Identification Phase

This is the process of gathering the username. Also provided in this phase are the tree name, the user’s context, the server name, and the name of the NMAS sequence to be used during the Authentication phase. This authentication information can be obtained from an authentication device, or it can be entered manually by the user.

Authentication (Login) Phase

NMAS uses three different approaches to logging in to the network, called login factors. These login factors describe different items or qualities a user can use to authenticate to the network: something you know (a password), something you have (a physical device or token), and something you are (a biometric characteristic).

For more information on these login factors, see Section 1.1.2, Login and Post-Login Methods and Sequences.

Password Authentication

Passwords (something you know) are important methods for authenticating to networks. NMAS provides several password authentication options:

  • NDS password: The NDS password is stored in a hash form that is non-reversible and only the NDS system can make use of this password. This option uses the Universal Password if it is enabled and set.

  • Simple password: The simple password allows administrators to import users and passwords (clear text and hashed) from foreign LDAP directories. This option uses the Universal Password if it is enabled and set.

  • Digest-MD5 SASL: Digest-MD5 SASL provides the IETF standard DIGEST-MD5 SASL mechanism, which validates a password hashed by the MD5 algorithm for use in an LDAP SASL bind. This option uses the Universal Password if it is enabled and set.

  • Challenge/Response: Challenge/Response provides a way for a user to prove his or her identity using one or more responses to pre-configured challenge questions.

Universal Password is a way to simplify the integration and management of different password and authentication systems into a coherent network. For more information on Universal Password, see the NetIQ Password Management 3.3.2 Administration Guide.

Physical Device Authentication

NetIQ developers and third-party authentication developers have written authentication modules for NMAS for several types of physical devices (something you have):

NOTE: NMAS uses the word token to refer to all physical device authentication methods (smart cards with certificates, one-time password (OTP) devices, proximity cards, etc.).

  • Smart card: A smart card is a plastic card, about the size of a credit card, or a USB device that includes an embedded, programmable microchip that can store data and perform cryptographic functions. With NMAS, a smart card can be used to establish an identity when authenticating to eDirectory.

    NetIQ provides the NetIQ Enhanced Smart Card login method for the use of smart cards. The NetIQ Enhanced Smart Card login method is provided as part of the Identity Assurance Client. For more information, see the NetIQ Enhanced Smart Card Method 3.0 Installation and Administration Guide.

  • One-Time Password (OTP) device: An OTP device is a hand-held hardware device that generates a one-time password to authenticate its owner.

  • Proximity card: A proximity card is a card worn by a person. This technology locks and unlocks a person’s workstation based on the card’s proximity to the workstation.

    NetIQ provides the pcProx login method, which supports RFID proximity cards. The pcProx login method is provided as part of the NetIQ SecureLogin product. For more information, see NMAS Login Method and Login ID Snap-In for pcProx.

Biometric Authentication

Biometrics is the science and technology of measuring and statistically analyzing human body characteristics (something you are). Biometric methods are provided by third-party companies for use with NMAS.

Biometric authentication requires readers or scanning devices, software that converts the scanned information into digital form, and a database or directory that stores the biometric data for comparison with entered biometric data.

In converting the biometric input, the software identifies specific points of data as match points. The match points are processed by using an algorithm to create a value that can be compared with biometric data scanned when a user tries to gain access.

Some examples of biometric authentication include scans of fingerprints, retinas, irises, and facial features. Biometrics can also include handwriting, typing patterns, voice recognition, etc.

Device Removal Detection Phase

The user’s session enters this phase after login is complete. Two methods are available:

  • The Secure Workstation method, which is available with NetIQ SecureLogin. The user’s session can be terminated when an authentication device (such as a smart card) is removed. This device need not be used in any of the other phases.

    For more information on the Secure Workstation method, see the NetIQ SecureLogin 7.0 SP3 Administration Guide.

  • The NetIQ Enhanced Smart Card login method also provides smart card removal detection. For more information on the NetIQ Enhanced Smart Card login method, see the NetIQ Enhanced Smart Card Method Installation Guide.

1.1.2 Login and Post-Login Methods and Sequences

A login method is a specific implementation of a login factor. NMAS provides multiple login methods to choose from based on the three login factors (password, physical device or token, and biometric authentication).

A post-login method is a security process that is executed after a user has authenticated to NetIQ eDirectory. For example, one post-login method is the NetIQ Secure Workstation method (available with NetIQ SecureLogin), which requires the user to provide credentials in order to access the computer after the workstation is locked.

NMAS software includes support for a number of login and post-login methods from NetIQ and from third-party authentication developers. Additional hardware might be required, depending on the login method. Refer to the third-party product's documentation for more information.

After you have decided upon and installed a method, you need to assign it to a login sequence in order for it to be used. A login sequence is an ordered set of one or more methods. Users log in to the network by using these defined login sequences. If the sequence contains more than one method, the methods are presented to the user in the order specified. Login methods are presented first, followed by post-login methods.

NMAS supports both And and Or login sequences. An And login sequence requires all of the login methods in the sequence to complete successfully. An Or login sequence requires only one of the login methods in the sequence to complete successfully. An example of an Or login sequence is one that lets users use the same login sequence to log in to workstations equipped with different authentication devices.
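The sequence semantics described above (methods presented in order, login methods before post-login methods, And requiring every method to succeed, Or requiring only one) can be modelled in a few dozen lines. The following is an added example written for this guide; it is not NMAS code and does not call any NMAS API. The `Method` and `LoginSequence` classes, the sample method implementations, and all credential values (the salt, the card serial, the OTP value) are constructed for the example.

```python
"""Model of NMAS-style And / Or login sequences (illustrative, not NMAS code)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# A method is a named check over the credentials the user presented.
Check = Callable[[Dict[str, str]], bool]


@dataclass
class Method:
    name: str
    check: Check
    post_login: bool = False   # post-login methods run only after authentication


@dataclass
class LoginSequence:
    name: str
    mode: str                  # "and" or "or"
    methods: List[Method]

    def __post_init__(self) -> None:
        if self.mode not in ("and", "or"):
            raise ValueError("mode must be 'and' or 'or'")

    def evaluate(self, creds: Dict[str, str]) -> Tuple[bool, List[str]]:
        """Return (authenticated, names of the methods actually presented).

        Login methods are presented first, in the configured order, then the
        post-login methods. An And sequence stops at the first failing login
        method; an Or sequence stops at the first succeeding one.
        """
        login = [m for m in self.methods if not m.post_login]
        post = [m for m in self.methods if m.post_login]
        presented: List[str] = []

        if self.mode == "and":
            login_ok = True
            for m in login:
                presented.append(m.name)
                if not m.check(creds):
                    login_ok = False
                    break                  # And: one failure ends the sequence
        else:
            login_ok = False
            for m in login:
                presented.append(m.name)
                if m.check(creds):
                    login_ok = True
                    break                  # Or: one success is enough
        if not login_ok:
            return False, presented

        # Post-login methods run only once login succeeded; in this model each
        # of them must succeed (an assumption of the example).
        for m in post:
            presented.append(m.name)
            if not m.check(creds):
                return False, presented
        return True, presented


# --- Constructed sample methods, one per login factor -----------------------
_SALT = b"constructed-salt"
_STORED = hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)


def password_method(creds: Dict[str, str]) -> bool:
    """Something you know: compare a PBKDF2 hash of the supplied password with
    the stored hash in constant time (the stored value is constructed)."""
    supplied = creds.get("password", "").encode()
    digest = hashlib.pbkdf2_hmac("sha256", supplied, _SALT, 100_000)
    return hmac.compare_digest(digest, _STORED)


def smart_card_method(creds: Dict[str, str]) -> bool:
    """Something you have: stands in for a certificate check on a smart card."""
    return creds.get("card_serial") == "CARD-0001"        # constructed value


def otp_method(creds: Dict[str, str]) -> bool:
    """Something you have: stands in for an OTP device; a real OTP is time- or
    counter-based, here it is a fixed constructed value."""
    return creds.get("otp") == "246810"


def secure_workstation_method(creds: Dict[str, str]) -> bool:
    """Post-login method, modelled only as a flag in the credentials."""
    return creds.get("workstation_policy_accepted") == "yes"


# An And sequence: password AND smart card, then Secure Workstation post-login.
AND_SEQ = LoginSequence("password-and-card", "and", [
    Method("NDS password", password_method),
    Method("Enhanced Smart Card", smart_card_method),
    Method("Secure Workstation", secure_workstation_method, post_login=True),
])

# An Or sequence: the same sequence serves workstations with a card reader
# and workstations where the user carries an OTP device instead.
OR_SEQ = LoginSequence("card-or-otp", "or", [
    Method("Enhanced Smart Card", smart_card_method),
    Method("OTP token", otp_method),
])


if __name__ == "__main__":
    print(AND_SEQ.evaluate({"password": "correct horse", "card_serial": "CARD-0001",
                            "workstation_policy_accepted": "yes"}))
    print(OR_SEQ.evaluate({"otp": "246810"}))
```

The second tuple element shows which methods the user was actually asked for, which is the observable difference between the two modes: an And sequence with a wrong password never reaches the smart card method, while an Or sequence falls through from a missing card to the OTP device.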

1.1.3 Security Object Caching

The security container is created off the root partition when the first server is installed in the tree and holds information such as global data, security policies, and keys.

After Universal Password was introduced, whenever a user logged in to eDirectory through NMAS, NMAS accessed the information in the security container to authenticate the login. When the partition holding the security container was not present locally, NMAS had to contact the server that held this partition. This had an adverse impact on the performance of NMAS authentication, and the situation was worse where the server holding the security container partition had to be reached over WAN links.

To resolve this, with eDirectory 8.8 the security container data is cached on the local server. NMAS therefore no longer needs to access a security container located on a different machine whenever a user logs in; it reads the local copy instead, which improves performance. Adding the partition holding the security container to the local server also improves performance, but that might not be feasible where there are too many servers.

If the actual data in the security container changes on the server holding the security container partition, the local cache is refreshed by a background process called backlinker. By default, backlinker runs every thirteen hours and pulls the modified data from the remote server. If the data needs to be synchronized immediately, you can schedule backlinker on the local server through iMonitor, ndstrace on Linux, or ndscons on Windows. For more information, refer to the iMonitor online help or the ndstrace manpage.

The security object caching feature is enabled by default. If you do not want backlinker to cache any data, remove CachedAttrsOnExtRef from the NCP server object.