2.1 NMAS Functionality

NMAS is designed to help you protect information on your network. In addition to the Password Management tool, NMAS brings together ways of authenticating to Novell eDirectory 8.7.3 or later networks. This helps to ensure that the people accessing your network resources are who they say they are.

2.1.1 NMAS Features

NMAS employs three different phases of operation during a user’s session on a workstation with respect to authentication devices. These phases are as follows:

  1. User Identification Phase (who are you?)

  2. Authentication (Login) Phase (prove who you say you are)

  3. Device Removal Detection Phase (are you still there?)

All three of these phases of operation are completely independent. Authentication devices can be used in each phase, but the same device need not be used each time.

User Identification Phase

This is the process of gathering the username. Also provided in this phase are the tree name, the user’s context, the server name, and the name of the NMAS sequence to be used during the Authentication phase. This authentication information can be obtained from an authentication device, or it can be entered manually by the user.

Authentication (Login) Phase

NMAS uses three different approaches to logging in to the network called login factors. These login factors describe different items or qualities a user can use to authenticate to the network:

For more information on these login factors, see Section 2.1.2, Login and Post-Login Methods and Sequences.

Password Authentication

Passwords (something you know) are important methods for authenticating to networks. NMAS provides several password authentication options:

  • NDS password: The NDS password is stored in a hash form that is non-reversible and only the NDS system can make use of this password. This option uses the Universal Password if it is enabled and set.

  • Simple password: The simple password allows administrators to import users and passwords (clear text and hashed) from foreign LDAP directories. This option uses the Universal Password if it is enabled and set.

  • Digest-MD5 SASL: Digest-MD5 SASL provides the IETF standard DIGEST-MD5 SASL mechanism that validates a password hashed by the MD5 algorithm to be used for a LDAP SASL bind. This option will use the Universal Password if it is enabled and set.

  • Challenge/Response: Challenge/Response provides a way for a user to prove his or her identity using one or more responses to pre-configured challenge questions.

Universal Password is a way to simplify the integration and management of different password and authentication systems into a coherent network. For more information on Universal Password, see the Novell Password Management 3.3.2 Administration Guide.

Physical Device Authentication

Novell developers and third-party authentication developers have written authentication modules for NMAS for several types of physical devices (something you have):

NOTE:NMAS uses the word token to refer to all physical device authentication methods (smart cards with certificates, one-time password (OTP) devices, proximity cards, etc.).

  • Smart card: A smart card is a plastic card, about the size of a credit card, or a USB device that includes an embedded, programmable microchip that can store data and perform cryptographic functions. With NMAS, a smart card can be used to establish an identity when authenticating to eDirectory.

    Novell provides the Novell Enhanced Smart Card login method for the use of smart cards. The Novell Enhanced Smart Card login method is provided as part of the Identity Assurance Client. For more information, see the Novell Enhanced Smart Card Method 3.0 Installation and Administration Guide.

  • One-Time Password (OTP) device: An OTP device is a hand-held hardware device that generates a one-time password to authenticate its owner.

  • Proximity card: A proximity card is a card worn by a person. This technology locks and unlocks a person’s workstation based on the card’s proximity to the workstation.

    Novell provides the pcProx login method, which supports RFID proximity cards. The pcProx login method is provided as part of the Novell SecureLogin product. For more information, see NMAS Login Method and Login ID Snap-In for pcProx.

Biometric Authentication

Biometrics is the science and technology of measuring and statistically analyzing human body characteristics (something you are). Biometric methods are provided by third-party companies for use with NMAS.

Biometric authentication requires readers or scanning devices, software that converts the scanned information into digital form, and a database or directory that stores the biometric data for comparison with entered biometric data.

In converting the biometric input, the software identifies specific points of data as match points. The match points are processed by using an algorithm to create a value that can be compared with biometric data scanned when a user tries to gain access.

Some examples of biometric authentication include scans of fingerprints, retinas, irises, and facial features. Biometrics can also include, handwriting, typing patterns, voice recognition, etc.

Device Removal Detection Phase

The user’s session enters this phase after login is complete. Two methods are available:

  • The Secure Workstation method, which is available with Novell SecureLogin. The user’s session can be terminated when an authentication device (such as a smart card) is removed. This device need not be used in any of the other phases

    For more information on the Secure Workstation method, see the Novell SecureLogin 6.1 Administration Guide.

  • The Novell Enhanced Smart Card login method also provides smart card removal detection. For more information on the Novell Enhanced Smart Card login method, see the Novell Enhanced Smart Card Method Installation Guide.

2.1.2 Login and Post-Login Methods and Sequences

A login method is a specific implementation of a login factor. NMAS provides multiple login methods to choose from based on the three login factors (password, physical device or token, and biometric authentication).

A post-login method is a security process that is executed after a user has authenticated to Novell eDirectory. For example, one post-login method is the Novell Secure Workstation method (available with Novell SecureLogin), which requires the user to provide credentials in order to access the computer after the workstation is locked.

NMAS software includes support for a number of login and post-login methods from Novell and from third-party authentication developers. Additional hardware might be required, depending on the login method. Refer to the third-party product's documentation for more information.

After you have decided upon and installed a method, you need to assign it to a login sequence in order for it to be used. A login sequence is an ordered set of one or more methods. Users log in to the network by using these defined login sequences. If the sequence contains more than one method, the methods are presented to the user in the order specified. Login methods are presented first, followed by post-login methods.

Both And and Or login sequences exist with NMAS. An And login sequence requires all of the login methods in the sequence to complete successfully. An Or login sequence requires only one of the login methods in the sequence to complete successfully. An example of an Or login sequence is to allow users to use the same login sequence to login to workstations with different authentication devices.

2.1.3 Graded Authentication

Another feature of NMAS is graded authentication. Graded authentication allows you to “grade,” or control, users’ access to the network based on the login methods used to authenticate to the network.

IMPORTANT:Graded authentication is an additional level of control. It does not take the place of regular eDirectory and file system access rights, which still need to be administered.

Graded authentication is only available on NetWare.

Graded authentication is managed from the Security Policy object in the Security container by using iManager or ConsoleOne®. This object is created when NMAS is installed.

For more information on graded authentication, see Section 4.0, Using Graded Authentication.

Categories

A category is an element of a set that represents sensitivity and trust. You use categories to define security labels.

NMAS comes with three secrecy categories and three integrity categories (see Table 2-1). You can define additional secrecy and integrity categories to meet your company's needs.

For more information on defining secrecy and integrity categories, see Section 4.3.1, Defining User-Defined Categories (Closed User Groups).

Security Labels

Security labels are a set of secrecy and integrity categories. NMAS comes with eight security labels defined. The following table shows the predefined security labels and the set of categories that define the label:

Table 2-1 Security Labels

Default Security Labels

Secrecy Categories

Integrity Categories

Biometric & Password & Token

{Biometric, Token, Password}

{0}

Biometric & Password

{Biometric, Password}

{0}

Biometric & Token

{Biometric, Token}

{0}

Password & Token

{Token, Password}

{0}

Biometric

{Biometric}

{0}

Password

{Password}

{0}

Token

{Token}

{0}

Logged In

{0}

{0}

These labels are used to assign access requirements to NetWare volumes and eDirectory attributes. You can define additional security labels to meet your company's needs.

For more information on defining Security labels, see Section 4.3.2, Defining Security Labels.

Clearances

Clearances are assigned to users to represent the amount of trust you have in that user. A clearance has a Read label that specifies what a user can read, and a Write label that specifies what information a user can write to. A user can read data that is labeled at the Read label and below. A user can write data that is labeled between the Read label and the Write label.

NMAS defines only one clearance: Multi-level Administrator. Multi-level Administrator has Biometric and Token and Password for the Read label and Logged In for the Write label.

You can define additional clearances to meet your company's needs.

For more information on defining clearances, see Section 4.3.3, Defining Clearances.