Novell is now a part of Micro Focus

Setting the Minimum NMAS Authentication Grade

Novell Cool Solutions: Tip

Digg This - Slashdot This

Posted: 29 Jun 2004

This article summarizes how to set the minimum authentication grade in BorderManager 3.8 for NMAS-based authentication. For more details, see TID 10088840.

To take advantage of graded authentication, you need to set the session clearances of the corresponding users properly. The methods are shown below.
  • Password grade methods: enhanced password, DigestMD5.
  • Logged-in grade methods: simple password, MSCHAP, CertMutual, NDS
  • Password and Token grade methods: X.509Cert, USmartCard, Advanced X.509, EntrustAdv etc.
  • Token grade method: PcProx
VPN Password Grade Methods

In order to allow password grade methods only in VPN for NMAS authentication,

  1. In iManager, change the NMAS grade in the authentication rule to "password" and save.
  2. Make sure that the user can use a password grade method, such as enhanced password, etc. Unless the clearance is set to "password," the user will be given a clearance of "login," even though he/she may be using the NDS or simple password sequence.
  3. In ConsoleOne or iManager, change the default clearance to "password" for all user objects that are to be allowed VPN authentication.
  4. Authenticate as that user, using one of the "password" grade sequence in the Sequence field in the VPN client tab.

The user authentication and VPN connection will go through for enhanced password. But the user authentication will fail for simple password or NDS, though the user may have been configured for that. The user authentication through Novell login will also fail with simple password now.

If you want to enable any method for normal authentication, but want a specific grade for VPN only, then set the clearance of the user to "Multi-level Admin", and set the grade to required level "password" or "password + token" in VPN configuration. (Normally, only admin-level users should be assigned the clearance of Multi-level Admin as per NMAS documentation. This option should be avoided unless there is a specific need to allow any sequence for normal authentication).

For more information on clearances and grades of authentication, see the NMAS and MASV documentation available at

Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions.

© Copyright Micro Focus or one of its affiliates