Previous Page: NMAS Overview  Next Page: NMAS Software

NMAS Functionality

NMAS is designed to help you protect information on your network. NMAS brings together additional ways of authenticating to NDS® eDirectoryTM on NetWare® 5.1 and later and Windows* NT*\2000 networks to help ensure that the people accessing your network resources are who they say they are.

NMAS is available in two different products: NMAS, which is the product that is bundled with other products, and NMAS Enterprise Edition, which is the product that is sold by itself.

This manual deals with NMAS Enterprise Edition and its functionality.

There are three key features of NMAS Enterprise Edition:


Login Factors

NMAS uses three different approaches to logging in to the network called login factors. These login factors describe different items or qualities a user can use to authenticate to the network:


Password Authentication

Passwords ("something you know") are important methods for authenticating to networks. NMAS provides the standard NDS password login method, as well as login methods common with LDAP, Internet browsers, and other directories.


Physical Device Authentication

Third-party authentication developers have written authentication modules for NMAS for two types of physical devices ("something you have"): smart cards and tokens.

NOTE:  NMAS uses the word token to refer to all physical device authentication methods (smart cards, tokens, etc.).


Biometric Authentication

Biometrics is the science and technology of measuring and statistically analyzing human body characteristics ("something you are").

Biometric authentication requires readers or scanning devices, software that converts the scanned information into digital form, and a database or directory that stores the biometric data for comparison with entered biometric data.

In converting the biometric input, the software identifies specific points of data as match points. The match points are processed using an algorithm into a value that can be compared with biometric data scanned when a user tries to gain access.

Biometric authentication can be classified into two groups:


Login and Post-Login Methods and Sequences

A login method is a specific implementation of a login factor. NMAS provides multiple login methods to choose from based on the three login factors (password, physical device or token, and biometric authentication).

A post-login method is a security process that is executed after a user has authenticated to NDS. For example, one post-login method is the Workstation Access method that requires the user to provide credentials in order to access the computer after the workstation is locked.

NMAS software includes support for a number of login and post-login methods from Novell and from third-party authentication developers. Additional hardware might be required, depending on the login method. Refer to the PARTNERS.PDF file on the NMAS CD-ROM for a list of authorized NMAS partners and a description of their methods.

Once you have decided upon and installed a method, you need to assign it to a login sequence in order for it to be used. A login sequence is an ordered set of one or more methods. Users log in to the network using these defined login sequences. If the sequence contains more than one method, the methods are presented to the user in the order specified. Login methods are presented first, followed by post-login methods.


Graded Authentication

An important feature of NMAS Enterprise Edition is graded authentication. Graded authentication allows you to "grade," or control, users' access to the network based on the login methods used to authenticate to the network.

IMPORTANT:  Graded authentication is an additional level of control. It does not take the place of regular NDS and file system access rights, which still need to be administered.

Graded authentication is managed from the Security Policy object in the Security container using ConsoleOneTM. This object is created when NMAS is installed.


Categories

A category is an element of a set that represents sensitivity and trust. You use categories to define security labels.

NMAS Enterprise Edition comes with three secrecy categories and three integrity categories (Biometric, Token, Password) defined. You can define additional secrecy and integrity categories to meet your company's needs.


Security Label

Security labels are a set of secrecy and integrity categories. NMAS Enterprise Edition comes with eight security labels defined. The following table shows the pre-defined security labels and the set of categories that define the label:

Default Security Labels Secrecy Categories Integrity Categories

Biometric & Password & Token

{Biometric, Token, Password}

{0}

Biometric & Password

{Biometric, Password}

{0}

Biometric & Token

{Biometric, Token}

{0}

Password & Token

{Token, Password}

{0}

Biometric

{Biometric}

{0}

Password

{Password}

{0}

Token

{Token}

{0}

Logged In

{0}

{0}

These labels are used to assign access requirements to NetWare volumes and NDS attributes. You can define additional security labels to meet your company's needs.


Clearances

Clearances are assigned to users to represent the amount of trust you have in that user. A clearance has a Read label that specifies what a user can read and a Write label that specifies what information a user can write to. A user can read data which is labeled at the Read label and below. A user can write data that is labeled between the Read label and the Write label.

NMAS Enterprise Edition defines only one clearance: Multi-level Administrator. Multi-level Administrator has Biometric and Token and Password for the Read label and Logged In for the Write label.

You can define additional clearances to meet your company's needs.

For more information on graded authentication, see Using Graded Authentication.



  Previous Page: NMAS Overview  Next Page: NMAS Software