NMAS Functionality

NMAS is designed to help you protect information on your network. NMAS brings together additional ways of authenticating to eDirectory on NetWare 5.1 and later, Windows NT/2000 and Unix networks to help ensure that the people accessing your network resources are who they say they are.

NMAS is available in two different products: NMAS Standard Edition, which is the product that is bundled with other products, and NMAS Enterprise Edition, which is the product that is sold by itself.

This manual deals with NMAS Enterprise Edition and its functionality. If you have NMAS Standard Edition, the procedures for managing NMAS will be similar to NMAS Enterprise Edition, but you will notice less functionality with Standard Edition.


NMAS Features

With previous releases of NMAS, authentication devices, such as smart cards, tokens, etc., could be used only for authentication. Now, NMAS employs three different phases of operation during a user's session on a workstation with respect to authentication devices. These phases are as follows:

  1. User identification (who are you?)
  2. Authentication (prove who you say you are)
  3. Device removal detection (are you still there?)

All three of these phases of operation are completely independent. Authentication devices can be used in each phase, but the same device need not be used each time.


User Identification Phase (Who are you)

This is the process of gathering the user name. Also provided in this phase are the tree name, the user's context, the server name, and the name of the NMAS Sequence to be used during the Authentication phase. This information can be obtained from an authentication device, or it can be entered manually by the user.

See User Identification Plug-ins for more information on user identification.


Authentication Phase (Prove you are who you say you are)


Login Factors

NMAS uses three different approaches to logging in to the network called login factors. These login factors describe different items or qualities a user can use to authenticate to the network:


Password Authentication

Passwords ("something you know") are important methods for authenticating to networks. NMAS provides the standard NDS password login method, as well as login methods common with LDAP, Internet browsers, and other directories.


Physical Device Authentication

Third-party authentication developers have written authentication modules for NMAS for two types of physical devices ("something you have"): smart cards and tokens.

NOTE:  NMAS uses the word token to refer to all physical device authentication methods (smart cards, tokens, etc.).


Biometric Authentication

Biometrics is the science and technology of measuring and statistically analyzing human body characteristics ("something you are").

Biometric authentication requires readers or scanning devices, software that converts the scanned information into digital form, and a database or directory that stores the biometric data for comparison with entered biometric data.

In converting the biometric input, the software identifies specific points of data as match points. The match points are processed using an algorithm into a value that can be compared with biometric data scanned when a user tries to gain access.

Biometric authentication can be classified into two groups:


Device Removal Detection Phase (Are you still there?)

The user's session enters this phase after login is complete. This feature is provided by the Secure Workstation method. The user's session can be terminated when an authentication device (such as a smart card) is removed. This device need not be used in any of the other phases.


Example

You could use a pcProx device for identification, the NDS password for authentication and the Universal SmartCard plug-in during the device removal detection phase. In this example, the Secure Workstation method would start the device removal plug-in for the Universal SmartCard plug-in when the shell starts. From that point, the Universal SmartCard plug-in would monitor the card in the reader and trigger a device removal event when that card was removed.

In the above example, you do not need to execute an NMAS login sequence that contains the Universal SmartCard method. However, most administrators who are concerned about detecting removal of the smart card would want the user to log in with it. The above functionality is probably most useful in scenarios where, for example, an Entrust certificate was read from the smart card and the Entrust method was used for authentication. The Universal SmartCard device removal plug-in could be used in this scenario even though the Universal SmartCard method was not used during the authentication process.


Login and Post-Login Methods and Sequences

A login method is a specific implementation of a login factor. NMAS provides multiple login methods to choose from based on the three login factors (password, physical device or token, and biometric authentication).

A post-login method is a security process that is executed after a user has authenticated to NDS. For example, one post-login method is the Workstation Access method that requires the user to provide credentials in order to access the computer after the workstation is locked.

NMAS software includes support for a number of login and post-login methods from Novell and from third-party authentication developers. Additional hardware might be required, depending on the login method. Refer to the PARTNERS.PDF file in the NMAS software build for a list of authorized NMAS partners and a description of their methods.

Once you have decided upon and installed a method, you need to assign it to a login sequence in order for it to be used. A login sequence is an ordered set of one or more methods. Users log in to the network using these defined login sequences. If the sequence contains more than one method, the methods are presented to the user in the order specified. Login methods are presented first, followed by post-login methods.


Graded Authentication

An important feature of NMAS Enterprise Edition is graded authentication. Graded authentication allows you to "grade," or control, users' access to the network based on the login methods used to authenticate to the network.

IMPORTANT:  Graded authentication is an additional level of control. It does not take the place of regular NDS and file system access rights, which still need to be administered.

Graded authentication is managed from the Security Policy object in the Security container using ConsoleOne. This object is created when NMAS is installed.


Categories

A category is an element of a set that represents sensitivity and trust. You use categories to define security labels.

NMAS Enterprise Edition comes with three secrecy categories and three integrity categories (Biometric, Token, Password) defined. You can define additional secrecy and integrity categories to meet your company's needs.


Security Label

A security label is a set of secrecy and integrity categories. NMAS Enterprise Edition comes with eight security labels defined. The following table shows the pre-defined security labels and the set of categories that define each label:

Default Security Label          Secrecy Categories              Integrity Categories
Biometric & Password & Token    {Biometric, Token, Password}    {0}
Biometric & Password            {Biometric, Password}           {0}
Biometric & Token               {Biometric, Token}              {0}
Password & Token                {Token, Password}               {0}
Biometric                       {Biometric}                     {0}
Password                        {Password}                      {0}
Token                           {Token}                         {0}
Logged In                       {0}                             {0}

These labels are used to assign access requirements to NetWare volumes and NDS attributes. You can define additional security labels to meet your company's needs.


Clearances

Clearances are assigned to users to represent the amount of trust you have in that user. A clearance has a Read label that specifies what a user can read and a Write label that specifies what information a user can write to. A user can read data which is labeled at the Read label and below. A user can write data that is labeled between the Read label and the Write label.

NMAS Enterprise Edition defines only one clearance: Multi-level Administrator. Multi-level Administrator has Biometric and Token and Password for the Read label and Logged In for the Write label.

You can define additional clearances to meet your company's needs.
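The following Python model, added here as an example and not Novell's code or NMAS's own data structures, ties together the rules stated under "Login and Post-Login Methods and Sequences" and under "Clearances": a sequence is an ordered list in which login methods precede post-login methods, a security label is the set of secrecy categories from the default label table (the default integrity categories are all {0}, so integrity is left out), and a clearance permits reading at or below its Read label and writing between its Write label and its Read label. Method names such as "Universal SmartCard" and "Workstation Access" are taken from this page; the TOKEN_REVIEWER clearance is constructed for contrast and is not a predefined NMAS clearance.

```python
"""Model of NMAS login sequences and graded-authentication label checks.

Added example, not NMAS code. A label is a frozenset of secrecy category
names, exactly as the default label table lists them; integrity categories
(all {0} in the defaults) are omitted.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# The eight predefined security labels: name -> set of secrecy categories.
DEFAULT_LABELS = {
    "Biometric & Password & Token": frozenset({"Biometric", "Token", "Password"}),
    "Biometric & Password": frozenset({"Biometric", "Password"}),
    "Biometric & Token": frozenset({"Biometric", "Token"}),
    "Password & Token": frozenset({"Token", "Password"}),
    "Biometric": frozenset({"Biometric"}),
    "Password": frozenset({"Password"}),
    "Token": frozenset({"Token"}),
    "Logged In": frozenset(),
}


@dataclass(frozen=True)
class Method:
    """A login method (factor = Password/Token/Biometric) or a post-login method (factor None)."""
    name: str
    factor: Optional[str] = None
    post_login: bool = False


def validate_sequence(methods: List[Method]) -> bool:
    """A login sequence is an ordered list: login methods first, then post-login
    methods, and at least one login method is required."""
    seen_post_login = False
    for m in methods:
        if m.post_login:
            seen_post_login = True
        elif seen_post_login:
            raise ValueError(f"login method {m.name!r} placed after a post-login method")
    if not any(not m.post_login for m in methods):
        raise ValueError("a login sequence needs at least one login method")
    return True


def session_label(methods: List[Method]) -> FrozenSet[str]:
    """Secrecy categories earned by the login factors present in a sequence."""
    return frozenset(m.factor for m in methods if not m.post_login and m.factor)


def label_name(categories: FrozenSet[str]) -> str:
    """Reverse lookup of a category set in the predefined label table."""
    for name, cats in DEFAULT_LABELS.items():
        if cats == categories:
            return name
    raise KeyError(f"no predefined label for {sorted(categories)}")


def dominates(upper: FrozenSet[str], lower: FrozenSet[str]) -> bool:
    """'upper' is at or above 'lower' when it contains every category of 'lower'."""
    return lower <= upper


@dataclass(frozen=True)
class Clearance:
    read: FrozenSet[str]   # highest label the user may read
    write: FrozenSet[str]  # lowest label the user may write


def can_read(clearance: Clearance, data_label: FrozenSet[str]) -> bool:
    """Read is allowed for data labelled at the Read label and below."""
    return dominates(clearance.read, data_label)


def can_write(clearance: Clearance, data_label: FrozenSet[str]) -> bool:
    """Write is allowed for data labelled between the Write label and the Read label."""
    return dominates(clearance.read, data_label) and dominates(data_label, clearance.write)


# The single predefined clearance: Read = Biometric & Password & Token, Write = Logged In.
MULTI_LEVEL_ADMIN = Clearance(read=DEFAULT_LABELS["Biometric & Password & Token"],
                              write=DEFAULT_LABELS["Logged In"])

# Constructed clearance (not on the page): reads down to Logged In, but writes
# only data labelled exactly Password & Token, so it cannot write downward.
TOKEN_REVIEWER = Clearance(read=DEFAULT_LABELS["Password & Token"],
                           write=DEFAULT_LABELS["Password & Token"])


if __name__ == "__main__":
    sequence = [Method("NDS Password", "Password"),
                Method("Universal SmartCard", "Token"),
                Method("Workstation Access", post_login=True)]
    validate_sequence(sequence)
    print("sequence earns label:", label_name(session_label(sequence)))
    for name, label in DEFAULT_LABELS.items():
        print(f"{name:30} admin r/w={can_read(MULTI_LEVEL_ADMIN, label)}/{can_write(MULTI_LEVEL_ADMIN, label)}"
              f"  reviewer r/w={can_read(TOKEN_REVIEWER, label)}/{can_write(TOKEN_REVIEWER, label)}")
```

Running the script prints, for each default label, whether the Multi-level Administrator and the constructed reviewer clearance may read and write it: the administrator reads and writes everything because its Read label is the top of the lattice and its Write label is the bottom, while the reviewer can read Password, Token and Logged In data but write none of them. How NMAS derives a session's effective labels from the methods actually used at login is not described on this page, so the clearances here are taken as given rather than computed from the sequence.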

For more information on graded authentication, see Using Graded Authentication.