NMAS is designed to help you protect information on your network. NMAS brings together additional ways of authenticating to Novell eDirectory™ 8.7.3 or later networks to help ensure that the people accessing your network resources are who they say they are.
NMAS employs three different phases of operation during a user’s session on a workstation with respect to authentication devices. These phases are as follows:
All three of these phases of operation are completely independent. Authentication devices can be used in each phase, but the same device need not be used each time.
This is the process of gathering the username. Also provided in this phase are the tree name, the user’s context, the server name, and the name of the NMAS sequence to be used during the Authentication phase. This information can be obtained from an authentication device, or it can be entered manually by the user.
This section describes the authentication phase.
NMAS uses three different approaches to logging in to the network called login factors. These login factors describe different items or qualities a user can use to authenticate to the network:
Passwords (something you know) are important methods for authenticating to networks. NMAS provides several password authentication options:
NDS password: The NDS password is stored in a hash form that is non-reversible and only the NDS system can make use of this password.
Simple password: The simple password allows administrators to import users and passwords (clear text and hashed) from foreign LDAP directories.
Digest-MD5 SASL: Digest-MD5 SASL provides the IETF standard DIGEST-MD5 SASL mechanism that validates a password hashed by the MD5 algorithm to be used for a LDAP SASL bind.
Challenge/Response: Challenge/Response provides a way for a user to prove his or her identity using one or more responses to pre-configured challenge questions.
Third-party authentication developers have written authentication modules for NMAS for several types of physical devices (something you have):
NOTE:NMAS uses the word token to refer to all physical device authentication methods (smart cards with certificates, one-time password (OTP) devices, proximity cards, etc.).
Smart cards: A smart card is a plastic card, about the size of a credit card, that includes an embedded, programmable microchip that can store data and perform cryptographic functions. With NMAS, a smart card can be used to establish an identity when authenticating to eDirectory.
One-Time Password (OTP) device: An OTP device is a hand-held hardware device that generates a one-time password to authenticate its owner.
Proximity cards: A proximity card is a card worn by a person. This technology locks and unlocks a person’s workstation based on the card’s proximity to the workstation.
Biometrics is the science and technology of measuring and statistically analyzing human body characteristics (something you are). Biometric methods are provided by third-party companies for use with NMAS.
Biometric authentication requires readers or scanning devices, software that converts the scanned information into digital form, and a database or directory that stores the biometric data for comparison with entered biometric data.
In converting the biometric input, the software identifies specific points of data as match points. The match points are processed by using an algorithm to create a value that can be compared with biometric data scanned when a user tries to gain access.
Some examples of biometric authentication include scans of fingerprints, retinas, irises, and facial features. Biometrics can also include recognition of voice, handwriting, typing patterns, etc.
The user’s session enters this phase after login is complete. This feature is provided by the Secure Workstation method which is available with Novell Secure Login (NSL). The user’s session can be terminated when an authentication device (such as a smart card) is removed. This device need not be used in any of the other phases.
A login method is a specific implementation of a login factor. NMAS provides multiple login methods to choose from based on the three login factors (password, physical device or token, and biometric authentication).
A post-login method is a security process that is executed after a user has authenticated to Novell eDirectory™. For example, one post-login method is the Novell Secure Workstation method (available with Novell Secure Login (NSL)), which requires the user to provide credentials in order to access the computer after the workstation is locked.
NMAS software includes support for a number of login and post-login methods from Novell and from third-party authentication developers. Additional hardware might be required, depending on the login method. Refer to the third-party product's documentation for more information.
After you have decided upon and installed a method, you need to assign it to a login sequence in order for it to be used. A login sequence is an ordered set of one or more methods. Users log in to the network using these defined login sequences. If the sequence contains more than one method, the methods are presented to the user in the order specified. Login methods are presented first, followed by post-login methods.
Another feature of NMAS is graded authentication. Graded authentication allows you to “grade,” or control, users' access to the network based on the login methods used to authenticate to the network.
IMPORTANT:Graded authentication is an additional level of control. It does not take the place of regular eDirectory and file system access rights, which still need to be administered.
Graded authentication is managed from the Security Policy object in the Security container by using iManager or ConsoleOne®. This object is created when NMAS is installed.
A category is an element of a set that represents sensitivity and trust. You use categories to define security labels.
NMAS comes with three secrecy categories and three integrity categories (Biometric, Token, Password) defined. You can define additional secrecy and integrity categories to meet your company's needs.
Security labels are a set of secrecy and integrity categories. NMAS comes with eight security labels defined. The following table shows the predefined security labels and the set of categories that define the label:
These labels are used to assign access requirements to NetWare volumes and eDirectory attributes. You can define additional security labels to meet your company's needs.
Clearances are assigned to users to represent the amount of trust you have in that user. A clearance has a Read label that specifies what a user can read, and a Write label that specifies what information a user can write to. A user can read data that is labeled at the Read label and below. A user can write data that is labeled between the Read label and the Write label.
NMAS defines only one clearance: Multi-level Administrator. Multi-level Administrator has Biometric and Token and Password for the Read label and Logged In for the Write label.
You can define additional clearances to meet your company's needs.
For more information on graded authentication, see Section 4.0, Using Graded Authentication.