Planning Authentication Policies

All users accessing services through Novell BorderManager 3.7 must be authenticated. All authentication, regardless of which Novell BorderManager 3.7 service is being accessed, is processed by a special module, the Authentication Device Manager (ADM), that authenticates users for the following services:

The authentication policies enforced by the ADM are defined and stored in an eDirectory object called the Authentication Policy object (APO). The APO contains authentication rules that define the relationships among the services, users, and authentication methods so that the ADM can determine and enforce the appropriate authentication requirements.


Authentication Device Manager

All Novell BorderManager 3.7 servers must load the ADM. On each Novell BorderManager 3.7 server object, an attribute specifies the Authentication Policy object that contains the authentication rules to be enforced on that server. If the ADM is loaded and no Authentication Policy object is specified, the ADM loads but does not process authentication requests. Therefore, until an Authentication Policy is set, access to Novell BorderManager 3.7 from any service is not available.

IMPORTANT:  You must set up a generic authentication policy to allow all users to access network services through each of the various Novell BorderManager 3.7 services.

When a particular service needs to authenticate a user, that service calls the ADM and passes the necessary information about itself (such as its service ID) and about the user, container, or group object (the distinguished name and credentials) for the ADM to process the request. The ADM uses this information to determine the applicable authentication rule from the rule set stored in the Authentication Policy object, and then enforces that rule.


Authentication Policy Object

Authentication rules or policies are defined and stored in eDirectory in the Authentication Policy object. This allows you to define policies that can be used locally (on a single server), or globally (across multiple servers and services throughout the NDS or eDirectory tree).

NOTE:  You will usually need only one Authentication Policy object for each eDirectory replica.

The Authentication Policy object is administered through NetWare Administrator. This object enables you to set up authentication rules that allow you to manage authentication for the following Novell BorderManager 3.7 service types:

To define a rule for a service type, you must select the service type from NetWare Administrator. The VPN, Proxy Services, and SOCKS service types are predefined. The Authentication Services service type is represented by an eDirectory Dial Access System (DAS) object. To define a rule for Authentication Services, you must select the distinguished name of the DAS object associated with the service.


Supported Authentication Methods

Novell BorderManager 3.7 supports a variety of authentication methods. The exact methods supported depend on the service type. The following table lists the authentication methods supported for each service type.


Table 1. Authentication Methods Supported

Service Type             Authentication Methods Supported
-----------------------  ---------------------------------------------------
Proxy Services           Any user-assigned device
                         eDirectory passwords
                         Token-based authentication methods

SOCKS                    Any user-assigned device
                         eDirectory passwords
                         Token-based authentication methods

VPN                      Any user-assigned device
                         eDirectory passwords (mandatory)
                         Token-based authentication methods

                         NOTE: When token-based authentication is selected,
                         the VPN client is required to supply both a token
                         password and an eDirectory password.

Authentication Services  Any user-assigned device
                         eDirectory passwords
                         Token-based authentication methods
                         Dial access passwords (PAP)
                         Dial access passwords (CHAP)


Authentication Rules

Authentication rules define the authentication method required for a specific user, container, or group object to access a particular Novell BorderManager 3.7 service. When a user requests access, the applicable rule will be enforced. You can define a single authentication rule for all Novell BorderManager 3.7 services, or different authentication rules for the different Novell BorderManager 3.7 service types. If you define multiple authentication rules, the rules are applied in the order in which they appear in the list. Once a rule has been matched, no other rules are evaluated. To change the priority of a rule, simply change its position in the list.

You can also define the level of enforcement for a rule. The following enforcement levels are defined:

The following table illustrates some possible authentication rules.


Table 2. Authentication Rule Examples

Service      Users         Authentication Method   Enforcement
-----------  ------------  ----------------------  --------------------
<VPN>        .hr.acme      <eDirectory password>   Mandatory
                           .token.acme             Mandatory

<Proxy>      .sales.acme   .token.acme             Required if assigned
                           <eDirectory password>   Mandatory

<SOCKS>      <Any>         .token.acme             Required if assigned

.das.acme    <Any>         .token.acme             Required if assigned
                           <eDirectory password>   Mandatory

<Any>        <Any>         <eDirectory password>   Mandatory
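The following Python model, added here as an illustration and not Novell code or the ADM's own implementation, walks the rules of Table 2 in list order and stops at the first match, as the Authentication Rules section describes. It goes a little beyond the page by also reporting rules that can never fire because an earlier, broader rule sits above them in the list, which is the usual mistake when the catch-all <Any>/<Any> row is placed first. Everything not stated on the page is an assumption: subjects are dotted, typeless DNs with a leading dot (".hr.acme") and a container subject covers every object beneath it; group membership is supplied by the caller as a set of group DNs; "Required if assigned" demands a method only when that method is assigned to the user, while "Mandatory" always demands it; the user DNs are constructed sample values.

```python
"""First-match evaluation of authentication rules, modelled on Table 2.

Added illustration, not Novell code and not the ADM's algorithm. Assumptions
not stated on the page:
  - subjects are dotted, typeless DNs with a leading dot (".hr.acme"); a
    container subject matches every object beneath it in the tree
  - group membership is supplied by the caller as a set of group DNs
  - "Required if assigned" demands the method only when it is assigned to
    the user; "Mandatory" always demands it
"""
from dataclasses import dataclass

ANY = "<Any>"
MANDATORY = "Mandatory"
IF_ASSIGNED = "Required if assigned"
EDIR = "<eDirectory password>"
TOKEN = ".token.acme"


@dataclass(frozen=True)
class Rule:
    service: str    # "<VPN>", "<Proxy>", "<SOCKS>", a DAS object DN, or "<Any>"
    subject: str    # user, container or group DN, or "<Any>"
    methods: tuple  # ((method, enforcement), ...)


# The rules of Table 2 in list order; order matters because the first match wins.
TABLE_2 = (
    Rule("<VPN>", ".hr.acme", ((EDIR, MANDATORY), (TOKEN, MANDATORY))),
    Rule("<Proxy>", ".sales.acme", ((TOKEN, IF_ASSIGNED), (EDIR, MANDATORY))),
    Rule("<SOCKS>", ANY, ((TOKEN, IF_ASSIGNED),)),
    Rule(".das.acme", ANY, ((TOKEN, IF_ASSIGNED), (EDIR, MANDATORY))),
    Rule(ANY, ANY, ((EDIR, MANDATORY),)),
)


def subject_matches(subject, user_dn, groups=frozenset()):
    """True if the rule's user/container/group subject covers this user."""
    if subject == ANY or subject == user_dn or subject in groups:
        return True
    # Container match: ".alice.hr.acme" lies beneath ".hr.acme". The leading
    # dot in the subject stops ".bob.xhr.acme" from matching ".hr.acme".
    return len(user_dn) > len(subject) and user_dn.endswith(subject)


def first_match(rules, service, user_dn, groups=frozenset()):
    """Index and rule of the first matching entry, or (None, None)."""
    for index, rule in enumerate(rules):
        if rule.service in (ANY, service) and subject_matches(rule.subject, user_dn, groups):
            return index, rule
    return None, None


def required_methods(rules, service, user_dn, assigned=frozenset(), groups=frozenset()):
    """Methods the user must satisfy, in rule order.

    Returns None when no rule applies: without a policy the ADM has nothing
    to enforce and the service is not available.
    """
    _, rule = first_match(rules, service, user_dn, groups)
    if rule is None:
        return None
    return [
        method
        for method, enforcement in rule.methods
        if enforcement == MANDATORY or (enforcement == IF_ASSIGNED and method in assigned)
    ]


def shadowed_rules(rules):
    """Indices of rules that can never be reached because an earlier rule is
    at least as broad in both service and subject. Container subjects are
    compared by DN suffix; group membership cannot be judged statically."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            service_covers = earlier.service in (ANY, later.service)
            subject_covers = (
                earlier.subject in (ANY, later.subject)
                or (len(later.subject) > len(earlier.subject)
                    and later.subject.endswith(earlier.subject))
            )
            if service_covers and subject_covers:
                shadowed.append(j)
                break
    return shadowed


if __name__ == "__main__":
    print(required_methods(TABLE_2, "<VPN>", ".alice.hr.acme"))
    print(required_methods(TABLE_2, "<Proxy>", ".bob.sales.acme", assigned={TOKEN}))
    print(shadowed_rules((TABLE_2[-1],) + TABLE_2[:-1]))
```

Two consequences of the model are worth checking against your own policy: a rule whose methods are all "Required if assigned" (the <SOCKS> row) demands nothing from a user who has no device assigned, so a user outside every assigned group reaches SOCKS with no further challenge unless a later rule is meant to catch them, which it cannot because evaluation stopped; and moving the <Any>/<Any> row to the top of the list silently retires every row beneath it, which `shadowed_rules` reports as indices 1 through 4.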