NMAS Functionality

NMAS is designed to help you protect information on your network. NMAS brings together additional ways of authenticating to Novell eDirectoryTM on NetWare® 5.1 or later, Windows* NT*\2000 and UNIX* networks to help ensure that the people accessing your network resources are who they say they are.


NMAS Features

With previous releases of NMAS, authentication devices, such as smart cards, tokens, etc., could be used only for authentication. Now, NMAS employs three different phases of operation during a user's session on a workstation with respect to authentication devices. These phases are as follows:

  1. User identification (who are you?)
  2. Authentication (prove who you say you are)
  3. Device removal detection (are you still there?)

All three of these phases of operation are completely independent. Authentication devices can be used in each phase, but the same device need not be used each time.


User Identification Phase

This is the process of gathering the username. Also provided in this phase are the tree name, the user's context, the server name, and the name of the NMAS sequence to be used during the Authentication phase. This information can be obtained from an authentication device, or it can be entered manually by the user.

See User Identification Plug-Ins for more information on user identification.


Authentication Phase


Login Factors

NMAS uses three different approaches to logging in to the network called login factors. These login factors describe different items or qualities a user can use to authenticate to the network:


Password Authentication

Passwords (something you know) are important methods for authenticating to networks. NMAS provides the standard NDS password login method, as well as login methods common with LDAP, Internet browsers, and other directories.


Physical Device Authentication

Third-party authentication developers have written authentication modules for NMAS for two types of physical devices (something you have): smart cards and tokens.

NOTE:  NMAS uses the word token to refer to all physical device authentication methods (smart cards, tokens, etc.).


Biometric Authentication

Biometrics is the science and technology of measuring and statistically analyzing human body characteristics (something you are).

Biometric authentication requires readers or scanning devices, software that converts the scanned information into digital form, and a database or directory that stores the biometric data for comparison with entered biometric data.

In converting the biometric input, the software identifies specific points of data as match points. The match points are processed by using an algorithm to create a value that can be compared with biometric data scanned when a user tries to gain access.

Biometric authentication can be classified into two groups:


Device Removal Detection Phase

The user's session enters this phase after login is complete. This feature is provided by the Secure Workstation method. The user's session can be terminated when an authentication device (such as a smart card) is removed. This device need not be used in any of the other phases.


Example

You could use a pcProx* device for identification, the NDS password for authentication, and the Universal SmartCard plug-in during the device removal detection phase. In this example, the Secure Workstation method starts the device removal plug-in for the Universal SmartCard plug-in when the shell starts. Then, the Universal SmartCard plug-in monitors the card in the reader when the shell starts, and triggers a device removal event when that card is removed.

You do not need to execute an NMAS login sequence that contained the Universal SmartCard method in the above example. However, most administrators would want the user to log in with the smart card if they are concerned about detecting its removal. The above functionality is probably most useful in scenarios where, for example, an Entrust* certificate is read from the smart card, and the Entrust method is used for authentication. The Universal SmartCard device removal plug-in could be used in this scenario even though the Universal SmartCard method was not used during the authentication process.


Login and Post-Login Methods and Sequences

A login method is a specific implementation of a login factor. NMAS provides multiple login methods to choose from based on the three login factors (password, physical device or token, and biometric authentication).

A post-login method is a security process that is executed after a user has authenticated to Novell eDirectory. For example, one post-login method is the Secure Workstation method, which requires the user to provide credentials in order to access the computer after the workstation is locked.

NMAS software includes support for a number of login and post-login methods from Novell and from third-party authentication developers. Additional hardware might be required, depending on the login method. Refer to the NMAS Partners Web site for a list of authorized NMAS partners and a description of their methods.

After you have decided upon and installed a method, you need to assign it to a login sequence in order for it to be used. A login sequence is an ordered set of one or more methods. Users log in to the network using these defined login sequences. If the sequence contains more than one method, the methods are presented to the user in the order specified. Login methods are presented first, followed by post-login methods.


Graded Authentication

An important feature of NMAS is graded authentication. Graded authentication allows you to "grade," or control, users' access to the network based on the login methods used to authenticate to the network.

IMPORTANT:  Graded authentication is an additional level of control. It does not take the place of regular eDirectory and file system access rights, which still need to be administered.

Graded authentication is managed from the Security Policy object in the Security container by using ConsoleOne®. This object is created when NMAS is installed.


Categories

A category is an element of a set that represents sensitivity and trust. You use categories to define security labels.

NMAS comes with three secrecy categories and three integrity categories (Biometric, Token, Password) defined. You can define additional secrecy and integrity categories to meet your company's needs.


Security Label

Security labels are a set of secrecy and integrity categories. NMAS comes with eight security labels defined. The following table shows the predefined security labels and the set of categories that define the label:

Default Security Labels Secrecy Categories Integrity Categories

Biometric & Password & Token

{Biometric, Token, Password}

{0}

Biometric & Password

{Biometric, Password}

{0}

Biometric & Token

{Biometric, Token}

{0}

Password & Token

{Token, Password}

{0}

Biometric

{Biometric}

{0}

Password

{Password}

{0}

Token

{Token}

{0}

Logged In

{0}

{0}

These labels are used to assign access requirements to NetWare volumes and eDirectory attributes. You can define additional security labels to meet your company's needs.


Clearances

Clearances are assigned to users to represent the amount of trust you have in that user. A clearance has a Read label that specifies what a user can read, and a Write label that specifies what information a user can write to. A user can read data that is labeled at the Read label and below. A user can write data that is labeled between the Read label and the Write label.

NMAS defines only one clearance: Multi-level Administrator. Multi-level Administrator has Biometric and Token and Password for the Read label and Logged In for the Write label.

You can define additional clearances to meet your company's needs.

For more information on graded authentication, see Using Graded Authentication .