Ldapwiki: NMAS

Overview #

Novell Modular Authentication Service (NMAS) is a component of Novell eDirectory™ that enables you to centrally manage multiple Authentication Methods across your network.

The NMAS SDK provides a set of tools to create an expanded set of NMAS login methods to help you secure critical network resources.

NMAS Functionality#

NMAS is designed to help you protect information on your network. In addition to the Password Management tool, NMAS brings together different Authentication Methods to NetIQ eDirectory networks. This helps to ensure that the people accessing your network resources are who they say they are.

NMAS employs three different phases of operation during a user’s session on a workstation with respect to authentication devices. These phases are as follows:

User Identification Phase (who are you?)
Authentication (Login) Phase (prove who you say you are)
Device Removal Detection Phase (are you still there?)

All three of these phases of operation are completely independent. Authentication devices can be used in each phase, but the same device need not be used each time.

User Identification Phase#

User Identification Phase is the process of gathering the username. Also provided in this phase are the NDS Tree-name, the user’s context, the server name, and the name of the NMAS sequence to be used during the Authentication phase. This authentication information can be obtained from an authentication device, or it can be entered manually by the user.

Authentication (Login) Phase#

NMAS uses three different approaches to logging in to the network called Authentication Factors. These Authentication Factors describe different items or qualities a user can use to authenticate to the network:

Password Authentication (something You Know)
Physical Device Authentication (something You Have)
Biometric Authentication (something You Are)

Password Authentication #

Passwords (something You Know) are important methods for authenticating to networks. NMAS provides several password authentication options:

NDS Password: The NDS Password is stored in a hash form that is non-reversible and only the NDS system can make use of this password. This option, by default, uses the Universal Password if enabled and set.
Simple Password: The simple password allows administrators to import users and passwords (plaintext and hashed) from foreign LDAP directories. This option, by default, uses the Universal Password if enabled and set.
DIGEST-MD5 SASL: DIGEST-MD5 SASL provides the IETF standard DIGEST-MD5 SASL Mechanism that validates a password hashed by the MD5 algorithm to be used for a LDAP SASL Bind Request. This option, by default, uses the Universal Password if enabled and set.
Challenge-response: Challenge-response provides a way for a user to Authenticate using one or more responses to pre-configured nsimRandomQuestions or nsimRequiredQuestions.

Universal Password is a way to simplify the integration and management of different password and authentication Methods into a coherent network.

Novell Secure Password Manager provides methods for management of the Universal Password

NMAS Physical Device Authentication #

NMAS developers and third-party authentication developers have written authentication modules for NMAS for several types of physical devices (something You Have):

NOTE:NMAS uses the word to refer to all physical device authentication methods (smart Cards with certificates, One-Time password (OTP) devices, proximity Cards, etc.).

with NMAS, a Smart Card can be used to establish an identity when authenticating to eDirectory.

NetIQ provides the NetIQ Enhanced Smart Card login method for the use of smart cards. The NetIQ Enhanced Smart Card login method is provided as part of the Identity Assurance Client. For more information, see the NetIQ Enhanced Smart Card Method 3.0 Installation and Administration Guide.

One-Time password (OTP) device: An OTP device is a hand-held hardware device that generates a one-time password to authenticate its owner.

NMAS provides the pcProx login method, which supports RFID proximity Cards. The pcProx login method is provided as part of the NetIQ SecureLogin product.