Using Digipass Strong User Authentication with Novell NMAS and ICHAIN
Overview

This document shows how Novell iChain and NMAS strengthen their authentication by integrating VASCO Digipass tokens for strong user authentication, and it walks through several secure web and RADIUS access configurations.
Technical Concept

Topology Concept (Fig.; the topology diagram is not reproduced in this text)
Novell Components

NMAS: Novell® Modular Authentication Service (NMAS) is an extensible security product that gives you an easy way to manage multiple authentication methods centrally across your network. With NMAS you can implement stronger forms of authentication and authorization to secure your critical corporate resources.
iChain: Novell iChain provides, among other features:
• Proxy-server clustering
• Server fault tolerance
• Support for the Remote Authentication Dial-In User Service protocol (RADIUS)
Novell positions iChain as the product to secure and accelerate a company's transformation to eBusiness. It is also a key component of Novell Secure Access™, Novell's comprehensive security suite.

VASCO Components

Digipasses: "Digipass Family of tokens" is the general name VASCO uses for the family of handheld security devices that it manufactures and markets.
The weak area this concept addresses:
• User-managed passwords are the single largest cause of failed or incorrect authentication.
VASCO delivers strong authentication and guarantees data integrity for electronic transactions by means of the Digipass family of tokens. In this concept we apply the Digipass remedies to those weak areas of authentication and data integrity.
The Digipass family of tokens supports three modes of operation: Response-Only, Challenge/Response and Digital Signature. Before describing the modes, we first show the complete application cycle of Digipass token usage.

General concept for Digipass family hardware token usage (Fig 1a; diagram labels: Databases and Files)

(Fig 1a) The first step is that the tokens are initialized, each with its own unique set of secrets and keys.
(Fig 1b) Once this is done, the application owner assigns those Digipass secrets to the end-users. The assignment links the serial number of the Digipass token to the name of the end-user. The token is then shipped to the end-user together with a manual and the PIN code, protected in a secure PIN mailer. Once the end-user has received the token, they can start using it. Note that the serial number is the only link between a token record and a person, so the assignment step and the PIN mailer are the two points in this cycle that must be protected against substitution and interception.
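The lifecycle above (a unique secret per token at initialization, assignment by serial number, verification of what the user later types in) can be modelled in a few dozen lines. The following is an added example written for this page, not VASCO's code: the proprietary Digipass response algorithm is replaced by the HOTP event-counter construction of RFC 4226 (HMAC-SHA1 over a counter) as a stand-in, and the serial numbers and user names are constructed. It shows the two checks a verifier must make that the text only implies: a response is accepted only within a bounded look-ahead window, and a response at or behind the last accepted counter is rejected as a replay.

```python
import hashlib
import hmac
import secrets
import struct


# Stand-in for the proprietary Digipass response algorithm (not reproduced here):
# the HOTP construction of RFC 4226, HMAC-SHA1 over a 64-bit counter, truncated.
def token_response(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class DigipassStore:
    """Server-side view of the lifecycle: initialize() is Fig 1a (a secret per serial
    number), assign() is Fig 1b (serial number -> user) and verify() checks a typed response."""

    def __init__(self, window: int = 10):
        self.window = window   # how many unused presses the server tolerates (idle/lost presses)
        self.tokens = {}       # serial -> {"secret", "last", "user"}
        self.by_user = {}      # user -> serial

    def initialize(self, serial: str, secret=None) -> bytes:
        """Step 1: give the token (identified by its serial number) its own unique secret."""
        if serial in self.tokens:
            raise ValueError(f"token {serial} already initialised")
        secret = secret or secrets.token_bytes(20)
        self.tokens[serial] = {"secret": secret, "last": -1, "user": None}
        return secret

    def assign(self, serial: str, user: str) -> None:
        """Step 2: assignment is by serial number; one token per user, one user per token."""
        rec = self.tokens[serial]
        if rec["user"] is not None or user in self.by_user:
            raise ValueError(f"{serial} or {user} is already assigned")
        rec["user"] = user
        self.by_user[user] = serial

    def verify(self, user: str, otp: str) -> bool:
        """Accept only counters strictly after the last accepted one, within the window.
        A response at or behind 'last' (including one that was already used) is a replay."""
        serial = self.by_user.get(user)
        if serial is None:
            return False
        rec = self.tokens[serial]
        for step in range(1, self.window + 1):
            candidate = rec["last"] + step
            if hmac.compare_digest(token_response(rec["secret"], candidate), otp):
                rec["last"] = candidate   # resynchronise to the press that was actually used
                return True
        return False
```

With the RFC 4226 test-vector key `b"12345678901234567890"` assigned to a user, the first response (`755224`, counter 0) verifies, the same response a second time is refused, a response five presses ahead still verifies, and one behind the accepted counter is refused.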
[…] Airlines site (web server 10.0.0.1): two subnets are configured. Because the local data and e-business applications reside on the 10.0.0.0 subnet (Fig 3), address translation provides transparent access.

Fig 3: RADIUS is the protocol used for authentication, so a RADIUS profile needs to be configured (Fig 3a, 3b).

Fig 3a: Select Authentication, then select RADIUS authentication.

Fig 3b: Configure the IP address of the RADIUS server.
Configuration of NMAS

NMAS System Settings

In this section we configure the types of service that will be used to access the resources; the services are user-related. Configuring RADIUS access is done in two steps:
1. Add the RADIUS Dial Access Service.
2. Add the RADIUS Dial Access Protocol (here attributes can be supplied, or the default settings can be used). In this case the default settings are used.

Fig 4a: Enable Dial Access Control.
Services represents the RADIUS Dial Access Protocol. Double-click Services.

Select the RADIUS_DAS service.

This completes the configuration of the RADIUS_DAS service. Next, specify the RADIUS protocol (for example Callback, …). Click Add to configure.

Once again select Services.

Select RADIUS_DAP and click OK. You can rename it to Radius Dial Access Protocol. When no method is specified, the entry is added as `default`, for example: Radius Dial Access Protocol [DEFAULT].
NMAS VASCO Digipass Import

Configure the VASCO Digipass container (Fig 5)

As VASCO support is integrated in NMAS, only the service needs to be configured and activated. A container for Digipasses is configured by creating a new object in Services (Fig 5).

Fig 6: The VASCO Digipass container holds the VASCO Digipass token object, to which you can give a friendly name.

Fig 7: To import tokens, a VASCO Digipass token object is created. This object contains all Digipasses and their functions as listed on the initialization sheet, and it is also where a user is assigned a Digipass. To import tokens, provide the location of the DPX file and its encryption key.

Import DPX files (Fig 8). The encryption key is what protects the token secrets inside the DPX file, so it should be delivered and stored separately from the file itself.

NMAS User – VASCO Digipass Management

Assigning users

In this section we configure the type of authentication a user is set up for and the type of services the user will use to access the resources.
Fig 9 shows the directory structure, where Digital Airlines is the application as well as the container in which all users accessing it are registered and given permissions, levels of access and type of authentication.

Fig 10: By opening the properties of a newly created user, a Digipass is assigned to that user. To check that the Digipass works, enter the values shown on the Digipass into the required fields.
Activating the Authentication Method – VASCO Digipass Authentication (Fig 12)

For each user, select the authentication method; here we select the VASCO token.

Configuration of RADIUS

Novell: For detailed configuration of RADIUS within the Novell RADIUS Service, see http://www.novell.com

VASCO: In this example we integrated the Novell RADIUS Service. It is also possible to use the VASCO RADIUS services; for more information on these server products, contact us at http://www.vasco.

Configuration of Web

Novell: For configuration or product details, see http://www.novell.com

Other web servers and services: In this scenario we used the Novell web server. VASCO also fully supports Apache and IIS: http://www.microsoft.com http://www.apache.
Appendix A – Delta Airlines Access Examples

Authentication and authorization over iChain (secured)
Appendix B – Local Network Logon

VASCO Challenge/Response Authentication

Novell NMAS presents the VASCO challenge, which the user keys into the token; the response the token computes is typed into the `Enter password` field. Once VASCO has authenticated that response, NMAS prompts for the NDS static password as a second verification. Authentication settings are configured per user (covered earlier in this paper).
Appendix C – VASCO VRM & Tokens with BM (BMAS) VPN Services

VPN secure authentication with the Digipass 300 and the Digipass GO-1 with PIN+RESPONSE

When defining the Login Policy Rule for VPN, the External Login Service Method must be defined as MANDATORY; "Required if assigned" cannot be used. It is therefore a global setting: everyone using the VPN will be required to use token authentication. You will need to install the VRM from VASCO and get it working (test it with a RADIUS client such as NTRadPing).
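RADIUS is the protocol between iChain/NMAS and the authentication server (Fig 3), Appendix B describes the challenge/response round-trip, and the test above is done with a RADIUS client. The following added example (not Novell's or VASCO's code) implements both sides of that exchange with the Python standard library only: User-Password hiding and the Response Authenticator as specified in RFC 2865, an Access-Request that is answered with an Access-Challenge carrying the challenge in Reply-Message plus a State attribute, and a second Access-Request carrying the token response. The shared secret, the user table, the fixed challenge `73519024` and the expected response `620417` are constructed for the example; a real server derives the expected response from the token's secret.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

# Constructed for this example: the shared secret from the RADIUS profile, a fixed
# challenge, and the response the user's token is expected to produce for it.
SHARED_SECRET = b"example-radius-secret"
CHALLENGE = b"73519024"
EXPECTED_RESPONSE = {"alice": b"620417"}


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    if not password:
        password = b"\x00" * 16
    password += b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(password), 16):
        block = bytes(a ^ b for a, b in zip(password[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def decode_user_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def _attrs(attrs) -> bytes:
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)


def build_request(ident: int, authenticator: bytes, attrs) -> bytes:
    body = _attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def build_reply(code: int, ident: int, request_auth: bytes, attrs, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = _attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def parse(packet: bytes):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, ident, packet[4:20], attrs


def verify_reply(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Recompute the Response Authenticator; a reply forged without the secret fails here."""
    code, ident, resp_auth, attrs = parse(packet)
    return hmac.compare_digest(resp_auth, build_reply(code, ident, request_auth, attrs, secret)[4:20])


def radius_server(packet: bytes, secret: bytes = SHARED_SECRET) -> bytes:
    """Toy challenge/response server: round 1 issues the challenge, round 2 checks the response."""
    code, ident, req_auth, attrs = parse(packet)
    a = dict(attrs)
    if code != ACCESS_REQUEST or USER_NAME not in a or USER_PASSWORD not in a:
        return build_reply(ACCESS_REJECT, ident, req_auth, [], secret)
    user = a[USER_NAME].decode(errors="replace")
    password = decode_user_password(a[USER_PASSWORD], secret, req_auth)
    if STATE not in a:
        # Challenge every user, known or not, so round 1 does not reveal which accounts exist.
        return build_reply(ACCESS_CHALLENGE, ident, req_auth,
                           [(REPLY_MESSAGE, b"Challenge: " + CHALLENGE), (STATE, b"chal:" + CHALLENGE)], secret)
    ok = a[STATE] == b"chal:" + CHALLENGE and hmac.compare_digest(password, EXPECTED_RESPONSE.get(user, b"\xff"))
    return build_reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, [], secret)


def nas_login(user: str, token, secret: bytes = SHARED_SECRET, server=radius_server) -> str:
    """Client side (what NTRadPing or iChain does): request, answer the challenge, return the verdict.
    'token' is a callable standing in for the user keying the challenge into the Digipass."""
    req_auth = os.urandom(16)
    answer = server(build_request(1, req_auth, [(USER_NAME, user.encode()),
                                                (USER_PASSWORD, encode_user_password(b"", secret, req_auth))]))
    if not verify_reply(answer, req_auth, secret):
        raise ValueError("Response Authenticator mismatch: reply was not produced with our shared secret")
    code, _, _, attrs = parse(answer)
    if code != ACCESS_CHALLENGE:
        return "accept" if code == ACCESS_ACCEPT else "reject"
    a = dict(attrs)
    challenge = a[REPLY_MESSAGE].split(b": ", 1)[1]
    req_auth = os.urandom(16)
    answer = server(build_request(2, req_auth, [(USER_NAME, user.encode()),
                                                (USER_PASSWORD, encode_user_password(token(challenge), secret, req_auth)),
                                                (STATE, a[STATE])]))
    if not verify_reply(answer, req_auth, secret):
        raise ValueError("Response Authenticator mismatch on second round")
    return "accept" if parse(answer)[0] == ACCESS_ACCEPT else "reject"
```

`nas_login("alice", lambda challenge: b"620417")` returns `"accept"`, a wrong response or an unknown user returns `"reject"`, and a reply checked against the wrong shared secret fails `verify_reply`. Two caveats a practitioner should keep in mind: the User-Password hiding of RFC 2865 is MD5-based obfuscation keyed on the shared secret, not strong encryption, so RADIUS traffic between iChain and the server belongs on a protected network segment or inside a tunnel; and a one-time response such as the Digipass output limits what an eavesdropper gains even if that hiding is broken, which is one of the reasons to use it here.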
About VASCO

Founded: 1997
Web: www.VASCO.com
CEO: Ken Hunt
President and COO: Jan Valcke
Employees: 80
Worldwide Headquarters: 1901 South Meyers Road, Suite 210, Oakbrook Terrace, Illinois, USA
European Headquarters: Koningin Astridlaan 164, B-1780 Wemmel, Belgium
VASCO Product Range:
• VACMAN: Authentication, Authorization, Administration, AAA Security
• Digipass: Encryption, Remote Access, Corporate Access, Hard- & software tokens

VASCO's roots are in cryptography.
• Digipass Pro 700 offers sophisticated yet user-friendly strong authentication services with extended digital signature capability.
• Digipass Pro 800 is used by several top-tier banking institutions worldwide and is valued by the banks and their clients for securing full access to financial applications on the existing banking network via an existing smart card, in a flexible, easy-to-use and cost-effective way.
• Digipass GO: Digipass GO can be used anywhere, anyhow and anytime.
• VACMAN Server for Networks provides strong user authentication and access control management for RADIUS and LAN environments in a fully integrated system.
• VACMAN Server for Web delivers access control to Web-enabled applications, whether Internet, extranet or intranet based.