BorderManager Authentication Services 3
Articles and Tips: article
01 May 1999
Through BorderManager Authentication services 3, network users who dial in from home or on the road have the same network access and directory-based privileges that they have when they are on site. This article discusses the many benefits BorderManager Authentication Services 3 provides.
BorderManager Authentication Services 3 (BMAS) is the secure remote authentication component of the BorderManager Enterprise Edition 3 Suite. BMAS integrates Remote Authentication Dial-In User Service (RADIUS) with Novell Directory Services (NDS) to provide you with the security and other capabilities you need to easily set up and manage dial-in access to your network. BMAS provides authentication, authorization, and accounting services for dial-in users.
With BMAS you can manage your remote access system as easily as you manage your local network or wide area network (WAN) through NDS and NetWare Administrator (NWAdmin). You are free to provide dial-in access to your users via any network access server (NAS) that is RADIUS compliant, and in many cases your users will be able to access your remote access network via the software with which they are most comfortable.
BorderManager Authentication Services 3 is Year 2000 Ready.
Control remote access to your network with industry standard authentication
Implement user callback for extra security
Implement security auditing and departmental accounting
Outsource remote access management and hardware costs
Choose a server platform or mix server platforms
Choose virtually any dial-in software
Simplify administration through NDS
Add new attributes easily
Ensure a seamless transition to the year 2000
Control Remote Access with Industry Standard Authentication
BorderManager Authentication Services 3 provides security through the RADIUS protocol, the industry standard in remote authentication. RADIUS protects the sensitive authentication, authorization, and configuration information passing between the network access server and the server you use to authenticate users with the MD5 message digest (designed by Ron Rivest and published through RSA Data Security): the user's password is hidden by XORing it with an MD5 digest of the shared secret and a per-request random authenticator, and every reply carries an MD5 response authenticator computed over the reply and the shared secret, so a reply from a server that does not know the secret is discarded. This is password hiding and reply authentication rather than strong encryption; its strength rests entirely on the shared secret, so use a long, random secret for each NAS and keep RADIUS traffic on a trusted network segment. Over PPP, RADIUS supports authentication with Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP), and it also supports UNIX-style terminal login and other methods based on a user name and password. Because the RADIUS protocol has broad support from industry leaders such as Ascend, Bay Networks, Checkpoint, Cisco, Lucent (Livingston), Raptor, and Shiva, you can choose from a wide variety of access servers and be assured that your solution will work with the solution used by other companies around the world.
Figure 1: Dial-access network using the RADIUS protocol.
Implement User Callback for Extra Security
You can configure your RADIUS server to instruct the Network Access Server (NAS) that provides dial-in access to your system to "hang up" on a user and call that user back at a specified number. With this callback feature you can add an extra level of security to ensure that only authorized users can dial in to your network: a stolen user name and password are of little use unless the attacker is also sitting at the user's telephone number. The number the NAS dials must be the one stored in the directory and sent by the RADIUS server in its reply, not one supplied by the caller, or the check adds nothing.
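The two sections above describe one RADIUS exchange: the NAS hides the password and sends an Access-Request, the server checks it and replies with an Access-Accept carrying the callback instructions, and the NAS verifies the reply. The following Python is an added worked example of that exchange, written for this page; it is not BMAS or Novell code. The shared secret, the user record that stands in for the NDS lookup, the callback number, and the NAS address 192.0.2.10 are constructed. Attribute numbers and the MD5 constructions follow RFC 2865.

```python
import hashlib
import hmac
import secrets
import struct

# Codes and attribute numbers from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, CALLBACK_NUMBER = 1, 2, 4, 6, 19
CALLBACK_FRAMED_USER = 4  # Service-Type value telling the NAS to hang up and call back for PPP

# Constructed sample data standing in for the NAS configuration and the directory lookup.
SHARED_SECRET = b"example-shared-secret-not-for-production"
USERS = {b"alice": {"password": b"correct horse battery staple", "callback": b"5550101"}}


def attr(atype, value):
    """One attribute: Type (1 byte), Length including header (1 byte), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def parse_attrs(data):
    """Walk the TLV attribute list; returns {type: value} (first occurrence wins)."""
    out = {}
    while len(data) >= 2:
        atype, alen = data[0], data[1]
        if alen < 2 or alen > len(data):
            raise ValueError("malformed attribute")
        out.setdefault(atype, data[2:alen])
        data = data[alen:]
    return out


def hide_password(password, secret, req_auth):
    """RFC 2865 s5.2 User-Password hiding: pad to 16-byte blocks, XOR block i with
    MD5(secret + ciphertext block i-1), seeded with the Request Authenticator.
    The keystream depends only on the secret and the authenticator, which is why a
    weak shared secret can be brute-forced offline from one captured request."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + chunk, chunk
    return out


def unhide_password(hidden, secret, req_auth):
    """Reverse of hide_password; the keystream is rebuilt from the ciphertext blocks."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, req_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3."""
    body = b"".join(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()


def nas_access_request(ident, username, password, secret):
    """NAS side: fresh random Request Authenticator, hidden password, NAS identity."""
    req_auth = secrets.token_bytes(16)
    return packet(ACCESS_REQUEST, ident, req_auth, [
        attr(USER_NAME, username),
        attr(USER_PASSWORD, hide_password(password, secret, req_auth)),
        attr(NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),
    ])


def server_handle(request, secret, users):
    """Server side: recover the password, compare it in constant time with the stored one,
    and answer Access-Accept with callback instructions, or Access-Reject otherwise."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], parse_attrs(request[20:length])
    user = users.get(attrs.get(USER_NAME))
    supplied = unhide_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    if code != ACCESS_REQUEST or user is None or not hmac.compare_digest(supplied, user["password"]):
        reply_code, reply_attrs = ACCESS_REJECT, []
    else:
        reply_code = ACCESS_ACCEPT
        reply_attrs = [attr(SERVICE_TYPE, struct.pack("!I", CALLBACK_FRAMED_USER)),
                       attr(CALLBACK_NUMBER, user["callback"])]
    auth = response_authenticator(reply_code, ident, req_auth, reply_attrs, secret)
    return packet(reply_code, ident, auth, reply_attrs)


def nas_check_reply(request, reply, secret):
    """NAS side: accept the reply only if its identifier matches our request and its
    Response Authenticator was computed with our shared secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1]:
        return False, {}
    attrs_raw = reply[20:length]
    expected = hashlib.md5(reply[:4] + request[4:20] + attrs_raw + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return False, {}
    return True, parse_attrs(attrs_raw)
```

The NAS learns the callback number only from the verified Access-Accept; if the reply fails the authenticator check it is dropped before any attributes are read, which is the property that keeps a rogue host on the NAS-to-server path from injecting its own callback number or a bare Access-Accept.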
Implement Security Auditing and Departmental Accounting
BorderManager Authentication Services 3 has transaction logging capabilities that you can use to protect your network, diagnose connection problems, and create reports for departmental billing and other purposes.
BorderManager Authentication Services 3 keeps a record of all transactions connected with any login attempt, whether successful or unsuccessful, in an audit log. BorderManager Authentication Services 3 starts a new audit log daily. You specify the number of days it keeps audit log files before deleting them. You can review audit logs and quickly determine whether or not unauthorized persons are attempting to access your network. In addition, the logs can be invaluable for tracking down persons who attempt unauthorized access, and when diagnosing remote connection problems.
BorderManager Authentication Services 3 accounting logs provide you with information about who is using remote-access services, as well as when they are using the services and for how long. You can import the data contained in the accounting log files into database and spreadsheet applications that support comma delimited files, such as Microsoft Excel. To make accounting easy you can configure RADIUS accounting log files to accumulate information on a daily, weekly, or monthly basis. You can use accounting log information to aid in troubleshooting, for statistical analysis, and for providing billing departments with information on user accounts.
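Because both logs are comma delimited, the checks the two paragraphs above describe (spotting repeated unauthorized login attempts, and summing connection time per user for billing) can be run directly over the files. The Python below is an added example written for this page, not BMAS's own reporting; the column layout and every log line are constructed, since the page does not show the real BMAS record format, and the real column order must be checked against the product documentation before the parser is pointed at production logs.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Constructed audit records in an assumed layout: timestamp, event, user, NAS address, result.
AUDIT_LOG = """\
1999-05-01 08:12:03,Access-Request,alice,192.0.2.10,Accept
1999-05-01 22:01:10,Access-Request,bob,192.0.2.10,Reject
1999-05-01 22:01:25,Access-Request,bob,192.0.2.10,Reject
1999-05-01 22:01:41,Access-Request,bob,192.0.2.10,Reject
1999-05-01 22:02:02,Access-Request,bob,192.0.2.10,Reject
1999-05-01 22:02:19,Access-Request,bob,192.0.2.10,Reject
1999-05-01 23:30:00,Access-Request,carol,192.0.2.11,Reject
1999-05-02 03:30:00,Access-Request,carol,192.0.2.11,Reject
"""

# Constructed accounting records: timestamp, Start/Stop, user, session id, NAS address,
# and on Stop records the Acct-Session-Time in seconds.
ACCOUNTING_LOG = """\
1999-05-01 08:12:05,Start,alice,sess-001,192.0.2.10,
1999-05-01 09:42:05,Stop,alice,sess-001,192.0.2.10,5400
1999-05-01 10:00:00,Start,alice,sess-002,192.0.2.10,
1999-05-01 10:20:00,Stop,alice,sess-002,192.0.2.10,1200
1999-05-01 11:00:00,Start,dave,sess-003,192.0.2.11,
"""

TS = "%Y-%m-%d %H:%M:%S"


def failed_login_bursts(audit_text, threshold=5, window=timedelta(minutes=5)):
    """Return {user: time of the first alert} for users with `threshold` rejects inside
    a sliding `window`. Per-user windows mean a slow trickle of failures spread over
    hours (carol) does not alert, while a guessing burst (bob) does."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, event, user, nas, result in csv.reader(StringIO(audit_text)):
        if result != "Reject":
            continue
        when = datetime.strptime(ts, TS)
        q = recent[user]
        q.append(when)
        while q and when - q[0] > window:
            q.popleft()
        if len(q) >= threshold and user not in alerts:
            alerts[user] = when
    return alerts


def session_totals(acct_text):
    """Sum Acct-Session-Time per user from Stop records. Start records with no matching
    Stop are returned separately as still open (or lost); billing must not silently drop them."""
    totals = defaultdict(int)
    open_sessions = {}
    for ts, event, user, sid, nas, secs in csv.reader(StringIO(acct_text)):
        if event == "Start":
            open_sessions[sid] = user
        elif event == "Stop":
            open_sessions.pop(sid, None)
            totals[user] += int(secs)
    return dict(totals), open_sessions
```

Run against the daily audit file, the burst detector gives the "quickly determine whether unauthorized persons are attempting to access your network" check a concrete threshold instead of an eyeball; the open-session list from the accounting pass is the thing to reconcile before a monthly bill goes out, because a session that never produced a Stop record is either still connected or was lost to an outage.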
Outsource Remote Access Management and Hardware Costs
A server running BMAS can act as a proxy RADIUS server (forwarding requests to other RADIUS servers), and can accept requests from other RADIUS servers that are acting as proxies. Because of this you can have an Internet service provider (ISP) take over a major portion of the work and the cost of giving your users reliable remote access: the ISP's NAS takes the call and its RADIUS server forwards the authentication request to your BMAS server, which answers from NDS. Outsourcing dial-in access to an ISP saves you the time and expense of purchasing and managing hardware such as NASs, modems, ISDN terminal adapters, and routers, while you retain full control over remote user authentication by means of your internal NDS database. The link between the two RADIUS servers is protected only by the shared secret they hold in common, so agree a strong secret with the ISP and accept proxied requests only from the ISP's server addresses.
Figure 2: Dial-access network that uses ISP to provide RADIUS proxy services.
Choose a Server Platform or Mix Server Platforms
You can install BMAS on either a NetWare 4.11 or above or a Windows NT 4.0 or above server. This cross-platform support means you can use NetWare or Windows NT servers running BorderManager Authentication Services 3 together on the same network, and you can substitute a NetWare server for a Windows NT server and vice versa.
Choose Virtually Any Dial-In Software
BorderManager Authentication Services 3 provides support for a wide variety of dial-in networking software that authenticates by user name and password. PPP dial-up software such as Windows Dial-Up Networking, and terminal emulation programs such as HyperTerminal, are among the many dial-in networking programs that interoperate with BMAS. Because BMAS does not require you to implement a particular type of dial-in software, the software you choose for a dial-in user's workstation will depend mainly upon the type of RADIUS-compliant NAS that provides the user with remote access to your network.
Simplify Administration through NDS
Not only can you choose from a variety of dial-in software for your users, but with BMAS you can add a virtually unlimited number of users to your remote access system.
Since BMAS is fully integrated with NDS and has a management "snap-in" for the NetWare Administrator (NWAdmin) utility, you can assign dial-in user access privileges (individually, as a group, or as several groups) through the same database you use to manage your local network or WAN. Whether you have one RADIUS server on your dial-access system or many, you can administer them all from one place: the Dial Access System object you create in NWAdmin. This capability allows you to add RADIUS servers to your expanding dial-access system without adding significantly to the time it takes to manage that system. In addition, because you can configure your NDS tree to accommodate a virtually unlimited number of dial-in users, your remote access system has all the room it needs to grow.
Add New Attributes Easily
While BMAS's tight integration with NDS allows you to expand your remote access network as your company changes and grows, its extendable attribute dictionary file enables you to incorporate new attributes as they become available. BMAS supports vendor-specific attributes as well as generic RADIUS attributes proposed by the Internet Engineering Task Force (IETF). Novell plans to make future attributes available by extending BMAS's attribute dictionary file to include attributes that other vendors will offer in future products, as well as any attributes the IETF might add as it extends its RADIUS standard. This means that with BMAS you will have the ability to incorporate new products and technologies by simply downloading the latest attribute dictionary file from the Web.
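What a dictionary file buys you is the mapping between attribute names and the numbers and types that go on the wire, and for vendor-specific attributes the extra Vendor-Specific (type 26) wrapper that RFC 2865 defines. The Python below is an added example written for this page, not BMAS code or Novell's dictionary format: the dictionary text uses the widely seen "ATTRIBUTE name number type" layout and is constructed, 23 is Novell's IANA enterprise number, and the Novell-Example-Group attribute is hypothetical. It parses the dictionary, then encodes and decodes standard and vendor-specific attributes, checking both length fields on the way back in.

```python
import struct

VENDOR_SPECIFIC = 26  # RFC 2865 Vendor-Specific attribute that wraps vendor sub-attributes

# Constructed dictionary; the real BMAS dictionary file format is not shown on this page and
# must be checked against the product's own copy. Novell-Example-Group is hypothetical.
DICTIONARY = """\
ATTRIBUTE  User-Name          1   string
ATTRIBUTE  Service-Type       6   integer
ATTRIBUTE  Framed-IP-Address  8   ipaddr
ATTRIBUTE  Callback-Number    19  string
VALUE      Service-Type       Callback-Framed-User  4
VENDOR     Novell             23
VENDORATTR 23 Novell-Example-Group 1 string   # hypothetical vendor-specific attribute
"""


def parse_dictionary(text):
    """Returns (attrs, values, vendors): attrs maps name -> (number, type, vendor-id or None),
    values maps (attribute, value-name) -> integer, vendors maps vendor name -> id."""
    attrs, values, vendors = {}, {}, {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        kw = fields[0]
        if kw == "ATTRIBUTE":
            attrs[fields[1]] = (int(fields[2]), fields[3], None)
        elif kw == "VENDOR":
            vendors[fields[1]] = int(fields[2])
        elif kw == "VENDORATTR":
            attrs[fields[2]] = (int(fields[3]), fields[4], int(fields[1]))
        elif kw == "VALUE":
            values[(fields[1], fields[2])] = int(fields[3])
        else:
            raise ValueError(f"unknown dictionary keyword {kw!r}")
    return attrs, values, vendors


def _encode_value(name, atype, value, values):
    if atype == "string":
        return value.encode() if isinstance(value, str) else bytes(value)
    if atype == "integer":
        return struct.pack("!I", values[(name, value)] if isinstance(value, str) else value)
    if atype == "ipaddr":
        return bytes(int(o) for o in value.split("."))
    raise ValueError(f"unsupported type {atype}")


def _decode_value(name, atype, payload, values):
    if atype == "string":
        return payload.decode()
    if atype == "integer":
        n = struct.unpack("!I", payload)[0]
        names = {v: vn for (an, vn), v in values.items() if an == name}
        return names.get(n, n)
    if atype == "ipaddr":
        return ".".join(str(b) for b in payload)
    raise ValueError(f"unsupported type {atype}")


def encode_attr(name, value, dictionary):
    """Encode one attribute. Vendor attributes are wrapped as Type=26, Length,
    Vendor-Id (4 bytes), then the vendor sub-attribute: Vendor-Type, Vendor-Length, Value."""
    attrs, values, _ = dictionary
    number, atype, vendor = attrs[name]
    payload = _encode_value(name, atype, value, values)
    limit = 253 if vendor is None else 247  # the outer Length field is a single byte
    if len(payload) > limit:
        raise ValueError(f"{name} value too long for a single attribute")
    tlv = struct.pack("!BB", number, 2 + len(payload)) + payload
    if vendor is None:
        return tlv
    body = struct.pack("!I", vendor) + tlv
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_attr(data, dictionary):
    """Decode one attribute back to (name, value); unknown attributes come back as raw octets."""
    attrs, values, _ = dictionary
    by_number = {(num, vend): (nm, ty) for nm, (num, ty, vend) in attrs.items()}
    number, length = data[0], data[1]
    if length < 2 or length != len(data):
        raise ValueError("bad attribute length")
    payload, vendor = data[2:length], None
    if number == VENDOR_SPECIFIC:
        vendor = struct.unpack("!I", payload[:4])[0]
        number, sublength = payload[4], payload[5]
        if sublength < 2 or sublength != len(payload) - 4:
            raise ValueError("bad vendor attribute length")
        payload = payload[6:4 + sublength]
    name, atype = by_number.get((number, vendor), (f"Unknown-{number}", "octets"))
    if atype == "octets":
        return name, payload
    return name, _decode_value(name, atype, payload, values)
```

Updating the dictionary file therefore changes only the name-to-number table; nothing in the encoding or decoding path has to change when a vendor or the IETF adds attributes, which is the property the paragraph above relies on. Unknown attributes are kept as octets rather than rejected, so a dictionary that lags the NAS firmware degrades to an unnamed attribute rather than a dropped packet.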
Ensure a Seamless Transition to the Year 2000
With BMAS you can plan confidently for trouble-free operation as the year 2000 approaches. You will experience a smooth transition from the year 1999 to the year 2000 without any changes in your system's functionality, data content, or user interface. With BMAS you can keep your productivity high throughout the transition to the new millennium. See http://www.novell.com/year2000 for more information.
BorderManager Authentication Services 3 Enhancement Pack
BorderManager Authentication Services 3 Enhancement Pack (BMAS EP) is an application that augments the capabilities and security of BorderManager Authentication Services. In addition to the features of BMAS, EP includes token authentication support, proxy enhancements, configurable concurrent login restrictions, and login accounting and metering.
Token Authentication. BMAS EP includes support for NDS authentication using token devices such as ActivCard and other smart cards. Token authentication requires a user to provide a form of personal identification (such as a PIN) as well as a one-time code generated by the token device, so a captured or guessed password alone is not enough to dial in. Both users and token devices can be managed in the NDS database. Using token authentication improves the security of remote access and provides a single point of administration to lower total cost of ownership.
Proxy Enhancements. BMAS EP includes enhanced RADIUS proxy support to forward accounting and token authentication requests to other servers, including the Security Dynamics ACE/Server. By using the RADIUS protocol you can manage users within NDS while leveraging your existing investment in the ACE/Server. You can also specify proxy servers by NDS context or domain name.
Concurrent Login Restrictions. With BMAS EP you can limit the number of dial-in connections that a remote user can have open at one time per network. You can also restrict the number of concurrent dial-in connections for each user object, or you can set a default value for concurrent dial-in connections for each Dial Access System object.
Connection Detail Information and Metering. With BMAS EP you can generate reports that detail user login and connection history. Using RADIUS accounting you can also track network use by user or account for accounting and billing purposes.
You may download BMAS EP at http://support.novell.com/beta/public.
To obtain ActivCard tokens visit: http://www.activcard.com/products/BMAS-ActivCard/index.html.
1MB of free disk space
1MB of free RAM
2MB of free disk space
1MB of free RAM
NetWare 4.11 or above or intraNetWare intranet platform, or Windows NT 4.0 or above
TCP/IP protocol stack configured and loaded
Windows NT 4.0 or Windows 95/98
Novell Client for Windows NT or for Windows 95/98
Network Access Server
File and print services
If you want to provide users with file and print services on your network, your network access server must use network access software that supports IPX.
You can order BorderManager Authentication Services 3 alone or as part of the BorderManager Enterprise Edition suite from any Novell Authorized, Gold, or Platinum Partner. For more information contact your local Novell office or call the Novell Customer Response Center at 1-801-228-4CRC (1-801-228-4272). In the United States and Canada call toll free 1-888-321-4CRC (1-888-321-4272).
You can also visit the BorderManager Authentication Services 3 page on Novell's World Wide Web site at http://www.novell.com/products/bordermanager/bmas.
Novell Education offers authorized training on BorderManager Enterprise Edition 3 through any Novell Authorized Education Center (NAEC). For information please visit Novell Education's Web site at http://education.novell.com or call 1-801-222-7800. In the United States and Canada call toll free 1-800-233-3382.
* Originally published in Novell AppNotes
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.