We are testing NMAS with the Vasco Digipass plugin in order to do
multi-factor authentication. We wish to prompt the user for the
password, followed by the Digipass token. Creating a Digipass sequence
that prompts for the NDS password AND the Digipass token seems to work
great, at least from the Windows Novell Client. I can see in the
dstrace that it does the NDS login successfully, then retrieves the
Digipass password, passes it onto the VASCO LSM, checks that it is
correct, finally authenticating the user. Perfect.

However, I checked to see what error was returned when I tried logging
in from a Linux workstation using ncpmount. When I entered my NDS
password, however, it let me right in and mounted the drive. What??
The user only had one login sequence authorized, which was the Digipass
one. Then I tried de-authorizing every other login sequence, and it did
the exact same thing. It just let me right in. Dstrace showed me
absolutely nothing, besides the successful authentication.

It took me a lot of searching to find that even with NMAS loaded, an
authentication would always fall back to NDS if the user did not have an
NMAS-enabled client. This appears to be for legacy reasons (such as
using ncpmount). I changed the Universal Password policy so that it
would remove the user's NDS password when they logged in. Yes, this
made it so ncpmount could not authenticate. However, it also made it so
that my NDS AND Digipass login sequence no longer worked!

Is there a way to have NDS passwords, but NOT allow the server to fall
back to NDS authentication if the client does not have NMAS? We are not
using Simple Passwords, so that option is out. We would really like to
use NMAS sequences for multi-factor authentication, but it completely
defeats the purpose and the security if you can just scoot right around
it by using a legacy client.


ericll75's Profile: https://forums.netiq.com/member.php?userid=8056
View this thread: https://forums.netiq.com/showthread.php?t=51754