Right on the heels of my last post (here, on a sister site) about the various smart cards, I get an email today that includes the following:

“CAC and Defender are both two factor authentication methods. They can be combined to give you three factor but I haven’t seen anyone do that. CAC uses the DoD PKI structure and Defender uses RADIUS to AD”

So I had to reply with the following:

QAS supports smartcards (and has for years now, including CAC) but doesn’t use Defender for this. Let’s back up and answer exactly what QAS and Defender do.

QAS provides AD integration to Unix/Linux/Mac systems. Defender provides RADIUS authentication using AD as it’s directory. Smartcards (like CAC and PIV) use PKI, not RADIUS, to authenticate the user.

The only time Defender gets involved with smartcards is if the card has a token (not a certificate) on it, in which case, it then provides authentication using that token. There are cards out there that are hybrids, and allow for both tokens and certificates. In that case, Defender only uses the token portion and ignores the certificates.

Now, if someone wants CAC support for QAS, you need to look for the QAS smartcard module, and the related license. To install it, the QAS ISO has a smart card install & admin guide, and you would look for the vassc package to deploy to your particular system. We currently support Red Hat (Linux), Solaris and Mac with the smart card modules.

The other thing that needs to be noted is that nothing that Quest provides can accommodate 3 factor authentication. At least, not on it’s own. As a quick review, the 3 factors to authenticate are:

• Something you know (password, key phrase, hint, account number, username, etc)
• Something you have (a key, a token, a certificate, etc)
• Something you are (biometrics – fingerprint, retinal scan, voice print, etc)

Having multiple instances in the same category (a username, a password, and an account number, for example), does not constitute multiple factors. Now, QAS, Defender, ESSO and other Quest products can all co-exist with other authentication systems, but out of the box, you can get 2-factor authentication from us in a variety of ways, not three.

(edited 2011-11-09 to include link to federalcto.com post referenced in the first sentence)

I’ve been working with VAS for quite a while, and have gone through all the versions since 2.6, and this has to be the biggest thing I’ve seen in over 4 years of working with the prodct. And the big thing is not VAS (or QAS, as its now known) itself, but a free add-on call Identity Manager for Unix (IMU). You can download your copy from here.

And the cool thing is that you can use the product without buying VAS.  What is it?  Its a free, web-based console for managing unix, linux and mac users & groups.  Obviously, if you buy VAS, you get a lot more functionality, but just the core functionality alone makes it a cool download.  If you have more than 2 unix boxes, this makes life a lot easier.  You can now assess all your *nix boxes, get a list of all your users and groups, and make changes right there, in a browser window.

And how do I know its cool?  Because I was on-site with a customer that had been evaluating VAS 3.5 for about a month, and they confirmed it.  They were going to have me go through and show them all the commands, tips & tricks and refresh them on all the things I’d shown them the month before.  Well, after installing IMU, and running through how it worked, they simply replied with “we got everything we need.  You answered all the questions we had with this console, and we feel pretty good that we can drive everything through this instead of the command line.” And that was the goal . . . make unix account management easy to drive from a single point, with no need to script or even log onto multiple boxes. Everything is dead easy . . . and did I mention its free?!?!?

I’ve now had a beta build of VAS 4.0 for a bit, and have finally gotten around to recording some videos featuring some of the new additions.  For core VAS functionality, this blog post here still has a lot of relevant videos.  None of that functionality is going away.  However, there are a lot of new things in 4.0, so here are some starter videos.  I’ll try to post some more, time permitting, but I’ve given up on Camtasia for Mac, so it may take a while.

As with the VAS 3.5 videos, there’s no audio, so you have to use your imagination.  And the second video is quite lengthy, even with some heavy editing to speed things up.  This is simply because the copies of the VAS binaries (all of them) to the server takes a bit of time.  Other than that second video, all the others are under 3.5 minutes.  Enjoy.

http://www.idmwizard.com/quest/vas/vas40-01-install-control-center/index.html
http://www.idmwizard.com/quest/vas/vas40-02-install-IMU/index.html
http://www.idmwizard.com/quest/vas/vas40-03-profile-host-using-IMU/index.html
http://www.idmwizard.com/quest/vas/vas40-04-preflight-host-using-IMU/index.html
http://www.idmwizard.com/quest/vas/vas40-05-install-qas40-via-IMU/index.html
http://www.idmwizard.com/quest/vas/vas40-06-map_local-user-to-AD-via-IMU/index.html

I posted the following in an entry quite some time ago, but thought it made sense to break out just the VAS ones into a separate post for easier searching.  And so I can reference it in the VAS 4.0 blog post I’m about to put up after this one.

All of the following videos are 1-3 minutes in length, with no audio.  They show some of the core VAS functionality which is found across the board on all operating systems supported by VAS:
http://www.idmwizard.com/quest/vas/vas35-01-preflight/index.html
http://www.idmwizard.com/quest/vas/vas35-02-install_and_join/index.html
http://www.idmwizard.com/quest/vas/vas35-03-installation_of_quest_ssh_and_getting_sso_through_it/index.html
http://www.idmwizard.com/quest/vas/vas35-04-unix_enable_user_and_group-password_change-sso_via_ssh/index.html
http://www.idmwizard.com/quest/vas/vas35-05-sudo_group_policy_usage_and_config/index.html
http://www.idmwizard.com/quest/vas/vas35-06-file_copy_policy_with_replacement_macro/index.html
http://www.idmwizard.com/quest/vas/vas35-07-access_controls_via_user_files/index.html
http://www.idmwizard.com/quest/vas/vas35-08-access_controls_via_windows_group_policy/index.html
http://www.idmwizard.com/quest/vas/vas35-09-self_enrollment-automatic_local_to_AD_mapping/index.html

If you happen to have NIS running in your environment, you’ll want to have a look at the next set of videos that target NIS maps, and how VAS brings them directly out of AD and onto your *nix hosts:

http://www.idmwizard.com/quest/vas/vas35-10-installing_vasyp_proxy-getting_yp_maps_from_AD/index.html
http://www.idmwizard.com/quest/vas/vas35-11-using_the_nis_editor/index.html
http://www.idmwizard.com/quest/vas/vas35-12-importing_a_new_nis_map_via_windows/index.html
http://www.idmwizard.com/quest/vas/vas35-13-importing_a_new_nis_map_via_unix_nisedit/index.html
http://www.idmwizard.com/quest/vas/vas35-14-importing_and_enabling_users_with_vastool_load/index.html

For a nice, complete 18 minute long NIS migration video (with audio!!!!) here is one that I recorded for a particular customer:
http://www.idmwizard.com/quest/vas_nis_migration/index.html

Here are some additional random VAS videos that I’ve recorded that are good to keep together.  People often have questions on what the VAS install looks like on the mac – here are 2 videos of that:
http://www.idmwizard.com/quest/vas35_mac_install/index.html
http://www.idmwizard.com/quest/vas35_mac_install_manual/index.html

Lastly, here is VAS’ self-enrollment feature on Solaris 10:
http://www.idmwizard.com/quest/Sol10-VASSelfEnrollment/Sol10-VASSelfEnrollment.html

A long time, when dotcoms rules the land, I was a Dev Manager for www.eTour.com (don’t bother following the link – they’re gone). In those days, we were still trying to introduce people to the web and there was a buzz in the industry that I hadn’t seen before or since. And one that will probably never occur again.

Well, one of the funniest, yet instructional moments came during our death throes. The conversation with the Product Manager went something like this:

Brian: Dmitry, check this out – we need to do this one the site.

Dmitry (walking over): BC, put that site away – this is the workplace – go look at that stuff at home.

BC: no, look at this (closes browser window). See that? There’s another window under it.

DK: yeah, ok. A porn site with pop-ups – what’s your point?

BC: No – check it out.  They manage to put the pop-up under the main window.  Watch again.

DK: OK – I see.  Definitely interesting . . . send me the URL and we’ll figure it out.

Plain and simple, they came up with the ‘pop under’ which was much less obnoxious than the ‘pop-up’ that was so prevalent at the time.  I then had to go to one of our (female) developers and ask her to reverse engineer how it was done.  It turns out it was a simple call to a window.blur() function.

Its interesting that porn (followed by gambling) lead innovation in terms of technology.  It certainly was the only thing making money at the time of the dotcom meltdown and a lot of the things you now see with streaming video (a la YouTube) was not developed by Google or some other well-known company, but by those in the ‘seedy part’ of the internet.

What does this have to do with ‘Identity Management?’ I’m not sure, but I’m willing to bet they will continue to innovate, and it will have some sort of impact on the rest of the computing field.