You can configure Odyssey Client for secure password-based authentication using EAP-TTLS. You can log in anonymously while your credentials and other data are encrypted. You can use one of a number of inner RADIUS protocols with the tunneled authentication.

Before you begin
In order to configure Odyssey Client for EAP-TTLS network authentication you must verify the following information with your network administrator:
- You must have a wireless adapter installed and enabled on your client machine.
- You must know the exact name (SSID) of the access point network to which your credentials are authenticated. If you do not know the exact name of the access point network, you must be in its vicinity at the time of configuration.
- You must know how the access point association and encryption is configured. It is typical for EAP-TTLS authentication that access points are configured in open association mode and for WEP encryption with dynamic key generation. The instructions below reflect this scenario. If this is not the case, you can modify the association and encryption choices in step 3g below. For example, your access point might be configured for WPA2 association with AES encryption.
- You must know the name of the appropriate CA-issued certificate to be used for EAP-TTLS authentication. (Note: CA = Certificate Authority)
- You must already have the appropriate CA-issued certificate installed on your client machine. See KB10484 for information on installing a CA-issued certificate on the client machine if you do not already have one installed.
- You must already know the name of the inner authentication method(s) your EAP-TTLS authentication server accepts. The inner authentication protocol is used to authenticate against the particular backend database in which the user's credentials are stored.

If you are configuring Odyssey Client for EAP-TTLS authentication using machine account or prior to Windows logon (GINA), then all certificates for trusted server validation must be installed in the local machine store (as opposed to the current user store). Follow the instructions in procedure III of KB10484 for installing CA-issued certificates in the trusted root store of the local machine. Follow the instructions in KB10483 for configuring machine account. See KB10659 for instructions for configuring prior to Windows logon connections.

Configuring Odyssey Client for EAP-TTLS password-based authentication
Follow these steps in order to configure Odyssey Client for secure EAP-TTLS authentication:
1. Add a wireless adapter:
   a. Select the Adapters panel in Odyssey Client Manager.
   b. Click Add. Add Adapter appears.
   c. Click the Wireless tab of Add Adapter, and select the adapter that you want to use for wireless authentication.
   d. Click OK. The wireless adapter appears on the Adapters panel.
2. Create a user profile to specify your desired authentication options:
   a. Select the Profiles panel in Odyssey Client Manager.
   b. Click Add. Add Profile appears.
   c. Create a name for the profile, and type it next to Profile name.
   d. On the User Info tab of Add Profile, enter the login name. If you are already on your enterprise network when you configure Odyssey Client, then Odyssey Client picks up your network login name by default.
   e. Permit login using password is checked by default on the Password subtab of the User Info tab of Add Profile. Keep this checked, and select a method for entering the password. If you select the default password connection option (Use Windows password), or if you type in a password to use (Use the following password), then you will have the least amount of interaction at connection time.
   f. Select the Authentication tab. EAP-TTLS is the default authentication method selected. Keep this option, and keep Validate Server Certificate checked in order to validate the server prior to sending the user's credentials to the RADIUS server. Note that when you check this option, you must configure a CA certificate for use with Odyssey Client (see step 4 below). Keep the default value anonymous in the Anonymous name field, unless your network requires some other anonymous login name.
   g. Select the TTLS Settings tab, and select an inner authentication protocol from the list (the default inner authentication protocol is MS-CHAP-V2). Note: If you select EAP as the EAP-TTLS inner authentication method, then you must also select at least one of the inner EAP methods by clicking Add, selecting one or more inner EAP methods, and clicking OK.
   h. Click OK to close Add Profile. The profile appears in the Profiles panel.
3. Add a network:
   a. Select the Networks panel in Odyssey Client Manager.
   b. Click Add. Add Network appears.
   c. Enter the name of the wireless network (SSID) to which Odyssey Client authenticates the user. If you do not know the name of the access point network, and you are in the vicinity of the network, click Scan. Available Networks appears, displaying the results of a scan for the wireless access points in your vicinity. Select the correct network, and click OK to close Available Networks.
   d. Do not check Connect to any available network.
   e. Optionally enter a description for the network. You might want to use this option when you connect to two networks of the same name, but with different configurations.
   f. Select Access Point (Infrastructure mode) for the Network type. This is the default value.
   g. Select the Association mode (Open) and then select the related Encryption option (WEP). The values you select depend on how your network access point is configured. See your network administrator to verify the correct access point association and encryption options.
   h. Check Authenticate using profile and select the profile that you created in the Profiles panel in step 2.
   i. Check Keys will be generated dynamically for data privacy. (Once you complete step 3h, this is checked by default.)
   j. Click OK. The network appears in the Networks panel.
4. Configure Odyssey Client with the trusted server certificate:
   a. Select the Trusted Servers panel in Odyssey Client Manager.
   b. Click Add. Add Trusted Server Entry appears.
   c. Check Trust any server with a valid certificate regardless of its name.
   d. Click Browse. Select Certificate appears.
   e. Select the Trusted Root Certificate Authorities tab, select the required CA certificate, and click OK. See your network administrator if you have any questions about which certificate to select.
   f. Click OK to close Add Trusted Server Entry. The trusted server entry appears in the Trusted Servers panel.
5. Connect to the wireless network:
   a. Select the Connection panel in Odyssey Client Manager.
   b. Select the adapter that you configured in step 1.
   c. Select the wireless network that you created in step 3.
   d. Check Connect to network.
   e. You can optionally check the status of the connection under Connection information on the Connection panel:
If the Status field appears as open and authenticated, then you have successfully authenticated to the wireless network using EAP-TTLS with the Odyssey Client.
If the Status field does not appear as open and authenticated, verify your Odyssey Client configuration. Also verify that your EAP-TTLS Odyssey Client configuration is correct for the configuration of your access point and RADIUS server.

You may elect not to add the trusted server (as in step 4) during the configuration of the Odyssey Client. If you complete all steps except step 4, then after you complete step 5d, Odyssey Client prompts you to validate your trust of the RADIUS server prior to sending your credentials to the RADIUS server during the authentication process. When prompted, optionally check Add this trusted server to the database, and click Yes in order to continue with the EAP-TTLS authentication. By checking Add this trusted server to the database, you configure Odyssey Client to trust this server for all future authentication attempts.
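
For the machine account and prior to Windows logon cases described under Before you begin, the CA certificate must be in the local machine store rather than only in the current user store. The following PowerShell check is an added example, not part of the original article or of Odyssey Client; the CA name is a placeholder and the function name Find-CaCertificate is hypothetical.

```powershell
# Added example: report which trusted root store holds the CA certificate
# used for EAP-TTLS server validation.
param(
    # Placeholder: replace with the CA name your network administrator gave you.
    [string]$CaName = 'Example Corp Root CA'
)

function Find-CaCertificate {
    param([string]$StorePath, [string]$Name)
    # The Cert: drive exposes the Windows certificate stores as folders.
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -like "*$Name*" } |
        ForEach-Object {
            $now = Get-Date
            [pscustomobject]@{
                Store           = $StorePath
                Subject         = $_.Subject
                Thumbprint      = $_.Thumbprint
                NotAfter        = $_.NotAfter
                OutsideValidity = ($_.NotAfter -lt $now) -or ($_.NotBefore -gt $now)
            }
        }
}

$machine = @(Find-CaCertificate -StorePath 'Cert:\LocalMachine\Root' -Name $CaName)
$user    = @(Find-CaCertificate -StorePath 'Cert:\CurrentUser\Root'  -Name $CaName)

# The current user view of the Root store also lists machine-store certificates,
# so compare thumbprints to find the ones installed for this user only.
$machineThumbs = $machine | ForEach-Object { $_.Thumbprint }
$userOnly = @($user | Where-Object { $machineThumbs -notcontains $_.Thumbprint })

$machine + $userOnly | Format-Table -AutoSize

if ($machine | Where-Object { -not $_.OutsideValidity }) {
    'OK: CA certificate is in the local machine store (usable for machine account and pre-logon connections).'
} elseif ($machine) {
    'WARNING: CA certificate is in the local machine store but is outside its validity period.'
} elseif ($userOnly) {
    'WARNING: CA certificate is only in the current user store; install it in the local machine store for machine account or pre-logon connections.'
} else {
    "NOT FOUND: no trusted root certificate matches '$CaName'."
}
```

Save the block as a .ps1 file and pass the CA name with -CaName; it only reads the certificate stores and changes nothing.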