KB10696 - Configure Odyssey for smart card logon using a smart card certificate


Last Modified Date: 8/1/2015 7:33 PM

Synopsis
Configure Odyssey for smart card logon using a smart card certificate

Solution
Overview

You can configure Odyssey Client for smart card logon using certificate credentials (EAP-TLS). You can use the smart card configuration of Odyssey Client to perform GINA time authentication (prior to Windows logon) using EAP-TLS. You can also configure profiles that use smart card certificates (and EAP-TLS) when your users have smart cards, while password-based protocols are used when smart cards are not present at authentication time prior to Windows logon.

Before you begin
 
In order to configure any mutually authenticating protocol such as EAP-TLS or EAP-TTLS, you must first install and configure the trusted server certificate for use with Odyssey Client, so that the client can validate the authentication server before it presents the user certificate. See KB10484.

In order to configure certificate-based smart card authentication, you must have already installed and registered your smart card reader and smart card. You must also have exported the user certificate to the smart card while the card is inserted in a reader on your Odyssey Client machine.
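The two prerequisites above can be checked from the Windows side before any Odyssey profile is created. The following PowerShell script is an added example and is not part of this KB or of Odyssey Client: it lists the certificates in the current user's personal store that have a private key, reports whether the key lives on a removable hardware device (a smart card), whether the certificate carries the Client Authentication EKU that an EAP-TLS server requires, whether it is within its validity period, and whether it chains to a root this machine trusts. It assumes Windows PowerShell 5.1 and a CSP-based (CAPI minidriver) smart card; for CNG-only keys the provider is reported as "unknown" and the smart card test is skipped. The function name and the `$ClientAuthOid` variable are this example's own.

```powershell
# Added example, not Odyssey Client code: check that a smart card certificate
# is usable for EAP-TLS before building the profile described in this KB.
# Assumption: Windows PowerShell 5.1, CAPI (CSP) smart card minidriver, so
# $Cert.PrivateKey exposes CspKeyContainerInfo. CNG keys are reported as unknown.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Test-SmartCardEapTlsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)

    $now = Get-Date
    $result = [ordered]@{
        Subject     = $Cert.Subject
        Thumbprint  = $Cert.Thumbprint
        Provider    = 'unknown'
        OnSmartCard = $false
        ClientAuth  = $false
        Valid       = ($Cert.NotBefore -le $now -and $Cert.NotAfter -gt $now)
        ChainOk     = $false
        ChainStatus = ''
    }

    # Where does the private key live? A CSP reports hardware + removable
    # for keys held on a smart card.
    try {
        $info = $Cert.PrivateKey.CspKeyContainerInfo
        if ($info) {
            $result.Provider    = $info.ProviderName
            $result.OnSmartCard = [bool]($info.HardwareDevice -and $info.RemovableDevice)
        }
    } catch { }

    # EAP-TLS servers normally reject a client certificate without clientAuth.
    $result.ClientAuth = [bool]($Cert.EnhancedKeyUsageList |
        Where-Object { $_.ObjectId -eq $ClientAuthOid })

    # Build the chain against the local trust stores. Revocation is not
    # checked here so the script runs offline; enable it where CRL/OCSP is reachable.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $result.ChainOk = $chain.Build($Cert)
    $result.ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    [pscustomobject]$result
}

# Only certificates with a usable private key can authenticate the user.
$candidates = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey }
$report = $candidates | ForEach-Object { Test-SmartCardEapTlsCertificate -Cert $_ }
$report | Format-Table Subject, Provider, OnSmartCard, ClientAuth, Valid, ChainOk, ChainStatus -AutoSize

# A smart card EAP-TLS profile needs at least one certificate that passes every check.
$usable = $report | Where-Object { $_.OnSmartCard -and $_.ClientAuth -and $_.Valid -and $_.ChainOk }
if (-not $usable) {
    Write-Warning 'No smart card certificate suitable for EAP-TLS was found; check the card, the reader and the trusted CA chain before creating the profile.'
}
```

Run it with the smart card inserted, since the certificate is only visible in the store while the card is present. A quicker, lower-level cross-check is `certutil -scinfo`, which enumerates readers and the certificates on each inserted card. A row with ChainOk False and a status such as UntrustedRoot or PartialChain means the issuing CA is not trusted on this machine, which is the same trust problem that will make Odyssey reject the server certificate at GINA time.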

Create a profile for smart card authentication

You can configure Odyssey Client for smart card authentication in a number of ways:
  • You can configure a profile for single-protocol authentication using EAP-TLS and the certificate from the smart card.
  • You can configure a profile for single-protocol authentication using EAP-TTLS and the certificate from the smart card.
  • You can configure a profile for multiple-protocol authentication that uses the smart card certificate with a certificate-based method when the card is present, and falls back to a password-based protocol such as EAP-TTLS, EAP-PEAP or EAP-FAST when the smart card is not used for logon at prior-to-Windows-logon authentication time.
 
To create a profile for smart card EAP-TLS authentication with no other protocols, follow these steps:
  1. Select the Profiles panel of Odyssey Client Manager (or Initial Settings in the Odyssey Client Administrator if you are configuring settings for first time users or for a custom installer).
  2. Click Add. Add Profile appears.
  3. Type in a name for the profile and leave the login name blank.
  4. Un-check Permit login using password on the Password tab of User Info.
  5. Select the Certificate tab of User Info.
  6. Check Permit login using my Certificate, and select Use the certificate from my Smart Card Reader. If you have more than one reader, select a specific reader from the list. Otherwise, leave the default reader (any reader) unchanged.
  7. Select the Authentication tab.
  8. Select EAP-TTLS from the list of protocols, and click Remove.
  9. Click Add, select EAP-TLS to add it to the protocol list, and click OK to close the Add EAP Protocol dialog.
  10. Leave all other settings unchanged, and click OK to save the profile.

To create a profile for smart card EAP-TTLS authentication for certificate-based authentication, follow these steps:
  1. Select the Profiles panel of Odyssey Client Manager (or Initial Settings in the Odyssey Client Administrator if you are configuring settings for first time users or for a custom installer).
  2. Click Add. Add Profile appears.
  3. Type in a name for the profile and leave the login name blank.
  4. Un-check Permit login using password on the Password tab of User Info.
  5. Select the Certificate tab of User Info.
  6. Check Permit login using my Certificate, and select Use the certificate from my Smart Card Reader. If you have more than one reader, select a specific reader from the list. Otherwise, leave the default reader (any reader) unchanged.
  7. Select TTLS Settings. Select Use only my certificate for authentication.
  8. Leave all other settings unchanged, and click OK to save the profile.

To create a profile that negotiates either certificate-based smart card authentication, or password-based EAP-TTLS (or other password based) authentication prior to Windows logon, follow these steps:
  1. Select the Profiles panel of Odyssey Client Manager (or Initial Settings in the Odyssey Client Administrator if you are configuring settings for first time users or for a custom installer).
  2. Click Add. Add Profile appears.
  3. Type in a name for the profile, and type in the network login name.
  4. Keep Permit login using password checked on the Password tab of User Info, and select a password option.

    If you select Prompt for password, you are prompted for the Windows password if you negotiate password-based authentication at logon.

    Note that if you select Use Windows password, you should have the GINA module installed, even if you do not use the profile for GINA time login. (Network administrators must do this). See KB10659 for general information on GINA, and installing GINA. In particular, see GINA installation.
  5. Select the Certificate tab of User Info.
  6. Check Permit login using my Certificate, and select Use the certificate from my smart card Reader.
  7. If you have more than one reader, select a specific reader from the list. Otherwise, leave the default reader (any reader) unchanged.
  8. Select the Authentication tab.
  9. Click Add, and select EAP-TLS to add it to the list of authentication protocols. In the same dialog, also select any other password-based protocol you require if EAP-TTLS will not be your sole password-based method. Click OK.
  10. Reorder the protocols according to your preference. If you prefer to rely on smart card certificates for authentication, move EAP-TLS to the top of the list of authentication methods on the Authentication tab.
  11. Follow either of these procedures depending on your choice of password-based protocol(s):
    • For EAP-TTLS password-based authentication, select TTLS Settings. Select and order any required inner protocols.
    • For EAP-PEAP password-based authentication, select PEAP Settings. Select and order any required inner protocols.
  12. Click OK to save the profile.

Note: You are required to enter a login name for all password-based protocols (except when you are creating a GINA profile in Initial Settings of the Odyssey Client Administrator).

Configure Trusted Servers, Networks, Adapters, and Connection panels

See any of the following topics for specifics on configuring Trusted Servers, Networks, Adapters, and the Connection panels (follow step 1, and steps 3 - 5 in any of these notes):
  • KB10663 for EAP-TTLS password-based authentication
  • KB10662 for EAP-TLS authentication
  • KB10661 for EAP-PEAP authentication
 
Notes on configuring Smart Card authentication at GINA time

To configure Smart Card authentication at GINA time, follow these steps:
  1. Create a Smart Card profile (such as one of the three described above) in Initial Settings of the Odyssey Client Administrator. Leave the login name blank in each case, however.
  2. Follow the steps for configuring the Trusted Servers, Networks, Adapters, and the Connection panels, except configure these in Initial Settings of the Odyssey Client Administrator.
  3. Follow the instructions for installing GINA and specifying connection settings in KB10659.
  4. Test your connections according to KB10659.
  5. Note the following behavior if you create a GINA profile that uses both smart card certificates and some password based protocols:
    • If your users log into their client machines using the smart card PIN, then the certificate-based authentication is used, while all other profile protocols are ignored.
    • If your users log into their client machines using their Windows password, then the password-based protocols are used, and the smart card settings are ignored.

Connection time prompts

Note: Your users may be prompted for the Smart Card PIN at logon.