Odyssey Client ®

User and Administration Guide

Seventh Edition March, 2005

Funk Software, Inc. 222 Third Street Cambridge, MA 02142 (617) 497-6339 (617) 491-6503 (Technical Support) www.funk.com

Odyssey Client © Copyright 2002-2005 Funk Software, Inc. All rights reserved.

Odyssey® and Funk® are registered trademarks of Funk Software, Inc. Microsoft, Windows, Windows XP, Windows NT, Windows 2000, Internet Explorer, and other Microsoft products referenced herein are either trademarks or registered trademarks of the Microsoft Corporation in the United States and other countries. Novell is a registered trademark and Novell Client is a trademark of Novell Corporation.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org) and cryptographic software written by Eric Young ([email protected]).

Contents

Chapter 1 Introduction
  Welcome
  Requirements
    Operating systems
    Wireless adapter card and/or wired network card
    Network hardware
    Licenses
    Browsers
  Documentation
  Technical support

Chapter 2 Installation
  Installation process
  Installation requirements
  Installation instructions
    Install
    Configure

Chapter 3 Networking with Odyssey Client
  Preface
  Network security overview
    Encryption and association for secure authentication
  The 802.11 wireless networking standard
    Types of wireless networks
    Wireless network names
    Wired-Equivalent Privacy (WEP)
    Wi-Fi Protected Access (WPA or WPA2) and TKIP/AES
  The 802.1X standard
    Extensible Authentication Protocol (EAP)
    Reauthentication
    Session resumption

Chapter 4 Using Odyssey Client Manager
  Odyssey Client Manager Overview
  Connection panel
    Select an adapter
    Connect to a network (wireless connections only)
    Connect using profile (wired connections only)
    Configure multiple simultaneous network connections
    Scan for wireless networks
    Reconnect to a network
    Reauthenticate to a network
    Disconnect from a network connection
    View connection information
    View informational graphics and detailed status
  Profiles panel
    Profile properties
  Networks panel
    Network titles
    Network Properties
  Auto-Scan Lists panel
    Auto-Scan List properties
  Trusted Servers panel
    Using the simple method to configure trust
    Using the advanced method to configure trust
    Untrusted servers
  Adapters panel
    Adding a wireless or wired adapter
    Removing an adapter from the list of adapters
  Settings menu
    Preferences
    Security Settings
    Windows Logon Settings
    SIM Card Manager
    Odyssey Client Administrator
    Enable/Disable Odyssey
    Close
  Commands Menu
    Forget Password
    Forget Temporary Trust
    Check New Scripts
    Run Script
    Survey Airwaves
    Update
  Web menu
    Odyssey User Page
    Funk Software Home Page
    Register Odyssey Client
    Purchase Odyssey Client
  Help Menu
    Help topics
    License keys
    View Readme File
    About
  Tray icon menu commands
    Odyssey Client Manager
    Enable Odyssey or Disable Odyssey
    Help commands
    Exit
  Other Odyssey Client features
    Shortcut keys
    Using Odyssey Client with some features disabled
  Interaction with other adapter software

Chapter 5 Odyssey Client Administration
  Overview of Odyssey Client Administration
  Odyssey Client Administrator
    Connection Settings
    Initial Settings
    Machine Account
    Permissions Editor
    Merge Rules
    Custom Installer
    Testing your settings
    Script Composer
    PAC Manager
  Sample administrative workflows
    Preconfigure Odyssey Client for a group of users
    Machine only connection
    Machine connection followed by user authentication
    User authentication without machine connection
    Scripts for incremental updates of user configurations
    Configuration updates for mass-distribution to your users

Index

Chapter 1 Introduction

Welcome

Thank you for selecting Odyssey® Client. Odyssey Client consists of two main components:

- Odyssey Client Manager, for configuring Odyssey Client on a per-user basis. See “Using Odyssey Client Manager” on page 23.
- Odyssey Client Administrator, for administering Odyssey Client for your network of users. See “Odyssey Client Administration” on page 101.

With Odyssey Client you can connect to your wireless network easily and securely. You can use Odyssey Client for the following:

- Configure and control your wireless or wired adapter.
- Connect to access points as well as to peer-to-peer networks.
- Configure authentication profiles to allow you to connect to different networks with different credentials.
- Use 802.1X to authenticate to the network.
- Use a wide variety of authentication methods, including powerful methods such as EAP-TTLS, EAP-PEAP, EAP-TLS, and EAP-FAST to keep your credentials secure.

If you are a network administrator, you can facilitate the following for your users:

- Configure network authentication prior to Windows logon.
- Configure server and/or user certificates for use with Odyssey Client.
- Create a custom installer from the Odyssey Client Administrator.
- Manage user configurations from the Odyssey Client Administrator.

For more introductory information, see the following topics:

- Requirements
- Documentation
- Technical support

Requirements

Odyssey Client Manager has the following requirements with respect to hardware and software:

- “Operating systems” on page 2
- “Wireless adapter card and/or wired network card” on page 2
- “Network hardware” on page 3
- “Licenses” on page 3
- “Browsers” on page 3

Operating systems

Odyssey Client runs under the following operating systems:

- Windows 98
- Windows 98 SE
- Windows Me
- Windows 2000 Professional or Server
- Windows XP Home or Professional

Wireless adapter card and/or wired network card

In order to use wireless capabilities, your computer must be equipped with a wireless adapter card and a driver that supports the Microsoft-defined 802.11 OIDs, and is 802.1X compliant.

In order to authenticate to a network using a wired connection, you need any network card that is adapted for a wired connection.

The most recently updated list of compatible adapter cards can be found on the Odyssey User Page on our web site. For a shortcut to this page, select Web > Odyssey User Page from the menu.

Network hardware

For wireless network authentication, your network must include at least one 802.1X compliant access point. For wired network authentication, your network must include at least one 802.1X compatible switch or hub.

Licenses

A license key is a text sequence that represents your license to use your copy of Odyssey. You must enter a license key as part of the installation process of Odyssey Client.

Some Odyssey Client features are separately licensed. Depending on which license you have purchased, there may be some features of Odyssey Client that are not available. Additionally, some portions of the user interface may be disabled or enabled, and the appearance of dialogs may vary, according to your license.

You can purchase license keys from Funk Software, and you can enter your new license key in the License Key dialog. See “License keys” on page 96. If you are upgrading, see also “Upgrade licenses” on page 97.

Browsers

Your computer must be running Microsoft Internet Explorer 5.5 or later.

Documentation

Your Odyssey Client Manager software includes a help system that allows you to access this documentation on your computer. To bring up this help system, select the Help > HelpTopics menu command from the Odyssey Client Manager.

You can also read the manual in PDF format. The manual is called OdysseyClientAdmin.pdf, and is located on your product CD under Docs.

You can also get context-sensitive help at any time by pressing F1. The help system opens at the section that best explains your current situation.

The Help > View Readme File menu command located on the Odyssey Client Manager opens the readme.txt file. This file may have important information about Odyssey Client that is not included in this manual.

Technical support

If you have any problems installing or using Odyssey Client, there are various resources available to help you at no charge:

- This manual and the README.TXT file may contain the information you need to solve the problem you are having. Please re-read the relevant sections. You may find a solution you overlooked. To view the README.TXT file, select the Help > View Readme File menu command from the Odyssey Client Manager.
- Check our web site http://www.funk.com for additional information and technical notes. You can also select Web > Odyssey User Page from the menu bar to go to a special home page for Odyssey Client users.
- E-mail your questions or issues to [email protected].
- For technical support by phone, you can call (617) 491-6503, Monday through Friday, 9:00 A.M. to 5:30 P.M., Eastern time.

Within six months of the product purchase date, Funk Software provides for two technical support incidents by phone at no charge. For support beyond this initial warranty period, or beyond two incidents within that period, we offer a range of support options including support and maintenance contracts and pay-per-call. Consult our web site for the support plan that best meets your needs. Go to http://www.funk.com and navigate to the Tech Support > Support Options section of the web site.

If you are located outside North America, you can receive support either by contacting the Funk Software partner in your country or by contacting us directly. You can find the name of the support provider nearest you on our web site. Go to http://www.funk.com and navigate to the Contact Info > International section of the web site.

Please take a moment to register your copy of Odyssey Client with us. Doing so provides notification of product upgrades and special offers, and will expedite your first contact with our Technical Support department. To register Odyssey, select the Web > Register Odyssey Client menu command.

Chapter 2 Installation

Installation process

If you are running Windows 2000 or Windows XP, you can only install Odyssey Client if you have administrator privileges.

You can find basic installation instructions in the following topics:

- Installation requirements
- Installation instructions

See also “Requirements” on page 2.

Installation requirements

Before you install Odyssey Client, please note the following:

- Install your wireless (and/or wired) network adapter card and associated driver software.
- You must have administrative privileges to install Odyssey Client on Windows 2000 or Windows XP.

Installation instructions

Installation of Odyssey Client has two phases:

- Install
- Configure

Install

To install Odyssey Client, follow these steps:

1. Insert the installation CD into your CD-ROM drive. The installation process starts automatically.
2. The installation wizard asks you a series of questions. Your answers determine how the software is installed and configured. Follow the instructions as they appear.
3. After you supply all of the necessary information to the installation wizard, you can click the Install button to begin the installation process.

Configure

Once the first phase of the install process is complete, use the Configure and Enable Odyssey Wizard to configure Odyssey Client for use by you (the current user who is performing the installation). If this wizard does not open for you automatically, your installation is already complete.

Read the following topics to learn more about configuring Odyssey Client:

- Configure Odyssey Client for each user on a single PC
- Configuring Odyssey Client for multiple machines

Configure Odyssey Client for each user on a single PC

Your computer may have multiple user accounts. Once installed on a single PC, Odyssey Client is available to all users. However, the settings that control Odyssey Client’s operation are separate for each user.

Whenever you use Odyssey for the first time, the Configure and Enable Odyssey Wizard may appear, so that you can configure Odyssey Client for your own use. If there are multiple users of the same client machine, each is offered the option to configure Odyssey Client through this wizard when the configuration is incomplete. If this wizard does not appear, your initial configuration is complete.

In the case that the wizard does appear, you have the following options with respect to personal configuration of Odyssey Client:

- Accept the option for configuration with the wizard.
- Decline the option for configuration at the current time, but be asked again upon subsequent log in.
- Decline the option for configuration, and not be asked again.

NOTE: Even if you decline to configure Odyssey Client for a particular user account, you can configure the product at a later time. To do so, run Odyssey Client Manager from the Start > Programs > Funk Software > Odyssey Client menu. The Configure and Enable Odyssey Wizard automatically starts up.

Configuring Odyssey Client for multiple machines

Once you install Odyssey Client on a PC, you can create a custom installer to customize a default configuration for users of multiple machines. See “Preconfigure Odyssey Client for a group of users” on page 143.

Chapter 3 Networking with Odyssey Client

Preface

This chapter introduces the basic concepts and terminology behind wireless and wired networking that underlie the design of Odyssey Client. Read this material to learn about networking choices that allow you to use Odyssey Client to best advantage, and to learn how to maximize the security of your connections over wireless LANs.

If you already know all about wireless networking, or if Odyssey has been configured for you by your network administrator, you can safely skip over this material.

Some of the basic concepts used by Odyssey Client for network authentication are described in the following topics:

- “Network security overview” on page 10
  - “Encryption and association for secure authentication” on page 11
- “The 802.11 wireless networking standard” on page 12
  - “Types of wireless networks” on page 13
  - “Wireless network names” on page 14
  - “Wired-Equivalent Privacy (WEP)” on page 14
  - “Wi-Fi Protected Access (WPA or WPA2) and TKIP/AES” on page 15
- “The 802.1X standard” on page 16
  - “Extensible Authentication Protocol (EAP)” on page 17
  - “Reauthentication” on page 21
  - “Session resumption” on page 21

Network security overview

With wired networks, most organizations can rely on physical security to protect their networks. An attacker would have to be physically inside a company’s offices to be able to plug in to the LAN in order to generate or observe network traffic.

With wireless networks, all it takes to gain physical access to the network is a device with a wireless card and a comfortable spot in the parking lot outside of the building, or in the office next door.

Odyssey Client provides you with the ability to make network connections using protocols that adhere to one or more of these sets of standards:

- The IEEE (Institute of Electrical and Electronic Engineers) standards for wireless LANs known as 802.11. These standards include 802.11a, 802.11b, and 802.11g.
- The IEEE 802.11i enhancements to 802.11 were introduced to overcome some of the security weaknesses of 802.11.
- Wi-Fi Alliance’s WPA2 (with AES encryption) adheres to the strong 802.11i enhancements.
- Wi-Fi Alliance’s WPA (with AES or TKIP encryption) complies with a subset of 802.11i, and, although not as strong as WPA2, addresses some of the security weaknesses of 802.11 as well.
- The IEEE has also created the 802.1X standard to supplement the 802.11 standards with secure server-based wireless network connections.

The following features can make wireless networks secure:

- A user must be authenticated by the network before he or she is allowed access, to make the network safe from intruders. For configuration details, see “Profile properties” on page 37.
- The wireless connection between a PC and access point must be encrypted, so eavesdroppers cannot access data that is supposed to be private. For configuration details, see “Network Properties” on page 53.
- The network must be authenticated (trusted) by the user before the user allows his or her credentials to be released to the network in order to make a network connection. This prevents a wireless device that may be posing as a legitimate network from impersonating the network and gaining access to the user’s PC. For configuration details, see “Trusted Servers panel” on page 61, and “Validate the server certificate” on page 46.
- The mutual authentication between user and network must be cryptographically protected. This type of mutual authentication requires 802.1X-based protocols and prevents connections to phony networks. For configuration details, see “Authentication” on page 44.

Encryption and association for secure authentication

In order to establish a wireless connection with an access point, a wireless client must associate with the access point. In order for a wireless client device to access a secure network, the client must authenticate to the network.

The following list briefly defines terminology necessary to understand association, data encryption, and authentication:

- Association is the method by which a client first establishes a relationship with an access point.
- Data encryption is used to secure data that is exchanged between a client device and an access point (or another client device).
- Each data encryption algorithm requires encryption keys. Encryption keys may also be used for access point association.
- Once a wireless client has associated with an access point, the user of that client device may be authenticated to the network. Authentication is used to secure the relationship between a user of a wireless client device and an authentication server. For example, wireless network authentication that is based on the 802.1X standard can make use of cryptographically strong (and dynamically generated) encryption keys.

There are several methods for providing secure authentication over a wireless network. Each method requires data encryption, and consequently requires some method for specifying or generating encryption keys. Some of these methods are known to be more secure than others:

- Preconfigured secrets, called WEP keys. These keys are intended to encrypt the data transferred between the client and the access point and can be used to keep unauthorized users off the wireless network, as well as to encrypt the data of legitimate users. See “Wired-Equivalent Privacy (WEP)” on page 14 for a description of WEP-based encryption that complies with 802.11 standards.
- Pre-shared passphrases used to generate keys for WPA or WPA2 association. Pre-shared passphrases allow you to configure a simple phrase that is used to generate cryptographically strong encryption keys to be used with AES or TKIP encryption. AES and TKIP also periodically change the encryption keys in use. The generated keys keep unauthorized users off the wireless network and encrypt the data of legitimate users. See “Wi-Fi Protected Access (WPA or WPA2) and TKIP/AES” on page 15 for a description of AES or TKIP encryption methods that enhance the 802.11 standards.
- Authentication using an 802.1X-based protocol. This method uses a variety of underlying authentication protocols to control network access. The stronger among these protocols provide cryptographically protected mutual authentication of the user and the network. In addition, you can configure Odyssey Client so that keys that are used to encrypt wireless data are generated dynamically. 802.1X-based authentication can use WEP, AES, or TKIP encryption, depending on network hardware/firmware. See “The 802.1X standard” on page 16 for information on authentication using 802.1X. See “Wi-Fi Protected Access (WPA or WPA2) and TKIP/AES” on page 15 for a description of some of the strongest available association and encryption modes. The 802.1X methods are also viable for wired 802.1X-based network connections.

The 802.11 wireless networking standard

There are many types of wireless communication. Odyssey Client is designed to work over networks that adhere to the IEEE 802.11 wireless LAN standards, as well as the Wi-Fi Alliance enhancements to these standards. In addition to prescribing methods for modulation and data framing, this standard includes an authentication and encryption method called Wired Equivalent Privacy (WEP).

Many corporations deploy secure wireless 802.11 networks, and 802.11 networks are commonly found in hotels, airports, and other “hotspots” as a means of internet access.

The following attributes of the 802.11 standard are described here:

- Types of wireless networks
- Wireless network names
- Wired-Equivalent Privacy (WEP)

See also the following topics:

- “Wi-Fi Protected Access (WPA or WPA2) and TKIP/AES” on page 15 for information on enhancements to 802.11 association and encryption.
- “The 802.1X standard” on page 16 for information on secure wireless authentication.

Types of wireless networks

Your wireless adapter (network interface card) allows you to connect to wireless networks of two types: access point networks and peer-to-peer networks.

Access point networks

Access point networking is the most common type of wireless networking, providing for wireless access to a corporate network and the internet. In an access point network, your PC establishes a wireless connection to a device called an access point. The access point links your wireless PC to the rest of the network.

An access point typically provides general network connectivity for many PCs. A single network can make use of many different access points. Each access point typically has a range of several hundred feet. An enterprise that uses wireless networking can strategically place access points so that wherever you are located in the company, you are always within range of an access point that can link you to the corporate network.

Once you log in to the network, your PC is assigned an IP address on the local network. This address is provided by a network device called a DHCP server.

You may also find access points at other locations outside of your company building. For example, you may find access points at hotels, airports, or internet cafes, or you may have your own access point on your home network. Some of these locations require that you log in. Others may provide network access to anyone within range.

When you connect to a network via an access point, you are using the 802.11 infrastructure mode. See “Specify the network type” on page 55 for information on configuring infrastructure network connections.

Peer-to-Peer networks

Even when no access point is available, two or more wireless clients can use peer-to-peer networking to create a private wireless network between these wireless devices. You may want to do this in order to share files, run groupware applications, or play games.

The peer-to-peer network requires no additional equipment beyond a set of two or more wireless-enabled PCs that are located within range of each other. As a result, this mode of authentication does not involve an authentication server, and cannot use 802.1X-based authentication.

Normally, there is no DHCP server on a peer-to-peer network to assign IP addresses. Instead, you are connected using an “automatic private IP address” that is assigned by Windows. These addresses are in the range 169.254.0.0 to 169.254.255.255. Each PC in the peer-to-peer network is assigned such an address, enabling it to communicate with the others.

The 802.11 standard refers to peer-to-peer network connectivity as ad-hoc mode. See “Specify the network type” on page 55 and “Specify the association mode” on page 55 for information on configuring ad-hoc network connections.

Wireless network names

Each wireless network has a name (SSID). You can select the wireless network to which you want to connect by specifying its name.

Network names allow different wireless networks in the same vicinity to coexist without intruding on each other. For example, the company next door to yours may also use wireless networking. Network names allow you to distinguish access points located within your enterprise wireless network from access points that are not within your corporate LAN.

Network names do not, in themselves, offer any security features, and cannot prevent you from connecting to a phony network. However, 802.11 does allow for you to use a shared secret for access point association. See “Wired-Equivalent Privacy (WEP)” on page 14 and “Wi-Fi Protected Access (WPA or WPA2) and TKIP/AES” on page 15. Additionally, using secure 802.1X-based authentication methods, your company can prevent intruders from connecting to the network and you can avoid associating with phony networks. See “The 802.1X standard” on page 16 for more information.

A network name is simply a text sequence up to 32 characters long, such as Bayonne Office, or Acme-Marketronics, or BE45789, for example. A network name is case-sensitive, so you have to be careful if you type it in. You always have the option to scan for available networks. Scanning allows you to select the network from a list, preventing any data entry errors.

The 802.11 standard refers to a network name as Service Set Identifier, or SSID for short.

Wired-Equivalent Privacy (WEP)

You can use WEP (Wired-Equivalent Privacy) to provide security during association with access points (or other clients) and to encrypt data transferred between your client device and the access point. When you use WEP for data encryption, you can configure access point association in one of two modes:

• Shared: Use this mode when the access point requires that you preconfigure a WEP key for association. When 802.11-based preconfigured (static) WEP keys are in use, both the client and the access point share the same secret keys, and a client is not allowed to access the network unless it can prove it knows the same preconfigured WEP keys assigned to the access point. You can configure shared association through Network Properties of Odyssey Client.
• Open: Use this mode for WEP-based data encryption (or with no data encryption) when the access point does not require that you preconfigure a WEP key for association. You can configure open association through Network Properties of Odyssey Client.

NOTE: With WEP-enabled access points, you can obtain stronger network security when you use open or shared association with dynamic encryption key generation and 802.1X-based authentication. For shared association, a preconfigured key that is used only for access point association is still required (while keys for data encryption are dynamically generated). See “The 802.1X standard” on page 16, and “Extensible Authentication Protocol (EAP)” on page 17 for more information.

See the following topics:

• “Specify the association mode” on page 55 for directions for selecting an association mode in Odyssey Client.
• “Specify an appropriate encryption method for your association mode” on page 56 for directions for selecting WEP encryption when using the shared or open association mode
• “Preconfigured keys (WEP)” on page 57 to use static WEP keys with Odyssey Client

NOTE: You can also use preconfigured keys for WEP data encryption that is used for securing peer-to-peer network connections. In this case, all clients in the peer-to-peer network must share the same WEP keys.

Wi-Fi Protected Access (WPA or WPA2) and TKIP/AES

As an enhancement to the 802.11 wireless standard, the Wi-Fi Protected Access (WPA) and the stronger Wi-Fi Protected Access 2 (WPA2) association modes encompass a number of security enhancements over Wired-Equivalent Privacy. These enhancements include the following:

• Improved data encryption via TKIP (temporal key integrity protocol) for WPA. TKIP provides stronger encryption than WEP.
• Improved data encryption for WPA2 via AES. AES provides stronger encryption than WEP or TKIP.
• WPA and WPA2 allow for keys to be generated for TKIP (or AES) encryption from a pre-shared passphrase. Although your passphrase may be simple, these encryption methods can generate cryptographically strong encryption keys from a simple passphrase. Consequently, these encryption methods are stronger than WEP encryption based on preconfigured WEP keys. If you configure a passphrase for key generation for your access points, you cannot use 802.1X based authentication and you must configure the same passphrase in Odyssey Client.

When the access point hardware in your network requires that you associate via the enhanced WPA or the stronger WPA2 association mode, you can configure Odyssey Client to associate in that mode. If the hardware is configured for TKIP or the stronger AES encryption, you can configure Odyssey Client for either of these enhanced data encryption methods as well.

You should configure your access points and clients for network connections that use the strongest association and encryption methods that are supported by your network access points.

NOTE: With WPA2 (or WPA) enabled access points, you can obtain stronger network security when you use dynamic encryption key generation and 802.1X-based authentication. See “The 802.1X standard” on page 16, and “Extensible Authentication Protocol (EAP)” on page 17 for more information.

See the following topics:

• “Specify the association mode” on page 55 to use WPA2 or WPA association mode with Odyssey Client
• “Specify an appropriate encryption method for your association mode” on page 56 to use AES or TKIP encryption with WPA2 or WPA association
• See “Pre-shared keys (WPA or WPA2)” on page 57 to configure a passphrase that is used in encryption key generation.

NOTE: You can also use a preshared passphrase to generate encryption keys for TKIP or AES data encryption for securing peer-to-peer network connections. In this case, all clients in the peer-to-peer network must share the same passphrase.
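The passphrase-to-key step described in this section is defined by IEEE 802.11i as PBKDF2-HMAC-SHA1 over the passphrase, with the network name (SSID) as the salt, 4096 iterations and a 256-bit output. The following Python code is an added example, not Odyssey Client code; the function names and the sample passphrase are assumptions made for illustration. It shows that every client configured with the same passphrase and SSID computes the same key, and that typing the SSID in the wrong case produces a different one.

```python
import hashlib
import hmac

PBKDF2_ITERATIONS = 4096  # iteration count fixed by IEEE 802.11i
PSK_BYTES = 32            # 256-bit pre-shared key


def ssid_bytes(ssid: str) -> bytes:
    """Encode a network name; 802.11 limits an SSID to 32 bytes."""
    raw = ssid.encode("utf-8")
    if not 1 <= len(raw) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes long")
    return raw


def passphrase_bytes(passphrase: str) -> bytes:
    """Encode a passphrase; 802.11i allows 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must contain only printable ASCII")
    return passphrase.encode("ascii")


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit key that the access point and each client compute independently."""
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase_bytes(passphrase),
        ssid_bytes(ssid),  # the SSID is the salt, so the key is bound to the network name
        PBKDF2_ITERATIONS,
        PSK_BYTES,
    )


def compare_configurations() -> dict:
    """Derive keys for three constructed client configurations and compare them."""
    passphrase = "correct horse battery staple"  # constructed sample value
    ssid = "Bayonne Office"                       # example network name used in the guide

    client_a = derive_psk(passphrase, ssid)
    client_b = derive_psk(passphrase, ssid)          # a second user with the same settings
    mistyped = derive_psk(passphrase, ssid.lower())  # SSID typed in the wrong case

    return {
        "key_bits": len(client_a) * 8,
        "clients_share_key": hmac.compare_digest(client_a, client_b),
        "ssid_case_changes_key": not hmac.compare_digest(client_a, mistyped),
    }


if __name__ == "__main__":
    for name, value in compare_configurations().items():
        print(f"{name}: {value}")
```

Because the derived key depends only on the passphrase and the SSID, it is the same for every user of the network and is only as hard to guess as the passphrase itself. This is the shared-secret property that the 802.1X methods described next avoid by generating keys per user and per session.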

The 802.1X standard

The IEEE 802.1X protocol provides authenticated access to a LAN. This standard applies to wireless as well as wired networks. In a wireless network, the 802.1X authentication occurs after the client has associated to an access point using an 802.11 association method. Wired networks use the 802.1X standard without any 802.11 association.

The WEP protocol has various shortcomings when preconfigured keys are in use. Preconfigured WEP keys not only contribute to administrative overhead, but using them poses security weaknesses. Although the encryption methods calculated from keys generated from pre-shared passphrases are stronger than WEP encryption calculated from static WEP keys, the use and distribution of passphrases can also pose administrative and security problems. The use of 802.1X protocols in wireless networks addresses these problems.

When preconfigured WEP keys are used, it is the wireless client PC that is authenticated to the network. With 802.1X, it is the user that is authenticated to the network with the user credentials, which may be a password, a certificate, SIM card, or a token card. Moreover, the keys used for data encryption are generated dynamically.

The authentication is not performed by the access point, but rather by a central server. If this server uses the RADIUS protocol, it is called a RADIUS server. With 802.1X, a user can log in to the network from any PC, and many access points can share a single RADIUS server to perform the authentication. This makes it much easier for the network administrator to control access to the network.

See the following topics for details:

• Extensible Authentication Protocol (EAP)
• Session resumption
• Reauthentication

Extensible Authentication Protocol (EAP)

802.1X uses the protocol called EAP (Extensible Authentication Protocol) to perform authentication. EAP is not an authentication mechanism per se, but is a common framework for transporting actual authentication protocols. The advantage of EAP is that the basic EAP mechanism does not have to be altered as new authentication protocols are developed.

Odyssey provides a number of EAP protocols, allowing a network administrator to choose the protocols that work best for a particular network.

The newer EAP protocols have an additional advantage. They can dynamically generate the WEP, TKIP, or AES keys that are used to encrypt data between the client and the access point. Dynamically created keys have an advantage over preconfigured keys because their lifetimes are much shorter. Known cryptographic attacks against WEP can be thwarted by reducing the length of time that an encryption key remains in use. Furthermore, encryption keys generated using EAP protocols are generated on a per-user and per-session basis. The keys are not shared among users, as they must be with preconfigured keys or pre-shared passphrases.

Odyssey offers a number of EAP authentication methods, including the following:

• EAP-TTLS
• EAP-PEAP
• EAP-TLS
• EAP-FAST
• EAP-LEAP

Mutual authentication

EAP-TTLS, EAP-PEAP, EAP-TLS, and EAP-FAST all provide mutual authentication of the user and the network, and produce dynamic keys that can be used to encrypt communications between the client device and access point. With mutual authentication, not only does the network authenticate the user credentials, but the client software also authenticates the network.

Requiring mutual authentication is an important security precaution to take when using wireless networking. By verifying the identity of the authentication server, mutual authentication provides assurance that you connect to your intended network, and not some access point that is pretending to be your network.

EAP-TTLS, EAP-PEAP, and EAP-TLS all let you authenticate the network by validating the certificate of the authentication server. If the certificate identifies a server that you trust, and if the authentication server can prove that it is the owner of that certificate, then you can safely connect to this network. These are the strongest authentication methods available, and consequently, it is highly recommended that you use only these methods for network authentication within your enterprise wireless network.

Certificates

Certificates are based on public/private key cryptography (or asymmetric cryptography). Public/private key cryptography is used to secure banking transactions, online web commerce, email, and many other types of data exchange.

Prior to the use of modern cryptographic techniques for networking, if two people wanted to communicate securely, they had to share the same secret key. This one secret key had to be used to both encrypt and decrypt data. Sharing keys, however, is limiting. The more people with whom you share your key, the more likely it becomes that your key can be revealed.

With public/private key cryptography, there are two keys that have different values but work together — a public key, and a private key. You keep your private key secret, but reveal your public key to the whole world. Anyone can encrypt data using your public key with the certain knowledge that only your private key can decrypt it. Furthermore, only you can encrypt data with your private key, and anyone can use your public key to decrypt the data.

A certificate is a piece of cryptographic data that guarantees that a particular public key is associated with the private key of a particular entity. This entity can be an individual or a computer. A certificate contains many pieces of information that are used in mutual authentication, including a public key and the name of the entity that owns the certificate.

Each certificate is issued by a certificate authority. By issuing a certificate, the certificate authority warrants that the name in the certificate corresponds to the certificate’s owner (much as a notary public guarantees a signature). The certificate authority also has a certificate, which in turn is issued by a higher certificate authority. At the top of this pyramid of certificates is the root certificate authority. The root certificate authority is typically a well-known entity that people trust, whose self-signed certificate is widely known. For example, Verisign and Thawte are public root certificate authorities. Many corporations have set up their own private root certificate authorities as well.

Each certificate has a fixed duration and can expire. Additionally, a certificate granting authority can revoke a certificate. Expired or revoked certificates are not valid, but certificates can be re-issued or renewed.

A set of certificates in sequence, including any intermediate certificate authorities up to the root certificate authority is called a certificate chain. Certificate chains are typically no more than several certificates in length. In many cases, a chain consists of two certificates — an end entity certificate and a root certificate.

Certificates are ideally suited for authentication. The disadvantage of using certificates for authentication is that while it is fairly easy to provide certificates to servers, it is much harder to provide certificates to users. This is because at any given enterprise, the number of servers that may require certificates is relatively small, but the number of users can be enormous. Providing certificates to each employee can be a daunting management task, and may require a level of administration that your company is not prepared to undertake.

EAP-TLS

EAP-TLS is a protocol devised by Microsoft, based on the TLS (Transport Layer Security) protocol that is widely used to secure web sites. It requires that both user and authentication server have certificates for mutual authentication.

While EAP-TLS is cryptographically strong, it requires a certificate infrastructure that maintains and supplies certificates to all network users.

EAP-TTLS

EAP-TTLS is a protocol devised by Funk Software and Certicom. It is designed to provide authentication that is cryptographically as strong as EAP-TLS, while not requiring that each user be issued a certificate. Instead, only the authentication servers are issued certificates.

User authentication is performed using a password or other credentials. The credentials are transported in a securely encrypted “tunnel” that is established using the server certificate. Within the EAP-TTLS tunnel, you can employ any of a number of inner authentication protocols. See “TTLS Settings” on page 48 for more information on configuring inner protocols for tunneled authentication.

With EAP-TTLS, it is not necessary to create a new infrastructure of user certificates. User authentication can be performed against the same security database that is already in use on the corporate LAN. For example, Windows Active Directory, or an SQL or LDAP database may be used.

EAP-PEAP

EAP-PEAP is comparable to EAP-TTLS, both in its method of operation and its security. However, EAP-PEAP is not as flexible as EAP-TTLS and it does not support the range of inside-the-tunnel authentication methods that EAP-TTLS supports.

Commercial implementations of this protocol that started appearing at the beginning of 2003 were beset with interoperability problems. Nevertheless, this protocol is supported by Microsoft and Cisco and is in widespread use. EAP-PEAP is a suitable protocol for performing secure authentication against Windows domains and directory services. See “PEAP Settings” on page 50 for more information on configuring inner protocols for EAP-PEAP authentication.

EAP-FAST

EAP-FAST is an EAP authentication method created by Cisco. Like EAP-TTLS and EAP-PEAP, EAP-FAST offers password-based 802.1X authentication that encapsulates user credentials inside a TLS tunnel. Unlike other tunneled protocols, however, a server certificate is not required as a means of establishing a tunnel.

Consequently, although EAP-FAST is resistant to dictionary attacks through the use of tunneled credentials, without the protection of a server certificate, EAP-FAST authentication can be vulnerable to man-in-the-middle attacks (and subsequent off-line dictionary attacks).

EAP-LEAP

EAP-LEAP (Lightweight EAP, also known as EAP-Cisco Wireless) is a protocol developed by Cisco to allow users to be authenticated using their Windows credentials, without the use of certificates. The data exchange in EAP-LEAP is fundamentally similar to the exchange that occurs when a user logs in to a Windows Domain Controller.

EAP-LEAP is very convenient because it is Windows compatible. However, because EAP-LEAP does not use certificates, it relies on the randomness of the user password for its cryptographic strength. As a result, when user passwords are relatively short or insufficiently random, a wireless eavesdropper observing an EAP-LEAP exchange can easily mount a dictionary attack to discover these weak passwords.

Reauthentication

When you reauthenticate to your network, encryption keys are refreshed, and any new or updated security policies that are implemented on the network are applied to your network connection. You can configure automatic periodic reauthentication to the network using Odyssey Client. Periodic reauthentication serves two purposes:

• As a general security measure, it verifies that you are still on a trusted network.
• It results in distribution of fresh shared keys to your PC and access point. The access point may use these shared keys to refresh the keys used to encrypt data. By frequently refreshing keys, you can thwart cryptographic attacks.

See “Automatic reauthentication” on page 76 for more information on configuring this feature.

Session resumption

When you first authenticate using EAP-TTLS, EAP-PEAP, or EAP-TLS, a fair amount of intensive computation is performed, both on your client PC and on the network authentication server. Private keys must be used to encrypt or sign data, signatures on certificates must be validated, password credentials must be checked, and so on.

Once you have authenticated a connection to the network, your network session begins. During a session, any subsequent authentications to the same network server can be accelerated by reusing the secret information that is derived during the first authentication. This is called session resumption. You can configure client-side session resumption features that apply to the certificate-based protocols using Odyssey Client.

It is usually a good idea to enable session resumption. The necessity for some form of reauthentication occurs fairly frequently in wireless networking, particularly when you are moving between access points. Each time you connect with a new access point, a new authentication occurs. The less time it takes to perform that authentication, the less likely you are to experience a momentary stall in your network applications. Additionally, using session resumption rather than reauthentication puts less load on the authentication server.

Session resumption results in the distribution of new keys to the client and to the access point, just as a fresh authentication does. See “Session resumption” on page 76 for more information on using this feature.

NOTE: If your network does not permit session resumption then any configured client-side session resumption features are ignored.

Chapter 4 Using Odyssey Client Manager

Odyssey Client Manager Overview

You can use Odyssey Client Manager to control and configure the Odyssey Client product.

If your system administrator has configured Odyssey Client for you in advance, chances are that you only need to use the main Connection panel of the Odyssey Client Manager. Depending on your configuration, you can use this panel for some or all of the following tasks:

• Connect to a network using a wireless or wired connection
• Reconnect to a network
• Reauthenticate to a network
• View connection information

More advanced tasks that you or your system administrator may want to perform include the following:

• Adding a wireless or wired adapter
• Creating a user profile and configuring authentication for that profile
• Adding or editing network properties
• Configuring trusted servers

See the following topics to learn about operating all features of Odyssey Client Manager:

• “Starting Odyssey Client Manager” on page 24
• “Odyssey Client Manager display” on page 25
• “Connection panel” on page 27, for basic connection options and status
• “Profiles panel” on page 36, for entering user credentials and selecting authentication protocols
• “Networks panel” on page 51, for specifying network names (SSIDs), association methods, and encryption methods
• “Auto-Scan Lists panel” on page 59, so that you can establish a network connection to a network selected from an ordered list of possible networks
• “Trusted Servers panel” on page 61, for configuring server certificates
• “Adapters panel” on page 71, for selecting network cards
• “Settings menu” on page 73
• “Commands Menu” on page 89
• “Web menu” on page 95
• “Help Menu” on page 95
• “Tray icon menu commands” on page 97
• “Shortcut keys” on page 99
• “Using Odyssey Client with some features disabled” on page 99
• “Interaction with other adapter software” on page 100

Starting Odyssey Client Manager

You can start Odyssey Client Manager in any of the following ways:

• From the System Tray: Double-click the Odyssey icon, or right-click it and choose Odyssey Client Manager.
• From Control Panel on your PC: Double-click the Odyssey Client Manager icon.
• From the Windows taskbar: Select Start > Programs > Funk Software > Odyssey Client > Odyssey Client Manager.

NOTE: The System Tray is the lower right corner of your monitor, where some application icons are displayed.

The Odyssey icon looks like a sailboat, although its color depends on your connection status. See “Connection status” on page 35.

Odyssey Client Manager display

The features available from the Odyssey Client Manager depend on your connection, as well as on your configuration. See the following topics:

• Display for user-authenticated connections
• Display for machine only connections
• Tray and menu commands
• Locked (read-only) features

Display for user-authenticated connections

For most network connections, Odyssey Client Manager consists of a number of panels that allow you to control different aspects of its operation:

• Use the Connection panel to control your network connection and display your current connection status.
• Use the Profiles panel to set information that is used when you authenticate, or log in, to the network, such as your password or certificate.
• Use the Networks panel to configure different wireless networks and how you want to connect to them.
• Use the Auto-Scan Lists panel to specify ordered groups of wireless networks for seamless connection.
• Use the Trusted Servers panel to set certificate and identity information about the servers that may authenticate you when you connect. Configuring this feature is required for mutual authentication, which is a recommended security measure.
• Use the Adapters panel to configure one or more network adapters (interface cards) for wired or wireless networking.

All of the panels are listed at the left of the Odyssey Client Manager display. Click the name of any panel to view or modify it.

Display for machine only connections

If you are connected to the network via the credentials of your client machine (as opposed to your own user credentials), then you can only see connection information from the Odyssey Client Manager display, since there is no data to configure. When you establish a machine connection, you cannot access the Odyssey Client Manager panels. In this case, only a few of the Odyssey Client Manager features are available.

If you are a system administrator, you can find more information about configuring connections with machine credentials in the following topics:

• “Machine Account” on page 108
• “Connection Settings” on page 104
• “Testing your settings” on page 130

Tray and menu commands

In addition to the Odyssey Client Manager panels, the display includes a number of commands that you can use from the following menus:

• Settings menu
• Commands Menu
• Web menu
• Help Menu

Some commands are also available if you right-click the Odyssey icon in the System Tray.

Locked (read-only) features

It is possible that your system administrator has locked, or partially locked, all or some Odyssey Client features with your configuration. You can view any features that are locked, but you cannot edit them. For partially locked profiles, you are permitted to edit your user credentials. The fact that a feature is locked is noted on its associated properties dialog title, as in the following example.

Features of this dialog are locked, as indicated by its title.

Connection panel

The Connection panel lets you select an adapter, establish a network connection, and display your current connection status.

You can perform the following tasks in the Connection panel:

• Select an adapter with which to make your network connection
• Connect to a network (wireless connections only)
• Connect using profile (wired connections only)
• Configure multiple simultaneous network connections
• Scan for wireless networks
• Reconnect to a network
• Reauthenticate to a network
• Disconnect from a network connection
• View connection information
• View informational graphics and detailed status

NOTE: The Connection panel display and features vary when you connect from a wired adapter, or if you connect to the network via machine credentials. For example, the scanning feature is unavailable in these cases.

Select an adapter

If you or your administrator has configured more than one adapter for use with Odyssey Client, then you can use the Adapter drop-down list in the Connection panel to associate any of those adapter cards with a network connection. Once you select an adapter, the Adapter type field on the Connection panel is updated to reflect the type (wireless or wired) of adapter you select.

Connect to a network (wireless connections only)

When you connect to a network using a wireless adapter, you specify all the information required for the connection using an Odyssey Client network definition. When you define a network in Odyssey Client, you also must associate the user authentication information you specify in an Odyssey Client profile definition.

The Connect to network check box on the Connection panel lets you connect and disconnect from the wireless network. If you want to be connected to a wireless network, make sure to check this box.

The drop-down list to the right of Connect to network lets you select a wireless network or auto-scan list to connect to. The only items that appear on this list are the individual networks that you have already configured using the Networks panel, and auto-scan lists that you have specified using the Auto-Scan Lists panel.

Any auto-scan lists that you have already created appear at the top of the list. These are followed by the names of configured networks. Network names appear in angled brackets, after any network description text that you have specified. Both networks and auto-scan lists have icons before the name:

• [icon] for networks
• [icon] for auto-scan lists

To connect to a network that you have already configured:

1. Select the network or the auto-scan list you want to connect to from the drop-down list to the right of Connect to network.
2. Check Connect to network, if it is not already checked.

If you have selected an auto-scan list, then the first network in the list that responds to the authentication request is generally the network to which you connect. To disconnect from a wired network, uncheck Connect to network.

Connect using profile (wired connections only)

When you make a network connection using a wired connection, you specify all of the required connection information in a user profile. As a result, when you configure a wired connection, you connect using an Odyssey Client profile.

The Connect using profile check box lets you connect and disconnect from the wired 802.1X network switch. If you want to be connected, make sure this box is checked.

The drop-down list to the right of Connect using profile lets you select the profile you want to use for the wired connection. All profiles that you have already specified in Odyssey Client appear on the list.

To connect using a profile that you have already specified:

1. Select the profile from the drop-down list to the right of Connect using profile.
2. Check Connect using profile, if it is not already checked.

To disconnect from a wired network, uncheck Connect using profile.

Configure multiple simultaneous network connections Each adapter on your computer can have its own connection. This means that if you have two wireless adapters, for example, you can have two simultaneous connections to wireless networks. Similarly, you can simultaneously run a wired connection and a wireless one. You can have as many network connections running simultaneously as you have adapters installed on your machine and configured with Odyssey Client. To connect to more than one configured network using multiple adapters: 1

Select an adapter from the Adapter drop-down list on the Connection panel.

2

Assign a network or an auto-scan list to this connection for wireless connections, or assign a profile for wired connections.

Repeat these steps for each adapter whose network connection you want to establish. You can use the Adapter drop-down list on the Connection panel to toggle between the adapters you have configured for multiple network connections, and hence monitor your multiple network connections.


Scan for wireless networks

If you travel frequently, you may want to authenticate through locally available wireless networks that you have not already configured. To connect to a wireless network that is not yet configured, follow these steps:

1. Click Scan on the Connection panel. Odyssey Client surveys the air waves and displays a list of all wireless networks that are currently reachable.

2. Select the network to which you want to connect, and click OK. If you have not yet configured settings for this network, Add Network appears. Specify settings and click OK. Once you check Connect to network on the Connection panel, Odyssey Client attempts to connect to the network.

NOTE: Only those wireless networks that are configured by an administrator to “send beacons” are visible to you when you scan. If “send beacons” is off, then you must enter the network from the Networks panel unless you choose the default [any] network from the Connection panel.

Reconnect to a network

When you click Reconnect on the Connection panel, Odyssey Client disconnects any existing connection for the currently selected adapter and starts a brand new connection to the selected wireless network. The new connection may be with a different access point (on the same network) than was used with your previous connection. The access point in use depends on factors such as signal strength. If you are already authenticated with this network, you are reauthenticated when the new connection starts. If dynamic encryption keys are in use, they are refreshed when you reconnect. Note that you do not have this feature available if you are connected using a wired adapter.

You probably do not need to use this button often. However, there may be times when your connection is not performing as well as it should. Clicking Reconnect can sometimes help, particularly if it results in a connection with an access point that is able to provide better service.

Reauthenticate to a network

When you click Reauthenticate on the Connection panel, Odyssey Client reauthenticates you over the existing connection shown in the display, without starting a new connection. If dynamic encryption keys are in use, they are refreshed.

Disconnect from a network connection

To disconnect a network connection, uncheck Connect to network for wireless connections, or Connect using profile for wired connections.

View connection information

The Status field on the Connection panel displays the current status of your connection to the network through this adapter. One of the following messages appears:

| Status message | Definition |
| --- | --- |
| open and authenticated | The connection is authenticated, and you are connected. |
| open / authenticating | Reauthentication is in progress, and you are connected. |
| open / requesting authentication | You have requested reauthentication, and you are connected. |
| open | The connection is not authenticated, but you are connected. |
| peer-to-peer | The network type is peer-to-peer (ad hoc), and you are connected. |
| authenticating | You are not yet connected, but authentication is in progress. |
| requesting authentication | You are not yet connected, but you have requested authentication from the access point. |
| waiting to authenticate | You are not yet connected, and the last authentication failed, but you are waiting to retry. If you see this message for a considerable length of time, you may be experiencing an association problem. If so, check the association mode required for your access point. |
| searching for access point | You are not connected, and communication with an access point on the requested network has not been established. This may occur when your adapter does not support 802.1X, or if your access point is not within range. |
| searching for peer(s) | You are not connected, and communication with other PCs on the peer-to-peer network has not been established. |
| disconnected | You are not connected, and Connect to network may be unchecked. See “Connect to a network (wireless connections only)” on page 29 for how to connect. |
| Odyssey is disabled | You are not connected, and Odyssey Client has been disabled. |
| adapter not present | You are not connected, and the configured adapter is not currently available. This may occur when your adapter does not support 802.1X. |
| cable unplugged | You are not connected. This can occur if you have a wired connection, but your cable is unplugged. |

The Elapsed time field on the Connection panel displays the time that has elapsed since the current connection began.

The Network (SSID) field displays the name of the wireless network to which you are connected. See “Wireless network names” on page 14. This field is not displayed when you view the status of a network connection that uses a wired adapter.

The Access point field displays the name (NASID) of the wireless access point to which you are connected. If this name is not available, the access point MAC address is displayed instead. A MAC address is a unique 48-bit number encoded into a device by the manufacturer.

The IP address field displays the IP address that is assigned to your Odyssey Client connection.

The Packets in/out field displays the total number of network packets received and transmitted since this connection began.

View informational graphics and detailed status

Three graphical status buttons at the bottom right corner of the Connection panel give you a visual indication of the status of your connection:

- Signal power status

- Connection status

- Encryption key information

You can use the mouse or the keyboard to view detailed connection status information from any of the status buttons:

- Using the mouse: Point to a graphical status button with the mouse, and hold down the left-click button.

- Using the keyboard: Tab over to a graphical status button and hold down the space bar.

Signal power status

The signal power graphic shows you how strong the signal is between your PC and the access point. The more bars that are filled in, the stronger the signal. You can interpret the signal power status graphic as follows:

- Strong signal power
- Moderate signal power
- Weak signal power
- Faint signal power
- No signal power

Hold down your mouse button while clicking this icon to see the signal power measured in decibels.


Connection status

The connection status button (with the Odyssey “sailing boat” icon) shows the state of your connection, and whether or not you are authenticated.

- (outline) not connected
- (red) not connected, due to failed authentication
- (black) connected, but authentication not in use
- (blue) connected and authenticated

Hold down your left mouse button while clicking this icon to see details of the last authentication that was performed over this connection. The information you see depends on your authentication method and access point, and may include the following:

- Result of your last connection attempt

- Type of authentication

- Elapsed time (since last connection)

- Cipher suite used to secure credential exchange

- Access point identification information

Encryption key information

The encryption key information button indicates whether or not encryption keys are in use over this connection.

- (outline) data is not encrypted
- (black) data is encrypted using static keys
- (blue) data is encrypted using dynamic keys (802.1X)

Hold down this button to see the following information:

- Global encryption: The size (in bits) of global encryption keys

- Access point encryption: The size (in bits) of access point encryption keys

NOTE: An encryption key has a secret part that is either 40 or 104 bits long, and a 24-bit long non-secret part that changes for each packet. Thus, the total key is either 64 or 128 bits long. Odyssey Client Manager reports the length of the secret part, which is either 40 or 104 bits.

Profiles panel

An Odyssey Client profile contains all the necessary information to authenticate you to the network. This includes information such as your identity (login name, and password or certificate) and the protocols by which you can be authenticated. You can have different profiles for different networks. For example, you may have different login names or passwords on different networks, or you may use a password on one network, and a certificate on another.

The Profiles panel lists all the profiles that have been configured. When you first use Odyssey Client Manager, you may find a profile called Initial Profile, containing commonly used settings. Alternatively, your network administrator may have already created one or more profiles for you.

Each profile you configure is displayed in the list.

- To add a profile, click Add. Profile Properties appears. Set the name for the new profile, configure the settings, and click OK.

- To remove a profile, select the profile and click Remove.

- To modify a profile, select the profile and click Properties, or double-click the profile. Profile Properties appears. Modify the settings and click OK.

Profile properties

Add Profile (or Profile Properties) allows you to configure a profile. It is displayed when you click Add (or Properties) from the Profiles panel.

When you add a new profile to Odyssey Client, type a unique name for the profile in the Profile name field of Add Profile. For example, you may want to use Office for the profile associated with your place of employment, and Home for your home network. Once you specify and save a profile, you do not have the ability to edit the profile name when you edit any of its other profile properties. You can, however, remove the profile and create a new one with a different name.

In addition to the profile name, you can configure (and edit) the following information in a profile:

- Login name

- Password and/or certificate

- A specification of the authentication protocols that can be used to authenticate you to the network

You can specify these using the four tabs of Add Profile:

- User Info

- Authentication

- TTLS Settings

- PEAP Settings

User Info

You can configure the name you use to log in, as well as your password, certificate, or SIM card information from the User Info tab.

Enter your user name into the Login name field. This is the name that is presented to the network when you authenticate. If you authenticate against a Windows Active Directory, use the form domain\user_name (for example, Acme\george). Otherwise, use a login name that matches the form of the user name as it is stored in the authentication database. Note the following:

- If you are logged into your network domain (as opposed to your machine), by default, Odyssey Client populates this field with the standard network form, domain\user_name, where user_name is your user name.

- If you are logged in to your client machine (as opposed to any network domain), Odyssey Client populates this field with your user name only.

- It is possible that you must add some text after your login name for the purpose of routing your authentication to the proper server. For example, acme\[email protected]. Your network administrator can tell you how to set this field correctly.

- If you are configuring this profile for use with a SIM card, make sure that your login name is of the form that is required by your provider. The standard format is username@realm.

User Info has three sections that you can configure from the tabs at the bottom:

- Password: You must configure this section when you use authentication protocols that require a password (e.g. EAP-TTLS).

- Certificate: You must configure this section when you use authentication protocols that require a certificate (e.g. EAP-TLS).

- SIM Card: You must configure this section when you authenticate using a SIM card. This feature requires a special license.

Password

You must configure passwords when you select authentication methods for this profile that require passwords. The following authentication methods require passwords:

- EAP-TTLS

- EAP-PEAP

- EAP-LEAP

- EAP-FAST

- EAP-MD5-Challenge

Check Permit login using password to enable authentication methods that use your password for authentication. When the time comes to authenticate, Odyssey Client can obtain your password in one of several ways:

- Select Use Windows password if you want to authenticate to the network using the same password you present when you log in to Windows. You cannot select this option if you are running under Windows 98, 98 SE, or Me.

- Select Prompt for password if you want Odyssey Client to prompt you when it is time to authenticate.

- Select Use the following password and enter a password in the box below, if you want Odyssey Client to save your password and use it each time you authenticate with this profile.

NOTE: If you are running under Windows 98, 98 SE, or Me, and you have selected the Use the following password option, you must reenter the password in this field whenever you change your Windows password.


If you select Prompt for password, you are generally only prompted the first time that you are authenticated after startup. Odyssey Client remembers this password and reuses it for the duration of your Windows session. The password you enter applies only to a single profile. If you are authenticated using a different profile, you are prompted again.

You may also be prompted to enter your Windows password when connecting to the network under some conditions, including the following:

- You accidentally enter an incorrect password or have any other type of authentication failure. This feature is in place, in part, so as to prevent accidental lockout due to the reuse of bad passwords.

- You are required to change your Windows password periodically, and you are accessing the network with EAP-TTLS, EAP-PEAP, or EAP-FAST authentication before Windows logon.

NOTE: When you are prompted for your password, you are also given the option to bypass the Odyssey Client network connection. This option gives you an easy way to use a wired network connection when it is available, without having to change your Odyssey Client wireless connection settings in any substantial way. To use this feature, click Yes when the following dialog appears.

NOTE: You can return to the Connection panel to connect to a network using Odyssey Client at any time.

Certificate

Configure the Certificate tab under User Info in order to use certificate credentials for authentication.

Note that you are required to select the EAP-TLS authentication protocol in order to negotiate authentication using certificate credentials.

Check Permit login using my certificate to enable authentication methods that use your certificate for authentication. Click Browse to select a personal certificate. A list of your personal certificates appears. Select a certificate and click OK. Once you configure a certificate, you can click View in order to view the certificate.

NOTE: This is an advanced feature. See your network administrator for information on which certificate to select for authentication if you require one.

SIM Card

When you have a license that is valid for the use of SIM cards with Odyssey Client, you can configure SIM card authentication from the SIM Card tab of the User Info tab of Profile Properties.

In order to use a SIM card when you connect to a network through Odyssey Client, you must configure an Odyssey Client user profile for use with your SIM card, and assign EAP-SIM or EAP-AKA as the authentication protocol. For SIM authentication, the name you type next to Login name is used when you do not choose to use the IMSI from the SIM card. See “EAP-SIM identity” on page 44.

NOTE: Although it is not recommended that you configure protocols other than EAP-SIM and EAP-AKA for a profile used for SIM authentication, you must configure some other portions of User Info when you use other protocols in the same profile.

The following is an example of the User Info tab of a profile that is configured for SIM card connections.

In order to use Odyssey Client with your SIM card, you must check Permit login using my SIM card.

NOTE: Passwords are not required when you use SIM cards for network connections. If you intend to use only your SIM card for network connections, uncheck Permit login using password on the Password tab. You can also leave Permit login using my certificate unchecked on the Certificate tab.

There are three more items to configure under the SIM Card tab:

- SIM card ID

- PIN settings

- EAP-SIM identity

SIM card ID

You can configure Odyssey Client to make SIM card connections in one of two ways:

- Use any SIM card that is installed. For this option, choose [any] from the list provided.

- Use a specific SIM card ID. For this option, you can either type your SIM card ID in the editable list provided, or, if you have already inserted your SIM card into your PC, you can select your SIM card ID from this list.

PIN settings

You may have set a PIN on your SIM card hardware. See “SIM Card Manager” on page 87 for information on managing your SIM card PIN. You have two choices for the PIN field for Odyssey Client:

- Select PIN is not required (default) if you are not required to use the PIN for your connections (you have no PIN assigned to your SIM card).

- Select Prompt for PIN if you enable a PIN for your use with your SIM card, and you want to be prompted for your SIM card PIN each time you connect. You may want to use this option for security reasons. You must use this option when you select [any] under SIM card ID (as opposed to a specific SIM card ID).

- Select Use the following PIN in order to use the PIN that you have enabled for use with your specified SIM card ID. In this case, type the PIN in the box provided. With this option, the PIN is stored and you are not prompted to enter it when you make a network connection.


EAP-SIM identity

Your SIM card contains an IMSI (the calling number issued by your service provider) for identification. You have options with respect to how your EAP-SIM identity is presented to your provider for network authentication. The option you choose depends on your provider’s requirements. You have two choices for entering your SIM identity:

- Select Use the IMSI from my SIM card (default) if your provider requires you to use your IMSI for identification.

- Select Use the login name I entered in this profile if you are required to use an identity (usually of the form username@realm) rather than your IMSI. In this case, you must make sure that your login name is in the form that is required by your provider. Note that when you select this option, if you allow more than one authentication protocol with this profile, then you may have a conflict with your login name. If you are required to select this option, then create a separate profile for connections that use protocols other than EAP-SIM or EAP-AKA.

Authentication

The Authentication tab lets you specify the protocols that authenticate you to the network, as well as some EAP protocol-specific options.

You can address the following areas of the Authentication tab:

- Select authentication protocols

- Validate the server certificate

- Set tunneled generic token card credential options

- Set an anonymous name

Select authentication protocols

The Authentication protocols list displays the protocols that you have enabled for authentication. You may have a single authentication protocol in the list or you may have several. If you have more than one, you can order them by preference. The ordering you choose affects the protocol that the server uses when it has more than one protocol in common with the ones you select here. You have several options:

- To add a protocol to the list, click Add. Add EAP Protocol appears. Select one or more protocols to add, and click OK. You can select more than one protocol if you hold down Ctrl on your keyboard as you select with your mouse. Note that any protocols you have already selected are not listed in this dialog, and EAP-SIM and EAP-AKA require a special license.

- To remove a protocol listed in Authentication, select the protocol and click Remove.

- To reorder protocols, select a protocol and use the up and down arrow buttons on Authentication, in order to reposition it.

NOTE: EAP-TTLS, EAP-PEAP, and EAP-FAST all use inner (tunneled) protocols. EAP-FAST uses EAP-GenericTokenCard as its inner protocol by default. You can choose among one or more inner protocols for EAP-TTLS or EAP-PEAP. See “TTLS Settings” on page 48 and “PEAP Settings” on page 50.

Validate the server certificate

Certain protocols, such as EAP-TTLS, PEAP, and EAP-TLS, allow you to verify the identity of the authentication server as the server verifies your identity. This is called mutual authentication.

Check Validate server certificate to verify the identity of the authentication server based on its certificate when authenticating with EAP-TTLS, PEAP, and EAP-TLS. (This is checked by default.) You can specify your trusted authentication server certificates using the Trusted Servers panel. See “Trusted Servers panel” on page 61.

You should, as a general rule, check Validate server certificate. You have the option of turning off this important security precaution because there may be circumstances that require it. You should only do so when your network administrator instructs you to.

Set tunneled generic token card credential options

There are two circumstances under which EAP-GenericTokenCard can be the inner protocol for tunneled authentication:

- If you select EAP-FAST as an outer authentication method on the Authentication tab, since EAP-GenericTokenCard is the inner authentication protocol used with EAP-FAST, by default.

- If you choose EAP-GenericTokenCard as the inner protocol for EAP-PEAP.

If you use EAP-GenericTokenCard as one of your inner authentication methods, then the EAP-GenericTokenCard settings under the Authentication tab apply. These settings allow you to choose to use your password credentials or your token card ID for authentication:

- Select My password if your network requires that you use the password credentials assigned with this profile instead of your token card ID for authentication.

- Select Prompt for token information if your network requires that you use your token ID for authentication.

NOTE: EAP-GenericTokenCard settings do not apply when you configure EAP-GenericTokenCard as an inner authentication method for EAP-TTLS (with EAP). Nor do they apply when you choose EAP-GenericTokenCard as an authentication method from the Authentication tab.

Set an anonymous name

With EAP-TTLS, EAP-PEAP, and EAP-FAST you can appear to log in anonymously, while passing your actual login name through an encrypted tunnel. As a result, not only are your credentials secure from eavesdropping, but your identity is protected as well. With these three protocols you can have two identities:

- An inner identity, your actual login name, which is taken from the Login name field in the User Info tab.

- An outer identity, which can be completely anonymous. You can set your outer identity in the Anonymous name field.

Note the following:

- Anonymous outer identities are implemented only when you fill in Anonymous name.

- When you leave Anonymous name blank, your inner identity is also used as your outer identity.

As a general rule, set Anonymous name to anonymous, its default value. Your network administrator can tell you how to configure this field correctly:

- In some cases you are required to add additional text. For example, if this outer identity is used to route your authentication to the proper server, you may be required to use a format such as [email protected].

- It is possible that anonymous EAP-PEAP authentication does not work with your network authentication server. If that is the case, you must leave Anonymous name blank.

NOTE: Your outer identity can be anonymous if your list of authentication protocols only includes EAP-TTLS, EAP-PEAP, and/or EAP-FAST. If you enable any other protocols, Odyssey Client cannot keep your identity private and the Anonymous name field is disabled.
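As an added example (not part of the Odyssey guide and not Funk Software code), the following Python checks a profile against the rules stated in the User Info and Authentication sections above, including which identity is visible outside the tunnel. The dictionary layout, key names, finding codes and sample profiles are assumptions constructed for the example; Odyssey Client itself is configured through its dialogs.

```python
# Added example: lint a profile against rules stated in this guide.
# The dict layout, key names and finding codes are assumptions made for
# this example; they are not an Odyssey Client file format or API.

TUNNELED = {"EAP-TTLS", "EAP-PEAP", "EAP-FAST"}            # can carry an anonymous outer identity
PASSWORD_METHODS = TUNNELED | {"EAP-LEAP", "EAP-MD5-Challenge"}
SERVER_CERT_METHODS = {"EAP-TTLS", "EAP-PEAP", "EAP-TLS"}  # "Validate server certificate" applies
SIM_METHODS = {"EAP-SIM", "EAP-AKA"}


def outer_identity(profile):
    """Return the identity that is presented outside the encrypted tunnel."""
    protocols = set(profile["protocols"])
    anonymous = profile.get("anonymous_name", "").strip()
    # The Anonymous name field only takes effect when it is filled in and
    # every enabled protocol is EAP-TTLS, EAP-PEAP or EAP-FAST.
    if anonymous and protocols and protocols <= TUNNELED:
        return anonymous
    # Otherwise the inner identity (login name) is also the outer identity.
    return profile["login_name"]


def audit_profile(profile):
    """Return a list of (code, message) findings for one profile."""
    findings = []
    protocols = set(profile["protocols"])

    if protocols & SERVER_CERT_METHODS and not profile.get("validate_server_certificate", True):
        findings.append(("server-cert",
                         "Validate server certificate is off; the authentication server is not verified"))

    if protocols & TUNNELED and outer_identity(profile) == profile["login_name"]:
        findings.append(("identity-exposed",
                         "login name is used as the outer identity (Anonymous name blank or disabled)"))

    if protocols & PASSWORD_METHODS and not profile.get("permit_password", False):
        findings.append(("password",
                         "a password-based protocol is enabled but Permit login using password is off"))

    if "EAP-TLS" in protocols and not profile.get("permit_certificate", False):
        findings.append(("certificate",
                         "EAP-TLS is enabled but Permit login using my certificate is off"))

    if protocols & SIM_METHODS:
        sim = profile.get("sim", {})
        if not sim.get("permit_sim", False):
            findings.append(("sim", "EAP-SIM/EAP-AKA enabled but Permit login using my SIM card is off"))
        if sim.get("card_id") == "[any]" and sim.get("pin_mode") == "stored":
            findings.append(("sim-pin", "a stored PIN belongs to a specific SIM card ID, not [any]"))
        if sim.get("identity") == "login_name" and protocols - SIM_METHODS:
            findings.append(("sim-identity",
                             "login name is the SIM identity but other protocols share this profile"))
    return findings


def codes(profile):
    """Finding codes only, in the order the checks run."""
    return [code for code, _ in audit_profile(profile)]


# Constructed sample profiles (not taken from any real deployment).
WEAK = {
    "login_name": "Acme\\george",
    "protocols": ["EAP-TTLS", "EAP-LEAP"],   # EAP-LEAP disables the Anonymous name field
    "anonymous_name": "anonymous",
    "validate_server_certificate": False,
    "permit_password": True,
}
HARDENED = dict(WEAK, protocols=["EAP-TTLS"], validate_server_certificate=True)
SIM_MIXED = {
    "login_name": "george@example.net",
    "protocols": ["EAP-SIM", "EAP-PEAP"],
    "anonymous_name": "",
    "validate_server_certificate": True,
    "permit_password": True,
    "sim": {"permit_sim": True, "card_id": "[any]", "pin_mode": "stored", "identity": "login_name"},
}

if __name__ == "__main__":
    for name, profile in (("WEAK", WEAK), ("HARDENED", HARDENED), ("SIM_MIXED", SIM_MIXED)):
        print(name, "outer identity:", outer_identity(profile))
        for code, message in audit_profile(profile):
            print("  ", code, "-", message)
```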

TTLS Settings

The TTLS Settings tab lets you configure the use of EAP-TTLS as an authentication protocol. These settings are only relevant when you select EAP-TTLS as one of your authentication protocols in the Authentication tab.

EAP-TTLS works by creating a secure, encrypted tunnel through which you present your credentials to the authentication server. Thus, inside EAP-TTLS there is yet another inner authentication protocol that you must configure. See “EAP-TTLS” on page 20.

Select the Inner Authentication Protocol

Select from the drop-down list at the right the Inner authentication protocol you want to use. You can select any of the following:

- PAP

- CHAP

- MS-CHAP

- MS-CHAP-V2

- PAP/Token Card

- EAP

The most commonly used protocol is MS-CHAP-V2. It allows you to be authenticated against a Windows Domain Controller as well as other non-Windows user databases.

NOTE: You cannot use CHAP as your inner authentication method if you are authenticating against a Windows NT Domain or Active Directory. As a result, do not choose CHAP when authenticating against Odyssey Server, since it can only authenticate against a Windows Domain or Active Directory.

PAP/Token Card is the protocol to use with token cards. When you use PAP/Token Card, the password value you enter into the Password dialog is never cached, since any token-based password is only good for one use.

Check with your network administrator to determine which inner authentication protocols can be used on your network.

EAP as an inner authentication protocol

If you select EAP as your inner authentication protocol, you must configure the list of Inner EAP protocols with one or more protocols.

- To add a protocol to the list, click Add. Add EAP Protocol appears. Select one or more protocols to add and click OK. You can select more than one protocol if you hold down Ctrl on your keyboard as you select with your mouse. Note that only the protocols you have not already added are available.

- To remove a protocol listed in TTLS Settings, select the protocol and click Remove.

- To reorder protocols, select a protocol and use the up and down arrow buttons to reposition it.


PEAP Settings

If you select EAP-PEAP as an authentication method in the Authentication tab, then you can use either of the following inner EAP authentication methods:

- EAP-MS-CHAP-V2

- EAP-GenericTokenCard

To add or remove any inner authentication methods used with EAP-PEAP, follow these steps:

1. Go to the PEAP Settings tab.

2. Click Add to add a protocol. Add EAP Protocol appears. Select one or more protocols to add and click OK. Note that any protocols you have already selected are not listed in this dialog.

3. When you allow more than one inner protocol, you should order the protocols listed under PEAP Settings according to your preferences (requirements). Use the up and down arrows to move a selected protocol around in the list.

4. If you select EAP-GenericTokenCard as one of your PEAP inner authentication methods, then you can configure the EAP-GenericTokenCard settings under the Authentication tab. These settings allow you to choose to use your password credentials or your token card ID for authentication.

5. Click OK when you are done creating or modifying the profile configuration.

6. Select any protocols you want to remove under PEAP Settings, and click Remove.

Networks panel

You can use the Networks panel to configure settings for connecting to any number of wireless networks.

Each network that you configure is listed in the panel. You can perform the following tasks in the Networks panel:

- To add a network, click Add. Add Network appears. Configure the settings for the new network and click OK.

- To remove a network, select the network and click Remove.

- To modify the settings for a network, select the network and click Properties, or double-click the network name. Network Properties appears. Modify the settings and click OK.

Network titles

The titles of networks listed in the Networks panel are coded with special formatting:

- The name of the network appears in angled brackets. If the name [any] is listed in angled brackets as an entry in the list of networks, then you can use this network configuration to connect to any available wireless network.

- The description of the network precedes the name. This description comes from the optional Description field in Network Properties. You can add your own description to any network you configure. This helps you to distinguish networks.

The network description field is useful for situations that advanced users might encounter. You can use it to connect to the same network using different profiles. For example, you may want to use different credentials at different times. The description field also lets you distinguish two different networks that happen to have the same network name. Network names are arbitrary text chosen by an administrator, so it is possible for two unrelated networks to have the same name. In the illustration in “Networks panel” on page 51, there are two Toronto networks. The descriptions indicate that password credentials are used with one and certificate credentials with the other.

Network Properties

You can configure wireless network settings in Add Network or Network Properties when you click Add or Properties from the Networks panel.

You can configure the following network attributes here:

- Network fields

- Authentication fields

- Preconfigured keys (WEP, WPA2, or WPA)

Network fields

You can perform the following tasks under Network:

- Specify the network name

- Scan for a network

- Configure Odyssey Client to connect to any available network

- Specify a description of the network

- Specify the network type

- Specify the association mode

- Specify an appropriate encryption method for your association mode

Specify the network name

Set Network name (SSID) to the name of the wireless network. The network name may be up to 32 characters long and is case-sensitive. This name must be entered correctly in order to successfully connect.

Scan for a network

You can type in the name of the network directly, or you can click Scan to select from a list of all currently visible networks. When you are in the vicinity of the network you are configuring, using the Scan button is not only easier than typing, but also guarantees that the network name is set correctly. Note that only access points that transmit beacons are visible to you when you use the Scan button.

Configure Odyssey Client to connect to any available network

Odyssey Client Manager provides a special network configuration called [any]. The [any] network connects to any available network, regardless of its name. The [any] network is useful when you are wandering through conferences, hotels or other locations that provide network access. When you select the [any] network from the Connection panel, you can connect to such networks without having to configure them individually. To configure an [any] network, check Connect to any available network. Although you can use WEP keys and profiles with [any], the more common (default) practice is to use [any] without 802.11 or 802.1X authentication.

Specify a description of the network

You may want to use network descriptions in order to provide more information about your network than its SSID provides. You can also use the description in order to distinguish between similar network names. You have the option to enter a description of this network in the Description field. The text you enter into this field allows two networks with the same name to remain distinct on the Odyssey Client Manager display. See “Networks panel” on page 51 for an example.

Specify the network type

If you did not use the Scan button to select your network, you must specify the type of network by choosing one of the options from the Network type dropdown list.

- Select Access point (infrastructure mode) if this network uses access points to provide connectivity to the corporate network or the internet. This is the most common setting.
- Select Peer-to-peer (ad-hoc mode) to set up a private network with one or more other PCs.

Specify the association mode

Before authentication can take place, you must associate your client to an access point. The association mode that is required of you depends on your access point hardware, and how it is configured. Your network administrator can help you configure the association mode that is required for your network. See “Wired-Equivalent Privacy (WEP)” on page 14 and “Wi-Fi Protected Access (WPA or WPA2) and TKIP/AES” on page 15 for more information on these encryption and association mode choices.

You can choose one of three association modes:

- Open, for connecting to a network through an access point or switch that implements 802.1X authentication. Choose this mode if you are not required to select shared mode or WPA.
- Shared, for connecting to a network through an access point that requires at least one preconfigured WEP key for association
- WPA, for connecting to a network through an access point that implements WPA (Wi-Fi Protected Access)
- WPA2, for connecting to a network through an access point that implements WPA2 (802.11i)

Specify an appropriate encryption method for your association mode

Your choice of encryption method also depends on the access point requirements. Your choices vary according to the association mode you choose. See “Wired-Equivalent Privacy (WEP)” on page 14 and “Wi-Fi Protected Access (WPA or WPA2) and TKIP/AES” on page 15 for more information.

You have the following options:

- None, for using 802.1X authentication without WEP keys. This option is only available to you when you configure access point association in open mode. This is a typical setting to use for wireless hotspots.
- WEP, for using WEP keys for data encryption. This option is available for open or shared association, and is required when you associate in shared mode. When you use WEP encryption, you must fill in at least one preconfigured WEP key at the bottom of Add Network, unless you authenticate using a profile and check Keys will be generated automatically for data privacy. You must choose WEP encryption when the access points in your network require shared mode association with WEP keys, or when your access points require WEP encryption.
- TKIP, for using the temporal key integrity protocol. Choose this option when the access points in your network require WPA association and are configured for TKIP data encryption.
- AES, for using the advanced encryption standard protocol. Choose this option when the access points in your network require WPA or WPA2 association, and are configured for AES data encryption. If your client hardware and access point support AES, use AES encryption when you associate in WPA2 or WPA mode.

Authentication fields

You can configure network authentication with the following characteristics:

- Authenticate using profile
- Automatic key generation

Authenticate using profile

If the wireless network you are configuring requires that you authenticate using your personal credentials, check Authenticate using profile, and select the profile to use for authentication from the drop-down list at the right. You must have already configured a profile appropriate for authenticating to this network.

When you check Authenticate using profile, Odyssey Client performs an 802.1X authentication using your password, certificate, or by other means, as is configured in the selected profile.

Automatic key generation

Check Keys will be generated automatically for data privacy if the authentication method specified in the profile results in the creation of dynamic WEP keys for use between your PC and the access point. Certain authentication methods, such as EAP-TTLS, PEAP, and EAP-TLS, generate keys. Others do not. If you use EAP-TTLS, PEAP, or EAP-TLS to authenticate, check this box. You can use any of these authentication methods if your access point implements 802.1X authentication. This option is more secure than using static (preconfigured) keys. This option is available with all encryption methods (other than none), as long as you are not associating in shared mode. Leave this option unchecked if you are required to use preconfigured WEP keys, or, in the case of WPA association, a pre-shared key.

Preconfigured keys (WEP, WPA2, or WPA)

The wireless network may require that you preconfigure WEP keys, or that you pre-share a passphrase in the case of WPA or WPA2 association. You can enter keys in the lower portion of your network properties description, according to your association method:

- Pre-shared keys (WPA or WPA2)
- Preconfigured keys (WEP)

Pre-shared keys (WPA or WPA2)

If you associate in WPA or WPA2 mode, and you do not generate encryption keys automatically when you associate an authentication profile to the network connection, then you must supply a pre-shared ASCII passphrase in the Passphrase field. This passphrase is used as a seed to generate the required keys. When you use a passphrase, you do not authenticate with a RADIUS server.

NOTE: If you supply a 64 character ASCII passphrase, Odyssey uses it to produce a 32 byte hex value that is used as the master key.

Preconfigured keys (WEP)

If you associate in shared mode, you must configure at least one WEP key that is used for association. You must also configure at least one WEP key under the following conditions:

- You select WEP encryption for the open association mode.
- You do not generate encryption keys automatically.
- You associate an authentication profile to the network connection in Add Network.

WEP keys serve the following purposes:

- Associate with an access point before a connection can be established (shared mode).
- Encrypt data between your PC and the access point (or other PCs in a peer-to-peer network). See “Wired-Equivalent Privacy (WEP)” on page 14.

If the wireless network uses 802.1X authentication and dynamic WEP keys are generated (i.e., you check Authenticate using profile and Keys will be generated automatically for data privacy), then you do not need to enter preconfigured WEP keys for data privacy. However, it is possible, though not typical, to use preconfigured WEP keys for authentication in addition to 802.1X. For example, EAP-MD5 does not generate WEP keys for data encryption, so you must supply an encryption WEP key when your profile is set to authenticate with this method.

If you implement either of these uses of preconfigured WEP keys, you must check the appropriate boxes and set one or more WEP keys appropriately:

- Check to authenticate to access points (shared mode) if preconfigured WEP keys are required to authenticate to an access point prior to connection to the wireless network.
- Check for data privacy to use preconfigured WEP keys for encryption of data over the wireless network.

Enter the WEP keys in fields Key 0 through Key 3. The values entered here must match those of the access points or peer computer to which you connect. It is most common for Key 0 to be used, although your network may require other keys as well. You can enter keys either as ordinary text characters (ASCII) or hexadecimal characters. WEP keys are either 40 or 104 bits long. This corresponds to either 5 or 13 characters when you enter them as ASCII characters, or 10 or 26 characters when you enter them as hexadecimal digits.

# of bits in key    # of ASCII chars    # of hex digits
40                  5                   10
104                 13                  26

To enter any preconfigured WEP keys, follow these steps:

1. In Format for entering keys, select either ASCII characters or hexadecimal digits, depending on how you want to enter the keys.
2. Type each WEP key that you want to preconfigure into the text fields Key 0 through Key 3.

Auto-Scan Lists panel

You can associate an ordered group of wireless networks with an auto-scan list so that you can be connected to any of the networks available in the list. For example, you may want to associate your home network and your office network with the same auto-scan list, so that you do not have to change your network connection specification each time you change location. When you specify a connection on the connections panel to an auto-scan list rather than a single network, Odyssey scans sequentially through the listed networks for an available network. You may want to use this feature if you are moving your client machine between locations that access different networks. You can specify auto-scan lists from the Auto-Scan Lists panel:

Although you can create new lists of networks at any time, each of the individual networks in a list must have been previously configured with the Networks panel.

The Auto-Scan Lists panel displays the lists that you have created so far. You can perform the following tasks in the Auto-Scan Lists panel:

- To add an auto-scan list, click Add. Auto-Scan List Properties appears.
- To remove an auto-scan list, select it from the list and click Remove.
- To modify the settings for a network, select it from the list and click Edit, or double-click the auto-scan list name. Auto-Scan List Properties appears.

NOTE: Make sure to separately test each network connection for each network in your auto-scan list. If you misconfigure a network connection on the auto-scan list so that authentication fails at every connection attempt, Odyssey Client does not skip that network to try other networks on the list. To test a single selected network connection, go to the Connection panel and check Connect to network after selecting the network you want to test.

Auto-Scan List properties

You can add or edit auto-scan list properties when you click Add or Properties from the Auto-Scan Lists panel. The resulting dialog allows you to manage lists of the wireless networks that you have configured with the Networks panel.

To specify a new auto-scan list, follow these steps:

1. Provide the List name. You must fill this field in before you click OK. You cannot choose a list name you have already used, and you cannot edit this name later when you click Properties for a selected list in the Auto-Scan Lists panel.
2. Sequentially select networks for your auto-scan list from the list of configured networks listed under Available Networks on the left. Use the right arrows to move networks from the left to the Selected Networks on the right. This is your set of auto-scan networks.
3. Order your selected networks according to the frequency with which you expect to connect to them. Place your most frequently used networks at the top of the list. You can select one or more networks and use the up and down arrows to reorder the list. You can modify this list order or contents at any time when you click Properties of the list by this name from the Auto-Scan Lists panel.

In general, you increase the likelihood of connection to a given network (in comparison with other available networks in the same auto-scan list) by moving it up toward the top of the list.

Trusted Servers panel

You can configure trusted authentication servers for EAP-TTLS, EAP-TLS, or EAP-PEAP authentication from the Trusted Servers panel.

When you configure Odyssey Client to trust a server, you must specify the name of the server and the certificate chain to which it belongs. You also have the option to allow Odyssey Client to trust any server that bears a specified signed certificate. You can specify trusted servers using either a simple method or a more advanced method. See the following topics for configuring trust:

- “Using the simple method to configure trust” on page 62
- “Using the advanced method to configure trust” on page 65
- “Untrusted servers” on page 70

See the following topics for information on certificates and the protocols that use them:

- “Extensible Authentication Protocol (EAP)” on page 17
- “Certificates” on page 18

Using the simple method to configure trust

In the large majority of cases, you can use the simple method of configuring trust. You have two options in creating your list of trusted servers:

- You can allow any server that bears a specified signed certificate to be trusted. With this method, you must specify a certificate from any certificate authority in your certificate authority chain. This could be the certificate of a root or an intermediate certificate authority.
- Using domain names you can specify a list of servers to be trusted. With this method, you must specify two items:
  - The server domain name, or the ending of the domain name (for example, acme.com)
  - A certificate from any certificate authority in your certificate authority chain. This could be the certificate of a root or an intermediate certificate authority

Adding a trusted server entry

When you click Add from the Trusted Servers panel, Add Trusted Servers Entry appears.

You can either trust all servers with a specified certificate, or you can use domain names when you specify trusted server certificates:

1. You can either configure trust for any server issued with a specified signed certificate, or you can specify one or more servers to be trusted using domain names, when those servers are issued with a given signed certificate:
  - To allow all servers with a specified signed certificate to be trusted, check Trust any server with a valid certificate regardless of name.
  - To specify servers by name, in the Server name must end with field, enter the identity of the trusted server.
2. Set the Server certificate must be issued by field to the certificate of the certificate authority that must have directly or indirectly issued the server certificate. The certificate you select may be that of a root or intermediate certificate authority. It need not be the certificate authority that directly issued the server certificate. It may be any certificate in the chain. To assign a certificate, follow these steps:
  a. Click Browse to get a list of certificates.
  b. Select a certificate from the list that appears, and click OK.
3. Click OK to close Add Trusted Servers Entry.

Server identity

Each server has an identity that uniquely identifies it, and that name is normally contained in the Subject CN field of the server certificate. A server identity may end with the name of a larger administrative domain, to which the server belongs. For example, the Acme company might have a domain name, such as acme.com. The company might also have several authentication servers, that are identified as auth1.acme.com, auth2.acme.com, and auth3.acme.com, for example. In this case, Acme could configure its server certificates with a common name, acme.com, and fill in the Server name must end with field with acme.com. As in this example, by specifying the ending for a server name, you can configure trust for all the servers in an organization with a single entry.

Removing a trusted server entry

To remove an entry from the trusted servers list, select the entry and click Remove.

Editing a trusted server entry

To edit an entry in the trusted servers list, select the entry and click Edit. Edit Trusted Servers Entry appears, allowing you to modify the server domain and the certificate of the issuer.

Using the advanced method to configure trust

If you need more control over trust, you can use the advanced method.

NOTE: If you do not have a working knowledge of certificates and certificate chains, you should not attempt to configure trust using the advanced method. Consult your network administrator as to how to configure trusted servers.

With this method, the entire tree of trust is displayed. The trust tree shows trusted servers added using the simple method as well as the advanced. Each path through the trust tree defines a set of rules for matching a certificate chain. Odyssey Client trusts an authentication server only if its certificate chain matches at least one path through the trust tree. A path through the trust tree is composed of two or more nodes:

- Each top-level node is the certificate of a root or intermediate certificate authority.
- Each intermediate node (if present) is the name of an intermediate certificate authority in the chain.
- Each final or leaf node is the name of an authentication server that you trust.

The names of certificate authorities and servers may be specified as subject names or as domain names. In addition, you may specify that the name in a certificate must match the configured name exactly, or that it must end in the configured name.

Displaying the trust tree

To display the trust tree, click Advanced. Trusted Servers appears.

You can view and modify trust rules according to the following:

- “Adding certificate nodes” on page 66
- “Adding authentication servers or intermediate CA nodes” on page 67
- “Removing nodes” on page 69
- “Viewing certificate information” on page 70

Adding certificate nodes

To add a new certificate to the top level of the trust tree, follow these steps:

1. Click Add certificate. Select Certificate appears.
2. Select a certificate and click OK. You may select either from the list of intermediate or trusted root certificates.

For detailed information about any certificate before you add it, select the certificate and click View.

Adding authentication servers or intermediate CA nodes

All nodes below the top level identify either authentication servers or intermediate certificate authorities. If the node is a leaf node, it is assumed to identify an authentication server. Otherwise, it is assumed to identify an intermediate certificate authority.

To add an authentication server or intermediate certificate authority to the tree, follow these steps:

1. Select the node in the tree, beneath which you want to add the new item.
2. Click Add Identity. Add Identity appears. Fill it in according to the directions in “Add Identity” on page 68.
3. Enter the information that defines the rules that Odyssey Client uses to match a certificate in the server certificate chain to this node.
4. Click OK.

Add Identity

Add Identity lets you set the matching rules for a single node in the trust tree.

For Trust a server or intermediate CA with a valid certificate, select one of the following:

- Regardless of its name to match any certificate, provided it is signed by the certificate authority in the node above
- If its name matches the following name exactly to require that the name in the certificate exactly match the name you specify
- If its name ends with the following name to require that the name in the certificate is subordinate to the name you specify. For example, a certificate with name sales.acme.com would match an entry of acme.com

For Name of server or intermediate CA, enter the name (or final elements of a name) you want to match. (This field is not required if you select regardless of its name). The form of the name depends on your choice of Name type.

For the certificate authority Name type, you must indicate how the name is interpreted and where in the certificate the name is found. Select one of the following:

- Domain name in Subject Alternative Name or Common Name if the domain name (e.g., acme.com) is found in the Subject Alternative Name field in the certificate or, if that is not present, the Common Name within the Subject field of the certificate (this is the most typical choice).
- Domain name in Subject Alternative Name if the domain name is found in the Subject Alternative Name field in the certificate. This is similar to but more restrictive than the previous choice.
- Subject Name if the name is an X.500 name and is found in the Subject field in the certificate. If you enter a full or partial Subject name, it must be in X.500 form. It matches any certificate Subject name that is equal or subordinate to it. For example, if you enter OU=acme.com, C=US it matches any of the following subject names:
  O=sales, OU=acme.com, C=US
  CN=george, O=sales, OU=acme.com, C=US

NOTE: If you enter text that includes commas, surround them with single quotation marks.

For Maximum number of intermediate certificates, set the maximum number of certificates that may appear in the chain between this node and the node directly above this node. You may select a number between 0 and 5, or unlimited:

- If you choose 0, the certificate that matches this node must have been signed using the certificate that matches the node above this node.
- If you choose 1, the certificate that matches this node may have been signed by the certificate that matches the node above or by a certificate that in turn has been signed by the certificate that matches the node above.
- If you choose unlimited, any number of certificates may appear in the chain between the certificate that matches this node and the one that matches the node above.
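The trust-tree rules above (match mode, name type, maximum number of intermediate certificates) worked through as an added Python example; it is not Funk Software's code. It assumes the chain's signatures have already been verified, represents certificates as constructed records rather than parsed X.509, and applies "ends with" on domain-label boundaries, which the guide does not specify. All class, function and certificate names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import List, Optional


def parse_rdns(dn: str):
    """Split 'O=sales, OU=acme.com, C=US' into pairs (quoted commas not handled)."""
    pairs = []
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        pairs.append((key.strip().upper(), value.strip().lower()))
    return pairs


@dataclass
class Cert:                      # constructed stand-in for a verified certificate
    cert_id: str                 # stands in for a fingerprint
    subject: str                 # X.500 subject, most specific element first
    san_dns: List[str] = field(default_factory=list)

    @property
    def common_name(self) -> Optional[str]:
        return next((v for k, v in parse_rdns(self.subject) if k == "CN"), None)


@dataclass
class IdentityNode:              # one node below the top level of the trust tree
    mode: str                    # "any", "exact" or "ends_with"
    name: str = ""
    name_type: str = "san_or_cn"            # "san_or_cn", "san" or "subject"
    max_intermediates: Optional[int] = 0    # None means unlimited


def domain_matches(candidate: str, rule: str, mode: str) -> bool:
    c, r = candidate.lower().rstrip("."), rule.lower().rstrip(".")
    if mode == "exact":
        return c == r
    # Assumption: the suffix must start at a label boundary, so that
    # notacme.com is not accepted for a rule of acme.com.
    return c == r or c.endswith("." + r)


def node_matches(node: IdentityNode, cert: Cert) -> bool:
    if node.mode == "any":
        return True
    if node.name_type == "subject":
        have, want = parse_rdns(cert.subject), parse_rdns(node.name)
        if node.mode == "exact":
            return have == want
        # Equal or subordinate: the certificate subject ends with the rule.
        return len(have) >= len(want) and have[len(have) - len(want):] == want
    names = list(cert.san_dns)
    if not names and node.name_type == "san_or_cn" and cert.common_name:
        names = [cert.common_name]          # fall back to CN only without SAN
    return any(domain_matches(n, node.name, node.mode) for n in names)


def path_matches(anchor_id: str, nodes: List[IdentityNode], chain: List[Cert]) -> bool:
    """chain runs from the CA side to the server certificate (last element)."""
    def walk(pos: int, idx: int) -> bool:
        if idx == len(nodes):
            return pos == len(chain) - 1    # last node must be the server itself
        node = nodes[idx]
        limit = (len(chain) - pos - 2 if node.max_intermediates is None
                 else node.max_intermediates)
        for gap in range(limit + 1):        # gap = certificates skipped in between
            nxt = pos + 1 + gap
            if nxt < len(chain) and node_matches(node, chain[nxt]) and walk(nxt, idx + 1):
                return True
        return False

    starts = [i for i, c in enumerate(chain) if c.cert_id == anchor_id]
    return bool(nodes) and any(walk(s, 0) for s in starts)


# Constructed sample certificates (identifiers and subjects are illustrative).
ROOT = Cert("root-01", "CN=AcmeRootCA, O=Acme, C=US")
ISSUING = Cert("ca-02", "CN=Acme Issuing CA, O=Acme, C=US")
SERVER = Cert("srv-03", "CN=auth1.acme.com, O=Acme, C=US", ["auth1.acme.com"])
LOOKALIKE = Cert("srv-04", "CN=auth.notacme.com, O=Other, C=US")
GEORGE = Cert("srv-05", "CN=george, O=sales, OU=acme.com, C=US")

if __name__ == "__main__":
    rule = [IdentityNode("ends_with", "acme.com", "san_or_cn", 1)]
    print(path_matches("root-01", rule, [ROOT, ISSUING, SERVER]))     # True
    print(path_matches("root-01", rule, [ROOT, ISSUING, LOOKALIKE]))  # False
```

Setting the maximum to 0 in the same rule rejects the first chain, because the server certificate is then required to be signed directly by the top-level certificate.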

Removing nodes

To remove a node, select the node in the tree you want to remove, and click Remove. The selected node and any nodes beneath it are removed from the tree. The node you remove may be any of the following:

- Top level certificate node
- Intermediate CA node
- Server node

Viewing certificate information

For detailed information about any certificate at the top level of the trust tree, select the certificate and click View Certificate.

Untrusted servers

Under the following conditions, you are given the option to trust a previously untrusted server during network authentication:

- You have enabled temporary trust.
- The authenticating profile mandates server validation.
- The trusted root certificate authority of the server certificate (in the example shown below, the certificate AcmeRootCA) is installed on your client machine.

If this is the case, the following dialog appears while you are authenticating to the network.

The dialog shows the entire certificate chain between the authentication server and a trusted root certificate authority. To see detailed information about any certificate in the chain, select the certificate and click View.

If you want to temporarily (until you restart Odyssey Client) trust this server in order to authenticate and connect to the network, click Yes. Otherwise, click No. You may be asked to type in your password, depending on the profile you set up for this connection.

If you want to permanently trust this server by adding it to the Trusted Servers list, check Add this trusted server to the database and click Yes. The server is added to the Trusted Servers list, using the name shown in the Server name must end with field (see “Adding a trusted server entry” on page 63). You may edit the server name. For example, if the server name is auth2.acme.com, you can change it to acme.com, if you want to trust all authentication servers belonging to the acme.com domain.

Adapters panel

The Adapters panel lets you select one or more network adapters (interface cards) for wired or wireless networking. You can select more than one adapter if you hold down Ctrl on your keyboard as you select with your mouse. The Adapters panel lists all the wireless and wired adapters that are configured in Odyssey Client. Most likely you have configured a single adapter. However, you may configure more than one adapter.

You can use the Adapters panel for the following tasks:

- Adding a wireless or wired adapter
- Removing an adapter from the list of adapters

NOTE: Your adapter must already have been installed on your system before you can configure Odyssey Client to use it.

Adding a wireless or wired adapter

To add a wireless or wired adapter that Odyssey Client has not yet recognized, follow these steps from the Adapters panel of Odyssey Client Manager:

1. Click Add. Add Adapter appears, displaying a list of all network adapters that are installed on your PC (except for the ones Odyssey Client is already configured to use).
2. Select either the Wireless or Wired 802.1X tab.
3. Select the desired adapter from the list and click OK. Note that only adapters that you have not yet added to the Adapters panel are displayed.

NOTE: The adapters that you select on the Wireless tab are used for wireless connections, and those that you select under the Wired tab are used for wired connections. In most cases, Odyssey Client Manager can distinguish between wireless and non-wireless network adapters. However, in certain cases it cannot. If you do not see your wireless adapter in the list, select All Adapters. Make sure that each of the adapters you select on the Wireless tab is indeed wireless. You cannot configure Odyssey Client for wireless connections unless you have a wireless adapter. You must configure wired adapters from the Wired 802.1X tab.

Removing an adapter from the list of adapters

To remove an adapter from the list of adapters in the Adapters panel, select the adapter you want to remove and click Remove. When you remove an adapter, Odyssey Client stops using it. The adapter is still installed on your system, but operates as if Odyssey Client is not present.

Settings menu

The following menu items are available from the Settings menu:

- Preferences
- Security Settings
- Windows Logon Settings
- Enable/Disable Odyssey
- Close

Preferences

You can change some operational preferences for Odyssey Client by selecting the Preferences command. Odyssey Preferences appears.

Set your preferences, and click OK to make them effective:

- If you select Hide tray icon, then the Odyssey icon is not displayed on the System Tray (at the bottom right of your screen).
- If you select Hide control panel icon, then the Odyssey icon is not displayed on the Windows Control Panel.
- If you select Disable splash screen, then the Odyssey Client splash screen is not displayed when you initiate the Odyssey Client service.

NOTE: If you have the Windows Control Panel open when you select Hide control panel icon and click OK, then refresh your control panel (press F5) to see the effects. In some cases, you may only see the effect after rebooting.

Security Settings

To configure advanced security options related to authentication, select Security Settings. Security Settings appears.

There are two sets of security settings you can configure:

- General
- EAP-FAST

General

The security options on the General tab are initially set to default values that should suit most purposes. You can restore the defaults at any time by clicking Reset Defaults. You can configure time (up to three decimal places) in hours. For example, to specify one hour and fifteen minutes, enter 1.25.

You have three options:

- Enable session resumption. When you choose this option, you can specify the maximum length of a session before it expires.
- Enable automatic reauthentication. When you choose this option, you can specify the reauthentication period.
- Enable server temporary trust. When you choose this option, you can specify the maximum length of a session with a temporarily trusted server.

Session resumption

You can enable the use of session resumption from Security Settings. See “Session resumption” on page 21 for more information on session resumption. To enable session resumption, do the following:

- Check Enable session resumption.
- Set Do not resume sessions older than to the maximum number of hours that an initial authentication can be used to accelerate reauthentication. Once the time limit has elapsed, a completely fresh authentication is performed on your next reauthentication. The number of hours can have up to three decimal places. For example, enter 1.25 to indicate one hour and fifteen minutes, or 0.001 for about three seconds. This latter value is the smallest value you can enter.

By default, session resumption is enabled, and an initial authentication is resumed for up to 12 hours. To disable this feature, uncheck Enable session resumption.

Automatic reauthentication

You can enable or disable the automatic reauthentication feature of Odyssey Client. For information about why you might want to reauthenticate, see “Reauthentication” on page 21.

Check Enable automatic reauthentication in Security Settings, in order to cause Odyssey Client to periodically initiate reauthentication with the server. Next to Reauthenticate every, type the time period (in hours) for reauthentication to take place automatically. You can use up to three decimal places to indicate the number of hours. For example, enter 1.25 to indicate one hour and fifteen minutes, or 0.001 for about three seconds. This latter value is the smallest value you can enter.

Uncheck Enable automatic reauthentication in Security Settings in order to disable this feature. By default, automatic reauthentication is not enabled. This is because your network administrator may have already configured your access points or authentication server to perform periodic reauthentication. Check with your network administrator for the proper settings for this option.

Server temporary trust

Under normal circumstances you can use the Trusted Servers panel to configure the servers you trust for authentication. However, there may be times when you authenticate to a network whose authentication server is not yet configured as trusted in the Trusted Servers panel. In this case, you may want the ability to enable temporary trust for that untrusted server.

Check Enable server temporary trust from Security Settings in order to enable temporary trust. Uncheck this field to disable this feature. Notice the following about this feature:

- If temporary trust is enabled, you are given the following options:
  - Whether or not to temporarily trust an untrusted server when you attempt to authenticate to it. See “Untrusted servers” on page 70.
  - Whether or not to permanently add the server to your trust tree. Consequently, the temporary trust feature serves as an alternative to configuring trusted servers through the Trusted Servers panel.
- If temporary trust is not enabled, then any authentication attempt that requires the validation of a server certificate fails when the server is not explicitly trusted.

Set Maximum time for temporary trust to the maximum number of hours you want Odyssey Client to continue to trust a server once you accept it.

The default behavior for Odyssey Client is that temporary trust is enabled. The maximum time that a particular server is (temporarily) trusted once you accept it is 12 hours.

NOTE: These settings do not apply to servers you choose to permanently trust by checking Add this trusted server to the database when you are prompted for temporary trust. See “Untrusted servers” on page 70.


EAP-FAST

When you use EAP-FAST authentication, you can select options that determine when you are re-prompted for credentials:

- Check Prompt before acquiring credentials from a new server in order to be prompted for new credentials when you authenticate with a new server.
- Check Prompt before replacing credentials from a known server when your existing credentials have failed in order to be prompted for new credentials when a previous authentication attempt fails.

By default, the EAP-FAST options are initially checked. You can restore the defaults at any time by clicking Reset Defaults.

Windows Logon Settings

Your default network connection settings are either of the following:

- Factory-default network connection settings, which result in establishing a network connection after your desktop appears
- Default network connection settings that have been set by your system administrator

There may be some circumstances for which you want to override the default network connection settings. For example, if you can logon to your domain using cached credentials and your administrator has configured your network connection to occur prior to Windows logon time, you can change your connection timing so that you connect to the network after your desktop appears.

You can modify your network connection timing by selecting the Windows Logon Settings item from the Settings menu. The following dialog opens when you select Windows Logon Settings.

Some of the Windows logon features may not be available to you, depending on how your administrator has set up your installation.

To override the default network connection settings for your client machine, check Override default settings for Windows logon.

To modify the default timing for network connections through Odyssey Client, select one of the following Windows logon timing options:

- After my desktop appears, for establishing your network connection after your Windows startup, Windows logon, and desktop processes are completed. This is the latest possible time you can make a network connection.
- After Windows logon, before my desktop appears, for establishing your network connection after your Windows startup and Windows logon processes are completed, but before your desktop processes take place.
- Prior to Windows logon, for establishing your network connection prior to Windows logon.

Select one of the timing options that is available to you. If you select Prior to Windows logon, then perform the following required tasks and options:

- Select the adapter and network (or profile, in the case of a wired connection) from the lists provided. Note the following:
  - You must associate a profile with any network you configure. Do not fill in the user login name for this profile, but make sure it has Use Windows password selected. Odyssey Client uses your Windows logon credentials.
  - You must check Validate server certificate on the Authentication tab of the Profile Properties on the associated profile.
  - You also cannot assign to the network connection a profile that uses a stored password. See “Restrictions on early network connections” on page 113 for more information.
  - If you assign your selected network to encrypt your data using WEP, you must check Keys will be generated automatically for data privacy on that network description.
- You can optionally request that a pre-connection prompt dialog appear prior to making the network connection at logon time every time you log on to Windows. To do so, check Prompt before connecting to the network. This can be useful if you experience network authentication problems, as it gives you the option to opt out of connecting to the network at logon time.
  - If you or your administrator have omitted any required configuration elements, you are prompted at logon via the pre-connection prompt dialog to configure part or all of the network connection through a wizard. See “Windows logon pre-connection wizard” on page 84 for more information on the pre-connection prompt dialog and the wizard.
  - See “Avoiding the pre-connection prompt dialog” on page 83 for information on how to suppress the appearance of the pre-connection prompt dialog.

If you select either prior to desktop connection option, you can defer such connections under certain circumstances. To do so, check Wait until my desktop appears before using Odyssey to connect to the network. You have two choices for the conditions under which your after desktop connection takes place:

- To make an after desktop connection whenever you are connected to your network through a wired adapter, select any wired adapter is already connected. You can use this option even if your wired adapter is not connected to an 802.1X hub or switch.
- To make an after desktop connection whenever you are connected to your network through one or more selected adapters, select one of the following adapters is already connected. This option applies to any adapter listed on Windows Logon Settings.
  - To edit this list of adapters, click Edit. Select Adapters appears.
  - Check any adapters that you want to use for an after desktop network connection, and click OK to close Select Adapters.
  - Note that if you have a VPN client installed, its virtual adapter appears here. Do not select your VPN client adapter in this case.

Click OK to close Windows Logon Settings.


Odyssey Client pre-connection prompt dialog

Odyssey Client may give you some options for settings to use at Windows logon through the main pre-connection prompt dialog.

This dialog appears under the following circumstances:

- You or your administrator have configured this dialog to appear each time you attempt a network connection when you logon to Windows. See “Windows Logon Settings” on page 78.
- Your default Windows logon network configuration is not complete.

If your network connection configuration is complete, you have three options for connection settings:

- Use the settings (your personal settings) you have previously specified in the Odyssey Client Manager.
- Use the default prior to Windows logon connection settings configured for your machine by your network administrator.
- Use new settings that you can specify using the Windows logon pre-connection wizard.

Specify your preferences and click Continue. You can also opt to cancel the network connection by clicking Cancel logon.


Note the following:

- In the event that your network connection is incomplete, the first two settings are disabled.
- If you want to connect to the network after logon, or if you are having any problems connecting to the network, uncheck Use Odyssey to connect to the network.
- Odyssey Client does not remember the network choices you enter in the pre-connection prompt dialog. Should you have an incomplete network configuration, you are presented with the pre-connection prompt dialog each time you logon, until you correct any problems. In order to correct any problems and/or not see this screen every time you logon, follow the instructions in Avoiding the pre-connection prompt dialog.

Avoiding the pre-connection prompt dialog

The Odyssey Client pre-connection prompt dialog occurs for one of two reasons:

- You or your administrator have set Odyssey Client to prompt you with this dialog each time you attempt a network connection when you logon to Windows. See “Windows Logon Settings” on page 78.
- Your prior to Windows logon network configuration is not complete.

In either case, you are prompted to interact with Odyssey Client each time you logon to Windows. To avoid future prompts at pre-connection time:

1. Correct network connection problems, as necessary.
2. Suppress the appearance of the pre-connection prompt.

Correct network connection problems

Once you are logged on and connected, you can correct any network connection problems that have occurred. To do so, follow these steps in the Odyssey Client Manager:

1. Specify a profile, network (required for wireless adapters), and adapter for your network connection at Windows logon time.
2. Test the connection by connecting through the Connection panel.

Suppress the appearance of the pre-connection prompt

To keep the pre-connection prompt dialog from appearing every time you logon, follow these steps in the Odyssey Client Manager:

1. In Settings > Windows Logon Settings, check Override default settings for Windows logon, select the network (or profile) and adapter you want for this connection, and uncheck Prompt before connecting to the network. Note that any network configuration you assign using the Windows logon pre-connection wizard may include network and profile records stored in the Odyssey Client Manager with the name Windows logon attached to their labels. If so, you can use these to configure your network connection in Windows Logon Settings.
2. Click OK.

Windows logon pre-connection wizard

It is possible that your configuration is incomplete for Odyssey Client to log you into the network before Windows logon takes place. In this case, once you select to configure your network connection through the Windows logon pre-connection wizard (via the pre-connection dialog), you are prompted with a series of dialogs that request you to specify the following information:

- Adapter for Windows logon
- Network for Windows logon
- Authentication protocols for Windows logon
- User name and password options for Windows logon

Adapter for Windows logon

If you have to configure an adapter for Windows logon the following appears.

1. Select an adapter type. Select wireless for a wireless adapter, and wired 802.1X for a wired adapter connection.
2. Select an adapter from the list, and click Next.

Network for Windows logon

If you have to configure a network for Windows logon the following appears.

Type in the network name or click Scan to scan for an available configured network. Select the association and encryption methods that are appropriate for your selected access point (SSID). Note that you cannot use any auto-scan lists for this selection.


Authentication protocols for Windows logon

If you have to configure authentication protocols for Windows logon the following appears.

Select the authentication protocol from the list. If you specify EAP-TTLS as the authentication protocol, specify the required EAP-TTLS settings as well. Note that EAP-TLS is not available prior to Windows logon.

User name and password options for Windows logon

If you have to configure your user name and password settings for Windows logon the following appears.

Type your user name (in the correct format, usually domain\user name) in the box, and select your password setting:

- Select Use Windows password to use your regular Windows logon password for logging into the network.
- Select Prompt for password if you want to be prompted to type in your required password at login time.
- Select Use the following password to type in a password that is not your Windows password. Note that this password is not stored for future use.

SIM Card Manager

If you have a SIM card for use with Odyssey Client that is inserted in your client device, you can manage the PIN on your SIM card hardware when you select Settings > SIM Card Manager.

To disable the PIN for your SIM card, click Disable PIN. Disable PIN appears.

Enter your PIN and click OK.

To change the PIN for your SIM card, click Change PIN. Change PIN appears.

Follow the directions for each text field, and click OK.

If your card becomes blocked, you can unblock it. To do so, click Unblock Card, and follow the instructions on the Unblock Card dialog that appears.

Click Close to close SIM Card Manager.

Odyssey Client Administrator

Administrators can launch the Odyssey Client Administrator from the Settings menu. You can use Odyssey Client Administrator for the following:

- Configure settings for new users.
- Create a customized new installer file for a set of users.
- Apply locking and constraints to some or most features.
- Create a customized user settings update file for your users.
- Create scripts to update some user features.

See “Odyssey Client Administration” on page 101 for more information.

Enable/Disable Odyssey

Select Enable Odyssey or Disable Odyssey to turn Odyssey Client on or off.

Odyssey Client is initially enabled, and normally you should not need to disable it. If you choose to disable Odyssey Client, you are no longer able to use Odyssey Client for network connections until you enable it again.

You may want to disable Odyssey Client if you have concerns about your current Odyssey configuration. For example, if you are worried that Odyssey Client is in an insecure state, you can use this feature to take yourself off the network until you get a chance to inspect your settings.

You can also enable or disable Odyssey Client from the pop-up menu that appears when you right-click the Odyssey icon in the System Tray.

NOTE: To stop Odyssey Client from running entirely, select the Exit command when you right-click the Odyssey icon in the System Tray.

Close

Select Close to close the Odyssey Client Manager window. Although the user interface is no longer visible, Odyssey Client continues to perform its networking operations normally.

You can restart Odyssey Client Manager at any time in any of the following ways:

- From the System Tray: Double-click the Odyssey icon, or right-click it and choose Odyssey Client Manager.
- From Control Panel: Double-click the Odyssey Client Manager icon.
- From the Windows taskbar: Select Start > Programs > Funk Software > Odyssey Client > Odyssey Client Manager.

NOTE: To stop Odyssey Client from running entirely, you select the Exit command when you right-click the Odyssey icon in the System Tray.

Commands Menu

The following commands are available from the Commands menu:

- Forget Password
- Forget Temporary Trust
- Check New Scripts
- Run Script
- Survey Airwaves

Forget Password

When you first authenticate using a profile set to prompt for password, you are asked to type in your password. Odyssey Client remembers the password you enter, and uses it for all subsequent authentications using that profile without prompting you again.

Normally, Odyssey Client does not forget the password you type in until you reboot your PC, or restart Odyssey Client. If you want Odyssey Client to immediately discard any passwords you type in, select Forget Password. When your password is needed again, you are prompted to enter it.

You might need to use this command if you enter your password incorrectly or if your password has been changed on the authentication server.

Forget Temporary Trust

If you enable temporary trust from Settings > Security Settings, then whenever you encounter an untrusted authentication server, a dialog pops up, allowing you to trust that server temporarily. Odyssey Client remembers to trust that server for as long a period of time as is configured in Security Settings. See “Untrusted servers” on page 70.

If you want Odyssey Client to immediately discard its list of temporarily trusted servers, select Forget Temporary Trust. You might need to use this command if you accept a server as temporarily trusted and then decide to break your connection with it. If you want to be sure the connection is broken immediately, you should disable session resumption and then click Reconnect on the Connection panel. See “Session resumption” on page 76.
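The way temporary trust, its expiry, Forget Temporary Trust and session resumption interact can be modelled in a few lines, which also shows why the guide advises disabling session resumption before reconnecting. This is an added illustration, not Funk Software code: the ClientModel class, its method names and the sample server name are hypothetical, and it assumes (as with TLS session resumption in general) that a resumed session does not re-check server trust.

```python
from dataclasses import dataclass, field

HOUR = 3600.0  # seconds


@dataclass
class ClientModel:
    """Toy model of the Security Settings described in the guide (hypothetical)."""
    temp_trust_enabled: bool = True      # guide: temporary trust is enabled by default
    temp_trust_max_hours: float = 12.0   # guide: default maximum trust time is 12 hours
    resumption_enabled: bool = True      # guide: session resumption is enabled by default
    resumption_max_hours: float = 12.0   # guide: resumed for up to 12 hours
    permanent: set = field(default_factory=set)    # trusted servers database
    temporary: dict = field(default_factory=dict)  # server -> trust expiry (seconds)
    sessions: dict = field(default_factory=dict)   # server -> time of last full auth

    def _trusted(self, server, now):
        if server in self.permanent:
            return True
        expiry = self.temporary.get(server)
        if expiry is not None and now < expiry:
            return True
        self.temporary.pop(server, None)  # drop an expired entry, if any
        return False

    def authenticate(self, server, now, accept_prompt=False, add_to_database=False):
        """Return 'resumed', 'full' or 'failed' for one authentication attempt."""
        started = self.sessions.get(server)
        if (self.resumption_enabled and started is not None
                and now - started <= self.resumption_max_hours * HOUR):
            # Assumption: a resumed session skips the server trust check.
            return "resumed"
        if not self._trusted(server, now):
            # Without temporary trust, an untrusted server always fails.
            if not (self.temp_trust_enabled and accept_prompt):
                return "failed"
            if add_to_database:
                self.permanent.add(server)  # not subject to the time limit
            else:
                self.temporary[server] = now + self.temp_trust_max_hours * HOUR
        self.sessions[server] = now
        return "full"

    def forget_temporary_trust(self):
        """Commands > Forget Temporary Trust: discard the temporary list only."""
        self.temporary.clear()

    def reconnect_without_resumption(self, server, now):
        """The guide's advice: disable session resumption, then Reconnect."""
        self.resumption_enabled = False
        self.sessions.pop(server, None)
        return self.authenticate(server, now)


def demo():
    client = ClientModel()
    server = "radius.example.test"  # constructed sample name
    results = []
    # Untrusted server, user declines the prompt.
    results.append(client.authenticate(server, now=0))
    # User accepts temporary trust: full authentication succeeds.
    results.append(client.authenticate(server, now=0, accept_prompt=True))
    # Trust is forgotten, but the cached session still resumes an hour later.
    client.forget_temporary_trust()
    results.append(client.authenticate(server, now=1 * HOUR))
    # Only after resumption is disabled does the server fail validation again.
    results.append(client.reconnect_without_resumption(server, now=1 * HOUR))
    return results


if __name__ == "__main__":
    print(demo())
```
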

Check New Scripts

Your administrator may provide you with one or more scripts that update your Odyssey Client configuration. See “Script Composer” on page 132 for directions on how to compose scripts. See “Scripts for incremental updates of user configurations” on page 148 for information on delivering scripts.

The opportunity to process updated scripts is presented to you automatically when New Odyssey Client Scripts appears. You can also access New Odyssey Client Scripts from Commands > Check New Scripts.

New Odyssey Client Scripts contains a list of new configuration scripts. You can process any script in the list by selecting it. You can only address one script at a time. For each script that you select in the list, you have two processing options:

- Click Run, in order to run the script and update your Odyssey Client configuration.
- Click Delete, in order to delete the script.

Before you can execute a run or delete command, you must first click Yes in the processing option verification dialog that opens.


If there are any new scripts that you do not want to process at this time, you can do one or both of the following:

- You can set a reminder to process script(s) in the future by selecting a number of days, after which New Odyssey Client Scripts reappears. You can select the reminder period in Remind me again after (days). Note that this reminder snooze period is interrupted if your administrator offers you a new script in the interim.
- You can save one or more unprocessed scripts to your hard drive. After you save them, you can process them immediately in New Odyssey Client Scripts. You can also process these scripts at a later time, one at a time, using Commands > Run Script, or through New Odyssey Client Scripts from Commands > Check New Scripts. To save one or more scripts, follow these steps:
  a. Select one of the scripts you intend to save.
  b. Click Save, in order to save the script to your hard drive so that you can run it at some time in the future. Note that you cannot click Save after you click Run or Delete. When you click Save, you can choose a directory in which to save your configuration script.
  c. Repeat until you have saved all the scripts that you want to save.

Run Script

You can use Commands > Run Script to run any scripts that you have saved to your hard drive when presented with Check New Scripts. When you select this command, you can browse to the directory in which you have saved any scripts, and select a script to run.

Survey Airwaves

You can use the airwaves survey tool from Commands > Survey Airwaves to view information about the access point and peer-to-peer networks in your vicinity, including those that do not broadcast an SSID.

Airwaves Survey displays information about access point networks from the Access Point Networks tab, and peer-to-peer networks from the Peer-to-Peer Networks tab.

You can sort the displayed data according to any of the listed network characteristics by selecting the column heading for the network characteristic by which you want to sort the data. For example, to sort by SSID, select the SSID column heading.

To refresh your airwaves survey, click Refresh.

To view details about any selected network on Airwaves Survey, click Details. BSSID Information appears.

Click Close to close BSSID Information.

Update

From time to time, you may see a pop-up that indicates you should update your Odyssey Client configuration. In addition, your network administrator may inform you that you can update your configuration. To update your Odyssey Client configuration, follow these steps:

1. Select Settings > Update.
2. Select the configuration file in the default directory, or browse to the directory provided to you by your system administrator.

Web menu

The Web menu provides several web links. These include the following:

- Odyssey User Page
- Funk Software Home Page
- Register Odyssey Client
- Purchase Odyssey Client

Odyssey User Page

Select Odyssey User Page to open your browser to a page devoted to Odyssey users. You can find technical notes that can help you get the most out of Odyssey, as well as product news and information about new versions at this web site.

Funk Software Home Page

Select Funk Software Home Page to open our home page in your browser. Here you can find more information about Funk Software, Inc. and our products.

Register Odyssey Client

Select Register Odyssey Client to register your Odyssey Client online. Once you register your software, you are automatically notified about product upgrades and special offers. Additionally, should you need to call our technical support hotline, we can expedite your call if we have your registration on file.

Purchase Odyssey Client

Select Purchase Odyssey Client in order to purchase the product.

Help Menu

The Help menu has the following items:

- Help topics
- License keys
- View Readme File
- About

Help topics

Select Help Topics to bring up the Odyssey Client help system. You can also get context-sensitive help at any time by pressing F1. The help system appears opened at the section that best explains your current situation.

License keys

Select License Keys from the Help menu, to manage your Odyssey Client license keys.

A license key is a text sequence that represents your license to use Odyssey Client. Under most circumstances, you set a license key when you first install Odyssey Client. However, you may need to install additional license keys in the future. For example, you must use an additional license key when you upgrade to a new version, or when you want to enable special features.

In this example, no license key is visible. Click Add, to add a new license key. Type a valid license string in Add License Key when it appears, and click OK.

To remove a license, select it, and click Remove.

NOTE: On Windows 2000 or XP you must have administrative rights in order to add or remove licenses. If you do not have such rights, you are able to view the license keys, but not to add or delete them. You must contact your system administrator to do so.

Upgrade licenses

If you are upgrading Odyssey Client from a previous version, you must have at least two license keys listed when you select Help > License Keys:

- An upgrade license key
- An original product license key that is valid for the previous version

View Readme File

Select View Readme File to open the file readme.txt. This file has important information about Odyssey Client.

About

Select About to view product and copyright information.

Tray icon menu commands

If you right-click on the Odyssey icon in the System Tray, the following menu items appear:

- Odyssey Client Manager
- Enable Odyssey or Disable Odyssey
- Help commands
- Exit

Odyssey Client Manager

You can start Odyssey Client Manager (the user interface for Odyssey Client) by selecting the Odyssey Client Manager menu command from the System Tray right-click menu.

Enable Odyssey or Disable Odyssey

Select Enable Odyssey or Disable Odyssey to turn Odyssey Client on or off from the System Tray right-click menu. See “Enable/Disable Odyssey” on page 88 for more information on this feature.

Help commands

One of the options on the menu that appears when you right-click on the Odyssey icon in the System Tray is Help. There are two further options: Help Topics and About. If you select Help Topics, the Help system appears in a window opened to the table of contents. If you select About, product version and copyright information are displayed.

Exit

If you select the Exit command from the System Tray right-click menu, you are offered a prompt.

When you click Yes, Odyssey Client immediately stops running in the background. You may want to use this option when you are not using wireless networking for an extended period. You can restart Odyssey Client by running Odyssey Client Manager from the Start menu.

Other Odyssey Client features

In addition to panels and menu items, you may interact with Odyssey Client in the following ways:

- Shortcut keys
- Using Odyssey Client with some features disabled

Shortcut keys

In addition to using your mouse to access buttons, tabs, and panels on Odyssey Client Manager, you can also use your keyboard to access all of the Odyssey Client features.

Most keyboard shortcuts are indicated by letters that are underlined in the Odyssey Client Manager. To use the keyboard shortcuts for these features, press Alt and then the letter. For example, to scan for a network from the connection panel, you can press Alt-n.

To move between the panels of the Odyssey Client Manager, use the up and down arrows on your keyboard. You can also use the keyboard arrows to move through radio button (mutually exclusive) selections.

You can use the following keyboard shortcuts in order to select the graphical information buttons on the connection panel:

- Alt-1, to display the signal power information
- Alt-2, to display the connection status information
- Alt-3, to display the encryption key information

You can also press Alt in conjunction with the appropriate arrow key on your keyboard, in order to implement the corresponding arrow button features, such as those in Auto-Scan Lists.

Using Odyssey Client with some features disabled

It is possible that your administrator has restricted your use of certain Odyssey Client features. For example, you may not be able to configure a profile that uses certain protocols. When this is the case, you are apprised of this fact with an error message, such as the one in the following example.

In all cases, you must adhere to your administrator’s rules when you configure Odyssey Client features.

Interaction with other adapter software

Your wireless adapter may provide its own user interface software to help you control its operation. This other software may allow you to operate non-standard features of your wireless adapter to which Odyssey Client Manager has no access.

In most cases, Odyssey Client Manager and the user interface that comes with your wireless adapter can coexist without problems, but you should avoid using both products for similar purposes. If you use Odyssey Client for network communications, only use the software supplied with your adapter to operate those features that cannot be controlled by Odyssey Client Manager.

Chapter 5 Odyssey Client Administration

Overview of Odyssey Client Administration

Odyssey Client provides a set of special tools for performing administrative tasks for managing users of the product. These advanced tools are only available if you have administrative privileges. You can only run these tools on a Windows 2000 or Windows XP device. The administrative tasks that you can perform include the following:

- Create a custom new installer file with preconfigured settings for a group of users of any platform. See “Custom Installer” on page 128.
- Configure settings update files in order to update user configurations for a large group of users. You can easily specify feature-locking, and other constraints through these updates. See “Configuration updates for mass-distribution to your users” on page 148.
- Create custom configuration scripts to distribute to your current users of Odyssey Client. See “Scripts for incremental updates of user configurations” on page 148.
- Configure the timing for user or machine connections. See “Connection Settings” on page 104.
- Configure the initial settings for all users of a given client machine. See “Initial Settings” on page 114.
- Specify how to lock or merge features of your Initial Settings configuration for administrative updates, new installer files, and for your computer. See “Merge Rules” on page 123.
- Specify custom user restrictions for administrative updates (and for your computer). These restrictions apply to Odyssey Client configuration features. See “Permissions Editor” on page 121.
- Configure machine account settings when you require a machine network connection at Windows startup. See “Connection Settings” on page 104.
- Manually provision PACs for use with EAP-FAST. See “PAC Manager” on page 142.
- Enable or disable Odyssey Client plug-ins. See “Sample administrative workflows” on page 143.

NOTE: You can use the Odyssey Client Administrator to configure these features for the machine on which you have installed Odyssey Client, or you can apply your Odyssey Client Administrator settings when you create an installer type file that you can distribute to a group of users. Only the Script Composer uses your Odyssey Client Manager configurations.

See also the following topics for some connection scenarios:

- “Machine only connection” on page 145
- “Machine connection followed by user authentication” on page 146
- “User authentication without machine connection” on page 147

NOTE: Before using the administrator tools in Odyssey Client Administrator, you should be completely familiar with the Odyssey Client Manager features. See “Using Odyssey Client Manager” on page 23.

Odyssey Client Administrator

To launch the Odyssey Client Administrator, select Settings > Odyssey Client Administrator, from the Odyssey Client Manager. You can also double-click the odClientAdministrator.exe application located in the directory in which you have installed the Odyssey Client product.

You can operate the following advanced administrative tools from the Odyssey Client Administrator by double-clicking a selected tool:

- Connection Settings for configuring one or more of the following types of network connection timings:
  - Connection to the network as a machine (machine connection) at Windows startup time
  - Connection to the network with user credentials prior to Windows logon
  - Connection to the network with user credentials after Windows logon, but before the desktop appears
  - Connection to the network with user credentials after the desktop appears
- Initial Settings, for one or more of the following:
  - Modifying initial settings for all users of this machine
  - Creating the user configuration data (network and profile) to be used with user authentication that takes place prior to Windows logon
  - Creating and testing a template of preconfigured settings before creating a new custom installer file
  - Creating and testing a template for updating your user configurations for mass-distribution
- Machine Account, for configuring a machine network connection
- Permissions Editor, for applying customized feature by feature restrictions on your user’s ability to modify Odyssey Client configurations
- Merge Rules, for setting the rules used in creating a settings update file or a new custom installer file. You can also assign rules that modify current configurations, or that prevent your users from editing their configuration entirely.
- Custom Installer, for creating a preconfigured installer file from the initial user and/or machine settings that you configure using the above-listed Odyssey Client Administrator tools
- Script Composer, for creating configuration scripts that you can use to define or update your users’ Odyssey Client configurations
- PAC Manager, for manually importing Protected Access Credentials (PACs) for use with EAP-FAST.

You may have occasion to use all, or some of these tools, depending on what you are trying to do.

For some use cases for Odyssey Client Administrator, see “Sample administrative workflows” on page 143.

Connection Settings

Double-click Connection Settings in the Odyssey Client Administrator to open the Connection Settings tool.

You can use the Connection Settings tool to set the following connection options:

- User Account, for configuring the default timing of user logon connections. User connections prior to Windows logon also require that you install GINA from the GINA tab.
- Machine Account, for configuring network connection options for network authentication with machine credentials at Windows startup time. The settings you choose may override default user account settings, or they may require that you modify user account settings.
- GINA, for installing or removing the ability for users to connect to the network before Windows logon.

Click OK when you are done configuring Connection Settings. See Network connection scenarios for more information on the possible connection configurations.

Network connection scenarios

You can configure one of seven different network connection configurations:

- A machine only network connection, during which only machine credentials are authenticated
- A machine connection to the network at Windows startup time, with subsequent authentication of user credentials prior to when the user logs on
- A machine connection to the network at Windows startup time, with subsequent authentication of user credentials after the user logs on, but before the user’s desktop appears
- A machine connection to the network at Windows startup time, with subsequent authentication of user credentials after the user’s desktop appears
- A connection to the network with user credentials when they log on to Windows
- A connection to the network with user credentials after they log on to Windows, but before the user’s desktop appears
- A connection to the network with user credentials after the user’s desktop appears

Of these choices, only the last one is available for Windows 98 and Me machines. Note that some of these features are enabled or disabled according to the other features you select. See “Restrictions on early network connections” on page 113 for more information.

For more information on configuring the various network connection scenarios, as well as information about why you might select one scenario over another, see the following topics:

- “Machine only connection” on page 145
- “Machine connection followed by user authentication” on page 146
- “User authentication without machine connection” on page 147

User Account

You have several options to configure the default settings for the timing of network authentication that relies on user credentials. You can configure such connections to occur prior to or after Windows logon time from the User Account tab on Connection Settings.

Three options are available for configuring the timing of a user account connection with respect to the Windows logon time. These options are listed under Use Odyssey to connect to the network. They are listed in order from the latest time at which a network connection is established to the earliest time at which a network connection is established through Windows logon:

- After the user’s desktop appears: Choose this option if you do not require the user to establish a network connection before the desktop appears.
- After Windows logon, before the desktop appears: Choose this option if you require the user to establish a network connection before the desktop appears, but you do not require them to establish the network connection before the Windows logon process is complete.
- Prior to Windows logon, using the following settings: Choose this option if you require the user to establish a network connection prior to establishing Windows logon.

NOTE: The Prior to Windows logon option is available only after you click Install Odyssey GINA module in the GINA section of Connection Settings.

The success of your connection may depend on the timing you select. It is safest for you to choose to establish the network connection after the desktop appears. However, if you require that the user connects to the network before the desktop appears, select an earlier connection time. This may be necessary, for example, if you run startup scripts from the network.

NOTE: If you want to install Windows logon features when creating a custom installer template, follow the guidelines in “Configuring prior to Windows logon connections” on page 116.

For information on compatibility when using the Windows logon features with other applications that initiate at logon time, see “Compatibility with other applications running at logon” on page 112.

Prior to Windows logon notes

If you select Prior to Windows logon, then perform the following tasks and options:

- Select the adapter and network (or auto-scan list, or profile, in the case of a wired 802.1X connection) from the lists provided. You must first configure these using Initial Settings. See also “Configuring prior to Windows logon connections” on page 116. The profile you select must be password-based, and must have Use Windows password selected.
- You can optionally require a prompt screen to appear prior to making the network connection at logon time every time your users log on to Windows, by checking Prompt before connecting to the network.
- Do not assign a network, auto-scan list, or profile connection for which you have selected EAP-TLS as the authentication method.
- You have the (recommended) option to override Prior to Windows logon connections whenever your users can connect with a wired network adapter. To do so, check Wait until the user’s desktop appears before using Odyssey to connect to the network, and select Any wired adapter is already connected. When you do so, Odyssey Client connections are deferred until after the desktop appears. See Prior to desktop notes for more options.

Prior to desktop notes

If you select either prior to desktop connection option, you can defer such connections under certain circumstances. To do so, check Wait until the user’s desktop appears before using Odyssey to connect to the network. You have two choices for the conditions under which the after desktop connection takes place:

- To make an after desktop connection whenever users of this machine are connected to your network through a wired adapter, select Any wired adapter is already connected. This option applies even if the wired adapter is not connected to an 802.1X hub or switch.
- To make an after desktop connection whenever users are connected to your network through one or more specified adapters, select One of the following adapters is already connected. This option applies to any adapter listed. To edit this list of adapters, click Edit. Select Adapters appears.
  - Check any adapters that you want to use for after Windows logon network connections. Do not select any virtual adapters that appear as a result of any VPN clients installed.
  - Click OK to close Select Adapters.
  - The selected adapters appear on the User Account tab of Connection Settings.

Machine Account

You can connect to the network at machine startup time using a set of machine (rather than user) credentials by checking Enable network connection using machine account from the Machine Account tab on Connection Settings.

You can configure these machine credentials in the Connection Settings tool. Once you check Enable network connection using machine account, you have two mutually exclusive options:

- To sustain your network connection as machine only, select Leave the machine connection active; users are connected via the machine connection. With this option, users have little control of their network connection when they open the Odyssey Client Manager. They can view status information and reconnect or reauthenticate to the network.
- To drop the machine connection and automatically establish a network connection with your user’s own Windows credentials at or after logon time, select Drop the machine connection; users must connect with their own credentials. With this option, you can account for individual users of the network. Additionally, once connected, each user can modify his or her user account connection settings using the Odyssey Client Manager. If you select this option, then set the timing for the user connection in User Account. The three timing options you can select are as follows:
  - After the user’s desktop appears
  - After Windows logon, before the desktop appears
  - Prior to Windows logon

You can configure your connection settings according to your selections:

- Double-click Connection Settings in the Odyssey Client Administrator, and configure the machine network connection.
- If you opt for users to connect with their own credentials after the machine connection is established, double-click Initial Settings in the Odyssey Client Administrator to configure new user account settings.

See “Restrictions on early network connections” on page 113 for a listing of features unavailable when you configure a machine account connection.

GINA

You can use Odyssey’s GINA module to allow users of Windows XP or 2000 to connect to the network using their Windows logon credentials prior to Windows logon. Connecting prior to Windows logon can be helpful when users have startup processes that require network connections. You cannot use this connection feature without installing Odyssey’s GINA module.

NOTE: If you want to use a non-Microsoft GINA-type logon module with Odyssey Client, then you must install it before you install the Odyssey Client GINA module.

Installing Odyssey’s GINA module

You can enable Odyssey’s GINA module features through the GINA tab on Connection Settings.

To install the GINA module, click Install Odyssey GINA module. Once you do, you can configure prior to Windows logon connections under User Account.

NOTE: The GINA module installation is fully completed when you next reboot the machine.

Removing Odyssey’s GINA module

To remove Odyssey’s GINA module when it is installed, click Remove Odyssey GINA module.

The GINA module removal is completed when you next reboot the machine.

Compatibility with other applications running at logon

The Odyssey GINA module works by hooking into the Windows Graphical Identification and Authentication (GINA) module. This is the module that presents the Windows Logon dialog. Odyssey Client is compatible with a number of logon modules, preserving single sign-on behavior:

- You may be prompted for credentials by Odyssey Client for some applications that replace the Microsoft Windows logon screen.
- In the case of Novell® Client™ for Windows, Odyssey Client uses your Novell credentials at logon time without prompting for credential information.

NOTE: It is possible that you have one or more other applications running a similar GINA process at logon. In this case, install the Odyssey Client GINA module after you install any other applications that run prior to Windows logon, in order to ensure that both programs function correctly.

Restrictions on early network connections

There are no restrictions for user account network connections that occur after the desktop appears, but there may be restrictions on the features you can use when you select particular network connection timing options in Connection Settings. The following table summarizes the restrictions. A Yes in a column implies the feature is valid for that connection setting, while No indicates that it is not.

| Feature | Machine account at Windows startup | User account prior to Windows logon | User account after logon, but before desktop |
|---|---|---|---|
| Ad-hoc | Yes | No | Yes |
| Preconfigured WEP keys | Yes | Only when configured from Initial Settings | Yes |
| Windows password | No | Yes | Yes |
| Machine password | Yes | No | No |
| Prompt for password | No | Yes | No |
| Prompt for PIN (with EAP-SIM or EAP-AKA) | No | No | No |
| Use the following password | Yes | No | Yes |
| EAP-TLS | Yes | No | Yes |
| EAP-TTLS/PAP/Token Card | No | Yes | No |
| EAP-GenericTokenCard | Only when configured not to prompt for token. See “Set tunneled generic token card credential options” on page 47, “Machine Account” on page 118, and “User Info” on page 37. | Yes | Only when configured not to prompt for token. See “Set tunneled generic token card credential options” on page 47 and “User Info” on page 37. |
| EAP-FAST | Only when configured not to prompt. See “Set tunneled generic token card credential options” on page 47, “Machine Account” on page 118, and “User Info” on page 37. | Yes | Only when configured not to prompt for token. See “Set tunneled generic token card credential options” on page 47 and “User Info” on page 37. |
| Unauthenticated network connections (networks without profiles) | Yes | Only when configured from Initial Settings | Yes |
| Pre-shared WPA or WPA2 passphrase to generate encryption keys | Yes | Only when configured from Initial Settings | Yes |
| Temporary trust | No | No | No |
| Uncheck Validate server certificate | Yes | No | Yes |

Note the following:

- You can configure all of the default user account network settings in Initial Settings. However, the restricted options are not disabled by default in Initial Settings, so make sure you configure the network connection properly.
- Features that only apply when you configure default Windows logon settings in Initial Settings are not available if your users override default Windows logon settings from the Settings > Windows Logon Settings menu in the Odyssey Client Manager.
- You can configure all of the machine account network settings in the Connection Settings tool. The restricted options are disabled for you in the Machine Account tool.
- The password, token, and PIN prompt restrictions apply to the listed protocols whenever they are in use (either as inner tunneled protocols or as outer authentication protocols).
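Because Initial Settings does not disable the restricted options, a planned profile can be checked against the table before it is deployed. The following is an added example, not part of the guide or of Odyssey Client: it transcribes the restrictions table and lints a profile description against a chosen connection timing. The settings dictionary layout and every key name in it are assumptions made for illustration.

```python
"""Lint a planned profile against the guide's early-connection restrictions table."""

# Column order follows the table in the guide.
TIMINGS = ("machine_startup", "user_prior_to_logon", "user_after_logon_before_desktop")

YES, NO = "yes", "no"
INITIAL_ONLY = "only when configured from Initial Settings"
NO_PROMPT_ONLY = "only when configured not to prompt"

# Feature -> table cell for each timing, transcribed from the guide.
RESTRICTIONS = {
    "ad_hoc":                     (YES, NO, YES),
    "preconfigured_wep_keys":     (YES, INITIAL_ONLY, YES),
    "windows_password":           (NO, YES, YES),
    "machine_password":           (YES, NO, NO),
    "prompt_for_password":        (NO, YES, NO),
    "prompt_for_pin":             (NO, NO, NO),
    "stored_password":            (YES, NO, YES),   # "Use the following password"
    "eap_tls":                    (YES, NO, YES),
    "eap_ttls_pap_token_card":    (NO, YES, NO),
    "eap_generic_token_card":     (NO_PROMPT_ONLY, YES, NO_PROMPT_ONLY),
    "eap_fast":                   (NO_PROMPT_ONLY, YES, NO_PROMPT_ONLY),
    "unauthenticated_network":    (YES, INITIAL_ONLY, YES),
    "wpa_preshared_passphrase":   (YES, INITIAL_ONLY, YES),
    "temporary_trust":            (NO, NO, NO),
    "server_cert_validation_off": (YES, NO, YES),   # "Uncheck Validate server certificate"
}


def features_in_use(settings):
    """Derive the table features a settings dict (hypothetical format) relies on."""
    used = set(settings.get("network_features", ()))
    if settings.get("credential"):
        used.add(settings["credential"])
    # The guide applies the restrictions to inner and outer protocols alike.
    used.update(settings.get("outer_methods", ()))
    used.update(settings.get("inner_methods", ()))
    if not settings.get("validate_server_certificate", True):
        used.add("server_cert_validation_off")
    if settings.get("temporary_trust", False):
        used.add("temporary_trust")
    return used


def lint(settings, timing, from_initial_settings=False):
    """Return (feature, reason) pairs for features the table restricts at this timing."""
    if timing == "user_after_desktop":
        return []  # the guide lists no restrictions after the desktop appears
    column = TIMINGS.index(timing)
    findings = []
    for feature in sorted(features_in_use(settings)):
        if feature not in RESTRICTIONS:
            continue  # not listed in the table, so no restriction is documented
        cell = RESTRICTIONS[feature][column]
        if cell == NO:
            findings.append((feature, "not valid for " + timing))
        elif cell == INITIAL_ONLY and not from_initial_settings:
            findings.append((feature, INITIAL_ONLY))
        elif cell == NO_PROMPT_ONLY and settings.get("prompts_user", True):
            findings.append((feature, NO_PROMPT_ONLY))
    return findings


# Constructed sample profiles (not taken from a real deployment).
WEAK_PRELOGON = {
    "credential": "stored_password",
    "outer_methods": ["eap_tls"],
    "validate_server_certificate": False,
}
FIXED_PRELOGON = {
    "credential": "windows_password",
    "outer_methods": ["eap_ttls"],
    "validate_server_certificate": True,
}
MACHINE_WITH_TOKEN = {
    "credential": "machine_password",
    "outer_methods": ["eap_peap"],
    "inner_methods": ["eap_generic_token_card"],
    "prompts_user": True,
}

if __name__ == "__main__":
    for name, profile, timing in (
        ("weak prelogon", WEAK_PRELOGON, "user_prior_to_logon"),
        ("fixed prelogon", FIXED_PRELOGON, "user_prior_to_logon"),
        ("machine + token", MACHINE_WITH_TOKEN, "machine_startup"),
    ):
        print(name, lint(profile, timing))
```
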

Initial Settings

You can use the Initial Settings tool for the following:

- Configure the initial user network connection settings for all new users of Odyssey on a given client machine.
- Configure the user configuration for network connections for a template for a custom installer or updated user configuration file.
- Configure any adapter, user profile, and network settings you require for connections that take place prior to Windows logon.
- The Initial Settings tool works in concert with the Merge Rules tool. Settings you configure here are also used when you configure rules (merge rules) for applying your configuration to your users’ machines. See “Merge Rules” on page 123 for more information. You can use Initial Settings to configure features before you apply any merge rules to them.

To access the Initial Settings tool, double-click Initial Settings in the Odyssey Client Administrator.

You can configure the following features in the same way that you configure these features in the Odyssey Client Manager. Configure the following initial user network settings:

- Wireless connection(s)
- Wired connection(s)
- Profiles
- Networks
- Auto-Scan lists
- Trusted servers: You must configure your trusted server certificate in your machine store of the configuration machine before you configure a trusted server in Initial Settings.
- Adapters: If you are configuring a template for a custom installer file, your users do not have to have exactly the same wireless or wired adapter as you have (the names and models can differ), as long as you install a similar type (wired or wireless) of equipment on their client machines.

See also the following topics:

- “Configuring prior to Windows logon connections” on page 116
- “Caution on overriding default Windows logon settings” on page 116
- “Test user connection settings” on page 131
- “Machine only connection” on page 145
- “Machine connection followed by user authentication” on page 146

Once you configure Initial Settings, all users who start up Odyssey for the first time on your client machine are presented with the default connection setup you have just configured. You can also use these settings to configure the following:

- A preconfigured installer
- An updated user configuration file
- Network settings for user connections that take place prior to Windows logon

Caution on overriding default Windows logon settings

The Settings > Windows Logon Settings menu in the Odyssey Client Manager gives users the option to override the default network connection timing. Do not check Override default settings for Windows logon in Initial Settings, or your users will, by default, have initial settings that override the settings you configure in GINA. If you do install Odyssey’s GINA module from Connection Settings, then your users have the ability to configure a network connection prior to Windows logon. If you do not install the GINA module, then your users have only the two post-logon connection options available to them through this menu on the Odyssey Client Manager.

Note that even though your users can override the default network connection settings that you configure, they cannot override configured trusted servers when they connect prior to logon time. The only way to change the trust you configure for a Windows logon connection on a given installation is for you (or someone with administrative privileges) to modify these settings in the Trusted Servers panel of Initial Settings.

Configuring prior to Windows logon connections

When installing Odyssey Client on Windows XP or 2000, you have the option to enable automatic network connections at the time the user logs on to the machine. This can be helpful when users have startup processes that require network connections. You can accomplish this using Odyssey Client’s Windows logon features.

There are some restrictions on the features you can use when you configure a network connection for user accounts prior to Windows logon time. See “Restrictions on early network connections” on page 113 for more information.

Note the following additional instructions for any user account connections you want to configure to occur prior to Windows logon:

- You must associate a profile and adapter (for wired connections) or a network (or auto-scan list) and adapter (for wireless connections) with a Windows logon configuration. The network configuration for Windows logon that you select from the drop-down lists in User Account in Connection Settings reflects the adapters, networks, auto-scan lists, and profiles you specify in Initial Settings.
- You are not required to associate a profile with any network you configure in Initial Settings when you are configuring user defaults for your machine or for a new custom installer file.
- If you configure a profile for your prior to Windows logon network connection that uses EAP-TTLS, EAP-TLS, or EAP-PEAP, the server certificate is validated automatically when a user authenticates prior to Windows logon. You are not required to check Validate server certificate on the Authentication tab of the Profile Properties on the associated profile in order for this validation to take place.
- When configuring the User Info tab in an Initial Settings profile for prior to Windows logon connections, leave the Login name field blank. Odyssey Client uses the user’s Windows logon name.
- You cannot assign a profile that uses a stored password. See “Restrictions on early network connections” on page 113 for more information.
- To install or remove Odyssey’s Windows logon features, follow the instructions in “GINA” on page 110.
- You must configure a trusted server in the Trusted Servers panel of Initial Settings. The trust you configure must include a certificate authority in the signing chain of the trusted server. If you have not already installed the certificate in the machine store on your machine, you must do so prior to configuring this trust.

NOTE: There is some potential for incompatibility of the Odyssey Client Windows logon feature with similar features in other products. See “Compatibility with other applications running at logon” on page 112. As a result, you should not enable the logon features unless you plan to use them.

Machine Account

If you have configured a machine account network connection in Connection Settings, you can use Machine Account to configure network connections for a machine. Double-click Machine Account in the Odyssey Client Administrator to configure Machine Account.

Configure a machine network login account in Machine Account in very much the same way you would configure a user account, except there are different options for machine account profiles. At a minimum, configure at least one network, adapter, and profile for the machine logon. See the following relevant topics for more information:

- “Machine password” on page 119
- “Profiles panel” on page 36
- “Networks panel” on page 51
- “Auto-Scan Lists panel” on page 59
- “Trusted Servers panel” on page 61
- “Adapters panel” on page 71

Note that you can configure multiple networks, profiles, and adapters, but only those for which you check Connect to network (for wireless connections) and/or Connect using profile (for wired connections) are used by the machine connection.

To test machine connection settings, see “Testing your settings” on page 130. See also the following topics:

- “Machine only connection” on page 145
- “Machine connection followed by user authentication” on page 146

NOTE: Authentication methods that require user interaction, such as those associated with tokens, are not available with machine connection. As a result, this Profiles Panel varies slightly from that of the Odyssey Client Manager. See “Restrictions on early network connections” on page 113 for all restrictions on machine account connections.

Machine password

You can configure the use of machine credentials when authenticating using a machine account. To do this, follow this procedure when you create a machine account profile:

1. Create a profile from the Profiles Panel of Machine Account and check Use machine credentials under User Info of Add Profile.
2. If you require a realm with your machine credentials, type in the name of the realm next to Optional realm: machine @.
3. Keep Permit login using password checked.
4. Machine credentials are only used with EAP-TTLS or EAP-PEAP. Choose at least one of these authentication methods for the profile, and configure any TTLS Settings and/or PEAP Settings options you require.

Note the following:

- If you enter any passwords for machine account profiles or certificates, and intend to create a custom installer, the credentials you enter here are used by all copies of Odyssey Client that use this installer. It is better to manually enter credentials on each client machine if these are required.
- You can use these settings to configure a custom installer.
- You must configure a trusted server certificate for your machine connection. To do so, you must first install the certificate in your machine certificate store on your configuration machine.

NOTE: You cannot configure machine account settings for machines running Windows 98 or Me.

Permissions Editor

You can use the Odyssey Client Permissions Editor to restrict your users from modifying some of the features that you allow them to configure themselves. The rules that you configure in Odyssey Client Permissions Editor apply to your current machine automatically. You can also create a file to export your permission configuration to a group of users. See “Configuration updates for mass-distribution to your users” on page 148.

To implement permissions and restrictions, double-click Permissions Editor in Odyssey Client Administrator. Odyssey Client Permissions Editor appears.

You can use Odyssey Client Permissions Editor to disable the use of some Odyssey Client features for your users. For example, you may allow your users to create new profiles, but may want to restrict the authentication protocols that they are allowed to use. The items you select in Odyssey Client Permissions Editor affect Odyssey Client Manager features. Check any features to which you want to restrict user access, and click OK when you are done.

Note the following:

- Any features that you configure as locked in Merge Rules are exempt from constraints you configure in the Permissions Editor.
- Any items to which you apply constraints remain visible to your users, even though they are unable to configure those features.
- If you check Disable [any] networks, your users do not have the ability to connect to unspecified networks using the [any] network feature. See “Configure Odyssey Client to connect to any available network” on page 54 for a description of this feature.
- If you check Disable ad-hoc networks, your users cannot make peer-to-peer connections.
- If you check Remove Odyssey Client Administrator from Settings menu, your users that have administrative privileges on their computers do not have menu access to the Odyssey Client Administrator from the Odyssey Client Manager.
- If you check Remove License Keys from Help menu, your users cannot modify or view license keys.
- If you check any of the Disable unauthenticated options, your users are not allowed to create a network configuration using the specified encryption protocol if they do not assign a profile to the network connection. The clear option is for no encryption (none).
- If you check any of the Disable authenticated options, your users are not allowed to create a network configuration using the specified encryption protocol when they assign a profile to the network connection.

See the following relevant topics:

- “Validate the server certificate” on page 46
- “Select authentication protocols” on page 45
- “Specify the network type” on page 55
- “Authenticate using profile” on page 56
- “Password” on page 39
- “Certificate” on page 40
- “Server temporary trust” on page 77

See also “Configuration updates for mass-distribution to your users” on page 148 for information on applying your permission restrictions to your user configurations.

Merge Rules You can use Merge Rules to specify how your current Odyssey Client Administrator configuration from Initial Settings and any user’s Windows logon settings in Connection Settings are applied to users of your current machine, as well as to any new custom installer file or any settings update file you create. When you configure merging rules, you have the ability to add, replace, or lock any user features you configure in the Odyssey Client Administrator. The following situations describe a few cases in which you would want to configure rules for merging your Odyssey Client Administrator configuration: X

You have already installed Odyssey Client on a group of client PCs, and you have already configured it for a group of users, but would like to be able to provide periodic administrative updates.

X

You want to create a new custom installer file in order to upgrade your users with a newer version of Odyssey Client. When you do so, you can specify how features are merged into your users current configurations.

X

You want to create a new custom installer file for configuring Odyssey Client for new user machines. In this case, you can specify the locking of the configured features as they are installed on a new machine, or you can use the default settings in Merge Rules (configure nothing) if you are not interested in locking any features you configure.

On a feature by feature basis, you can select the manner in which your current Initial Settings configuration settings are applied to all users of your current machine (or to a new custom installer file, or to a configuration update file). You can choose one of the following modes: X

None, (default for some items on the Other tab) for configuring settings for new users of a given client PC on your network based on selected items that you configure in the Odyssey Client Administrator. You may want to use this mode, for example, if you have recently updated your license, and you want to update a configuration for all new user settings on client machines with settings for the latest features. This mode has no effect on the configurations of current users of an Odyssey Client installation. Once a user begins to use Odyssey Client, they are free to modify any of these settings.

X

Add if not present, (default, except for some items on the Other tab, for which this option is not available) for adding selected Odyssey Client Administrator settings to the current settings of your users without overwriting settings with the same names. This mode affects the configurations for new users, as well as current users of your Odyssey Client installations. All users are free to modify these settings.

Odyssey Client User and Administration Guide

Odyssey Client Administration

123

X

Set, replace if present, for adding selected Odyssey Client Administrator settings to the current settings of your users, while overwriting settings if they already exist with the same names. This mode affects the configurations for new users, as well as current users of your Odyssey Client installations. All users are free to modify these settings.

X

Lock except user info, (available for profiles only) for overwriting all current user settings with selected Odyssey Client Administrator settings, except for user credential information (username, password, or user certificate) associated with a profile. This prevents your users from editing any portions of a locked profile except for their credentials. Do not fill in the username and password or user certificate for any profile that you create in Initial Settings to which you plan to apply this type of profile locking.

X

Lock, for setting or overwriting all current user settings with selected Odyssey Client Administrator settings, and for preventing your users from editing these locked features. When you lock a feature, Odyssey Client deletes all current user settings for features with the same name, and prevents new and current users from editing this feature. Locked features are indicated as such by their title bars in the Odyssey Client Manager.

The settings that you configure in Merge Rules affect Odyssey Client Manager settings for all users of your current machine as soon as you close Merge Rules. Additionally, you can then use these merge rules when you provide configuration updates to your users, or when creating a new installer file. See also “Configuration updates for mass-distribution to your users” on page 148 for information on applying your merge rules to your user configurations.
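The five merge modes can be reasoned about as a small state model. The following Python model is an added illustration, not Funk Software code: it treats each named profile as one setting, and `UserConfig`, `apply_merge_rule`, `user_edit` and the sample data are hypothetical names and constructed values.

```python
from copy import deepcopy
from dataclasses import dataclass, field

# Credential fields the guide says stay user-editable under "Lock except user info".
CREDENTIAL_KEYS = {"username", "password", "user_certificate"}
MODES = {"none", "add_if_not_present", "set_replace", "lock_except_user_info", "lock"}


@dataclass
class UserConfig:
    profiles: dict = field(default_factory=dict)  # profile name -> settings dict
    locks: dict = field(default_factory=dict)     # profile name -> lock mode


def apply_merge_rule(user, name, admin, mode, new_user=False):
    """Return a copy of `user` after one admin profile is merged under `mode`."""
    if mode not in MODES:
        raise ValueError(f"unknown merge mode: {mode}")
    out = deepcopy(user)
    if mode == "none":
        # Seeds first-time users only; current users are untouched.
        if new_user:
            out.profiles[name] = dict(admin)
    elif mode == "add_if_not_present":
        # An existing profile with the same name wins.
        out.profiles.setdefault(name, dict(admin))
    elif mode == "set_replace":
        # The admin's profile wins, but the user may edit it afterwards.
        out.profiles[name] = dict(admin)
    elif mode == "lock_except_user_info":
        # The guide says not to fill in credentials for profiles locked this way.
        if CREDENTIAL_KEYS.intersection(admin):
            raise ValueError("leave credentials blank in a profile locked this way")
        kept = {k: v for k, v in out.profiles.get(name, {}).items()
                if k in CREDENTIAL_KEYS}
        out.profiles[name] = {**admin, **kept}
        out.locks[name] = mode
    else:  # "lock": existing same-name settings are deleted, then locked
        out.profiles[name] = dict(admin)
        out.locks[name] = mode
    return out


def user_edit(cfg, name, key, value):
    """Apply a user's edit in place; return False if the lock state forbids it."""
    lock = cfg.locks.get(name)
    if lock == "lock":
        return False
    if lock == "lock_except_user_info" and key not in CREDENTIAL_KEYS:
        return False
    cfg.profiles.setdefault(name, {})[key] = value
    return True


# Constructed sample data: a current user's profile and the administrator's version.
CURRENT_USER = UserConfig(profiles={"Office": {"eap": "TTLS", "username": "alice"}})
ADMIN_OFFICE = {"eap": "PEAP", "validate_server": True}

if __name__ == "__main__":
    for mode in sorted(MODES):
        merged = apply_merge_rule(CURRENT_USER, "Office", ADMIN_OFFICE, mode)
        print(f"{mode:24} {merged.profiles['Office']} locks={merged.locks}")
```
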

Assign merge rules

To assign rules for applying your Initial Settings and Windows logon configuration to users of your current machine, or to users of a configuration file you create in Custom Installer, follow these steps:

1. Double-click Merge Rules in the Odyssey Client Administrator. Merge Rules appears.

2. Select the Profiles tab. You can lock all profiles, or set merge rules for individual profiles:

   - Check Permit only the following profiles to lock all profiles listed. When you select this option, the following occur:

      - Your users can only use the profiles you configure through Initial Settings.
      - All components (aside from user credentials) of all user profiles are locked.
      - Users cannot add new profiles to their configurations.
      - Users can only edit their credentials for each of the locked profiles you configure.
      - Any profiles that were previously configured in Odyssey Client are hidden from your users and disabled. The only way to make these visible to your users again is to uncheck Permit only the following profiles.
      - If, in addition to locking all profiles, you want to lock the user credentials for one or more of these locked profiles, select the profiles whose user credentials you want to lock, right-click your mouse and select Lock.

   - To set merge rules for one or more individual profiles, follow these steps:

      a. Select one or more profile configurations from the list, and right-click, or click Set Merge Rules. A context menu listing all available merge modes appears.
      b. Select one of the five configuration modes (None, Add if not present, Set, replace if present, Lock except user info, or Lock) from the menu.
      c. Repeat these steps for as many of the other merge rule modes that you want to apply to any profile(s) that you configure in Initial Settings.

3. Select the Networks tab. You can lock all networks, or set merge rules for individual networks:

   - Check Permit only the following networks to lock all networks listed. When you do so, the following occur:

      - Users can only use the networks you configure through Initial Settings.
      - All components of all user networks are locked.
      - Users cannot add new networks to their configurations.
      - Any networks that were previously configured in Odyssey Client are hidden from your users and disabled. The only way to make these visible to your users again is to uncheck Permit only the following networks.

   - To set merge rules for one or more individual networks, select one or more network configurations from the list. Right-click, and select one of the four configuration modes (None, Add if not present, Set, replace if present, or Lock) from the menu that appears. Repeat this step for as many of the other merge rule modes that you want to apply to any network(s) that you configure in Initial Settings.

4. Select the Auto-Scan Lists tab. You can lock all auto-scan lists, or set merge rules for individual auto-scan lists:

   - Check Permit only the following auto-scan lists to lock all auto-scan lists listed. When you do so, the following occur:

      - Your users can only use the auto-scan lists you configure through Initial Settings.
      - All components of all user auto-scan lists are locked.
      - Users cannot add new auto-scan lists to their configurations.
      - Any auto-scan lists that were previously configured in Odyssey Client are hidden from your users and disabled. The only way to make these visible to your users again is to uncheck Permit only the following auto-scan lists.

   - To set merge rules for one or more individual auto-scan lists, select one or more auto-scan lists from the list. Right-click, and select one of the four configuration modes (None, Add if not present, Set, replace if present, or Lock) from the menu that appears. Repeat this step for as many of the other merge rule modes that you want to apply to any auto-scan list(s) that you configure in Initial Settings.

5. Select the Other tab. You can use this tab to assign configuration update rules for your security settings and trusted servers that you configure in Initial Settings, and for Windows logon settings that you configure in Connection Settings. For each of these items, you can right-click and select one of the three configuration modes (None, Set, replace if present, or Lock) from the menu that appears. Note the following about trusted servers:

   - You can also select Add if not present for trusted servers. In this case, you can add trusted server entries to an existing list of trusted servers if they are not present.
   - When you set or lock trusted servers, you replace the entire trust tree for all users.
   - When you lock trusted servers, your users cannot modify the trust you configure.

6. Click OK when you are done.

See “Configuration updates for mass-distribution to your users” on page 148 for information on applying your merge rules to a set of users.

NOTE: A warning or error message may appear when you click OK to close Merge Rules. For example, if you attempt to assign an impossible merge rule, an error message appears. These error messages contain helpful information to address any merge rule errors or inconsistencies.

Custom Installer

You can use Odyssey’s custom installer features to create a new installer file with a customized user default configuration. You can use these new installer files to upgrade your current user configurations, or to create installers for new client machines. You can also configure custom updated user configuration files. Custom installer files and updated user configuration files derive their configuration from the features you set in the Odyssey Client Administrator, and not in the Odyssey Client Manager. The custom install process is described extensively in the following topics:

- “Preconfigure Odyssey Client for a group of users” on page 143
- “Configure Odyssey Client to create a template” on page 144
- “Custom Installer” on page 128
- “Custom install: Provide printable documentation” on page 145

After configuring and testing your custom installer template in the Odyssey Client Administrator, you can use the Custom Installer in the Odyssey Client Administrator to create a new Odyssey Client installer file with user defaults that are configured from your template. For information on using your current Odyssey Client Administrator configuration to create an updated user configuration file, see “Configuration updates for mass-distribution to your users” on page 148. Follow these steps to complete the custom installation process:

1. Double-click Custom Installer in the Odyssey Client Administrator to configure a custom installer. The Custom Installer appears.

2. Select New installer file.

3. Type in the source installer file. This file must be a full product installer file for Odyssey Client. You can type in the file name (along with its path), or click the first Browse button. The Select Source File window appears.

4. You can use the Files of type drop-down list at the bottom of the Select Source File window to search for the correct file type. You can use the original Odyssey Client installer file from any current or previous release (OdysseyClient.msi) as the source file. You can find this file in the Client directory on the CD if you have not archived it. If you are configuring an installer for Windows 98 machines, select the .EXE Odyssey Client installer file type, such as OdysseyClient.exe. Double-click your source file in the window, or click Open.

5. Click Browse to browse for the desired destination directory (if you are not already there). Save Destination File appears. Select the name of the new (destination) .MSI file. You can type in the name of the file or select an existing file in the current directory, and then click Save. Note that if you are configuring an installation for Windows 98, save the file as .EXE instead of .MSI.

6. Optionally check Export license key, and type in a license key that is valid for the number of copies you intend to distribute.

7. Optionally check Silent install if you want the installation to run without displaying any dialogs during the install process. Note that if you choose this option and you do not export a license key, the license for the installed product expires in 30 days.

8. Click OK to create the custom installer file.

NOTE: When you use the Settings update file option of the Custom Installer, you can create a configuration file that includes administrative updates from the merge rules and permission restrictions you configure in Merge Rules and Permissions Editor. See “Configuration updates for mass-distribution to your users” on page 148.

Testing your settings

You can test your configuration for user and machine connections before creating a custom installer. You can perform the following tests:

- Test user connection settings
- Test machine connection settings

Test user connection settings

To test your user connection settings, follow these steps:

1. Select Commands > Reload and test user defaults from Initial Settings.

2. Click OK. This permanently deletes your current Odyssey Client Manager settings, and loads your settings from Initial Settings into the Odyssey Client Manager. In addition, it starts the Odyssey Client Manager through the Configure and Enable Odyssey Wizard. Whatever you see in this wizard is what your users see when they first use the product.

3. Test all the connections through the Connection panel of Odyssey Client Manager. Note that any modifications you make in the Odyssey Client Manager are not reflected in Initial Settings.

4. Return to Initial Settings to correct for any connection problems and retest these connections again, if necessary.

NOTE: This test replaces any settings that you already have configured in the Odyssey Client Manager with settings from Odyssey Client Administrator.

Test machine connection settings

To test your machine connection settings:

1. Make sure that the network connection(s) you want to test are configured and set for connection in the Connection panel of Machine Account.

2. Open Machine Account in Connection Settings, and select leave the machine connection active. Click OK.

3. Double-click the Tray icon to open the Odyssey Client Manager, and check the status of your connection(s).

4. Return to Machine Account to correct for any connection problems and retest these connections again, if necessary.

5. If you had to modify your connection settings, re-open Machine Account in Connection Settings, and restore the previous settings.

Script Composer

You may need to periodically change Odyssey Client configurations for one or more users. You can change per-user configurations using scripts. You can create scripts for your Odyssey Client users based on your configuration components in the Odyssey Client Manager.

NOTE: If any Odyssey Client Manager components you include in a client script are locked on your computer, the resulting corresponding components are not locked when your users update their configurations from the script. In addition, if your users have any components that are locked, you cannot use scripts to update those components. See “Merge Rules” on page 123 and “Custom Installer” on page 128 for more information on updating locked components.

You can create scripts using the Script Composer in the Odyssey Client Administrator. Follow these steps:

1. Set up Odyssey Client Manager to include all of the configuration components that you want to add or modify through scripting. See “Using Odyssey Client Manager” on page 23 for more information. Note that if you only want to remove items, you do not have to configure them in Odyssey Client Manager.

2. Double-click Script Composer. Odyssey Client Script Composer appears.

3. For each script that you want to generate, configure all items that you want to add, remove, or modify according to the directions in the following topics:

   - “Action categories” on page 134
   - “Component categories” on page 135

4. Click Generate Script. Select Destination File appears.

5. You have two format options for saving scripts. See “Scripts for incremental updates of user configurations” on page 148 for information on how to process and deliver your users’ scripts once you save them:

   - If you want to save your script as an auto-script, so that Odyssey Client processes it automatically when you deliver it to your users, choose the second file type listed.
   - If you want to save your script so that your users are offered the choice of running the script, then choose the first file type listed. See “Check New Scripts” on page 90 for information on how your users can address scripts.

6. Choose a meaningful name for the file after selecting a file type and click Save.

7. Repeat steps 3 and 4 for each script that you want to generate. You may want to use this feature multiple times if, for example, you have separate changes for different users.

8. Click Done when you have created all of your scripts.

9. Deposit the scripts in the correct directory on your users’ machines. See “Scripts for incremental updates of user configurations” on page 148.

NOTE: If there is sufficient variation between each script that you want to create, then leave off step 7 when you follow this procedure for multiple scripts, and follow steps 1-6 and 8 for each script.

Action categories

For each script that you create, you can perform the following actions:

- Add if not present: Configuration components that you select for script generation are added to a user’s configuration when they run the resulting script only when that user’s configuration does not already have components by the same name. The configuration components that you can select to add are the ones that you currently have in your Odyssey Client Manager.

- Set, replace if present: Configuration components that you select for script generation are added to a user’s configuration when they run the resulting script. In the case that the user’s configuration has components by the same name, those components are replaced. The configuration components that you can select to set are the ones that you currently have in your Odyssey Client Manager.

- Remove: You can remove any configuration components (these do not necessarily have to be configured in Odyssey Client Manager). Components whose names you enter for script generation are removed from a user’s configuration when the resulting script is run.

- Connect: You can select a profile to which to connect for wired connections, or networks or auto-scan lists to which to connect for wireless connections. When the resulting script is run, the checked network, auto-scan list, or profile specifies the active Odyssey Client network connection. The adapter in use for such a connection is the first appropriate adapter (wired, for wired connections, or wireless, for wireless connections) on the client’s list of adapters.

NOTE: You can only add or set configuration components that you have already configured in Odyssey Client Manager. This feature is independent of your Initial Settings configuration. If you type in an item to be removed, while you also specify that an item of the same name is to be added or set, the item is first removed before it is added or set when the script is run.

Once you create and distribute a script, your users can access this file from the Commands > Check New Scripts menu on the Odyssey Client Manager. See “Scripts for incremental updates of user configurations” on page 148 for more information.

Component categories

You can apply the three actions to the following Odyssey Client configuration components:

- Profiles
- Networks
- Auto-Scan lists
- Other components (trusted servers and security settings)
- SSIDs

Profiles

You can add and/or set any number of profiles that you have configured in Odyssey Client Manager in the same script. To do so, follow these steps:

1. Select Profiles under the desired category (Add or Set). All profiles that you have configured in Odyssey Client Manager appear listed on the right.

2. Check all of the profiles that you want to include in this category.

Note the following:

- If you include user identity information in your selected profiles (names and/or passwords), these are conveyed to the users who run the resulting script.
- If you leave the user identity information in your selected profiles blank, then Odyssey Client attempts to replace the name and/or password with the user’s Windows identity when the script is run. If this is not possible, the user is prompted for identity credentials the first time connecting using Odyssey Client.
- Certificate information is not passed on through the script.

You can remove any profiles that your users have configured as long as you have the names. To remove a profile, follow these steps:

1. Select Profiles under Remove.

2. Type in the names of any profiles you want to remove in the text area provided. Press Enter after each profile name that you want to remove.

To specify a profile to be used as the active connection profile for Odyssey Client wired connections, select the profile under Connect.

Networks

You can add and/or set one or more networks that you have configured in Odyssey Client Manager in the same script. To do so, follow these steps:

1. Select Networks under the desired category (Add or Set). All networks that you have configured in Odyssey Client Manager appear listed on the right.

2. Check all of the networks that you want to include in this category.

You can remove any networks that your users have configured as long as you have the correct names (SSIDs) and corresponding descriptions. Alternatively, you can remove all networks with the same SSIDs, and you do not have to bother with names and descriptions. To remove one or more networks, follow these steps:

1. Select Networks under Remove.

2. Type in the names (SSIDs) and corresponding descriptions (if there are any) of any networks that you want to remove in the text area provided. You must use the special network description syntax that appears on Odyssey Client Manager. You must provide the name/description pair in the following format: description . Press Enter after each network name/description pair that you want to remove.

NOTE: For this special syntax, you can only remove networks with descriptions that do not contain angled brackets in their definitions. You can always remove those networks through their SSIDs.

To specify a network to be used as the active connection network for Odyssey Client wireless connections, select the network under Connect.

Auto-Scan lists

You can add or set one or more auto-scan lists that you have configured in Odyssey Client Manager. To do so, follow these steps:

1. Select Auto-Scan Lists under the desired category (Add or Set). All auto-scan lists that you have configured in Odyssey Client Manager appear listed on the right.

2. Check all of the auto-scan lists that you want to include in this category.

You can remove any auto-scan lists that your users have configured as long as you have the correct names. To remove one or more auto-scan lists, follow these steps:

1. Select Auto-Scan Lists under Remove.

2. Type in the names of any auto-scan lists you want to remove in the text area provided. Press Enter after each auto-scan list name that you want to remove.

To specify an auto-scan list to be used as the active connection auto-scan list for Odyssey Client wireless connections, select the auto-scan list under Connect.

Other

Depending on which action category you select, you have one or two options for modifying trusted servers and security settings. You can modify these components when you select Other:

- You can either add or set the complete trust tree that you have configured in the Trusted Servers panel of Odyssey Client Manager:

   1. Select Other under the desired action category (Add or Set).
   2. Check Trusted servers. Note that when users run the resulting script for trust trees that you add, new trust entries are spliced into an existing tree. When users run the resulting script for trust trees that you set, the entire trust tree is replaced.

- You can set (replace) the security settings that you have configured from the Settings > Security Settings command on Odyssey Client Manager:

   1. Select Other under Set.
   2. Check Security settings.

SSIDs

You can remove networks by SSID name, rather than using the network name/description syntax. When a user runs the resulting script that includes the removal of one or more SSIDs, all networks with the specified SSIDs are removed from the user’s Odyssey Client configuration. To remove one or more networks by SSID, follow these steps:

1. Select SSID under Remove.

2. Type in the SSID names of any networks that you want to remove in the text area provided. You are not required to use any special syntax. Press Enter after each SSID name that you want to remove.

NOTE: Odyssey Client processes the removal of networks by SSID before it processes the removal of any networks by network configuration name.
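The ordering rules stated for scripts (SSID removals first, then removals by name, then add or set, with components locked on the user's machine left alone) can be followed in a small model. This is an added example, not Odyssey's script format or code: the `Script` fields, `run_script`, the relative order of add and set, and the treatment of removals on locked networks are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Script:
    remove_ssids: list = field(default_factory=list)     # Remove > SSID entries
    remove_networks: list = field(default_factory=list)  # Remove > Networks, by name
    add_networks: dict = field(default_factory=dict)     # Add if not present
    set_networks: dict = field(default_factory=dict)     # Set, replace if present
    connect: Optional[str] = None                        # Connect: network to activate


def run_script(networks, locked, script):
    """Apply `script` to a user's networks.

    networks: name -> settings dict with an "ssid" key.
    locked:   names of networks locked on the user's machine.
    Returns (networks_after, active_network, log).
    """
    after = {name: dict(s) for name, s in networks.items()}
    log = []

    def writable(name):
        # Scripts cannot update components that are locked for the user.
        if name in locked:
            log.append(f"skipped {name}: locked")
            return False
        return True

    # 1. Removal by SSID is processed before removal by configuration name.
    for ssid in script.remove_ssids:
        for name in [n for n, s in after.items() if s.get("ssid") == ssid]:
            if writable(name):
                del after[name]
                log.append(f"removed {name} (ssid {ssid})")

    # 2. Removal by name happens before any add or set of the same name.
    for name in script.remove_networks:
        if name in after and writable(name):
            del after[name]
            log.append(f"removed {name}")

    # 3. Add if not present never overwrites an existing same-name network.
    for name, settings in script.add_networks.items():
        if not writable(name):
            continue
        if name in after:
            log.append(f"kept existing {name}")
        else:
            after[name] = dict(settings)
            log.append(f"added {name}")

    # 4. Set, replace if present.
    for name, settings in script.set_networks.items():
        if writable(name):
            after[name] = dict(settings)
            log.append(f"set {name}")

    active = script.connect if script.connect in after else None
    return after, active, log


# Constructed sample data: one user's networks and an administrator's script.
USER_NETWORKS = {
    "Lab": {"ssid": "lab-old", "encryption": "WEP"},
    "Lab annex": {"ssid": "lab-old", "encryption": "WEP"},
    "Guest": {"ssid": "guest", "encryption": "none"},
    "Corp": {"ssid": "corp", "encryption": "TKIP"},
}
USER_LOCKED = {"Corp"}
SCRIPT = Script(
    remove_ssids=["lab-old"],
    remove_networks=["Guest", "Corp"],
    add_networks={"Lab": {"ssid": "lab-new", "encryption": "AES"},
                  "Corp": {"ssid": "corp", "encryption": "none"}},
    connect="Lab",
)

if __name__ == "__main__":
    result, active, log = run_script(USER_NETWORKS, USER_LOCKED, SCRIPT)
    print("\n".join(log))
    print(result, "active:", active)
```

Because the removal runs first, pairing a Remove entry with an Add if not present entry of the same name replaces the user's version; without the removal, the user's existing network is kept.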

PAC Manager

You can use the PAC Manager to manually provision Protected Access Credentials (PACs) for use with EAP-FAST authentication. Double-click PAC Manager on Odyssey Client Administrator. Odyssey PAC Manager appears.

You can perform the following tasks using Odyssey PAC Manager:

- Once a PAC file has been created, you can import the PAC by clicking Import. When the Open dialog appears, browse for the directory containing the PAC file and double-click it to import. If the PAC file you select is password protected, you are prompted for the password before you can successfully import the PAC.
- To refresh a selected PAC listing, click Refresh to update the display of the PAC usage.
- To delete one or more selected PACs from the list, click Delete.
- Click Close when you are done.

Sample administrative workflows

There are several tasks that require you to use the Odyssey Client Administrator, including the following:

- “Preconfigure Odyssey Client for a group of users” on page 143
- “Machine only connection” on page 145
- “Machine connection followed by user authentication” on page 146
- “User authentication without machine connection” on page 147
- “Scripts for incremental updates of user configurations” on page 148
- “Configuration updates for mass-distribution to your users” on page 148

Preconfigure Odyssey Client for a group of users

You can take advantage of your ability to preconfigure profiles and networks for an entire group of users by creating a custom installer in Odyssey. You can create a customized installer that is based on a generic or template configuration that defines settings to be used by a group of new users. Each copy of the client that you install with this customized installer has a default network configuration that is assigned by your template. If all of your users require the same network configuration, creating a custom installer reduces or eliminates the need for your end-users to enter configuration information.

If your users have already installed Odyssey Client, you can use your template to create updated configurations for these users. See “Configuration updates for mass-distribution to your users” on page 148. To learn how to provide a custom installer to your users, see the following topics:

- “Configure Odyssey Client to create a template” on page 144
- “Connection Settings” on page 104
- “Custom Installer” on page 128
- “Custom install: Provide printable documentation” on page 145

Configure Odyssey Client to create a template

Follow these steps to configure a template for a custom installer:

1. Put the product CD into the CD ROM drive of the client device. Use any Windows 2000 or Windows XP device. The installation process should begin automatically. If it does not, browse the CD directory for the setup.exe file and double-click it. Note that if you have already installed a copy of Odyssey Client with a license key that is valid for your users, you can start with step 3.

2. Follow the installation instructions, using a license key that is valid for the installation machine. This may or may not be the license key you preconfigure for your users.

3. If you have installed the product, but want to change the license key to be used by your preconfigured users, you can change it according to the instructions for adding and removing license keys in “License keys” on page 96.

4. Configure your template according to your desired network configuration and connection options:

   - Machine only connection
   - Machine connection followed by user authentication
   - User authentication without machine connection

   There are a few exceptions as noted below:

   - You cannot preconfigure client certificates. If you select EAP-TLS under the Authentication tab in Add Profile Properties (from the Profiles panel of Initial Settings or Connection Settings), your users are prompted to select a client certificate the first time Odyssey Client runs on a client machine. You can, however, configure certificates for any trusted root server in the Trusted Servers panel of Initial Settings or Machine Account.
   - You cannot preconfigure stored passwords or login names.

5. Configure in the Permissions Editor any feature access or control restrictions to be included in this preconfigured installer.

6. Configure in Merge Rules any locking options to be included in this preconfigured installer. The Merge and Set options only apply when you update configurations, but you can use the locking features to lock one or more configuration settings for new users.

7. When you are done configuring the default configuration for the template, test each network connection. See “Testing your settings” on page 130.

You have now set up a template configuration, and you are ready to create a preconfigured Odyssey Client installer. See “Custom Installer” on page 128.

Custom install: Provide printable documentation

The custom installer file you create using the methods described in “Custom Installer” on page 128 includes the online help for the product, but does not include the manual in .PDF format. There are two .PDF files in the Docs directory of your product CD:

- OdysseyClientAdmin.pdf
- OdysseyClientMan.pdf

OdysseyClientAdmin.pdf includes this administrative chapter, while OdysseyClientMan.pdf does not.

In addition to the .MSI (or .EXE, in the case of Windows 98) file you create, you can also provide your users with the file OdysseyClientMan.pdf to give them access to printable documentation that does not include information on administrative tasks.

Machine only connection

For the purposes of identifying a client machine on the network independent of user credentials, you have the option to connect all client machines to the network with a machine (rather than user) authentication. This can be useful if you have any machine-related startup processes. You can use this feature to maintain network connections for the client machine even when users are logged off.

To configure a machine only connection, follow these steps:

1. Double-click Connection Settings in the Odyssey Client Administrator.

2. On the Machine Account tab of Connection Settings, check Enable network connection using machine account, select leave the machine connection active, and click OK.

3. Double-click Machine Account in the Odyssey Client Administrator. Machine Account (Odyssey Client) appears.

4. Run through the panels that are required for setting up your machine network connection, including Networks, Adapters, and Profiles, and close Machine Account (Odyssey Client).

Machine connection followed by user authentication

You have the option to connect all client machines to the network with machine credentials, but subsequently require user authentication. This option allows you to perform network tasks at Windows startup, but subsequently account for the users on the network. To configure a machine connection followed by user authentication, follow these steps:

1. Double-click Connection Settings in the Odyssey Client Administrator.

2. On the Machine Account tab of Connection Settings, check Enable network connection using machine account, and select drop the machine connection.

3. Select one of the available user authentication timing options under the User Account tab of Connection Settings and click OK. Note that in order to have a user connect prior to Windows logon, you must first install GINA from the GINA tab of Connection Settings.

4. Double-click Machine Account in the Odyssey Client Administrator. Machine Account (Odyssey Client) appears.

5. Run through the panels that are required for setting up your machine network connection, including Networks, Adapters, and Profiles, and close Machine Account (Odyssey Client).

6. Double-click Initial Settings in the Odyssey Client Administrator. Initial Settings (Odyssey Client) appears.

7. Run through the panels that are required for setting up your user network connection, including Networks, Adapters, and Profiles. Lock any configuration features that require locking using Merge Rules. Close Initial Settings (Odyssey Client) when you are done.

User authentication without machine connection

You have the option to connect all users to the network using only their user credentials. You have various options with respect to timing for network authentication with user credentials. For example, if you require any network-related startup processes, you can have your users connect to the network prior to Windows logon time. To configure a user network connection, follow these steps:

1. Double-click Initial Settings in the Odyssey Client Administrator. Initial Settings (Odyssey Client) appears.

2. Run through the panels that are required for setting up your user network connection, including Networks, Adapters, and Profiles. Lock any configuration features that require locking using Merge Rules. If you plan to have users connect to the network before Windows logon time, make sure you create at least one profile that does not use EAP-TLS authentication. See “Configuring prior to Windows logon connections” on page 116 for more information.

3. Close Initial Settings (Odyssey Client).

4. Double-click Connection Settings in the Odyssey Client Administrator:

   - If you want users to connect to the network prior to Windows logon time, click Install Odyssey GINA Module, if it is not already installed. Select prior to Windows logon and select a wireless adapter and network (or a wired adapter and profile) that you have already configured in step 2, and click OK. Make sure that the profile associated with this network connection does not use the EAP-TLS authentication method.

   - If you want to require that users connect to the network after Windows logon time, make sure the Odyssey GINA module is not installed.

   - If you want users to connect to the network after Windows logon time (independent of whether or not you install the Odyssey GINA module), select one of the two available user authentication timing options under User Account and click OK. You can either have the users authenticate to the network before or after the desktop appears.


Scripts for incremental updates of user configurations

You may need to update Odyssey Client configurations for one or more users. For example, if you add new SSIDs to your network, you can configure the network once on your Odyssey Client Manager, and then create a script that feeds the new network configuration to one or more of your users. You can deliver two types of configuration scripts to your users:

- You can deliver an auto-script that is run automatically whenever your user’s Odyssey Client polls for new scripts.

- You can deliver a script (not in auto-script format) whose execution the user must address when prompted about new scripts. See “Check New Scripts” on page 90 and “Run Script” on page 92 for more information on user interaction with scripts.

To provide configuration scripts to update your users’ configurations, follow these steps:

1. Generate one or more scripts using the Script Composer. See “Script Composer” on page 132. Make sure that you save your scripts in your desired format.

2. Deliver the script(s) to the following directory on your user’s computer:

   Documents and Settings\username\Application Data\Funk Software\Odyssey Client\newScripts

   Odyssey Client polls this directory for new scripts with regular frequency:

   - Auto-scripts are run automatically when detected by Odyssey Client.

   - Other scripts prompt your Odyssey Client users to address the script through New Odyssey Client Scripts.

Note that if you want merge rules, locked features, or permission restrictions to apply to your user configurations, follow the directions in “Configuration updates for mass-distribution to your users,” below.
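Because auto-scripts run as soon as the client finds them in newScripts, it is worth checking what lands there. The following added example (not part of the guide and not Funk Software code) copies a script to each profile only if it matches an approved SHA-256 hash, and reports any other files already waiting in that directory. The function names, the sample file name and contents, and the rule that a profile without an "Odyssey Client" directory has no client are assumptions.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Directory named in the guide, relative to each profile in "Documents and Settings".
NEW_SCRIPTS = Path("Application Data", "Funk Software", "Odyssey Client", "newScripts")
SKIP = {"All Users", "Default User"}  # Windows template profiles, not real users

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def deliver(script, approved_sha256, profiles_root):
    """Copy one approved script into every user's newScripts directory.

    Returns {username: [other files already waiting there]}; the client's next
    poll will find those too, so they deserve a look before you rely on the run.
    """
    script = Path(script)
    if sha256_of(script) != approved_sha256:
        raise ValueError("script differs from the approved copy; nothing delivered")
    report = {}
    for profile in sorted(Path(profiles_root).iterdir()):
        target = profile / NEW_SCRIPTS
        # Assumption: no "Odyssey Client" directory means no client for that user.
        if profile.name in SKIP or not target.parent.is_dir():
            continue
        target.mkdir(exist_ok=True)
        report[profile.name] = sorted(
            p.name for p in target.iterdir()
            if p.is_file() and sha256_of(p) != approved_sha256)
        shutil.copyfile(script, target / script.name)
        if sha256_of(target / script.name) != approved_sha256:
            raise OSError(f"copy into {profile.name} failed verification")
    return report

def demo():
    """Constructed sample tree: two users, one with an unreviewed file waiting."""
    base = Path(tempfile.mkdtemp())
    root = base / "Documents and Settings"
    for user in ("alice", "bob", "Default User"):
        (root / user / NEW_SCRIPTS.parent).mkdir(parents=True)
    (root / "bob" / NEW_SCRIPTS).mkdir()
    (root / "bob" / NEW_SCRIPTS / "unknown.txt").write_text("not reviewed")
    script = base / "add-ssid.txt"  # hypothetical name and placeholder contents
    script.write_text("constructed placeholder for a Script Composer export")
    return deliver(script, sha256_of(script), root), root, script

if __name__ == "__main__":
    print(demo()[0])
```
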

Configuration updates for mass-distribution to your users

You may want to update Odyssey Client configurations for a large number of users. For example, if you want to update your users’ configurations with some of Odyssey Client’s newer features, you can create an updated customized configuration file through the User update file feature of the Custom Installer. You can distribute this file to your users in order to update their configurations. Before you create this file, you can configure merge rules in order to specify how your updated configuration is applied to your users’ configurations of Odyssey Client.

You can create an updated configuration file that is based on your connection settings from Connection Settings, any machine account settings in Machine Account, any user settings in Initial Settings, any locking options from Merge Rules, and any specific feature constraints in Permissions Editor. To do so, follow these steps:

1. Double-click Custom Installer in the Odyssey Client Administrator.

2. Select Settings update file.

3. Click Browse, in order to browse to a destination directory. Select Destination File appears.

4. Type the name of the configuration file that you want to save next to Destination File, and click Save.

5. Click OK to close Custom Installer.

6. Install the file on your users’ machines. You can distribute the installer file to your users to install only if they have administrative privileges on their machines.

NOTE: You cannot use settings update files in order to upgrade your user configurations.

