Odyssey Client

Odyssey Client ®

User and Administrator Guide

Sixth Edition November, 2004

Funk Software, Inc. 222 Third Street Cambridge, MA 02142 (617) 497-6339 (617) 491-6503 (Technical Support) www.funk.com

Odyssey Client © Copyright 2002-2004 Funk Software, Inc. All rights reserved. Odyssey® and Funk® are registered trademarks of Funk Software, Inc. Microsoft, Windows, Windows XP, Windows NT, Windows 2000, Internet Explorer, and other Microsoft products referenced herein are either trademarks or registered trademarks of the Microsoft Corporation in the United States and other countries. Novell is a registered trademark and Novell Client is a trademark of Novell Corporation. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org) and cryptographic software written by Eric Young ([email protected]).

Contents

Chapter 1 Introduction
    Welcome
    Requirements
        Operating systems
        Wireless adapter card and/or wired network card
        Network hardware
        Licenses
        Browsers
    Documentation
    Technical support

Chapter 2 Installation
    Installation process
    Installation requirements
    Installation instructions
        Install
        Configure

Chapter 3 Networking with Odyssey Client
    Preface
    Network security overview
        Encryption and association for secure authentication
    The 802.11 wireless networking standard
        Types of wireless networks
        Wireless network names
        Wired-Equivalent Privacy (WEP)
        Wi-Fi Protected Access (WPA or WPA2) and TKIP/AES
    The 802.1X standard
        Extensible Authentication Protocol (EAP)
        Reauthentication
        Session resumption

Chapter 4 Using Odyssey Client Manager
    Odyssey Client Manager Overview
        Starting Odyssey Client Manager
        Odyssey Client Manager display
    Connection panel
        Select an adapter
        Connect to a network (wireless connections only)
        Connect using profile (wired connections only)
        Configure multiple simultaneous network connections
        Scan for wireless networks
        Reconnect to a network
        Reauthenticate to a network
        Disconnect from a network connection
        View connection information
        View informational graphics and detailed status
    Profiles panel
        Profile properties
    Networks panel
        Network properties
    Auto-Scan Lists panel
        Auto-Scan List properties
    Trusted Servers panel
        Using the simple method to configure trust
        Using the advanced method to configure trust
        Untrusted servers
    Adapters panel
        Adding a wireless or wired adapter
        Removing an adapter from the list of adapters
    Settings menu
        Preferences
        Security Settings
        Windows Logon Settings
        SIM Card Manager
        Odyssey Client Administrator
        Enable/Disable Odyssey
        Close
    Commands Menu
        Forget Password
        Forget Temporary Trust
        Check New Scripts
        Run Script
        Update
    Web menu
        Odyssey User Page
        Funk Software Home Page
        Register Odyssey Client
        Purchase Odyssey Client
    Help Menu
        Help topics
        License keys
        View Readme File
        About
    Tray icon menu commands
        Odyssey Client Manager
        Enable Odyssey or Disable Odyssey
        Help commands
        Exit
    Other Odyssey Client features
        Shortcut keys
        Using Odyssey Client with some features disabled
    Interaction with other adapter software

Chapter 5 Odyssey Client Administration
    Overview of Odyssey Client Administration
    Odyssey Client Administrator
        Connection Settings
        Initial Settings
        Machine Account
        Permissions Editor
        Merge Rules
        Custom Installer
        Testing your settings
        Script Composer
    Sample administrative workflows
        Preconfigure Odyssey Client for a group of users
        Machine only connection
        Machine connection followed by user authentication
        User authentication without machine connection
        Scripts for incremental updates of user configurations
        Configuration updates for mass-distribution to your users

Index

Chapter 1 Introduction

Welcome

Thank you for selecting Odyssey® Client. Odyssey Client consists of two main components:

• Odyssey Client Manager, for configuring Odyssey Client on a per-user basis. See “Using Odyssey Client Manager” on page 23.
• Odyssey Client Administrator, for administering Odyssey Client for your network of users. See “Odyssey Client Administration” on page 97.

With Odyssey Client, you can connect to your wireless network easily and securely. You can use Odyssey Client for the following:

• Configure and control your wireless or wired adapter.
• Connect to access points as well as to peer-to-peer networks.
• Configure authentication profiles to allow you to connect to different networks with different credentials.
• Use 802.1X to authenticate to the network.
• Use a wide variety of authentication methods, including powerful methods such as EAP-TTLS, EAP-PEAP, EAP-TLS, and EAP-FAST to keep your credentials secure.

If you are a network administrator, you can facilitate the following for your users:

• Configure network authentication prior to Windows logon.
• Configure server and/or user certificates for use with Odyssey Client.
• Create a custom installer from the Odyssey Client Administrator.
• Manage user configurations from the Odyssey Client Administrator.

For more introductory information, see the following topics:

• Requirements
• Documentation
• Technical support

Requirements

Odyssey Client Manager has the following requirements with respect to hardware and software:

• “Operating systems” on page 2
• “Wireless adapter card and/or wired network card” on page 2
• “Network hardware” on page 3
• “Licenses” on page 3
• “Browsers” on page 3

Operating systems

Odyssey Client runs under the following operating systems:

• Windows 98
• Windows 98 SE
• Windows Me
• Windows 2000 Professional or Server
• Windows XP Home or Professional

Wireless adapter card and/or wired network card

In order to use wireless capabilities, your computer must be equipped with a wireless adapter card and a driver that supports the Microsoft-defined 802.11 OIDs, and is 802.1X compliant. In order to authenticate to a network using a wired connection, you need any network card that is adapted for a wired connection. The most recently updated list of compatible adapter cards can be found on the Odyssey User Page on our web site. For a shortcut to this page, select Web > Odyssey User Page from the menu.

Network hardware

For wireless network authentication, your network must include at least one 802.1X compliant access point. For wired network authentication, your network must include at least one 802.1X compatible switch or hub.

Licenses

A license key is a text sequence that represents your license to use your copy of Odyssey. You must enter a license key as part of the installation process of Odyssey Client. Some Odyssey Client features are separately licensed. Depending on which license you have purchased, there may be some features of Odyssey Client that are not available. Additionally, some portions of the user interface may be disabled or enabled, and the appearance of dialogs may vary, according to your license. You can purchase license keys from Funk Software, and you can enter your new license key in the License Key dialog. See “License keys” on page 91.

Browsers

Your computer must be running Microsoft Internet Explorer 5.5 or later.

Documentation

Your Odyssey Client Manager software includes a help system that allows you to access this documentation on your computer. To bring up this help system, select the Help > Help Topics menu command from the Odyssey Client Manager. You can also read the manual in PDF format. The manual is called OdysseyClientAdmin.pdf, and is located on your product CD under Docs. You can also get context-sensitive help at any time by pressing F1. The help system opens at the section that best explains your current situation. The Help > View Readme File menu command located on the Odyssey Client Manager opens the readme.txt file. This file may have important information about Odyssey Client that is not included in this manual.

Technical support

If you have any problems installing or using Odyssey Client, there are various resources available to help you at no charge:

• This manual and the README.TXT file may contain the information you need to solve the problem you are having. Please re-read the relevant sections. You may find a solution you overlooked. To look at the README.TXT file, select the Help > View Readme File menu command from the Odyssey Client Manager.
• Check our web site http://www.funk.com for additional information and technical notes. You can also select Web > Odyssey User Page from the menu bar to go to a special home page for Odyssey Client users.
• E-mail your questions or issues to [email protected].
• We provide 30 days of technical support by phone at no charge, starting from your first support call. For technical support by phone, you can call (617) 491-6503, Monday through Friday, 9:00 A.M. to 5:30 P.M., Eastern time.
• For support beyond the initial 30-day period, we offer a range of support options including support and maintenance contracts and pay-per-call. Consult our web site for the support plan that best meets your needs. Select Web > Funk Software Home Page from the menu bar, then navigate to the Tech Support > Support Options section of the web site.

If you are located outside North America, you can receive support either by contacting the Funk Software partner in your country or by contacting us directly. You can find the name of the support provider nearest you on our web site. Select Web > Funk Software Home Page from the menu bar, then navigate to the Contact Info > International section of the web site.

Please take a moment to register your copy of Odyssey Client with us. Doing so allows you to receive notifications of product upgrades and special offers and will expedite your first contact with our Technical Support department. To register Odyssey, select the Web > Register Odyssey Client menu command.

Chapter 2 Installation

Installation process

If you are running Windows 2000 or Windows XP, you can only install Odyssey Client if you have administrator privileges. You can find basic installation instructions in the following topics:

• Installation requirements
• Installation instructions

Installation requirements

Before you install Odyssey Client, please note the following:

• Install your wireless (and/or wired) network adapter card and associated driver software.
• On Windows 2000 and Windows XP, you must have administrative privileges to install Odyssey Client.

Installation instructions

Installation of Odyssey Client has two phases:

• Install
• Configure

Install

To install Odyssey Client, follow these steps:

1. Insert the installation CD into your CD-ROM drive. The installation process starts automatically.
2. The installation wizard asks you a series of questions. Your answers determine how the software is installed and configured. Follow the instructions as they appear.
3. After you supply all of the necessary information to the installation wizard, you can click the Install button to begin the installation process.

Configure

Once the first phase of the install process is complete, use the Configure and Enable Odyssey Wizard to configure Odyssey Client for use by you (the current user who is performing the installation). If this wizard does not open for you automatically, your installation is already complete. Read the following topics to learn more about configuring Odyssey Client:

• Configure Odyssey Client for each user on a single PC
• Configuring Odyssey Client for multiple machines

Configure Odyssey Client for each user on a single PC

Your computer may have multiple user accounts. Once installed on a single PC, Odyssey Client is available to all users. However, the settings that control Odyssey Client’s operation are separate for each user. Whenever you use Odyssey for the first time, the Configure and Enable Odyssey Wizard may appear, so that you configure Odyssey Client for your own use. If there are multiple users of the same client machine, they are each offered the option to configure Odyssey Client through this wizard when the configuration is incomplete. If this wizard does not appear, your initial configuration is complete. In the case that the wizard does appear, you have the following options with respect to personal configuration of Odyssey Client:

• Accept the option for configuration with the wizard.
• Decline the option for configuration at the current time, but be asked again upon subsequent log in.
• Decline the option for configuration, and not be asked again.

NOTE: Even if you decline to configure Odyssey Client for a particular user account, you can configure the product at a later time. To do so, run Odyssey Client Manager from the Start > Programs > Funk Software > Odyssey Client menu. The Configure and Enable Odyssey Wizard automatically starts up.

Configuring Odyssey Client for multiple machines

Once you install Odyssey Client on a PC, you can create a custom installer to customize a default configuration for users of multiple machines. See “Preconfigure Odyssey Client for a group of users” on page 136.

Chapter 3 Networking with Odyssey Client

Preface

This chapter introduces the basic concepts and terminology behind wireless and wired networking, insofar as these concepts relate to configuring and using Odyssey Client. Read this material to learn about networking choices that allow you to use Odyssey Client to best advantage, so as to maximize the security of your connections over wireless LANs. If you already know all about wireless networking, or if Odyssey has been configured for you by your network administrator, you can safely skip over this material. Some of the basic concepts used by Odyssey Client for network authentication are described in the following topics:

• “Network security overview” on page 10
  - “Encryption and association for secure authentication” on page 11
• “The 802.11 wireless networking standard” on page 12
  - “Types of wireless networks” on page 12
  - “Wireless network names” on page 14
  - “Wired-Equivalent Privacy (WEP)” on page 14
  - “Wi-Fi Protected Access (WPA or WPA2) and TKIP/AES” on page 15
• “The 802.1X standard” on page 16
  - “Extensible Authentication Protocol (EAP)” on page 17
  - “Reauthentication” on page 21
  - “Session resumption” on page 21

Network security overview

With wired networking, most organizations can rely on physical security to protect their networks. An attacker would have to be physically inside a company’s offices to be able to plug in to the LAN in order to generate or observe network traffic. For wireless networks, all it takes to gain physical access to the network is a device with a wireless card and a comfortable spot in the parking lot outside of the building, or in the office next door.

Odyssey Client provides you with the ability to make network connections using protocols that adhere to one or more of these sets of standards:

• The IEEE (Institute of Electrical and Electronics Engineers) standards for wireless LANs known as 802.11. These standards include 802.11a, 802.11b, and 802.11g.
• The IEEE 802.11i enhancements to 802.11 were introduced to overcome some of the security weaknesses of 802.11.
• Wi-Fi Alliance’s WPA2 (with AES encryption) adheres to the strong 802.11i enhancements.
• Wi-Fi Alliance’s WPA (with AES or TKIP encryption) complies with a subset of 802.11i, and, although not as strong as WPA2, addresses some of the security weaknesses of 802.11 as well.
• The IEEE has also created the 802.1X standard to supplement the 802.11 standards with secure server-based wireless network connections.

The following features can make wireless networks secure:

• A user must be authenticated by the network before he or she is allowed access, to make the network safe from intruders.
• The wireless connection between a PC and access point must be encrypted, so eavesdroppers cannot access data that is supposed to be private.
• The network must be authenticated (trusted) by the user before the user allows his or her credentials to be released to the network in order to make a network connection. This prevents a wireless device that may be posing as a legitimate network from impersonating the network and gaining access to the user’s PC.
• The mutual authentication between user and network must be cryptographically protected. This type of mutual authentication, which requires 802.1X-based protocols, prevents connections to phony networks.

Encryption and association for secure authentication

In order to establish a wireless connection with an access point, a wireless client must associate with the access point. In order for a wireless client device to access a secure network, it must authenticate to the network. The following items briefly define the terminology necessary to understand association, data encryption, and authentication:

• Association is the method by which a client first establishes a relationship with an access point.
• Data encryption is used to secure data that is exchanged between a client device and an access point (or another client device).
• Each data encryption algorithm requires encryption keys. Encryption keys may also be used for access point association.
• Once a wireless client has associated with an access point, the user of that client device may be authenticated to the network. Authentication is used to secure the relationship between a user of a wireless client device and an authentication server. Wireless network authentication is based on the 802.1X standard, and may use cryptographically strong (and dynamically generated) encryption keys.

There are several methods for providing secure authentication over a wireless network. Each method requires data encryption, and, consequently, some method for specifying or generating encryption keys. Some of these methods are known to be more secure than others:

• Preconfigured secrets, called WEP keys. These keys are intended to encrypt the data transferred between the client and the access point and can be used to keep unauthorized users off the wireless network as well as to encrypt the data of legitimate users. See “Wired-Equivalent Privacy (WEP)” on page 14 for a description of WEP-based encryption that complies with 802.11 standards.
• Pre-shared passphrases used to generate keys for WPA or WPA2 association. Pre-shared passphrases allow you to configure a simple phrase that is used to generate cryptographically strong encryption keys to be used with AES or TKIP encryption. AES and TKIP also periodically change the encryption keys in use. The generated keys keep unauthorized users off the wireless network and encrypt the data of legitimate users. See “Wi-Fi Protected Access (WPA or WPA2) and TKIP/AES” on page 15 for a description of AES or TKIP encryption methods that enhance the 802.11 standards.
• Authentication using an 802.1X-based protocol. This method uses a variety of underlying authentication protocols to control network access. The strongest of these protocols provide cryptographically protected mutual authentication of the user and the network, and can dynamically create keys to encrypt wireless data. 802.1X-based authentication can use WEP, AES, or TKIP encryption, depending on network hardware/firmware. See “The 802.1X standard” on page 16 for information on authentication using 802.1X. See “Wi-Fi Protected Access (WPA or WPA2) and TKIP/AES” on page 15 for a description of some of the strongest available association and encryption modes. The 802.1X methods are also viable for wired 802.1X-based network connections.

The 802.11 wireless networking standard

There are many types of wireless communication. Odyssey Client is designed to work over networks that adhere to the IEEE 802.11 wireless LAN standards, as well as the Wi-Fi Alliance enhancements to these standards. In addition to describing modulation and data framing, this standard includes an authentication and encryption method called Wired Equivalent Privacy (WEP). Many corporations deploy secure wireless 802.11 networks, and 802.11 networks are commonly found in hotels, airports, and other “hotspots” as a means of internet access.

The following attributes of the 802.11 standard are described here:

• Types of wireless networks
• Wireless network names
• Wired-Equivalent Privacy (WEP)

See also the following topics:

• “Wi-Fi Protected Access (WPA or WPA2) and TKIP/AES” on page 15 for information on enhancements to 802.11 association and encryption.
• “The 802.1X standard” on page 16 for information on secure wireless authentication.

Types of wireless networks

Your wireless adapter (network interface card) allows you to connect to wireless networks of two types: access point networks and peer-to-peer networks.

Access point networks

Access point networking is the most common type of wireless networking, providing for wireless access to a corporate network and the internet. In an access point network, your PC establishes a wireless connection to a device called an access point. The access point links your wireless PC to the rest of the network. An access point typically provides general network connectivity for many PCs. A single network can make use of many different access points and each access point typically has a range of several hundred feet. A company that uses wireless networking can strategically place access points so that wherever you are in the company, you are always in range of an access point that can link you to the corporate network.

Once you log in to the network, your PC is assigned an IP address on the local network. This address is provided by a network device called a DHCP server.

You may also find access points at other locations outside of your company building. For example, you may find access points at hotels, airports, or internet cafes, or you may have your own access point on your home network. Some of these locations require that you log in. Others may provide network access to anyone within range.

When you connect to a network via an access point, you are using the 802.11 infrastructure mode. See “Specify the network type” on page 54 for information on configuring infrastructure network connections.

Peer-to-Peer networks

Even when no access point is available, two or more wireless clients can use peer-to-peer networking to create a private wireless network between these wireless devices. You may want to do this in order to share files, run groupware applications, or play games.

The peer-to-peer network requires no additional equipment beyond a set of two or more wireless-enabled PCs that are located within range of each other. As a result, this mode of authentication does not involve a RADIUS server, and 802.1X-based authentication is not implemented.

Normally, there is no DHCP server on a peer-to-peer network to assign IP addresses. Instead, you are connected using an “automatic private IP address” that is assigned by Windows. These addresses are in the range 169.254.0.0 to 169.254.255.255. Each PC in the peer-to-peer network is assigned such an address, enabling it to communicate with the others.

Odyssey Client User and Administration Guide


The 802.11 standard refers to this type of network connectivity as ad-hoc mode. See “Specify the network type” on page 54 and “Specify the association mode” on page 54 for information on configuring ad-hoc network connections.

Wireless network names

Each wireless network has a name. You can select the wireless network to which you want to connect by specifying its name.

Network names allow different wireless networks in the same vicinity to coexist without intruding on each other. For example, the company next door to yours may also use wireless networking. Network names allow you to distinguish access points within your enterprise wireless network from others, when you select the access point by its network name.

Network names do not, in themselves, offer any security features, and cannot prevent you from connecting to a phony network. However, 802.11 does allow for you to use a shared secret for access point association. See “Wired-Equivalent Privacy (WEP)” on page 14 and “Wi-Fi Protected Access (WPA or WPA2) and TKIP/AES” on page 15. Additionally, using secure 802.1X-based authentication methods, your company can prevent intruders from connecting to the network, and you can avoid associating with phony networks. See “The 802.1X standard” on page 16 for more information.

A network name is simply a text sequence up to 32 characters long, such as Bayonne Office, or Acme-Marketronics, or BE45789, for example. A network name is case-sensitive, so you have to be careful if you type it in. You always have the option to scan for available networks. This allows you to select the network from a list, preventing any data entry errors.

The 802.11 standard refers to a network name as Service Set Identifier, or SSID for short.
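The following added example (not part of the guide and not Odyssey Client code) reviews a scan list against one configured network, using the case-sensitivity and 32-character limit described above. The record layout, the function names and the sample scan entries are assumptions constructed for illustration; even an exact name match is reported as unauthenticated, because the name alone proves nothing about the network.

```python
from dataclasses import dataclass

# The guide gives the limit as 32 characters; this example counts UTF-8 bytes
# (assumption), which is the same thing for plain ASCII names.
MAX_SSID_BYTES = 32


@dataclass(frozen=True)
class ScanEntry:
    """One network seen in a scan (hypothetical record layout)."""
    ssid: str
    bssid: str
    association: str  # "open", "shared", "wpa" or "wpa2"


def check_ssid(ssid: str) -> str:
    """Reject names that cannot be a valid network name."""
    if not 1 <= len(ssid.encode("utf-8")) <= MAX_SSID_BYTES:
        raise ValueError("network name must be 1 to 32 bytes long")
    return ssid


def classify(configured_ssid: str, configured_mode: str, entry: ScanEntry) -> str:
    """Compare one scan entry with the network the client is configured for."""
    if entry.ssid == configured_ssid:
        if entry.association == configured_mode:
            # Same name, same mode: still only a name. Server authentication
            # (802.1X with a trusted server) is what confirms the network.
            return "name-match-unauthenticated"
        # Same name but a different association mode than configured.
        return "mode-mismatch"
    if entry.ssid.strip().casefold() == configured_ssid.strip().casefold():
        # Differs only by case or surrounding blanks: easy to pick by mistake.
        return "lookalike"
    return "unrelated"


def review_scan(configured_ssid: str, configured_mode: str, entries):
    """Return (entry, verdict) pairs for every network in the scan."""
    check_ssid(configured_ssid)
    return [(e, classify(configured_ssid, configured_mode, e)) for e in entries]


# Constructed sample scan; names reuse the guide's examples, addresses are made up.
SAMPLE_SCAN = [
    ScanEntry("Acme-Marketronics", "02:00:00:00:00:01", "wpa2"),
    ScanEntry("Acme-Marketronics", "02:00:00:00:00:02", "open"),
    ScanEntry("acme-marketronics", "02:00:00:00:00:03", "wpa2"),
    ScanEntry("Bayonne Office", "02:00:00:00:00:04", "wpa"),
]

if __name__ == "__main__":
    for entry, verdict in review_scan("Acme-Marketronics", "wpa2", SAMPLE_SCAN):
        print(f"{entry.ssid!r:22} {entry.bssid}  {entry.association:6} {verdict}")
```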

Wired-Equivalent Privacy (WEP)

You can use WEP (Wired-Equivalent Privacy) to provide security during association with access points (or other clients) and to encrypt data transferred between your client device and the access point. When you use WEP for data encryption, you can configure access point association in one of two modes:

- Shared: Use this mode when the access point requires that you preconfigure a WEP key for association. When 802.11-based preconfigured (static) WEP keys are in use, both the client and the access point share the same secret keys, and a client is not allowed to access the network unless it can prove it knows the same preconfigured WEP keys assigned to the access point. You can configure shared association through Network properties of Odyssey Client.
- Open: Use this mode for WEP-based data encryption (or with no data encryption) when the access point does not require that you preconfigure a WEP key for association. You can configure open association through Network properties of Odyssey Client.

NOTE: You can obtain stronger network security when you use open or shared association with dynamic encryption key generation and 802.1X-based authentication. For shared association, a preconfigured key that is used only for access point association is still required (while keys for data encryption are dynamically generated). See “The 802.1X standard” on page 16, and “Extensible Authentication Protocol (EAP)” on page 17 for more information.

See the following topics:

- “Specify the association mode” on page 54 for directions for selecting an association mode in Odyssey Client.
- “Specify an appropriate encryption method for your association mode” on page 55 for directions for selecting WEP encryption when using the shared or open association mode.
- “Preconfigured keys (WEP)” on page 56 to use static WEP keys with Odyssey Client.

NOTE: You can also use preconfigured keys for WEP data encryption for securing peer-to-peer network connections. In this case, all clients in the peer-to-peer network must share the same WEP keys.

Wi-Fi Protected Access (WPA or WPA2) and TKIP/AES

As an enhancement to the 802.11 wireless standard, the Wi-Fi Protected Access (WPA) and the stronger Wi-Fi Protected Access 2 (WPA2) association modes encompass a number of security enhancements over Wired-Equivalent Privacy. These enhancements include the following:

- Improved data encryption via TKIP (temporal key integrity protocol) for WPA. TKIP provides stronger encryption than WEP.
- Improved data encryption for WPA2 via AES. AES provides stronger encryption than WEP or TKIP.
- WPA and WPA2 allow for keys to be generated for TKIP (or AES) encryption from a pre-shared passphrase. Although your passphrase may be simple, these encryption methods can generate cryptographically strong encryption keys from a simple passphrase. Consequently, these encryption methods are stronger than WEP encryption based on preconfigured WEP keys. If you configure a passphrase for key generation for your access points, you cannot use 802.1X-based authentication and you must configure the same passphrase in Odyssey Client.

When the access point hardware in your network requires that you associate via the enhanced WPA or the stronger WPA2 association mode, you can configure Odyssey Client to associate in that mode. If the hardware is configured for TKIP or the stronger AES encryption, you can configure Odyssey Client for either of these enhanced data encryption methods as well.

You should configure your access points and clients for network connections that use the strongest association and encryption methods that are supported by your network access points.

NOTE: You can obtain stronger network security when you use WPA2 or WPA with dynamic encryption key generation and 802.1X-based authentication. See “The 802.1X standard” on page 16, and “Extensible Authentication Protocol (EAP)” on page 17 for more information.

See the following topics:

- “Specify the association mode” on page 54 to use WPA2 or WPA association mode with Odyssey Client.
- “Specify an appropriate encryption method for your association mode” on page 55 to use AES or TKIP encryption with WPA2 or WPA association.
- “Pre-shared keys (WPA or WPA2)” on page 56 to configure a passphrase that is used in encryption key generation.

NOTE: You can also use a preshared passphrase to generate encryption keys for TKIP or AES data encryption for securing peer-to-peer network connections. In this case, all clients in the peer-to-peer network must share the same passphrase.
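The passphrase-to-key step described in this section, as an added example that is not part of the guide and not Odyssey Client code. It assumes the derivation defined for pre-shared-key mode in IEEE 802.11i (PBKDF2 with HMAC-SHA1, the network name as salt, 4096 iterations, 256-bit output); the function names and the sample passphrases are constructed for illustration. It shows that the derived key is long and uniform-looking but fully determined by the passphrase and network name, so every client configured with the same passphrase holds the same key.

```python
import hashlib
import hmac

PBKDF2_ROUNDS = 4096  # iteration count fixed by IEEE 802.11i
PSK_BYTES = 32        # 256-bit pre-shared key

# Published IEEE 802.11i test vector: passphrase "password", network name "IEEE".
IEEE_VECTOR = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def check_passphrase(passphrase: str) -> str:
    """A WPA/WPA2 passphrase is 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    return passphrase


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Stretch a passphrase into the 256-bit key used for key generation.

    The network name is the salt, so the same passphrase gives a different
    key on a differently named (or differently capitalised) network.
    """
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("network name must be 1 to 32 bytes long")
    secret = check_passphrase(passphrase).encode("ascii")
    return hashlib.pbkdf2_hmac("sha1", secret, salt, PBKDF2_ROUNDS, PSK_BYTES)


def clients_share_key(passphrase_a: str, passphrase_b: str, ssid: str) -> bool:
    """True when two client configurations end up with the same key."""
    return hmac.compare_digest(derive_psk(passphrase_a, ssid),
                               derive_psk(passphrase_b, ssid))


if __name__ == "__main__":
    # Self-check against the published vector.
    print("vector ok:", derive_psk("password", "IEEE").hex() == IEEE_VECTOR)

    # Constructed sample values: two clients on the guide's example network.
    ssid = "Bayonne Office"
    print("same passphrase, same key:",
          clients_share_key("Bayonne-2004", "Bayonne-2004", ssid))
    print("one letter differs, keys differ:",
          not clients_share_key("Bayonne-2004", "bayonne-2004", ssid))
    print("key for", repr(ssid), "=", derive_psk("Bayonne-2004", ssid).hex())
```

Because the key is shared by every client that knows the passphrase, replacing the passphrase means reconfiguring all of them, which is the administrative problem the 802.1X discussion that follows addresses with per-user, per-session keys.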

The 802.1X standard

The IEEE 802.1X protocol provides authenticated access to a LAN. This standard applies to wireless as well as wired networks. In a wireless network, the 802.1X authentication occurs after the client has associated to an access point using an 802.11 association method. Wired networks use the 802.1X standard without any 802.11 association.

The WEP protocol using preconfigured keys has various shortcomings, both in terms of ease of administration, as well as security. Although the encryption methods calculated from keys generated from pre-shared passphrases are stronger than WEP encryption calculated from static WEP keys, the use and distribution of passphrases can also pose administrative and security problems.

The use of 802.1X protocols in wireless networks has been found to alleviate these problems. Using preconfigured WEP keys, it is the wireless client PC that is authenticated to the network. With 802.1X, it is the user that is authenticated to the network with the user credentials, which may be a password, a certificate, SIM card, or a token card. Moreover, the keys used for data encryption are generated dynamically.

The authentication is not performed by the access point, but rather by a central server. If this server uses the RADIUS protocol, it is called a RADIUS server. With 802.1X, a user can log in to the network from any PC, and many access points can share a single RADIUS server to perform the authentication. This makes it much easier for the network administrator to control access to the network.

See the following topics for details:

- Extensible Authentication Protocol (EAP)
- Session resumption
- Reauthentication

Extensible Authentication Protocol (EAP)

802.1X uses the protocol called EAP (Extensible Authentication Protocol) to perform authentication. EAP is not an authentication mechanism per se, but is a common framework for transporting actual authentication protocols. The advantage of EAP is that the basic EAP mechanism does not have to be altered as new authentication protocols are developed.

Odyssey provides a number of EAP protocols, allowing a network administrator to choose the protocols that work best for a particular network.

The newer EAP protocols have an additional advantage: they can dynamically generate the keys that are used with either WEP, TKIP, or AES to encrypt data between the client and the access point. Dynamically created keys have an advantage over preconfigured keys because their lifetimes are much shorter. Known cryptographic attacks against WEP can be thwarted by reducing the length of time that an encryption key remains in use. Furthermore, encryption keys generated using EAP protocols are generated on a per-user and per-session basis. The keys are not shared among users, as they must be with preconfigured keys or pre-shared passphrases.

Odyssey offers a number of EAP authentication methods, including the following:

- EAP-TTLS
- EAP-PEAP
- EAP-TLS
- EAP-FAST
- EAP-LEAP

Mutual authentication

EAP-TTLS, EAP-PEAP, EAP-TLS, and EAP-FAST all provide mutual authentication of the user and the network, and produce dynamic keys that can be used to encrypt communications between the client device and access point. With mutual authentication, not only does the network authenticate the user credentials, but the client software also authenticates the network.

Mutual authentication is an important security precaution when using wireless networking. By verifying the identity of the authentication server, mutual authentication provides assurance that you connect to your intended network, and not an access point that attempts to pretend to be your network.

EAP-TTLS, EAP-PEAP, and EAP-TLS all let you authenticate the network by validating the certificate of the authentication server. If the certificate identifies a server that you trust, and if the authentication server can prove that it is the owner of that certificate, then you can safely connect to this network. These are the strongest authentication methods available, and consequently, it is highly recommended that you use only these methods for network authentication within your enterprise wireless network.

Certificates

Certificates are based on public/private key cryptography (or asymmetric cryptography). Public/private key cryptography is used to secure banking transactions, online web commerce, email, and many other types of data exchange.

Previously, if two people wanted to communicate securely, they had to share the same secret key. This one secret key had to be used to both encrypt and decrypt data. Sharing keys, however, is limiting: the more people you share your key with, the more likely it becomes that your key can be revealed.

With public/private key cryptography, there are two keys that have different values but work together — a public key, and a private key. You keep your private key secret, but reveal your public key to the whole world. Anyone can encrypt data using your public key with the certain knowledge that only your private key can decrypt it. Furthermore, only you can encrypt data with your private key, and anyone can use your public key to decrypt the data.

A certificate is a piece of cryptographic data that guarantees that a particular public key is associated with the private key of a particular entity. This entity could be an individual or a computer. A certificate contains many pieces of information that are used in mutual authentication, including a public key, and the name of the entity that owns the certificate.

Each certificate is issued by a certificate authority. By issuing a certificate, the certificate authority warrants that the name in the certificate corresponds to the certificate’s owner (much as a notary public guarantees a signature). The certificate authority also has a certificate, which, in turn, is issued by a higher certificate authority. At the top of this pyramid of certificates is the root certificate authority. The root certificate authority is typically a well-known entity that people trust, whose self-signed certificate is widely known. For example, Verisign and Thawte are public root certificate authorities. Many corporations have set up their own private root certificate authorities as well.

Each certificate has a fixed duration and can expire. Additionally, a certificate granting authority can revoke a certificate. Expired or revoked certificates are not valid, but certificates can be re-issued or renewed.

A sequence of certificates through any intermediate certificate authorities up to the root certificate authority is called a certificate chain. Certificate chains are typically no more than several certificates in length. In many cases, a chain consists of two certificates — an end entity certificate and a root certificate.

Certificates are ideally suited for authentication. The disadvantage of certificates is that, while it is fairly easy to provide certificates to servers, it is much harder to provide certificates to users. This is because, at any given company, the number of servers that may require certificates is relatively small, but the number of users can be enormous. For your company to provide certificates to each of its employees can be a daunting management task, and may require a level of administration that your company is not prepared to undertake.

EAP-TLS

EAP-TLS is a protocol devised by Microsoft, based on the TLS (Transport Layer Security) protocol that is widely used to secure web sites. It requires that both user and authentication server have certificates for mutual authentication. While EAP-TLS is cryptographically strong, it requires that the corporation that deploys it maintain a certificate infrastructure for all of its users.

EAP-TTLS

EAP-TTLS is a protocol devised by Funk Software and Certicom. It is designed to provide authentication that is cryptographically as strong as EAP-TLS, while not requiring that each user be issued a certificate. Instead, only the authentication servers are issued certificates.

User authentication is performed using a password or other credentials. The credentials are transported in a securely encrypted “tunnel” that is established using the server certificate. Within the EAP-TTLS tunnel, you can employ any of a number of inner authentication protocols. See “TTLS Settings” on page 47 for more information on configuring inner protocols for tunneled authentication.

With EAP-TTLS, it is not necessary to create a new infrastructure of user certificates. User authentication can be performed against the same security database that is already in use on the corporate LAN. For example, Windows Active Directory, or an SQL or LDAP database may be used.

EAP-PEAP

EAP-PEAP is comparable to EAP-TTLS, both in its method of operation and its security. However, EAP-PEAP is not as flexible as EAP-TTLS and it does not support the range of inside-the-tunnel authentication methods that EAP-TTLS supports.

Commercial implementations of this protocol that started appearing at the beginning of 2003 were beset with interoperability problems. Nevertheless, this protocol is supported by Microsoft and Cisco and is in widespread use. EAP-PEAP is a suitable protocol for performing secure authentications against Windows domains and directory services.

See “PEAP Settings” on page 49 for more information on configuring inner protocols for EAP-PEAP authentication.

EAP-FAST

EAP-FAST is an EAP authentication method created by Cisco. Like EAP-TTLS and EAP-PEAP, EAP-FAST offers password-based 802.1X authentication that encapsulates user credentials inside a TLS tunnel. Unlike other tunneled protocols, however, a server certificate is not required as a means of establishing a tunnel. Consequently, although EAP-FAST is resistant to dictionary attacks through the use of tunneled credentials, without the protection of a server certificate, EAP-FAST authentication can be vulnerable to man-in-the-middle attacks (and subsequent off-line dictionary attacks).

EAP-LEAP

EAP-LEAP (Lightweight EAP, also known as EAP-Cisco Wireless) is a protocol developed by Cisco to allow users to be authenticated using their Windows credentials, without the use of certificates. The data exchange in EAP-LEAP is fundamentally similar to the exchange that occurs when a user logs in to a Windows Domain Controller.

EAP-LEAP is very convenient because it is Windows compatible. However, because EAP-LEAP does not use certificates, it relies on the randomness of the user password for its cryptographic strength. As a result, when user passwords are relatively short, or insufficiently random, a wireless eavesdropper observing an EAP-LEAP exchange can easily mount a dictionary attack to discover these weak passwords.

Reauthentication

When you reauthenticate to your network, encryption keys are refreshed and any new or updated security policies that are implemented on the network are applied to your network connection. You can configure automatic periodic reauthentication to the network using Odyssey Client. Periodic reauthentication serves two purposes:

- As a general security measure, it verifies that you are still on a trusted network.
- It results in distribution of fresh shared keys to your PC and access point. The access point may use these shared keys to refresh the keys used to encrypt data. By frequently refreshing keys, you can thwart cryptographic attacks.

See “Automatic reauthentication” on page 74 for more information on configuring this feature.

Session resumption

When you first authenticate using EAP-TTLS, EAP-PEAP, or EAP-TLS, a fair amount of intensive computation is performed both on your client PC and on the network authentication server. Private keys must be used to encrypt or sign data, signatures on certificates must be validated, password credentials must be checked, and so on.

Once you have authenticated a connection to the network, your network session begins. During a session, any subsequent authentications to the same network server can be accelerated by reusing the secret information that is derived during the first authentication. This is called session resumption. You can configure client-side session resumption features that apply to the certificate-based protocols using Odyssey Client.

It is usually a good idea to enable session resumption. The necessity for some form of reauthentication occurs fairly frequently in wireless networking, particularly when you are moving between access points. Each time you connect with a new access point, a new authentication occurs. The less time it takes to perform that authentication, the less likely you are to experience a momentary stall in your network applications. Plus, using session resumption puts less load on the authentication server.

Session resumption results in the distribution of new keys to the client and to the access point, just as a fresh authentication does. See “Session resumption” on page 74 for more information on using this feature.

NOTE: If your network does not permit session resumption then any configured client-side session resumption features are ignored.


Chapter 4 Using Odyssey Client Manager

Odyssey Client Manager Overview

Odyssey Client Manager is the Windows interface that allows you to control and configure the Odyssey Client product. This interface is consistent for all platforms on which you can run the product.

If your system administrator has configured Odyssey Client for you in advance, chances are that you only need to use the main Connection panel of the Odyssey Client Manager. Depending on your configuration, you can use this panel for some or all of the following tasks:

- Connect to a network using a wireless or wired connection
- Reconnect to a network
- Reauthenticate to a network
- View connection information

More advanced tasks that you or your system administrator may want to perform include the following:

- Adding a wireless or wired adapter
- Creating a user profile and configuring authentication for that profile
- Adding or editing network properties
- Configuring trusted servers

See the following topics to learn about operating all features of Odyssey Client Manager:

- “Starting Odyssey Client Manager” on page 24
- “Odyssey Client Manager display” on page 25
- “Connection panel” on page 27
- “Profiles panel” on page 36
- “Networks panel” on page 50
- “Auto-Scan Lists panel” on page 58
- “Trusted Servers panel” on page 60
- “Adapters panel” on page 69
- “Settings menu” on page 71
- “Commands Menu” on page 87
- “Web menu” on page 90
- “Help Menu” on page 91
- “Tray icon menu commands” on page 92
- “Shortcut keys” on page 94
- “Using Odyssey Client with some features disabled” on page 94
- “Interaction with other adapter software” on page 95

Starting Odyssey Client Manager

You can start Odyssey Client Manager in any of the following ways:

- From the System Tray: Double-click the Odyssey icon, or right-click it and choose Odyssey Client Manager.
- From Control Panel on your PC: Double-click the Odyssey Client Manager icon.
- From the Windows taskbar: Select Start > Programs > Funk Software > Odyssey Client > Odyssey Client Manager.

NOTE: The System Tray is the lower right corner of your monitor, where some application icons are displayed.

The Odyssey icon looks like this [icon image], although it may not have the same color.

Odyssey Client Manager display

The features available from the Odyssey Client Manager depend on your connection, as well as on your configuration. See the following topics:

- Display for user-authenticated connections
- Display for machine only connections
- Tray and menu commands
- Locked (read-only) features

Display for user-authenticated connections

For most network connections, Odyssey Client Manager consists of a number of panels that allow you to control different aspects of its operation:

- Use the Connection panel to control your network connection and display your current connection status.
- Use the Profiles panel to set information that is used when you authenticate, or log in, to the network, such as your password or certificate.
- Use the Networks panel to configure different wireless networks and how you want to connect to them.
- Use the Auto-Scan Lists panel to specify ordered groups of wireless networks for seamless connection.
- Use the Trusted Servers panel to set certificate and identity information about the servers that may authenticate you when you connect, to ensure that you are logging in to the network that you intend.
- Use the Adapters panel to configure one or more network adapters (interface cards) for wired or wireless networking.

All of the panels are listed at the left of the Odyssey Client Manager display. Click the name of any panel to view or modify it.


Display for machine only connections

If you are connected to the network via the credentials of your client machine (as opposed to your own user credentials), then you can only see connection information from the Odyssey Client Manager display, since there is no data to configure. When you establish a machine connection, you cannot access the Odyssey Client Manager panels. In this case few of the Odyssey Client Manager features are available.

If you are a system administrator, you can find more information about configuring connections with machine credentials in the following topics:

- “Machine Account” on page 104
- “Connection Settings” on page 99
- “Testing your settings” on page 126

Tray and menu commands

In addition to the Odyssey Client Manager panels, the display includes a number of commands that you can use from the following menus:

- Settings menu
- Commands Menu
- Web menu
- Help Menu

Some commands are also available if you right-click the Odyssey icon in the System Tray.

Locked (read-only) features

It is possible that your system administrator has locked, or partially locked, all or some Odyssey Client features with your configuration. You can view any features that are locked, but you cannot edit them. For partially locked profiles, you are permitted to edit your user credentials. The fact that a feature is locked is noted on its associated properties dialog title, as in the following example.

Features of this dialog are locked, as indicated by its title.

Connection panel

The Connection panel lets you select an adapter, establish a connection on it, and display your current connection status.


You can perform the following tasks in the Connection panel:

- Select an adapter with which to make your network connection
- Connect to a network (wireless connections only)
- Connect using profile (wired connections only)
- Configure multiple simultaneous network connections
- Scan for wireless networks
- Reconnect to a network
- Reauthenticate to a network
- Disconnect from a network connection
- View connection information
- View informational graphics and detailed status

NOTE: The Connection panel display and features vary when you connect from a wired adapter, or if you connect to the network via machine credentials. For example, the scanning feature is unavailable in these cases.

Select an adapter

If you or your administrator has configured more than one adapter for use with Odyssey Client, then you can use the Adapter drop-down list in the Connection panel to associate any of those adapter cards with a network connection.

Once you select an adapter, the Adapter type field on the Connection panel is updated to reflect the type (wireless or wired) of adapter you select.

Connect to a network (wireless connections only)

When you connect to a network using a wireless adapter, you specify all the information required for the connection using an Odyssey Client network definition. When you define a network in Odyssey Client, you also must associate the user authentication information you specify in an Odyssey Client profile definition.

The Connect to network check box on the Connection panel lets you connect and disconnect from the wireless network. If you want to be connected to a wireless network, make sure to check this box.

The drop-down list to the right of Connect to network lets you select a wireless network or auto-scan list to connect to. The only items that appear on this list are the individual networks that you have already configured using the Networks panel, and auto-scan lists that you have specified using the Auto-Scan Lists panel.

Any auto-scan lists that you have already created appear at the top of the list. These are followed by the names of configured networks. Network names appear in angled brackets, after any network description text that you have specified. Both networks and auto-scan lists have icons before the name:

- [icon image] for networks
- [icon image] for auto-scan lists

To connect to a network that you have already configured:

1. Select the network or the auto-scan list you want to connect to from the drop-down list to the right of Connect to network.
2. Check Connect to network, if it is not already checked.

If you have selected an auto-scan list, then the first network in the list that responds to the authentication request is generally the network to which you connect.

To disconnect from a wireless network, uncheck Connect to network.


Connect using profile (wired connections only)

When you make a network connection using a wired connection, you specify all of the required connection information in a user profile. As a result, when you configure a wired connection, you connect using an Odyssey Client profile.

The Connect using profile check box lets you connect and disconnect from the wired 802.1X network switch. If you want to be connected, make sure this box is checked.

The drop-down list to the right of Connect using profile lets you select the profile you want to use for the wired connection. All profiles that you have already specified in Odyssey Client appear on the list.

To connect using a profile that you have already specified:

1. Select the profile from the drop-down list to the right of Connect using profile.
2. Check Connect using profile, if it is not already checked.

To disconnect from a wired network, uncheck Connect using profile.

Configure multiple simultaneous network connections

Each adapter on your computer can have its own connection. This means that if you have two wireless adapters, for example, you can have two simultaneous connections to wireless networks. Similarly, you can simultaneously run a wired connection and a wireless one. You can have as many network connections running simultaneously as you have adapters installed on your machine and configured with Odyssey Client.

To connect to more than one configured network using multiple adapters:

1. Select an adapter from the Adapter drop-down list on the Connection panel.
2. Assign a network or an auto-scan list to this connection for wireless connections, or assign a profile for wired connections.

Repeat these steps for each adapter whose network connection you want to establish. You can use the Adapter drop-down list on the Connection panel to toggle between the adapters you have configured for multiple network connections, and hence monitor your multiple network connections.


Scan for wireless networks

If you travel frequently, you may want to authenticate through locally available wireless networks that you have not already configured. To connect to a wireless network that is not yet configured, follow these steps:

1. Click Scan on the Connection panel. Odyssey Client surveys the air waves and displays a list of all wireless networks that are currently reachable.
2. Select the network to which you want to connect, and click OK. If you have not yet configured settings for this network, Add Network appears. Specify settings and click OK. Once you check Connect to network on the Connection panel, Odyssey Client attempts to connect to the network.

NOTE: Only those wireless networks that are configured by an administrator to “send beacons” are visible to you when you scan. If “send beacons” is off, then you must enter the network from the Networks panel.

Reconnect to a network

When you click Reconnect on the Connection panel, Odyssey Client disconnects any existing connection for the currently selected adapter and starts a brand new connection to the selected wireless network. The new connection may be with a different access point (on the same network) than your previous connection, depending on factors such as signal strength. If authentication is in use on this network, you are reauthenticated when the new connection starts. If dynamic encryption keys are in use, they are refreshed. Note that you do not have this feature available if you are connected using a wired adapter.

You probably do not need to use this button often. However, there may be times when your connection is not performing as well as it should. Clicking Reconnect can sometimes help, particularly if it results in a connection with an access point that is able to provide better service.

Reauthenticate to a network

When you click Reauthenticate on the Connection panel, Odyssey Client reauthenticates you over the existing connection shown in the display, without starting a new connection. If dynamic encryption keys are in use, they are refreshed.

Disconnect from a network connection

To disconnect a network connection, uncheck Connect to network for wireless connections, or Connect using profile for wired connections.

View connection information

The Status field on the Connection panel displays the current status of your connection to the network through this adapter. One of the following messages appears:

| Status message | Definition |
|---|---|
| open and authenticated | The connection is authenticated, and you are connected. |
| open / authenticating | Reauthentication is in progress, and you are connected. |
| open / requesting authentication | You have requested reauthentication, and you are connected. |
| open | The connection is not authenticated, but you are connected. |
| peer-to-peer | The network type is peer-to-peer (ad hoc), and you are connected. |
| authenticating | You are not yet connected, but authentication is in progress. |
| requesting authentication | You are not yet connected, but you have requested authentication from the access point. |
| waiting to authenticate | You are not yet connected and the last authentication failed, but you are waiting to retry. If you see this message for a considerable length of time, you may be experiencing an association problem. If so, check the association mode required for your access point. |
| searching for access point | You are not connected, and communication with an access point on the requested network has not been established. This may occur when your adapter does not support 802.1X, or if your access point is not within range. |
| searching for peer(s) | You are not connected, and communication with other PCs on the peer-to-peer network has not been established. |
| disconnected | You are not connected, and Connect to network may be unchecked. See “Connect to a network (wireless connections only)” on page 29 for how to connect. |
| Odyssey is disabled | You are not connected and Odyssey Client has been disabled. |
| adapter not present | You are not connected and the configured adapter is not currently available. This may occur when your adapter does not support 802.1X. |
| cable unplugged | You are not connected. This can occur if you have a wired connection, but your cable is unplugged. |

The Elapsed time field on the Connection panel displays the time that has elapsed since the current connection has begun.

The Network (SSID) field displays the name of the wireless network to which you are connected. See “Wireless network names” on page 14. This field is not displayed when you view the status of a network connection that uses a wired adapter.

The Access point field displays the name (NASID) of the wireless access point to which you are connected. If this name is not available, the access point MAC address is displayed instead. A MAC address is a unique 48-bit number encoded into a device by the manufacturer.

The IP address field displays the IP address that is assigned to your Odyssey Client connection.

The Packets in/out field displays the total number of network packets received and transmitted since this connection began.

View informational graphics and detailed status

Three graphical status buttons at the bottom right corner of the Connection panel give you a visual indication of the status of your connection:

- Signal power status
- Connection status
- Encryption key information

You can use the mouse or the keyboard to view detailed connection status information from any of these buttons:

- Using the mouse: Point to a graphical status button with the mouse, and hold down the left-click button.
- Using the keyboard: Tab over to a graphical status button and hold down the space bar.

Signal power status

The signal power graphic shows you how strong the signal is between your PC and the access point. The more bars that are filled in, the stronger the signal. You can interpret the signal power status graphic as follows:

- Strong signal power
- Moderate signal power
- Weak signal power
- Faint signal power
- No signal power

Hold down your mouse button while clicking this icon to see the signal power measured in decibels.

Connection status

The connection status button (with the Odyssey “sailing boat” icon) shows the state of your connection and whether you are authenticated.

- (outline) not connected
- (red) not connected, due to failed authentication
- (black) connected, but authentication not in use
- (blue) connected and authenticated

Hold down your mouse button while clicking this icon to see details of the last authentication that was performed over this connection. The information you see depends on your authentication method and access point, and may include the following:

- Result of your last connection attempt
- Type of authentication
- Elapsed time (since last connection)
- Cipher suite used to secure credential exchange
- Access point identification information

Encryption key information

The encryption key information button indicates whether or not encryption keys are in use over this connection.

- (outline) data is not encrypted
- (black) data is encrypted using static keys
- (blue) data is encrypted using dynamic keys (802.1X)

Hold down this button to see the following information:

- Global encryption: The size (in bits) of global encryption keys
- Access point encryption: The size (in bits) of access point encryption keys

NOTE: An encryption key has a secret part that is either 40 or 104 bits long, and a 24-bit long non-secret part that changes for each packet. Thus, the total key is either 64 or 128 bits long. Odyssey Client Manager reports the length of the secret part, which is either 40 or 104 bits.
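How the two parts described in the note combine for each packet, as an added example that is not Odyssey Client code: assuming the keys in question are WEP keys, the 24-bit non-secret part (the initialization vector) travels in clear at the front of the frame body and is prepended to the secret to seed RC4, and a CRC-32 integrity check value is encrypted along with the data. The function names and the sample secret, IV and payload are constructed for illustration.

```python
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher: key scheduling, then XOR data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def key_bits(secret: bytes) -> tuple:
    """Return (secret bits, total bits): the total adds the 24-bit IV."""
    return len(secret) * 8, (len(secret) + 3) * 8


def icv(data: bytes) -> bytes:
    """Integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encapsulate(secret: bytes, iv: bytes, data: bytes, key_id: int = 0) -> bytes:
    """Frame body = IV (clear) | key-id octet (clear) | RC4(IV+secret, data+ICV)."""
    if len(secret) not in (5, 13):
        raise ValueError("secret part must be 40 or 104 bits")
    if len(iv) != 3:
        raise ValueError("IV must be 24 bits")
    return iv + bytes([(key_id & 0x03) << 6]) + rc4(iv + secret, data + icv(data))


def wep_decapsulate(secret: bytes, frame: bytes) -> bytes:
    """Read the IV from the clear header, decrypt, and verify the ICV."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    iv, body = frame[:3], frame[4:]
    clear = rc4(iv + secret, body)
    data, received_icv = clear[:-4], clear[-4:]
    if icv(data) != received_icv:
        raise ValueError("ICV mismatch")
    return data


if __name__ == "__main__":
    secret = bytes.fromhex("0102030405060708090a0b0c0d")  # constructed 104-bit secret
    iv = bytes.fromhex("a1b2c3")                          # constructed 24-bit IV
    frame = wep_encapsulate(secret, iv, b"constructed payload")
    print("secret/total bits:", key_bits(secret))
    print("IV visible in frame header:", frame[:3].hex())
    print("recovered:", wep_decapsulate(secret, frame))
```
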


Profiles panel

An Odyssey Client profile contains all the information necessary to authenticate you to the network. This includes information such as your login name, your password or certificate, and the protocols by which you can be authenticated. Your profile is, in effect, the identity that you present to the network and the means that you use to prove that identity.

You can have different profiles for different networks. For example, you may have different login names or passwords on different networks, or you may use a password on one network, and a certificate on another.

The Profiles panel lists all the profiles that have been configured. When you first use Odyssey Client Manager, you may find a profile called Initial Profile, containing commonly used settings. Alternatively, your network administrator may have already created one or more profiles for you.

Each profile you configure is displayed in the list.

- To add a profile, click Add. Profile Properties appears. Set the name for the new profile, configure the settings, and click OK.
- To remove a profile, select the profile and click Remove.
- To modify a profile, select the profile and click Properties, or double-click the profile. Profile Properties appears. Modify the settings and click OK.

Profile properties

Add Profile (or Profile Properties) allows you to configure a profile. It is displayed when you click Add (or Properties) from the Profiles panel.

When you add a new profile to Odyssey Client, type a unique name for the profile in the Profile name field of Add Profile. For example, you may want to use Office for the profile associated with your place of employment, and Home for your home network.

Once you specify and save a profile, you do not have the ability to edit the profile name when you edit any of its other profile properties. You can, however, remove the profile and create a new one with a different name.

In addition to the profile name, you can configure (and edit) the following information in a profile:

- Login name
- Password and/or certificate
- A specification of the authentication protocols that can be used to authenticate you to the network

You can specify these using the four tabs of Add Profile:

- User Info
- Authentication
- TTLS Settings
- PEAP Settings

User Info

You can configure the name you use to log in, as well as your password and/or certificate information from the User Info tab.

Enter your user name into the Login name field. This is the name that is presented to the network when you authenticate. If you authenticate against a Windows Active Directory, use the form domain\user name (for example, Acme\george). Otherwise, use a login name that matches the form of the user name as it is stored in the authentication database. Note the following:

- If you are logged into your network domain (as opposed to your machine), by default, Odyssey Client populates this field with the standard network form, domain\user name, where user name is your user name.
- If you are logged in to your client machine (as opposed to any network domain), Odyssey Client populates this field with your user name only.
- It is possible that you must add some text after your login name for the purpose of routing your authentication to the proper server. For example, acme\[email protected]. Your network administrator can tell you how to set this field correctly.
- If you are configuring this profile for use with a SIM card, make sure that your login name is of the form that is required by your provider. The standard format is username@realm.

User Info has three sections that you can configure from the tabs at the bottom:

- Password: You must configure this section when you use authentication protocols that require a password (e.g. EAP-TTLS).
- Certificate: You must configure this section when you use authentication protocols that require a certificate (e.g. EAP-TLS).
- SIM Card: You must configure this section when you authenticate using a SIM card. This feature requires a special license.

User Info has two additional sections that you can configure:

- Password: You must configure this section when you use authentication protocols that require a password (e.g. EAP-TTLS).
- Certificate: You must configure this section when you use authentication protocols that require a certificate (e.g. EAP-TLS).

Password

You must configure passwords when you select authentication methods for this profile that require passwords. The following authentication methods require passwords:

- EAP-TTLS
- EAP-PEAP
- EAP-LEAP
- EAP-FAST
- EAP-MD5-Challenge

Check Permit login using password to enable authentication methods that use your password for authentication. When the time comes to authenticate, Odyssey Client can obtain your password in one of several ways:

- Select Use Windows password if you want to authenticate to the network using the same password you present when you log in to Windows. You cannot select this option if you are running under Windows 98, 98 SE, or Me.
- Select Prompt for password if you want Odyssey Client to prompt you when it is time to authenticate.
- Select Use the following password and enter a password in the box below, if you want Odyssey Client to save your password and use it each time you authenticate with this profile.

NOTE: If you are running under Windows 98, 98 SE, or Me, and you have selected the Use the following password option, you must reenter the password in this field whenever you change your Windows password.

If you select Prompt for password, you are generally only prompted the first time that you are authenticated after startup. Odyssey Client remembers this password and reuses it for the duration of your Windows session. The password you enter applies only to a single profile. If you are authenticated using a different profile, you are prompted again.

You may also be prompted to enter your Windows password when connecting to the network under some conditions, including the following:

- You accidentally enter an incorrect password or have any other type of authentication failure. This feature is in place, in part, so as to prevent accidental lockout due to the reuse of bad passwords.
- You are required to change your Windows password periodically, and you are accessing the network with EAP-TTLS or PEAP authentication before Windows logon.

NOTE: When you are prompted for your password, you are also given the option to bypass your Odyssey Client network connection. This option gives you an easy way to use a wired network connection when it is available, without having to change your Odyssey Client wireless connection settings in any substantial way. To use this feature, click Yes when the following dialog appears.

NOTE: You can return to the Connection panel to reset your Odyssey Client network connection at any time.

Certificate

Configure the Certificate tab under User Info in order to use certificate credentials for authentication. Note that you are required to select the EAP-TLS authentication protocol in order to negotiate authentication using certificate credentials.

Check Permit login using my certificate to enable authentication methods that use your certificate for authentication.

To select a personal certificate with which to authenticate, click Browse. A list of your personal certificates appears. Select a certificate and click OK. Once you configure a certificate, you can click View in order to view the certificate.

NOTE: This is an advanced feature. See your network administrator for information on which certificate to select if you require one.

SIM Card

When you have a license that is valid for the use of SIM cards with Odyssey Client, you can configure SIM card authentication from the SIM Card tab of the User Info tab of Profile Properties.

In order to use a SIM card when you connect to a network through Odyssey Client, you must configure an Odyssey Client user profile for use with your SIM card, and assign EAP-SIM or EAP-AKA as the authentication protocol. For SIM authentication, the user login name is used when you do not choose to use the IMSI from the SIM card. See “EAP-SIM identity” on page 43.

NOTE: Although it is not recommended that you configure protocols other than EAP-SIM and EAP-AKA for a profile used for SIM authentication, you must configure some other portions of User Info when you use other protocols in the same profile.

The following is an example of the User Info tab of a profile that is configured for SIM card connections.

In order to use Odyssey Client with your SIM card, you must check Permit login using my SIM card.

NOTE: Passwords are not required when you use SIM cards for network connections. If you intend to use only your SIM card for network connections, then uncheck Permit login using password on the Password tab. You can also leave Permit login using my certificate unchecked on the Certificate tab.

There are three more items to configure under the SIM Card tab:

- SIM card ID
- PIN settings
- EAP-SIM identity

SIM card ID

You can configure Odyssey Client to make SIM card connections in one of two ways:

- Use any SIM card that is installed. For this option, choose [any] from the list provided.
- Use a specific SIM card ID. For this option, you can either type your SIM card ID in the editable list provided, or, if you have already inserted your SIM card into your PC, you can select your SIM card ID from this list.

PIN settings

You may have set a PIN on your SIM card hardware. See “SIM Card Manager” on page 84 for information on managing your SIM card PIN. You have two choices for the PIN field for Odyssey Client:

- Select PIN is not required (default) if you are not required to use the PIN for your connections (you have no PIN assigned to your SIM card).
- Select Prompt for PIN if you enable a PIN for use with your SIM card, and you want to be prompted for your SIM card PIN each time you connect. You may want to use this option for security reasons. You must use this option when you select [any] under SIM card ID (as opposed to a specific SIM card ID).
- Select Use the following PIN in order to use the PIN that you have enabled for use with your specified SIM card ID. In this case, type the PIN in the box provided. With this option, the PIN is stored, and you are not prompted to enter it when you make a network connection.

EAP-SIM identity

Your SIM card contains an IMSI (the calling number issued by your service provider) for identification. You have two choices for entering your SIM identity:

- Select Use the IMSI from my SIM card (default) if your provider requires you to use your IMSI for identification.
- Select Use the login name I entered in this profile if you are required to use an identity (usually of the form username@realm) rather than your IMSI. In this case, you must make sure that your login name is in the form that is required by your provider. Note that when you select this option, if you allow more than one authentication protocol with this profile, then you may have a conflict with your login name. If you are required to select this option, then create a separate profile for connections that use other protocols.

Authentication

The Authentication tab lets you specify the protocols that authenticate you to the network, as well as some EAP protocol-specific options.

You can address the following areas of the Authentication tab:

- Select authentication protocols
- Validate the server certificate
- Set generic token card credential options
- Set an anonymous name

Select authentication protocols

The Authentication protocols list displays the protocols that you have enabled for authentication. You may have a single authentication protocol in the list, or you may have several. If you have more than one, you can order them by preference. The ordering you choose affects the protocol that the server uses when it has more than one protocol in common with the ones you select here. You have several options:

- To add a protocol to the list, click Add. Add EAP Protocol appears. Select one or more protocols to add, and click OK. You can select more than one protocol if you hold down Ctrl on your keyboard as you select with your mouse. Note that any protocols you have already selected are not listed in this dialog, and EAP-SIM and EAP-AKA require a special license.
- To remove a protocol listed in Authentication, select the protocol and click Remove.
- To reorder protocols, select a protocol and use the up and down arrow buttons on Authentication in order to reposition it.

NOTE: EAP-TTLS, EAP-PEAP, and EAP-FAST all use inner (tunneled) protocols. EAP-FAST uses EAP-GenericTokenCard as its inner protocol by default. You can choose among one or more inner protocols for EAP-TTLS or EAP-PEAP. See “TTLS Settings” on page 47 and “PEAP Settings” on page 49.

Validate the server certificate

Certain protocols, such as EAP-TTLS, PEAP, and EAP-TLS, allow you to verify the identity of the authentication server as the server verifies your identity. This is called mutual authentication.

Check Validate server certificate to verify the identity of the authentication server based on its certificate when authenticating with EAP-TTLS, PEAP, and EAP-TLS. (This is checked by default.)

You can specify your trusted authentication server certificates using the Trusted Servers panel. See “Trusted Servers panel” on page 60.

You should, as a general rule, check Validate server certificate. You do have the option of turning off this important security precaution, only because there may be circumstances that require it. You should only do so when your network administrator instructs you to.

Set generic token card credential options

If you select EAP-GenericTokenCard as one of your inner authentication methods, then the EAP-GenericTokenCard settings under the Authentication tab apply. These settings allow you to choose to use your password credentials or your token card ID for authentication:

- Select My password if your network requires that you use the password credentials assigned with this profile instead of your token card ID for authentication.
- Select Prompt for token information if your network requires that you use your token ID for authentication.

These options apply only under the following circumstances:

- When you select EAP-GenericTokenCard as an inner authentication protocol for EAP-PEAP
- When you select EAP-FAST as an authentication protocol on the Authentication tab, since EAP-GenericTokenCard is the default inner authentication protocol used with EAP-FAST

NOTE: These EAP-GenericTokenCard settings do not apply when you configure EAP-GenericTokenCard as an inner authentication method for EAP-TTLS (with EAP). Nor do they apply when you choose EAP-GenericTokenCard as an authentication method from the Authentication tab.

Set an anonymous name

With EAP-TTLS, EAP-PEAP, and EAP-FAST you can appear to log in anonymously, while passing your actual login name through an encrypted tunnel. That means that not only are your credentials secure from eavesdropping, but your identity is protected as well.

Consequently, with these three protocols you have two identities: an inner one, and an outer one. The inner identity is your actual login name, and is taken from the Login name field in the User Info tab. Your outer identity can be completely anonymous. Set your outer identity in the Anonymous name field.

As a general rule, set Anonymous name to anonymous, that is, its default value. In some cases you are required to add additional text. For example, if this outer identity is used to route your authentication to the proper server, you may be required to use [email protected]. Your network administrator can tell you how to configure this field correctly.

NOTE: Your outer identity can be anonymous only if your list of authentication protocols only includes EAP-TTLS, EAP-PEAP, or EAP-FAST. If you enable any other protocols, Odyssey Client cannot keep your identity private, and the Anonymous name field is disabled.
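What an observer outside the tunnel sees of the two identities, as an added example that is not part of the guide or of Odyssey Client: the outer identity is sent in cleartext in the EAP-Response/Identity packet (RFC 3748), so this sketch parses such packets and flags an outer identity that exposes the profile's login name. The function names, the realm example.test and the sample packets are constructed for illustration; Acme\george is the login name used as an example earlier in this guide.

```python
import struct
from typing import Optional

EAP_CODE_RESPONSE = 2  # RFC 3748 section 4: Code 2 = Response
EAP_TYPE_IDENTITY = 1  # RFC 3748 section 5.1: Type 1 = Identity


def build_identity_response(identifier: int, identity: str) -> bytes:
    """Build an EAP-Response/Identity packet (used only to construct samples)."""
    data = identity.encode("utf-8")
    length = 5 + len(data)  # 4-byte header + 1-byte Type + identity bytes
    header = struct.pack("!BBHB", EAP_CODE_RESPONSE, identifier, length, EAP_TYPE_IDENTITY)
    return header + data


def parse_identity_response(packet: bytes) -> Optional[str]:
    """Return the cleartext identity, or None if the packet is not a
    well-formed EAP-Response/Identity."""
    if len(packet) < 5:
        return None
    code, _identifier, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        return None
    if length < 5 or length > len(packet):
        return None  # truncated capture or inconsistent Length field
    # Bytes beyond Length are link-layer padding and are ignored.
    return packet[5:length].decode("utf-8", errors="replace")


def user_part(name: str) -> str:
    """Reduce 'domain\\user' or 'user@realm' to the bare, lower-cased user name."""
    if "\\" in name:
        name = name.split("\\", 1)[1]
    return name.split("@", 1)[0].strip().lower()


def audit_outer_identity(packet: bytes, login_name: str) -> str:
    """Classify what the cleartext outer identity reveals about login_name."""
    outer = parse_identity_response(packet)
    if outer is None:
        return "not-an-identity-response"
    if user_part(outer) == user_part(login_name):
        return "leaks-login-name"
    return "hidden"


if __name__ == "__main__":
    login = "Acme\\george"  # inner identity, from the Login name field
    samples = [              # constructed outer identities
        "anonymous",
        "anonymous@example.test",
        "Acme\\george",
        "george@example.test",
    ]
    for number, outer in enumerate(samples, start=1):
        packet = build_identity_response(number, outer)
        print(f"{outer!r:28} -> {audit_outer_identity(packet, login)}")
```
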

TTLS Settings

The TTLS Settings tab lets you configure the use of EAP-TTLS as an authentication protocol. These settings are only relevant when you select EAP-TTLS as one of your authentication protocols in the Authentication tab.

EAP-TTLS works by creating a secure, encrypted tunnel through which you present your credentials to the authentication server. Thus, inside EAP-TTLS there is yet another inner authentication protocol that you must configure. See “EAP-TTLS” on page 19.

Select the Inner Authentication Protocol

Select the Inner authentication protocol you want to use from the drop-down list at the right. You can select any of the following:

- PAP
- CHAP
- MS-CHAP
- MS-CHAP-V2
- PAP/Token Card
- EAP

The most commonly used protocol is MS-CHAP-V2. It allows you to be authenticated against a Windows Domain Controller as well as other, non-Windows user databases.

NOTE: You cannot use CHAP as your inner authentication method if you are authenticating against a Windows NT Domain or Active Directory. As a result, do not choose CHAP when authenticating against Odyssey Server, since it can only authenticate against a Windows Domain or Active Directory.

PAP/Token Card is the protocol to use with token cards. When you use PAP/Token Card, the password value you enter into the Password dialog is never cached, since any token-based password is only good for one use.

Check with your network administrator to determine which inner authentication protocol can be used on your network.

EAP as an inner authentication protocol

If you select EAP as your inner authentication protocol, you must configure the list of Inner EAP protocols with one or more protocols.

- To add a protocol to the list, click Add. Add EAP Protocol appears. Select one or more protocols to add and click OK. You can select more than one protocol if you hold down Ctrl on your keyboard as you select with your mouse. Note that only the protocols you have not already added are available.
- To remove a protocol listed in TTLS Settings, select the protocol and click Remove.
- To reorder protocols, select a protocol and use the up and down arrow buttons to reposition it.

PEAP Settings

If you select EAP-PEAP as an authentication method in the Authentication tab, then you can select either of the following inner EAP authentication methods:

- EAP-MS-CHAP-V2
- EAP-GenericTokenCard

To add or remove any inner authentication methods used with EAP-PEAP, follow these steps:

1. Go to the PEAP Settings tab.
2. Click Add to add a protocol. Add EAP Protocol appears. Select one or more protocols to add and click OK. Note that any protocols you have already selected are not listed in this dialog.
3. When you allow more than one inner protocol, you should order the protocols listed under PEAP Settings according to your preferences (requirements). Use the up and down arrows to move a selected protocol around in the list.
4. If you select EAP-GenericTokenCard as one of your PEAP inner authentication methods, then you can configure the EAP-GenericTokenCard settings under the Authentication tab. These settings allow you to choose to use your password credentials or your token card ID for authentication.
5. Click OK when you are done creating or modifying the profile configuration.
6. Select any protocols you want to remove under PEAP Settings, and click Remove.

Networks panel

You can use the Networks panel to configure settings for connecting to any number of wireless networks.

Each network that you configure is listed in the panel. You can perform the following tasks in the Networks panel:

- To add a network, click Add. Add Network appears. Configure the settings for the new network and click OK.
- To remove a network, select the network and click Remove.
- To modify the settings for a network, select the network and click Properties, or double-click the network name. Network Properties appears. Modify the settings and click OK.

Network titles

The titles of networks listed in the Networks panel are coded with special formatting:

- The name of the network appears in angled brackets. If the name [any] is listed in angled brackets as an entry in the list of networks, then you use this network configuration to connect to any available wireless network.
- The description of the network precedes the name. This description comes from the optional Description field in Network Properties. You can add your own description to any network you configure. This helps you to distinguish networks.

The network description field is useful for situations that advanced users might encounter. It lets you easily switch among different “personalities” on the same network. For example, you may want to use different credentials at different times.

The description field also lets you distinguish two different networks that happen to have the same network name. Network names are arbitrary text chosen by an administrator, so it is possible for two unrelated networks to have the same name. In the illustration above, there are two Toronto networks. The configured descriptions indicate that password credentials are used with one and certificate credentials with the other.

Network properties

You can configure wireless network settings in Add Network or Network Properties when you click Add or Properties from the Networks panel.

You can configure the following network attributes here:

- Network fields
- Authentication fields
- Preconfigured keys (WEP, WPA2, or WPA)

Network fields

You can perform the following tasks under Network:

- Specify the network name
- Scan for a network
- Configure Odyssey Client to connect to any available network
- Specify a description of the network
- Specify the network type
- Specify the association mode
- Specify an appropriate encryption method for your association mode

Specify the network name

Set Network name (SSID) to the name of the wireless network. The network name may be up to 32 characters long and is case-sensitive. This name must be entered correctly in order to successfully connect.

Scan for a network

You can type in the name of the network directly, or you can click Scan to select from a list of all currently visible networks. When you are in the vicinity of the network you are configuring, using the Scan button is not only easier than typing, but also guarantees that the network name is set correctly. Note that only access points that transmit beacons are visible to you when you use the Scan button.

Configure Odyssey Client to connect to any available network

Odyssey Client Manager provides a special network configuration called [any]. The [any] network connects to any available network, regardless of its name. The [any] network is useful when you are wandering through conferences, hotels or other locations that provide network access. When you select the [any] network from the Connection panel, you can connect to such networks without having to configure them individually.

To configure an [any] network, check Connect to any available network. Although you can use WEP keys and profiles with [any], the more common practice is to use [any] without 802.11 or 802.1X authentication.

Specify a description of the network

You may want to use network descriptions in order to provide more information about your network than its SSID provides. You can also use the description in order to distinguish similar network names. You have the option to enter a description of this network in the Description field. The text you enter into this field allows two networks with the same name to remain distinct on the Odyssey Client Manager display.

Specify the network type

If you did not use the Scan button to select your network, you must specify the type of network by choosing one of the options from the Network type drop-down list.

- Select Access point (infrastructure mode) if this network uses access points to provide connectivity to the corporate network or the internet. This is the most common setting.
- Select Peer-to-peer (ad-hoc mode) to set up a private network with one or more other PCs.

Specify the association mode

Before authentication can take place, you must associate your client to an access point. The association mode that is required of you depends on your access point hardware, and how it is configured. Your network administrator can help you configure the association mode that is required for your network. See “Wired-Equivalent Privacy (WEP)” on page 14 and “Wi-Fi Protected Access (WPA or WPA2) and TKIP/AES” on page 15 for more information on these encryption and association mode choices.

You can choose one of three association modes:

- Open, for connecting to a network through an access point or switch that implements 802.1X authentication. Choose this mode if you are not required to select shared mode or WPA.
- Shared, for connecting to a network through an access point that requires WEP keys for association and data encryption
- WPA, for connecting to a network through an access point that implements WPA (Wi-Fi Protected Access)
- WPA2, for connecting to a network through an access point that implements WPA2 (802.11i)

Specify an appropriate encryption method for your association mode

Your choice of encryption method also depends on the access point requirements. Your choices vary according to the association mode you choose. See “Wired-Equivalent Privacy (WEP)” on page 14 and “Wi-Fi Protected Access (WPA or WPA2) and TKIP/AES” on page 15 for more information.

You have the following options:

- None, for using 802.1X authentication without WEP keys. This option is only available to you when you configure access point association in open mode.
- WEP, for using WEP keys for data encryption. This option is available for all association modes, and is required when you associate in shared mode. When you select this option, you must fill in WEP keys at the bottom unless you check Keys will be generated automatically for data privacy. You must choose this option when the access points in your network require shared mode association with WEP keys.
- TKIP, for using the temporal key integrity protocol. Choose this option when the access points in your network require WPA association, and are configured for TKIP data encryption.
- AES, for using the advanced encryption standard protocol. Choose this option when the access points in your network require WPA or WPA2 association, and are configured for AES data encryption. If your client hardware and access point support AES, use AES encryption when you associate in WPA2 or WPA mode.

Authentication fields

You can configure network authentication with the following characteristics:

- Authenticate using profile
- Automatic key generation

Authenticate using profile

If the wireless network you are configuring requires that you authenticate using your personal credentials, check Authenticate using profile, and select the profile to use for authentication from the drop-down list at the right. You must have already configured a profile appropriate for authenticating onto this network.

When you check Authenticate using profile, Odyssey Client performs an 802.1X authentication using your password, certificate, or other means, as configured in the selected profile.

Automatic key generation

Check Keys will be generated automatically for data privacy if the authentication method specified in the profile results in the creation of dynamic WEP keys for use between your PC and the access point. Certain authentication methods, such as EAP-TTLS, PEAP, and EAP-TLS, generate keys. Others do not.

If you use EAP-TTLS, PEAP, or EAP-TLS to authenticate, check this box. You can use any of these authentication methods if your access point implements 802.1X authentication. This option is more secure than using static (preconfigured) keys. This option is available with all encryption methods (other than none), as long as you are not associating in shared mode.

Leave this option unchecked if you are required to use preconfigured WEP keys, or, in the case of WPA association, a pre-shared key.

Preconfigured keys (WEP, WPA2, or WPA)

The wireless network may require that you preconfigure WEP keys, or that you pre-share a passphrase, in the case of WPA or WPA2 association. You can enter keys in the lower portion of your network properties description, according to your association method:

- Pre-shared keys (WPA or WPA2)
- Preconfigured keys (WEP)

Pre-shared keys (WPA or WPA2)

If you associate in WPA or WPA2 mode, and you do not generate keys automatically when you associate an authentication profile to the network connection, then you must supply a pre-shared ASCII passphrase in the Passphrase field. This passphrase is used as a seed to generate the required keys. When you use a passphrase, you do not authenticate with a RADIUS server.

Preconfigured keys (WEP)

If you associate in shared mode, you must configure at least one WEP key. You must also configure at least one WEP key when you select WEP encryption for the open association mode, and you do not generate keys automatically when you associate an authentication profile to the network connection.

WEP keys serve the following purposes:

- Associate with an access point before a connection can be established (shared mode).
- Encrypt data between your PC and the access point (or other PCs in a peer-to-peer network). See “Wired-Equivalent Privacy (WEP)” on page 14.

If the wireless network uses 802.1X authentication and dynamic WEP keys are generated (i.e., you check Authenticate using profile and Keys will be generated automatically for data privacy), then you do not need to enter preconfigured WEP keys for data privacy. However, it is possible, though not typical, to use preconfigured WEP keys for authentication in addition to 802.1X. For example, EAP-MD5 does not generate WEP keys for data encryption, so you must supply one when your profile is set to authenticate with this method.

If you implement either of these uses of preconfigured WEP keys, you must check the appropriate boxes and set one or more WEP keys appropriately:

- Check to authenticate to access points (shared mode) if preconfigured WEP keys are required to authenticate to an access point prior to connection to the wireless network.
- Check for data privacy to use preconfigured WEP keys for encryption of data over the wireless network.

Enter the WEP keys in fields Key 0 through Key 3. The values entered here must match those of the access points or peer computer to which you connect. It is most common for Key 0 to be used, although your network may require other keys as well.

You can enter keys either as ordinary text characters (ASCII) or hexadecimal characters. WEP keys are either 40 or 104 bits long. This corresponds to either 5 or 13 characters when you enter them as ASCII characters, or 10 or 26 characters when you enter them as hexadecimal digits.

# of bits in key    # of ASCII chars    # of hex digits
40                  5                   10
104                 13                  26

To enter any preconfigured WEP keys:

1. In Format for entering keys, select either ASCII characters or hexadecimal digits, depending on how you want to enter the keys.
2. Type in the text fields Key 0 through Key 3, each key that you want to preconfigure.

Auto-Scan Lists panel

You can associate an ordered group of wireless networks with an auto-scan list, so that you can be connected to any of the networks available in the list. For example, you may want to associate your home network and your office network with the same auto-scan list, so that you do not have to change your network connection specification each time you change location.

When you specify a connection on the connections panel to an auto-scan list, rather than a single network, Odyssey scans sequentially through the listed networks for an available network. You may want to use this feature if you are moving your client machine between locations that access different networks.

You can specify auto-scan lists from the Auto-Scan Lists panel:

Although you can create new lists of networks at any time, each of the individual networks in a list must have been previously configured with the Networks panel. The Auto-Scan Lists panel displays the lists that you have created so far.

You can perform the following tasks in the Auto-Scan Lists panel:

- To add an auto-scan list, click Add. Auto-Scan List Properties appears.
- To remove an auto-scan list, select it from the list and click Remove.
- To modify the settings for a network, select it from the list and click Edit, or double-click the auto-scan list name. Auto-Scan List Properties appears.

NOTE: Make sure to separately test each network connection for each network in your auto-scan list. If you misconfigure a network connection on the auto-scan list, so that authentication fails at every connection attempt, Odyssey Client does not skip that network to try other networks on the list. To test a single selected network connection, go to the Connection panel and check Connect to network and select the network you want to test.

Auto-Scan List properties

You can add or edit auto-scan list properties when you click Add or Properties from the Auto-Scan Lists panel. The resulting dialog allows you to manage lists of the wireless networks that you have configured with the Networks panel.

To specify a new auto-scan list, follow these steps:

1. Provide the List name. You must fill this field in before you click OK. You cannot choose a list name you have already used, and you cannot edit this name later when you click Properties for a selected list in the Auto-Scan Lists panel.
2. Sequentially select networks for your auto-scan list from the list of configured networks listed under Available Networks on the left. Use the right arrows to move networks from the left to the Selected Networks on the right. This is your set of auto-scan networks.
3. Order your selected networks according to the frequency with which you expect to connect to them. Place your most frequently used networks at the top of the list. You can use the up and down arrows to reorder the list.

You can modify this list order or contents at any time when you click Properties of the list by this name from the Auto-Scan Lists panel. In general, you increase likelihood of connection to a given network (in comparison with other available networks in the same auto-scan list) by moving it up towards the top of the list.

Trusted Servers panel

The Trusted Servers panel allows you to configure which authentication servers you trust when you authenticate using either EAP-TTLS, EAP-TLS, or EAP-PEAP.

When you configure Odyssey Client to trust a server, you must not only specify the name of the server, but also the certificate chain to which it belongs. You also have the option to allow Odyssey Client to trust any server that bears a specified signed certificate.

You can specify trusted servers using either a simple method, or a more advanced method. See the following topics for configuring trust:

- “Using the simple method to configure trust” on page 61
- “Using the advanced method to configure trust” on page 63
- “Untrusted servers” on page 68

See the following topics for information on certificates and the protocols that use them:

- “Extensible Authentication Protocol (EAP)” on page 17
- “Certificates” on page 18

Using the simple method to configure trust

In the large majority of cases, you can use the simple method of configuring trust. You have two options in creating your list of trusted servers:

- You can allow any server that bears a specified signed certificate to be trusted. With this method, you must specify a certificate from any certificate authority in your certificate authority chain. This could be the certificate of a root or an intermediate certificate authority.
- You can specify, using domain names, a list of servers to be trusted. With this method, you must specify two items:
  - The server domain name, or the ending of the domain name (for example, acme.com)
  - A certificate from any certificate authority in your certificate authority chain. This could be the certificate of a root or an intermediate certificate authority

Adding a trusted server entry

When you click Add from the Trusted Servers panel, Add Trusted Servers Entry appears.

You have the opportunity to configure all servers with a specified certificate to be trusted, or you can use domain names when you specify trusted server certificates. To specify trusted server certificates, follow these steps:

1. You can either configure trust for any server issued with a specified signed certificate, or you can specify one or more servers to be trusted using domain names, when those servers are issued with a given signed certificate:
   1. To allow all servers with a specified signed certificate to be trusted, check Trust any server with a valid certificate regardless of name.
   2. To specify servers by name, in the Server name must end with field, enter the identity of the trusted server.
2. Set the Server certificate must be issued by field to the certificate of the certificate authority that must have directly or indirectly issued the server certificate. The certificate you select may be that of a root or intermediate certificate authority. It need not be the certificate that directly issued the server certificate. It may be any certificate in the chain. To assign a certificate, follow these steps:
   1. Click Browse to get a list of certificates.
   2. Select a certificate from the list that appears, and click OK.
3. Click OK to close Add Trusted Servers Entry.

Server identity

Each server has an identity that uniquely identifies it, and that name is normally contained in the Subject CN field of the server certificate. A server identity may end with the name of a larger administrative domain, to which the server belongs.

For example, the Acme company might have a domain name, such as acme.com. The company might also have several authentication servers, that are identified as auth1.acme.com, auth2.acme.com, and auth3.acme.com, for example. In this case, Acme could configure its server certificates with a common name, acme.com. As in this example, by specifying the ending for a server name, you can configure trust for all the servers in an organization with a single entry.

Removing a trusted server entry

To remove an entry from the trusted servers list, select the entry and click Remove.

Editing a trusted server entry

To edit an entry in the trusted servers list, select the entry and click Edit. Edit Trusted Servers Entry appears, allowing you to modify the server domain and the certificate of the issuer.

Using the advanced method to configure trust

If you need more control over trust, you can use the advanced method.

NOTE: If you do not have a working knowledge of certificates and certificate chains, you should not attempt to configure trust using the advanced method. Consult your network administrator as to how to configure trusted servers.

With this method, the entire tree of trust is displayed. The trust tree shows trusted servers added using the simple method as well as the advanced. Each path through the trust tree defines a set of rules for matching a certificate chain. Odyssey Client trusts an authentication server only if its certificate chain matches at least one path through the trust tree.

A path through the trust tree is composed of two or more nodes:

- Each top-level node is the certificate of a root or intermediate certificate authority.
- Each intermediate node (if present) is the name of an intermediate certificate authority in the chain.
- Each final, or leaf, node is the name of a server that you trust to authenticate you.

The names of certificate authorities and servers may be specified as subject names or as domain names. In addition, you may specify that the name in a certificate must match the configured name exactly or that it must end in the configured name.

Displaying the trust tree

To display the trust tree, click Advanced. Trusted Servers appears. You can view and modify trust rules here.

Adding certificate nodes

To add a new certificate to the top level of the trust tree:

1. Click Add certificate. Select Certificate appears.
2. Select a certificate and click OK. You may select either from the list of intermediate or trusted root certificates.

For detailed information about any certificate before you add it, select the certificate and click View.

Adding authentication servers or intermediate CA nodes

All nodes below the top level identify either authentication servers or intermediate certificate authorities. If the node is a leaf node, it is assumed to identify an authentication server. Otherwise, it is assumed to identify an intermediate certificate authority.

To add an authentication server or intermediate certificate authority to the tree:

1. Select the node in the tree, beneath which you want to add the new item.
2. Click Add Identity. Add Identity appears.
3. Enter the information that defines the rules that Odyssey Client uses to match a certificate in the server certificate chain to this node.
4. Click OK.

Add Identity lets you set the matching rules for a single node in the trust tree.

For Trust a server or intermediate CA with a valid certificate, select:

- Regardless of its name to match any certificate, provided it is signed by the certificate authority in the node above
- If its name matches the following name exactly to require that the name in the certificate exactly match the name you specify
- If its name ends with the following name to require that the name in the certificate is subordinate to the name you specify. For example, a certificate with name sales.acme.com would match an entry of acme.com

For Name of server or intermediate CA, enter the name (or final elements of a name) you want to match. (This field is not required if you select regardless of its name). The form of the name depends on your choice of Name type.

For the certificate authority Name type, you must indicate how the name is interpreted and where in the certificate the name is found. Select one of the following:

- Domain name in Subject Alternative Name or Common Name if the domain name (e.g., acme.com) is found in the Subject Alternative Name field in the certificate or, if that is not present, the Common Name within the Subject field of the certificate (this is the most typical choice).
- Domain name in Subject Alternative Name if the domain name is found in the Subject Alternative Name field in the certificate. This is similar to, but more restrictive than, the previous choice.
- Subject Name if the name is an X.500 name and is found in the Subject field in the certificate. If you enter a full or partial Subject name, it must be in X.500 form. It matches any certificate Subject name that is equal or subordinate to it. For example, if you enter OU=acme.com, C=US it matches any of the following subject names:

  O=sales, OU=acme.com, C=US
  CN=george, O=sales, OU=acme.com, C=US

NOTE: If you enter text that includes commas, surround them with single quotation marks.

For Maximum number of intermediate certificates, set the maximum number of certificates that may appear in the chain between this node and the node directly above this node. You may select a number between 0 and 5, or unlimited:

- If you choose 0, the certificate that matches this node must have been signed using the certificate that matches the node above this node.
- If you choose 1, the certificate that matches this node may have been signed by the certificate that matches the node above, or by a certificate that in turn has been signed by the certificate that matches the node above.
- If you choose unlimited, any number of certificates may appear in the chain between the certificate that matches this node and the one that matches the node above.
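The trust-tree rules above (name rule, name type, and maximum number of intermediate certificates per node) are modelled in the following added Python example so that a planned path can be checked against a server's chain before it is deployed; it is not Funk Software's code. Cert, Node and chain_matches_path are hypothetical names, the sample chain is constructed, signature validation is assumed to have happened already, the top-level certificate is identified by subject only, and "ends with" is read label by label (the page does not say how partial labels are treated).

```python
from dataclasses import dataclass, field
from typing import List, Optional


def parse_rdns(dn):
    """Split an X.500 name into normalized (type, value) pairs, leaf-most first."""
    pairs = []
    for part in dn.split(","):           # simplification: no quoted commas
        attr, _, value = part.strip().partition("=")
        pairs.append((attr.strip().upper(), value.strip().casefold()))
    return pairs


@dataclass
class Cert:
    """Constructed stand-in for an already signature-checked certificate."""
    subject: str
    san_dns: List[str] = field(default_factory=list)

    def common_name(self):
        return next((v for a, v in parse_rdns(self.subject) if a == "CN"), None)


@dataclass
class Node:
    """One node below the top-level certificate in a trust-tree path."""
    rule: str = "any"                    # "any" | "exact" | "ends_with"
    name: str = ""
    name_type: str = "san_or_cn"         # "san_or_cn" | "san" | "subject"
    max_intermediates: Optional[int] = None   # None means unlimited


def domain_matches(rule, configured, candidate):
    want = configured.casefold().rstrip(".")
    have = candidate.casefold().rstrip(".")
    if rule == "exact":
        return have == want
    # Label-wise suffix: "sales.acme.com" is under "acme.com", "notacme.com" is not.
    return have == want or have.endswith("." + want)


def node_matches(node, cert):
    if node.rule == "any":
        return True
    if node.name_type == "subject":
        want, have = parse_rdns(node.name), parse_rdns(cert.subject)
        if node.rule == "exact":
            return have == want
        return len(have) >= len(want) and have[-len(want):] == want
    names = list(cert.san_dns)
    if not names and node.name_type == "san_or_cn" and cert.common_name():
        names = [cert.common_name()]     # CN is used only when no SAN is present
    return any(domain_matches(node.rule, node.name, n) for n in names)


def chain_matches_path(chain, anchor_subject, nodes):
    """chain is ordered from the root (index 0) down to the server certificate."""
    anchor = parse_rdns(anchor_subject)
    leaf = len(chain) - 1

    def walk(pos, k):
        # pos: chain index matched by the node above; k: next node to match
        if k == len(nodes):
            return pos == leaf           # the last node must be the server itself
        limit = leaf
        if nodes[k].max_intermediates is not None:
            limit = min(leaf, pos + 1 + nodes[k].max_intermediates)
        return any(node_matches(nodes[k], chain[j]) and walk(j, k + 1)
                   for j in range(pos + 1, limit + 1))

    starts = [i for i, c in enumerate(chain) if parse_rdns(c.subject) == anchor]
    return bool(nodes) and any(walk(i, 0) for i in starts)


# Constructed sample chain: root -> issuing CA -> authentication server.
CHAIN = [
    Cert("CN=AcmeRootCA, O=Acme, C=US"),
    Cert("CN=Acme Issuing CA, O=Acme, C=US"),
    Cert("CN=auth2.acme.com, O=Acme, C=US", san_dns=["auth2.acme.com"]),
]
ROOT = "CN=AcmeRootCA, O=Acme, C=US"

if __name__ == "__main__":
    for limit in (0, 1, None):
        path = [Node("ends_with", "acme.com", max_intermediates=limit)]
        print(limit, chain_matches_path(CHAIN, ROOT, path))
```

With the sample chain, a single leaf node of acme.com under the root matches only when at least one intermediate certificate is allowed, which is the effect of the 0 versus 1 setting described above.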

Removing nodes

To remove a node, select the node in the tree you want to remove, and click Remove. The selected node, and any node beneath it, is removed from the tree. The node you remove may be any of the following:

- Top level certificate node
- Intermediate CA node
- Server node

Viewing certificate information

For detailed information about any certificate at the top level of the trust tree, select the certificate and click View Certificate.

Untrusted servers

Under the following conditions, you are given the option to trust a previously untrusted server during network authentication:

- You have enabled temporary trust.
- The authenticating profile mandates server validation.
- The trusted root certificate authority of the server certificate (in the example shown below, the certificate AcmeRootCA) is installed on your client machine.

If this is the case, the following dialog appears while you are authenticating to the network.

The dialog shows the entire certificate chain between the authentication server and a trusted root certificate authority. To see detailed information about any certificate in the chain, select the certificate and click View.

If you want to temporarily (until you restart Odyssey Client) trust this server in order to authenticate and connect to the network, click Yes. Otherwise, click No. You may be asked to type in your password, depending on the profile you set up for this connection.

If you want to permanently trust this server by adding it to the Trusted Servers list, check Add this trusted server to the database and click Yes. The server is added to the Trusted Servers list, using the name shown in the Server name must end with field. You may edit the server name. For example, if the server name is auth2.acme.com, you can change it to acme.com, if you want to trust all authentication servers belonging to the acme.com domain.

Adapters panel

The Adapters panel lets you select one or more network adapters (interface cards) for wired or wireless networking. You can select more than one adapter if you hold down Ctrl on your keyboard as you select with your mouse.

The Adapters panel lists all the wireless and wired adapters that are configured in Odyssey Client. Most likely you have configured a single adapter. However, you may configure more than one adapter.

You can use the Adapters panel for the following tasks:

- Adding a wireless or wired adapter
- Removing an adapter from the list of adapters

NOTE: Your adapter must already have been installed on your system before you can configure Odyssey Client to use it.

Adding a wireless or wired adapter

To add a wireless or wired adapter that Odyssey Client has not yet recognized, follow these steps from the Adapters panel of Odyssey Client Manager:

1. Click Add. Add Adapter appears, displaying a list of all network adapters that are installed on your PC (except for the ones Odyssey Client is already configured to use).
2. Select either the Wireless or Wired 802.1X tab.
3. Select your desired adapter from the list of adapters displayed, and click OK. Note that only adapters that you have not yet added to the Adapters panel are displayed.

NOTE: The adapters that you select on the Wireless tab are used for wireless connections, and those that you select under the Wired tab are used for wired connections. In most cases, Odyssey Client Manager can distinguish between wireless and non-wireless network adapters. However, in certain cases it cannot. If you do not see your wireless adapter in the list, select All Adapters. Make sure that each of the adapters you select on the Wireless tab is indeed wireless. You cannot configure Odyssey Client for wireless connections unless you have a wireless adapter. You must configure wired adapters from the Wired 802.1X tab.

Removing an adapter from the list of adapters

To remove an adapter from the list of adapters in the Adapters panel, select the adapter you want to remove and click Remove. Odyssey Client stops using the adapter. The adapter is still installed on your system, but operates as if Odyssey Client is not present.

Settings menu

The following menu items are available from the Settings menu:

- Preferences
- Security Settings
- Windows Logon Settings
- Enable/Disable Odyssey
- Close

Preferences

You can change the way that Odyssey Client operates by selecting the Preferences command. Odyssey Preferences appears.

Set your preferences, and click OK to make them effective:

- If you select Hide tray icon, then the Odyssey icon is not displayed on the System Tray (at the bottom right of your screen).
- If you select Hide control panel icon, then the Odyssey icon is not displayed on the Windows Control Panel.
- If you select Disable splash screen, then the Odyssey Client splash screen is not displayed when you initiate the Odyssey Client service.

NOTE: If you have the Windows Control Panel open when you select Hide control panel icon and click OK, then refresh your control panel (press F5) to see the effects. In some cases, you may only see the effect after rebooting.

Security Settings

To configure advanced security options related to authentication, select Security Settings. Security Settings appears.

There are two sets of security settings you can configure:

- General
- EAP-FAST

General

The security options on the General tab are initially set to default values that should suit most purposes. You can restore the defaults at any time by clicking Reset Defaults.

You can configure time (up to three decimal places) in hours. For example, to specify one hour and fifteen minutes, enter 1.25.

You have three options:

- Enable session resumption. When you choose this option, you can specify the maximum length of a session before it expires.
- Enable automatic reauthentication. When you choose this option, you can specify the reauthentication period.
- Enable server temporary trust. When you choose this option, you can specify the maximum length of a session with a temporarily trusted server.

Session resumption

You can enable the use of session resumption from Security Settings. See “Session resumption” on page 21 for more information on session resumption.

To enable session resumption, do the following:

- Check Enable session resumption.
- Set Do not resume sessions older than to the maximum number of hours that an initial authentication can be used to accelerate reauthentication. Once the time limit has elapsed, a completely fresh authentication is performed on your next reauthentication. The number of hours can have up to three decimal places. For example, enter 1.25 to indicate one hour and fifteen minutes, or 0.001 for about three seconds. This latter value is the smallest value you can enter.

By default, session resumption is enabled, and an initial authentication is resumed for up to 12 hours. To disable this feature, uncheck Enable session resumption.

Automatic reauthentication

You can enable or disable the automatic reauthentication feature of Odyssey Client as well. For information about why you might want to reauthenticate, see “Reauthentication” on page 21.

Check Enable automatic reauthentication in Security Settings to cause Odyssey Client to periodically initiate reauthentication with the server. Set Reauthenticate every to the time period, in hours, after which reauthentication takes place automatically. You can use up to three decimal places to indicate the number of hours. For example, enter 1.25 to indicate one hour and fifteen minutes, or 0.001 for about three seconds. This latter value is the smallest value you can enter.

Uncheck Enable automatic reauthentication in Security Settings to disable this feature.

By default, automatic reauthentication is not enabled. This is because your network administrator may have already configured your access points or authentication server to perform periodic reauthentication. Check with your network administrator for the proper settings for this option.

Server temporary trust

Normally, you can use the Trusted Servers panel to configure the servers you trust for authentication. However, there may be times when you are authenticating to a network whose authentication server is not yet configured as trusted in the Trusted Servers panel. In this case, you may want the ability to enable temporary trust for that untrusted server.

Check Enable server temporary trust from Security Settings to enable temporary trust. Uncheck this field to disable this feature. Notice the following about this feature:

- If temporary trust is enabled, you are given the option of whether or not to trust an untrusted server temporarily when you attempt to authenticate to an untrusted server. See “Untrusted servers” on page 68.
- Untrusted Server opens when you attempt to authenticate to a server for which you have not configured trust, and permits you to permanently add the server to your trust tree. Thus, you can use temporary trust as an alternative to the Trusted Servers panel, and configure trusted servers as they are encountered.
- If temporary trust is not enabled, then any authentication attempt that requires the validation of a server certificate fails when the server is not explicitly trusted.

Set Maximum time for temporary trust to the maximum number of hours you want Odyssey Client to continue to trust a server once you accept it.

The default behavior is that temporary trust is enabled, and that 12 hours is the maximum time that a particular server is trusted once you accept.

NOTE: These settings do not apply to servers you choose to permanently trust by checking Add this trusted server to the database in Untrusted Server. See “Untrusted servers” on page 68.

EAP-FAST

When you use EAP-FAST authentication, you can select options that determine when you are re-prompted for credentials:

- Check Prompt before acquiring credentials from a new server in order to be prompted for new credentials when you authenticate with a new server.
- Check Prompt before replacing credentials from a known server when your existing credentials have failed in order to be prompted for new credentials when a previous authentication attempt fails.

By default, the EAP-FAST options are initially checked. You can restore the defaults at any time by clicking Reset Defaults.

Windows Logon Settings

Your default network connection settings are either of the following:

• Factory-default network connection settings, which result in establishing a network connection after your desktop appears
• Default network connection settings that have been set by your system administrator

There may be some circumstances for which you want to override the default network connection settings. For example, if you can log on to your domain using cached credentials, and your administrator has configured your network connection to occur prior to Windows logon time, you can change your connection timing so that you connect to the network before your desktop appears. You can modify your network connection timing by selecting the Windows Logon Settings item from the Settings menu. The following dialog opens when you select Windows Logon Settings.

Some of the Windows logon features may not be available to you, depending on how your administrator has set up your installation. To override the default network connection settings for your client machine, check Override default settings for Windows logon. To modify the default timing for network connections through Odyssey Client, select one of the following Windows logon timing options:

• After my desktop appears, for establishing your network connection after your Windows startup, Windows logon, and desktop processes are completed. This is the latest possible time you can make a network connection.
• After Windows logon, before my desktop appears, for establishing your network connection after your Windows startup and Windows logon processes are completed, but before your desktop processes take place.
• Prior to Windows logon, for establishing your network connection prior to Windows logon. This is the earliest time you can make a network connection.

Select one of the timing options that is available to you. If you select Prior to Windows logon, then address the following required tasks and options:

• Select the adapter and network (or profile, in the case of a wired connection) from the lists provided. Note the following:
  ◦ You must associate a profile with any network you configure. Do not fill in the username for this profile. Odyssey Client uses your Windows logon credentials.
  ◦ You must check Validate server certificate on the Authentication tab of the Profile Properties on the associated profile.
  ◦ You also cannot assign to the network connection a profile that uses a stored password. See “Restrictions on early network connections” on page 109 for more information.
  ◦ If you assign your selected network to encrypt your data using WEP, you must check Keys will be generated automatically for data privacy on that network description.
• You can optionally request that a pre-connection prompt dialog appear prior to making the network connection at logon time every time you log on to Windows, by checking Prompt before connecting to the network. This can be useful if you experience network authentication problems, as it gives you the option to opt out of connecting to the network at logon time.
  ◦ If you or your administrator have omitted any required configuration elements, you are prompted at logon via the pre-connection prompt dialog to configure part or all of the network connection through a wizard. See “Windows logon pre-connection wizard” on page 82 for more information on the pre-connection prompt dialog and the wizard.
  ◦ See “Avoiding the pre-connection prompt dialog” on page 81 for information on how to suppress the appearance of the pre-connection prompt dialog.

If you do not select After my desktop appears, then you have the option to request an after desktop connection on a per adapter basis. To use this feature, check Wait until my desktop appears before using Odyssey to connect to the network. You have two choices for the conditions under which your after desktop connection takes place:

• To make an after desktop connection whenever you are connected to your network through a wired adapter, select any wired adapter is already connected. You can use this option even if your wired adapter is not connected to an 802.1X hub or switch.
• To make an after desktop connection whenever you are connected to your network through a set of adapters (wired or wireless) that you specify explicitly, select one of the following adapters is already connected. This option pertains to any adapter listed. To edit this list of adapters, click Edit. Select Adapters appears. Check any adapters that you want to use for after Windows logon network connections are established, and click OK to close Select Adapters.

Click OK to close Windows Logon Settings.

Odyssey Client pre-connection prompt dialog

Odyssey Client may give you some options for settings to use at Windows logon through the main pre-connection prompt dialog.

This dialog appears under the following circumstances:

• You or your administrator have configured this dialog to appear each time you attempt a network connection when you log on to Windows. See “Windows Logon Settings” on page 76.
• Your default Windows logon network configuration is not complete.

If your network connection configuration is complete, you have three options for connection settings:

• Use the settings (your personal settings) you have previously specified in the Odyssey Client Manager.
• Use the default prior to Windows logon connection settings configured for your machine by your network administrator.
• Use new settings that you can specify using the Windows logon pre-connection wizard.

Specify your preferences, and click Continue. You can also opt to cancel the network connection at this time, by clicking Cancel logon. Note the following:

• In the event that your network connection is incomplete, the first two settings are disabled.
• If you want to connect to the network after logon, or if you are having any problems connecting to the network, uncheck Use Odyssey to connect to the network.
• Odyssey Client does not remember the network choices you enter in the pre-connection prompt dialog. Should you have an incomplete network configuration, you are presented with the pre-connection prompt dialog each time you log on, until you correct any problems. In order to correct any problems and/or not see this screen every time you log on, follow the instructions in “Avoiding the pre-connection prompt dialog” on page 81.

Avoiding the pre-connection prompt dialog

The Odyssey Client pre-connection prompt dialog occurs for one of two reasons:

• You or your administrator have set Odyssey Client to prompt you with this dialog each time you attempt a network connection when you log on to Windows. See “Windows Logon Settings” on page 76.
• Your prior to Windows logon network configuration is not complete.

In either case, you are prompted to interact with Odyssey Client each time you log on to Windows. To avoid future prompts at pre-connection time:

1. Correct network connection problems, as necessary.
2. Suppress the appearance of the pre-connection prompt.

Correct network connection problems

Once you are logged on and connected, you can correct any network connection problems that have occurred. To do so, follow these steps in the Odyssey Client Manager:

1. Specify a profile, network (required for wireless adapters), and adapter, as well as a network (if necessary) for your network connection at Windows logon time.
2. Test the connection by connecting through the Connection panel.

Suppress the appearance of the pre-connection prompt

To keep the pre-connection prompt dialog from appearing every time you log on, follow these steps in the Odyssey Client Manager:

1. In Settings > Windows Logon Settings, check Override default settings for Windows logon, select the network (or profile) and adapter you want for this connection, and uncheck Prompt before connecting to the network. Note that any network configuration you assign using the Windows logon pre-connection wizard may include network and profile records stored in the Odyssey Client Manager with the name Windows logon attached to their labels. If so, you can use these to configure your network connection in Windows Logon Settings.
2. Click OK.

Windows logon pre-connection wizard

It is possible that your configuration is incomplete for Odyssey Client to log you into the network before Windows logon takes place. In this case, once you select to configure your network connection through the Windows logon pre-connection wizard (via the pre-connection dialog), you are prompted with a series of dialogs that request you to specify the following information:

• Adapter for Windows logon
• Network for Windows logon
• Authentication protocols for Windows logon
• User name and password options for Windows logon

Adapter for Windows logon

If you have to configure an adapter for Windows logon, the following appears.

1. Select an adapter type. Select wireless for a wireless adapter, and wired 802.1X for a wired adapter connection.
2. Select an adapter from the list, and click Next.

Network for Windows logon

If you have to configure a network for Windows logon, the following dialog appears.

Type in the network name, or click Scan to scan for an available configured network. Note that you cannot use any auto-scan lists for this selection.

Authentication protocols for Windows logon

If you have to configure authentication protocols for Windows logon, the following dialog appears.

Select the authentication protocol from the list. If you specify EAP-TTLS as the authentication protocol, specify the required EAP-TTLS settings as well. Note that EAP-TLS is not available to you.

User name and password options for Windows logon

If you have to configure your user name and password settings for Windows logon, the following dialog appears.

Type your user name (in the correct format, usually domain\user name) in the box, and select your password setting:

• Select Use Windows password to use your regular Windows logon password for logging into the network.
• Select Prompt for password if you want to be prompted to type in your required password at login time.
• Select Use the following password: to type in a password that is not your Windows password. Note that this password is not stored for future use.

SIM Card Manager

If you have a SIM card for use with Odyssey Client that is inserted in your client device, you can manage the PIN on your SIM card hardware when you select Settings > SIM Card Manager.

To disable the PIN for your SIM card, click Disable PIN. Disable PIN appears.

Enter your PIN and click OK. To change the PIN for your SIM card, click Change PIN. Change PIN appears.

Follow the directions for each text field, and click OK. If your card becomes blocked, you can unblock it. To do so, click Unblock Card, and follow the instructions on the Unblock Card dialog that appears. Click Close to close SIM Card Manager.

Odyssey Client Administrator

You can launch the Odyssey Client Administrator from the Settings menu. You can use Odyssey Client Administrator for the following:

• Configure settings for new users.
• Create a customized new installer file for a set of users.
• Apply locking and constraints to some or most features.
• Create a customized user settings update file for your users.
• Create scripts to update some user features.

See “Odyssey Client Administration” on page 97 for more information.

Enable/Disable Odyssey

Select Enable Odyssey or Disable Odyssey to turn Odyssey Client on or off. Odyssey Client is initially enabled, and normally you should not need to disable it. If you choose to disable Odyssey Client, you are no longer able to use Odyssey Client for network connections until you enable it again. You may want to disable Odyssey Client if you have concerns about your current Odyssey configuration. For example, if you are worried that Odyssey Client is in an insecure state, you can use this feature to take yourself off the network until you get a chance to inspect your settings. You can also enable or disable Odyssey Client from the pop-up menu that appears when you right-click the Odyssey icon in the System Tray.

NOTE: To stop Odyssey Client from running entirely, select the Exit command when you right-click the Odyssey icon in the System Tray.

Close

Select Close to close the Odyssey Client Manager window. Although the user interface is no longer visible, Odyssey Client continues to perform its networking operations normally.

You can restart Odyssey Client Manager at any time, in any of the following ways:

• From the System Tray: Double-click the Odyssey icon, or right-click it and choose Odyssey Client Manager.
• From Control Panel: Double-click the Odyssey Client Manager icon.
• From the Windows taskbar: Select Start > Programs > Funk Software > Odyssey Client > Odyssey Client Manager.

NOTE: To stop Odyssey Client from running entirely, select the Exit command when you right-click the Odyssey icon in the System Tray.

Commands Menu

The following commands are available from the Commands menu:

• Forget Password
• Forget Temporary Trust
• Check New Scripts
• Run Script

Forget Password

When you first authenticate using a profile set to prompt for password, you are asked to type in your password. Odyssey Client remembers the password you enter, and uses it for all subsequent authentications using that profile without prompting you again. Normally, Odyssey Client does not forget the password you type in until you reboot your PC, or restart Odyssey Client. If you want Odyssey Client to immediately discard any passwords you type in, select Forget Password. When your password is needed again, you are prompted to enter it. You might need to use this command if you enter your password incorrectly or if your password has been changed on the authentication server.

Forget Temporary Trust

If you enable temporary trust from Settings > Security Settings, then whenever you encounter an untrusted authentication server, a dialog pops up, allowing you to trust that server temporarily. Odyssey Client continues to trust that server for the period of time configured in Security Settings. If you want Odyssey Client to immediately discard its list of temporarily trusted servers, select Forget Temporary Trust. You might need to use this command if you accept a server as temporarily trusted and then decide to break your connection with it. If you want to be sure the connection is broken immediately, you should disable session resumption and then click Reconnect on the Connection panel.
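The temporary trust rules from Security Settings and the effect of Forget Temporary Trust can be followed in a small model. This is an added illustration, not Odyssey Client code: the class, method and server names are assumptions, and the settings are treated as fixed for the life of the model.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum


class Decision(Enum):
    TRUSTED = "trusted"   # server accepted without a prompt
    PROMPT = "prompt"     # the Untrusted Server dialog would open
    FAIL = "fail"         # authentication fails: server not explicitly trusted


@dataclass
class TrustModel:
    """Hypothetical model of the guide's trust settings (not Odyssey code)."""
    temporary_trust_enabled: bool = True             # guide default
    max_hours: int = 12                              # guide default
    permanent: set = field(default_factory=set)      # the trust tree
    temporary: dict = field(default_factory=dict)    # server -> time accepted

    def _expiry(self, server):
        return self.temporary[server] + timedelta(hours=self.max_hours)

    def decide(self, server, now):
        """Outcome when a server certificate must be validated at `now`."""
        if server in self.permanent:
            return Decision.TRUSTED
        if server in self.temporary:
            if now < self._expiry(server):
                return Decision.TRUSTED
            del self.temporary[server]               # trust window has elapsed
        if self.temporary_trust_enabled:
            return Decision.PROMPT
        return Decision.FAIL

    def accept(self, server, now, add_to_database=False):
        """The user accepts the server in the Untrusted Server dialog."""
        if self.decide(server, now) is not Decision.PROMPT:
            raise ValueError("no Untrusted Server dialog is open for " + server)
        if add_to_database:
            self.permanent.add(server)               # not subject to max_hours
        else:
            self.temporary[server] = now

    def forget_temporary_trust(self):
        """Commands > Forget Temporary Trust: drop every temporary entry."""
        self.temporary.clear()

    def exposure(self, now):
        """Servers trusted only temporarily at `now`, soonest expiry first."""
        live = {s: self._expiry(s) - now for s in self.temporary
                if now < self._expiry(s)}
        return sorted(live.items(), key=lambda item: item[1])


if __name__ == "__main__":
    t0 = datetime(2004, 11, 1, 9, 0)                 # constructed timestamps
    model = TrustModel()
    model.accept("radius-a.example", t0)             # constructed server names
    model.accept("radius-b.example", t0 + timedelta(hours=5))
    for name, left in model.exposure(t0 + timedelta(hours=10)):
        print(name, "is temporarily trusted for another", left)
    model.forget_temporary_trust()
    print(model.decide("radius-a.example", t0 + timedelta(hours=10)))
```

The model covers trust decisions only; it does not model session resumption, which the text above says to disable before reconnecting if the connection must be broken immediately.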

Check New Scripts

Your administrator may provide you with one or more scripts that update your Odyssey Client configuration. See “Script Composer” on page 127 for directions on how to compose scripts. See “Scripts for incremental updates of user configurations” on page 140 for information on delivering scripts. The opportunity to process updated scripts is presented to you automatically when New Odyssey Client Scripts appears. You can also access New Odyssey Client Scripts from Commands > Check New Scripts.

New Odyssey Client Scripts contains a list of new configuration scripts. You can process any script in the list by selecting it. You can only address one script at a time. For each script that you select in the list, you have two processing options:

• Click Run, in order to run the script and update your Odyssey Client configuration.
• Click Delete, in order to delete the script.

Before you can execute a run or delete command, you must first click Yes in the processing option verification dialog that opens.

If there are any new scripts that you do not want to process at this time, you can do one or both of the following:

• You can set a reminder to process script(s) in the future by selecting a number of days, after which New Odyssey Client Scripts reappears. You can select the reminder period in Remind me again after (days). Note that this reminder snooze period is interrupted if your administrator offers you a new script in the interim.
• You can save one or more unprocessed scripts to your hard drive. After you save them, you can process them immediately in New Odyssey Client Scripts. You can also process these scripts at a later time, one at a time, using Commands > Run Script, or through New Odyssey Client Scripts from Commands > Check New Scripts:
  ◦ Select one of the scripts you intend to save.
  ◦ Click Save, in order to save the script to your hard drive so that you can run it at some time in the future. Note that you cannot click Save after you click Run or Delete. When you click Save, you can choose a directory in which to save your configuration script.
  ◦ Repeat until you have saved all the scripts that you want to save.

Run Script

You can use Commands > Run Script to run any scripts that you have saved to your hard drive when presented with Check New Scripts. When you select this command, you can browse to the directory in which you have saved any scripts, and select a script to run.

Update

From time to time, you may see a pop-up that indicates you should update your Odyssey Client configuration. In addition, your network administrator may inform you that you can update your configuration. To update your Odyssey Client configuration, follow these steps:

1. Select Settings > Update.
2. Select the configuration file in the default directory, or browse to the directory provided to you by your system administrator.

Web menu

The Web menu provides several web links. These include the following:

• Odyssey User Page
• Funk Software Home Page
• Register Odyssey Client
• Purchase Odyssey Client

Odyssey User Page

Select Odyssey User Page to open your browser to a page devoted to Odyssey users. You can find technical notes that can help you get the most out of Odyssey, as well as product news and information about new versions at this web site.

Funk Software Home Page

Select Funk Software Home Page to open our home page in your browser. Here you can find more information about Funk Software, Inc. and our products.

Register Odyssey Client

Select Register Odyssey Client to register your Odyssey Client online. Once you register your software, you are automatically notified about product upgrades and special offers. Additionally, should you need to call our technical support hotline, we can expedite your call if we have your registration on file.

Purchase Odyssey Client

Select Purchase Odyssey Client in order to purchase the product.

Help Menu

The Help menu has the following items:

• Help topics
• License keys
• View Readme File
• About

Help topics

Select Help Topics to bring up the Odyssey Client help system. You can also get context-sensitive help at any time by pressing F1. The help system appears opened at the section that best explains your current situation.

License keys

Select License Keys from the Help menu, to manage your Odyssey Client license keys.

A license key is a text sequence that represents your license to use Odyssey Client. Under most circumstances, you set a license key when you first install Odyssey Client. However, you may need to install additional license keys in the future. For example, you must use an additional license key when you upgrade to a new version, or when you want to enable special features. In this example, no license key is visible. Click Add, to add a new license key. To remove a license, select it, and click Remove.

NOTE: On Windows 2000 or XP you must have administrative rights in order to add or remove licenses. If you do not have such rights, you are able to view the license keys, but not to add or delete them, and you must contact your system administrator to do so.

View Readme File

Select View Readme File to open the file readme.txt. This file has important information about Odyssey Client that could not be included in this manual.

About

Select About to view version and copyright information.

Tray icon menu commands

If you right-click on the Odyssey icon in the System Tray, the following menu items appear:

• Odyssey Client Manager
• Enable Odyssey or Disable Odyssey
• Help commands
• Exit

Odyssey Client Manager

You can start Odyssey Client Manager (the user interface for Odyssey Client) by selecting the Odyssey Client Manager menu command from the System Tray right-click menu.

Enable Odyssey or Disable Odyssey

Select Enable Odyssey or Disable Odyssey to turn Odyssey Client on or off from the System Tray right-click menu. See “Enable/Disable Odyssey” on page 86 for more information on this feature.

Help commands

One of the options on the menu that appears when you right-click on the Odyssey icon in the System Tray is Help. There are two further options: Help Topics and About. If you select Help Topics, the Help system appears in a window opened to the table of contents. If you select About, product version and copyright information are displayed.

Exit

If you select the Exit command from the System Tray right-click menu, you are offered a prompt.

When you click Yes, Odyssey Client immediately stops running in the background. You may want to use this option when you are not using wireless networking for an extended period. You can restart Odyssey Client by running Odyssey Client Manager from the Start menu.

Other Odyssey Client features

In addition to panels and menu items, you may interact with Odyssey Client in the following ways:

• Shortcut keys
• Using Odyssey Client with some features disabled

Shortcut keys

In addition to using your mouse to access buttons, tabs, and panels on Odyssey Client Manager, you can also use your keyboard to access all of the Odyssey Client features. Most keyboard shortcuts are indicated by letters that are underlined in the Odyssey Client Manager. To use the keyboard shortcuts for these features, press Alt and then the letter. For example, to scan for a network from the connection panel, you can press Alt-n. To move between the panels of the Odyssey Client Manager, use the up and down arrows on your keyboard. You can use the following keyboard shortcuts in order to select the graphical information buttons on the connection panel:

• Alt-1, to display the signal power information
• Alt-2, to display the connection status information
• Alt-3, to display the encryption key information

You can also press Alt in conjunction with the appropriate arrow key on your keyboard, in order to implement the corresponding arrow button features, such as those in Auto-Scan Lists.

Using Odyssey Client with some features disabled

It is possible that your administrator has restricted your use of certain Odyssey Client features. For example, you may not be able to configure a profile that uses certain protocols. When this is the case, you are apprised of this fact with an error message, such as the one in the following example.

In all cases, you must adhere to your administrator’s rules when you configure Odyssey Client features.

Interaction with other adapter software

Your wireless adapter may provide its own user interface software to help you control its operation. This software may allow you to operate non-standard features of your wireless adapter, to which Odyssey Client Manager has no access. In most cases, Odyssey Client Manager and the user interface that comes with your wireless adapter can coexist without problems, but you should avoid using both products for similar purposes. If you use Odyssey Client for network communications, only use the software supplied with your adapter to operate those features that cannot be controlled by Odyssey Client Manager.

Chapter 5 Odyssey Client Administration

Overview of Odyssey Client Administration

Odyssey Client provides a set of special tools for performing administrative tasks for managing users of the product. These advanced tools are only available if you have administrative privileges. You can only run these tools on a Windows 2000 or Windows XP device. The administrative tasks you can perform include the following:

• Create a custom new installer file with preconfigured settings for a group of users of any platform. See “Custom Installer” on page 124.
• Configure settings update files in order to update user configurations for a large group of users. You can easily specify feature-locking, and other constraints through these updates. See “Configuration updates for mass-distribution to your users” on page 141.
• Create custom configuration scripts to distribute to your current users of Odyssey Client. See “Scripts for incremental updates of user configurations” on page 140.
• Configure the timing for user or machine connection. See “Connection Settings” on page 99.
• Configure the initial settings for all users of a given client machine. See “Initial Settings” on page 110.
• Specify how to lock or merge features of your Initial Settings configuration for administrative updates, new installer files, and for your computer. See “Merge Rules” on page 119.
• Specify custom user restrictions for administrative updates (and for your computer). You apply these restrictions to portions of configuration items. See “Permissions Editor” on page 117.
• Configure machine account settings when you require a machine network connection at Windows startup. See “Connection Settings” on page 99.
• Enable or disable Odyssey Client plug-ins. See “Sample administrative workflows” on page 135.

NOTE: You can use the Odyssey Client Administrator to configure these features for the machine on which you have installed Odyssey Client, or you can apply your Odyssey Client Administrator settings when you create an installer type file that you can distribute to a group of users. Only the script composer tool uses your Odyssey Client Manager configurations.

See also the following topics for some connection scenarios:

• “Machine only connection” on page 138
• “Machine connection followed by user authentication” on page 138
• “User authentication without machine connection” on page 139

NOTE: Before using the administrator tools in Odyssey Client Administrator, you should be completely familiar with the Odyssey Client Manager features.

Odyssey Client Administrator

To launch the Odyssey Client Administrator, select Settings > Odyssey Client Administrator, from the Odyssey Client Manager. You can also double-click the odClientAdministrator.exe application in the directory in which you have installed the Odyssey Client product. Odyssey Client Administrator appears on your screen.

You can operate the following advanced administrative tools from the Odyssey Client Administrator by double-clicking a selected tool:

• Connection Settings, for configuring one or more of the following types of network connection timings:
  ◦ Connection to the network as a machine (machine connection) at Windows startup time
  ◦ Connection to the network with user credentials prior to Windows logon
  ◦ Connection to the network with user credentials after Windows logon, but before the desktop appears
  ◦ Connection to the network with user credentials after the desktop appears
• Initial Settings, for one or more of the following:
  ◦ Modifying initial settings for all users of this machine
  ◦ Creating the user configuration data (network and profile) to be used with user authentication that takes place prior to Windows logon
  ◦ Creating and testing a template of preconfigured settings before creating a new custom installer file
  ◦ Creating and testing a template for updating your user configurations for mass-distribution
• Machine Account, for configuring a machine network connection
• Permissions Editor, for applying customized feature-by-feature restrictions on your users’ ability to modify Odyssey Client configurations
• Merge Rules, for setting the rules used in creating a settings update file or a new custom installer file. You can also assign rules that modify current configurations, or that prevent your users from editing their configuration entirely.
• Custom Installer, for creating a preconfigured installer file from the initial user and/or machine settings that you configure using the above-listed Odyssey Client Administrator tools
• Script Composer, for creating configuration scripts that you can use to define or update your users’ Odyssey Client configurations

You may have occasion to use all, or some of these tools, depending on what you are trying to do. For some use cases for Odyssey Client Administrator, see “Sample administrative workflows” on page 135.

Connection Settings

Double-click Connection Settings in the Odyssey Client Administrator to open the Connection Settings tool.

You can use the Connection Settings tool to set the following connection options:

• User Account, for configuring the default timing of user logon connections
• Machine Account, for configuring network connection options for network authentication with machine credentials at Windows startup time. The settings you choose may or may not require you to set additional default user account settings.
• GINA, for installing or removing the ability for users to connect to the network before Windows logon.

Click OK when you are done configuring Connection Settings. See Network configuration scenarios for more information on the possible connection configurations.

Network configuration scenarios

You can configure one of six different network connection configurations:

• A machine only network connection, during which only machine credentials are authenticated
• A machine connection to the network at Windows startup time, with subsequent authentication of user credentials after the user logs on, but before the user’s desktop appears
• A machine connection to the network at Windows startup time, with subsequent authentication of user credentials after the user’s desktop appears
• A connection to the network with user credentials when they log on to Windows
• A connection to the network with user credentials after they log on to Windows, but before the user’s desktop appears
• A connection to the network with user credentials after the user’s desktop appears

Of these choices, only the last one is available for Windows 98 and Me machines. Note that some of these features are enabled or disabled according to the other features you select. See “Restrictions on early network connections” on page 109 for more information.

For more information on configuring the various network connection scenarios, as well as information about why you might select one scenario over another, see the following topics:

• “Machine only connection” on page 138
• “Machine connection followed by user authentication” on page 138
• “User authentication without machine connection” on page 139

User Account

You have several options to configure the default settings for the timing of network authentication that relies on user credentials. You can configure such connections to occur prior to or after Windows logon time from the User Account tab on Connection Settings.

You can have up to three options available for configuring the timing of a user account connection with respect to the Windows logon time. These options are listed under Use Odyssey to connect to the network. They are listed in order from the latest time at which a network connection is established to the earliest time at which a network connection is established through Windows logon:

- After the user’s desktop appears: Choose this option if you do not require the user to establish a network connection before the desktop appears.
- After Windows logon, before the desktop appears: Choose this option if you require the user to establish a network connection before the desktop appears, but you do not require them to establish the network connection before the Windows logon process is complete.
- Prior to Windows logon, using the following settings: Choose this option if you require the user to establish a network connection prior to establishing Windows logon.

Note the following:

- You do not have the Prior to Windows logon option available when you set a machine connection for initial logon.
- You can only have the Prior to Windows logon option available when you click Install Odyssey GINA module, in the Odyssey “GINA” module section of Connection Settings.
- If you do select the Prior to Windows logon option, do not assign a network, auto-scan list, or profile connection for which you have selected EAP-TLS as the authentication method.

The success of your connection may depend on the timing you select. It is safest for you to choose to establish the network connection after the desktop appears. However, if you require that the user connects to the network before the desktop appears, select an earlier connection time. If you select prior to Windows logon, then perform the following tasks and options:

- Select the adapter and network (or auto-scan list, or profile, in the case of a wired 802.1X connection) from the lists provided. You must first configure these using Initial Settings. See also “Configuring connections that occur prior to Windows logon” on page 113.
- You can optionally require a prompt screen to appear prior to making the network connection at logon time every time your users log on to Windows, by checking Prompt before connecting to the network.
- You have the (recommended) option to override prior to Windows logon connections through Odyssey Client whenever you are connected to a wired network adapter. To do so, check Wait until my desktop appears before using Odyssey to connect to the network, and select Any wired adapter is already connected.

If you do not select After my desktop appears, then you have the option to request an after desktop connection on a per adapter basis. To use this feature, check Wait until my desktop appears before using Odyssey to connect to the network. You have two choices for the conditions under which your after desktop connection takes place:

- To make an after desktop connection whenever users of this machine are connected to your network through a wired adapter, select Any wired adapter is already connected. This option applies even if the wired adapter is not connected to an 802.1X hub or switch.
- To make an after desktop connection whenever you are connected to your network through a set of adapters (wired or wireless) that you specify explicitly, select One of the following adapters is already connected. This option pertains to any adapter listed. To edit this list of adapters, click Edit. Select Adapters appears. Check any adapters that you want to use for after Windows logon network connections, and click OK to close Select Adapters.

Click OK to close Windows Logon Settings.

NOTE: If you want to install Windows logon features when creating a custom installer template, follow the guidelines in “Configuring connections that occur prior to Windows logon” on page 113.

For information on compatibility when using the Windows logon features with other applications that initiate at logon time, see “Compatibility with other applications running at logon” on page 108.

Machine Account

You can connect to the network at Windows startup time using a set of machine (rather than user) credentials by checking Enable network connection using machine credentials from the Machine Account tab on Connection Settings.

You can configure these machine credentials in the Connection Settings tool. Once you check Enable network connection using machine credentials, you have two mutually exclusive options:

- To sustain your network connection as machine only, select Leave the machine connection active; users are connected via the machine connection. With this option, users have little control of their network connection when they open the Odyssey Client Manager. They can view status information and reconnect or reauthenticate to the network.
- To automatically establish a network connection with your users’ own credentials once they have logged into Windows, select Drop the machine connection; users must connect with their own credentials. With this option, you can account for individual users of the network, and each user can modify his or her user account connection settings using the Odyssey Client Manager. If you select this option, then set the timing for the user connection in User Account. The two timing options you can select are as follows:
  - After the user’s desktop appears
  - After Windows logon, before the desktop appears

You can configure your connection settings according to your selections:

- Double-click Connection Settings in the Odyssey Client Administrator, and configure the machine network connection.
- If you opt for users to connect with their own credentials after the machine connection is established, double-click Initial Settings in the Odyssey Client Administrator to configure new user account settings.

NOTE: You do not have the option to enable a machine account connection if you have installed the Odyssey GINA Module. Uninstall this feature before you proceed to configure a machine account connection.

See “Restrictions on early network connections” on page 109 for a listing of features unavailable when you configure a machine account connection.

GINA

You can use Odyssey’s GINA module to allow users of Windows XP or 2000 to connect to the network using their Windows logon credentials prior to Windows logon. Connecting prior to Windows logon can be helpful when users have startup processes that require network connections. You cannot use this connection feature without installing Odyssey’s GINA module.

NOTE: If you want to use a non-Microsoft GINA-type logon module with Odyssey Client, then you must install it before you install the Odyssey Client GINA module.

Installing Odyssey’s GINA module

You can enable Odyssey’s GINA module features through the GINA tab on Connection Settings.

To install the GINA module, click Install Odyssey GINA module. If you want to use this network connection option and have already checked a machine connection option, uncheck the machine connection option before clicking this. The GINA module installation is completed when you next reboot the machine.

Removing Odyssey’s GINA module

To remove Odyssey’s GINA module when it is installed, click Remove Odyssey GINA module. The GINA module removal is completed when you next reboot the machine.

Compatibility with other applications running at logon

The Odyssey GINA module works by hooking into the Windows Graphical Identification and Authentication (GINA) module. This is the module that presents the Windows Logon dialog. Odyssey Client is compatible with a number of logon modules, preserving single sign-on behavior:

- You may be prompted for credentials by Odyssey Client for some applications that replace the Microsoft Windows logon screen.
- In the case of Novell® Client™ for Windows, Odyssey Client uses your Novell credentials at logon time without prompting for credential information.

NOTE: It is possible that you have one or more other applications running a similar GINA process at logon. In this case, install the Odyssey Client GINA module after you install any other applications that run prior to Windows logon, in order to ensure that both programs function correctly.

Restrictions on early network connections

There are no restrictions for user account network connections that occur after the desktop appears, but otherwise, there may be restrictions on the features you can use when you select particular network connection timing options in Connection Settings. The following table summarizes the restrictions.

| Feature | Machine account at Windows startup | User account at Windows logon | User account after logon, but before desktop |
|---|---|---|---|
| Ad-hoc | yes | no | yes |
| Preconfigured WEP keys | yes | only when configured from Initial Settings | yes |
| Windows password | no | yes | yes |
| Machine password | yes | no | no |
| Prompt for password | no | yes | no |
| Prompt for PIN (with SIM cards) | no | no | no |
| Use the following password | yes | no | yes |
| EAP-TLS | yes | no | yes |
| EAP-TTLS/PAP/Token Card | no | yes | no |
| EAP-GenericTokenCard | only when configured not to prompt for token. See “Set generic token card credential options” on page 46, “Machine Account” on page 114, and “User Info” on page 37. | yes | only when configured not to prompt for token. See “Set generic token card credential options” on page 46 and “User Info” on page 37. |
| EAP-TTLS/EAP/EAP-GenericTokenCard | only when configured not to prompt. See “Set generic token card credential options” on page 46, “Machine Account” on page 114, and “User Info” on page 37. | yes | only when configured not to prompt for token. See “Set generic token card credential options” on page 46 and “User Info” on page 37. |
| EAP-PEAP/EAP-GenericTokenCard | only when configured not to prompt. See “Set generic token card credential options” on page 46, “Machine Account” on page 114, and “User Info” on page 37. | yes | only when configured not to prompt for token. See “Set generic token card credential options” on page 46 and “User Info” on page 37. |
| Unauthenticated network connections (networks without profiles) | yes | only when configured from Initial Settings | yes |
| Pre-shared WPA or WPA2 passphrase to generate encryption keys | yes | only when configured from Initial Settings | yes |
| Temporary trust | no | no | no |
| Uncheck Validate server certificate | yes | no | yes |

A yes in a column implies the feature is valid for that connection setting, while no indicates that it is not. Note the following:

- You can configure all of the default user account network settings in Initial Settings. However, the restricted options are not, by default, disabled in Initial Settings, so make sure you configure the network connection properly.
- Features that only apply when you configure default Windows logon settings in Initial Settings are not available if your users override default Windows logon settings from the Settings > Windows Logon Settings menu in the Odyssey Client Manager.
- You can configure all of the machine account network settings in the Connection Settings tool. The restricted options are disabled for you in the Machine Account tool.

Initial Settings

You can use the Initial Settings tool for the following:

- Configure the initial user network connection settings for all new users of Odyssey on a given client machine.
- Configure the user configuration for network connections for a template for a custom installer or updated user configuration file.
- Configure any adapter, and user profile or network settings you require for connections that take place prior to Windows logon.
- The Initial Settings tool works in concert with the Merge Rules tool. Settings you configure here are also used when you configure rules (merge rules) for applying your configuration to your users’ machines. See “Merge Rules” on page 119 for more information. You can use Initial Settings to configure features before you apply any merge rules to them.

To access the Initial Settings tool, double-click Initial Settings in the Odyssey Client Administrator.

You can configure the following features in the same way that you configure these features in the Odyssey Client Manager. Configure the following initial user network settings:

- Wireless connection(s)
- Wired connection(s)
- Profiles
- Networks
- Auto-Scan lists
- Trusted servers: You must configure your trusted server certificate in your machine store of the configuration machine before you configure a trusted server in Initial Settings.
- Adapters: If you are configuring a template for a custom installer file, your users do not have to have exactly the same wireless or wired adapter as you have (the names and models can differ), as long as you install a similar type (wired or wireless) of equipment on their client machines.

See also the following topics:

- “Configuring connections that occur prior to Windows logon” on page 113
- “Caution on overriding default Windows logon settings” on page 112
- “Test user connection settings” on page 126
- “Machine only connection” on page 138
- “Machine connection followed by user authentication” on page 138

Once you configure Initial Settings, all users who start up Odyssey for the first time on your client machine are presented with the default connection setup you have just configured. You can also use these settings for configuring the following:

- A preconfigured installer
- An updated user configuration file
- Network settings for user connections that take place prior to Windows logon

Caution on overriding default Windows logon settings

The Settings > Windows Logon Settings menu in the Odyssey Client Manager gives users the option to override the default network connection timing. Do not check Override default settings for Windows logon in Initial Settings, or your users will, by default, have initial settings that override the settings you configure in GINA.

If you do install Odyssey’s GINA module from Connection Settings, then your users have the ability to configure a network connection prior to Windows logon. If you do not install the GINA module, then your users have only the two post-logon connection options available to them through this menu on the Odyssey Client Manager.

Note that even though your users can override the default network connection settings that you configure, they cannot override configured trusted servers when they connect prior to logon time. The only way to change the trust you configure for a Windows logon connection on a given installation is for you (or someone with administrative privileges) to modify these settings in the Trusted Servers panel of Initial Settings.

Configuring connections that occur prior to Windows logon

When installing Odyssey Client on Windows XP or 2000, you have the option to enable automatic network connections at the time the user logs on to the machine. This can be helpful when users have startup processes that require network connections. You can accomplish this using Odyssey Client’s Windows logon features.

There are some restrictions on the features you can use when you configure a network connection for user accounts prior to Windows logon time. See “Restrictions on early network connections” on page 109 for more information. Note the following additional instructions for any user account connections you want to configure to occur prior to Windows logon:

- You must associate a profile and adapter (for wired connections) or a network (or auto-scan list) and adapter (for wireless connections) with a Windows logon configuration. The network configuration for Windows logon that you select from the drop-down lists in User Account in Connection Settings reflects the adapters, networks, auto-scan lists, and profiles you specify in Initial Settings.
- You are not required to associate a profile with any network you configure in Initial Settings when you are configuring user defaults for your machine or for a new custom installer file.
- If you configure a profile for your prior to Windows logon network connection that uses EAP-TTLS, EAP-TLS, or PEAP, the server certificate is validated automatically when a user authenticates prior to Windows logon. You are not required to check Validate server certificate on the Authentication tab of the Profile Properties on the associated profile in order for this validation to take place.
- When configuring the User Info tab of the profile for prior to Windows logon connections, leave the Login name field blank. Odyssey Client uses the user’s Windows logon name.
- You cannot assign to the network connection a profile that uses a stored password on the User Info tab of a profile that you have configured in Initial Settings. See “Restrictions on early network connections” on page 109 for more information.
- If you assign your selected network to encrypt your data using WEP, you can either specify fixed WEP keys on that network description, or you can check Keys will be generated automatically for data privacy.
- To install or remove Odyssey’s Windows logon features, follow the instructions in “GINA” on page 106.
- Select the third radio button (prior to Windows logon) and specify the network (or profile) and adapter in User Account in Connection Settings.
- You must configure a trusted server in the Trusted Servers panel of Initial Settings. The trust you configure must include a certificate authority in the signing chain of the trusted server. If you have not already installed the certificate in the machine store on your machine, you must do so prior to configuring this trust.

NOTE: There is some potential for incompatibility of the Odyssey Client Windows logon feature with similar features in other products. See “Compatibility with other applications running at logon” on page 108. As a result, you should not enable the logon features unless you plan to use them.
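Because the restricted options are not disabled in Initial Settings, it helps to check a planned configuration against the timing rules and the restrictions table before rolling it out. The following Python check is an added example, not part of the guide or of Odyssey Client: `Plan` and `audit` are hypothetical names, the sample plan is constructed, and the table's “User account at Windows logon” column is assumed to correspond to the Prior to Windows logon option.

```python
from dataclasses import dataclass, field

# Connection timings. The first three are the columns of the restrictions table.
MACHINE = "machine account at Windows startup"
AT_LOGON = "user account at Windows logon"   # assumed: the Prior to Windows logon option
PRE_DESKTOP = "user account after logon, but before desktop"
POST_DESKTOP = "user account after the desktop appears"   # no restrictions apply
COLUMN = {MACHINE: 0, AT_LOGON: 1, PRE_DESKTOP: 2}

Y, N = "yes", "no"
INIT = "only when configured from Initial Settings"
QUIET = "only when configured not to prompt for token"

# feature -> cells for (MACHINE, AT_LOGON, PRE_DESKTOP), transcribed from the table
RESTRICTIONS = {
    "Ad-hoc": (Y, N, Y),
    "Preconfigured WEP keys": (Y, INIT, Y),
    "Windows password": (N, Y, Y),
    "Machine password": (Y, N, N),
    "Prompt for password": (N, Y, N),
    "Prompt for PIN (with SIM cards)": (N, N, N),
    "Use the following password": (Y, N, Y),
    "EAP-TLS": (Y, N, Y),
    "EAP-TTLS/PAP/Token Card": (N, Y, N),
    "EAP-GenericTokenCard": (QUIET, Y, QUIET),
    "EAP-TTLS/EAP/EAP-GenericTokenCard": (QUIET, Y, QUIET),
    "EAP-PEAP/EAP-GenericTokenCard": (QUIET, Y, QUIET),
    "Unauthenticated network connections": (Y, INIT, Y),
    "Pre-shared WPA or WPA2 passphrase": (Y, INIT, Y),
    "Temporary trust": (N, N, N),
    "Uncheck Validate server certificate": (Y, N, Y),
}


@dataclass
class Plan:
    """Hypothetical description of one intended connection configuration."""
    timing: str
    os: str = "Windows XP"
    gina_installed: bool = False
    machine_connection: bool = False       # Enable network connection using machine credentials
    trusted_server_configured: bool = False
    from_initial_settings: bool = True     # False: the user overrode the defaults in the Manager
    prompts_for_token: bool = False
    features: set = field(default_factory=set)


def audit(plan):
    """Return a list of findings; an empty list means no rule from the guide is broken."""
    if plan.timing not in (*COLUMN, POST_DESKTOP):
        raise ValueError(f"unknown timing: {plan.timing!r}")
    findings = []
    if plan.os in ("Windows 98", "Windows Me") and plan.timing != POST_DESKTOP:
        findings.append(f"{plan.os} supports only connections after the desktop appears")
    if plan.gina_installed and plan.machine_connection:
        findings.append("machine account connection is unavailable while the GINA module is installed")
    if plan.timing == AT_LOGON:
        if not plan.gina_installed:
            findings.append("prior to Windows logon requires the Odyssey GINA module")
        if plan.machine_connection:
            findings.append("prior to Windows logon is unavailable with a machine connection")
        if not plan.trusted_server_configured:
            findings.append("prior to Windows logon requires a trusted server in Initial Settings")
    column = COLUMN.get(plan.timing)
    if column is None:                     # POST_DESKTOP: the table imposes nothing
        return findings
    for feature in sorted(plan.features):
        cells = RESTRICTIONS.get(feature)
        if cells is None:
            findings.append(f"{feature}: not in the restrictions table")
            continue
        rule = cells[column]
        if rule == N:
            findings.append(f"{feature}: not valid for {plan.timing}")
        elif rule == INIT and not plan.from_initial_settings:
            findings.append(f"{feature}: {INIT}")
        elif rule == QUIET and plan.prompts_for_token:
            findings.append(f"{feature}: {QUIET}")
    return findings


if __name__ == "__main__":
    # Constructed plan: pre-logon connection with a stored password and EAP-TLS.
    plan = Plan(timing=AT_LOGON, gina_installed=True,
                features={"EAP-TLS", "Use the following password"})
    for finding in audit(plan):
        print("-", finding)
```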

Machine Account

If you have configured a machine account network connection in Connection Settings, you can use Machine Account to configure network connections for a machine. Double-click Machine Account in the Odyssey Client Administrator to configure Machine Account.

Configure a machine network login account in Machine Account in very much the same way you would configure a user account, except there are different options for machine account profiles. At a minimum, configure at least one network, adapter, and profile for the machine logon. See the following relevant topics for more information:

- “Profiles panel” on page 36
- “Networks panel” on page 50
- “Auto-Scan Lists panel” on page 58
- “Trusted Servers panel” on page 60
- “Adapters panel” on page 69

Note that you can configure multiple networks, profiles, and adapters, but only those for which you check Connect to network (for wireless connections) and/or Connect using profile (for wired connections) are used by the machine connection. To test machine connection settings, see “Testing your settings” on page 126. See also the following topics:

- “Machine only connection” on page 138
- “Machine connection followed by user authentication” on page 138

Note the following:

- Authentication methods that require user interaction, such as those associated with tokens, are not available with machine connection. As a result, this Profiles Panel varies slightly from that of the Odyssey Client Manager. See “Restrictions on early network connections” on page 109 for all restrictions on machine account connections.
- You can configure the use of machine credentials when authenticating using a machine account. To do this, follow this procedure when you create a machine account profile:
  1. Create a profile from the Profiles Panel of Machine Account and check Use machine credentials under User Info of Add Profile.
  2. If you require a realm with your machine credentials, type in the name of the realm next to Optional realm: machine @.
  3. Keep Permit login using password checked.
  4. Machine credentials are only used with EAP-TTLS or EAP-PEAP. Choose at least one of these authentication methods for the profile, and configure any TTLS Settings and/or PEAP Settings options you require.
- If you enter any passwords for machine account profiles or certificates, and intend to create a custom installer, the credentials you enter here are used by all copies of Odyssey Client that use this installer. It is better to manually enter credentials on each client machine, if these are required.
- You can use these settings to configure a custom installer.
- You must configure your trusted server certificate for your machine connection. You must first install the certificate in your machine certificate store on your configuration machine.

NOTE: You cannot configure machine account settings for machines running Windows 98 or Me.

Permissions Editor

You can use the Odyssey Client Permissions Editor to restrict your users from modifying some of the features that you allow them to configure themselves. The rules that you configure in Odyssey Client Permissions Editor apply to your current machine automatically. You can also create a file to export your permission configuration to a group of users. See “Configuration updates for mass-distribution to your users” on page 141.

To implement permission restrictions, double-click Permissions Editor in Odyssey Client Administrator. Odyssey Client Permissions Editor appears.

You can use Odyssey Client Permissions Editor to disable the use of some Odyssey Client features for your users. For example, you may allow your users to create new profiles, but may want to restrict the authentication protocols that they are allowed to use. The items listed in Odyssey Client Permissions Editor pertain to features you can find on the Odyssey Client Manager. Check any features to which you want to restrict user access, and click OK when you are done. Note the following:

- Any features that you configure as locked in Merge Rules are exempt from constraints you configure in the Permissions Editor.
- Any items to which you apply constraints remain visible to your users, even though they are unable to configure those features.
- If you check Disable [any] networks, your users do not have the ability to connect to unspecified networks using the [any] network feature. See “Configure Odyssey Client to connect to any available network” on page 53 for a description of this feature.
- If you check Disable ad-hoc networks, your users cannot make peer-to-peer connections.
- If you check Remove Odyssey Client Administrator from Settings menu, your users that have administrative privileges on their computers do not have menu access to the Odyssey Client Administrator from the Odyssey Client Manager.
- If you check Remove License Keys from Help menu, your users cannot modify or view license keys.
- If you check any of the Disable unauthenticated options, your users are not allowed to create a network configuration using the specified encryption protocol if they do not assign a profile to the network connection. The clear option is for no encryption (none).
- If you check any of the Disable authenticated options, your users are not allowed to create a network configuration using the specified encryption protocol when they assign a profile to the network connection.

See the following relevant topics:

- “Validate the server certificate” on page 45
- “Select authentication protocols” on page 45
- “Specify the network type” on page 54
- “Authenticate using profile” on page 55
- “Password” on page 39
- “Certificate” on page 40
- “Server temporary trust” on page 74

See also “Configuration updates for mass-distribution to your users” on page 141 for information on applying your permission restrictions to your user configurations.

Merge Rules

You can use Merge Rules to specify how your current Odyssey Client Administrator configuration from Initial Settings, as well as your user’s Windows logon settings in Connection Settings, is applied to users of your current machine, as well as to any new custom installer file or any settings update file you create. When you configure merging rules, you have the ability to add, replace, or lock any user features you configure in the Odyssey Client Administrator.

The following situations describe a few cases in which you would want to configure rules for merging your Odyssey Client Administrator configuration:

- You have already installed Odyssey Client on a group of client PCs, and you have already configured it for a group of users, but would like to be able to provide periodic administrative updates.
- You want to create a new custom installer file in order to upgrade your users with a newer version of Odyssey Client. When you do so, you can specify how features are merged into your users’ current configurations.
- You want to create a new custom installer file for configuring Odyssey Client for new user machines. In this case, you can specify the locking of the configured features as they are installed on a new machine, or you can use the default settings in Merge Rules (configure nothing) if you are not interested in locking any features you configure.

On a feature by feature basis, you can select the manner in which your current Initial Settings configuration settings are applied to all users of your current machine (or to a new custom installer file, or to a configuration update file). You can choose one of the following modes:

- None (default for some items on the Other tab), for configuring settings for new users of a given client PC on your network based on selected items that you configure in the Odyssey Client Administrator. You may want to use this mode, for example, if you have recently updated your license, and you want to update your configuration of all new user settings on client machines with settings for the latest features. This mode has no effect on the configurations of current users of an Odyssey Client installation. Once a user begins to use Odyssey Client, they are free to modify any of these settings.
- Add if not present (default, except for some items on the Other tab, for which this option is not available), for adding selected Odyssey Client Administrator settings to the current settings of your users without overwriting settings with the same names. This mode affects the configurations for new users, as well as current users of your Odyssey Client installations. All users are free to modify these settings.
- Set, replace if present, for adding selected Odyssey Client Administrator settings to the current settings of your users, while overwriting settings if they already exist with the same names. This mode affects the configurations for new users, as well as current users of your Odyssey Client installations. All users are free to modify these settings.
- Lock except user info (available for profiles only), for overwriting all current user settings with selected Odyssey Client Administrator settings, except for user credential information (username, password, or user certificate) associated with a profile. This prevents your users from editing any portions of a locked profile except for their credentials. Do not fill in the username and password or user certificate for any profile that you create in Initial Settings to which you plan to apply this type of profile locking.
- Lock, for setting or overwriting all current user settings with selected Odyssey Client Administrator settings, and preventing your users from editing these locked features. When you lock a feature, Odyssey Client deletes all current user settings for features with the same name, and prevents new and current users from editing this feature. Locked features are indicated as such by their title bars in the Odyssey Client Manager.

The settings that you configure in Merge Rules affect Odyssey Client Manager settings for all users of your current machine as soon as you close Merge Rules. Additionally, you can then use these merge rules when you provide configuration updates to your users, or when creating a new installer file. See also “Configuration updates for mass-distribution to your users” on page 141 for information on applying your merge rules to your user configurations.
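The five modes differ in which users they touch, whether they overwrite a same-named profile, and what stays editable afterwards. The following Python model is an added example, not Odyssey Client code: the function names, the dictionary layout, the credential key names, and the sample profiles are assumptions, and the `permit_only` flag models the Permit only the following profiles option of the Profiles tab.

```python
import copy
from enum import Enum


class Mode(Enum):
    NONE = "None"
    ADD = "Add if not present"
    SET = "Set, replace if present"
    LOCK_EXCEPT_USER_INFO = "Lock except user info"
    LOCK = "Lock"


# Assumed key names for the credential part of a profile.
CREDENTIALS = ("username", "password", "user_certificate")


def _entry(settings, lock=None):
    return {"settings": copy.deepcopy(settings), "lock": lock, "hidden": False}


def apply_merge_rules(admin, rules, user, is_new_user=False, permit_only=False):
    """Model the effect of the merge modes on one user's profiles.

    admin, user: {profile name: {setting: value}}
    rules: {profile name: Mode}; unlisted profiles get ADD, the usual default.
    Returns {name: {"settings": dict, "lock": None | "except_user_info" | "all",
                    "hidden": bool}} without modifying the inputs.
    """
    result = {name: _entry(settings) for name, settings in user.items()}
    for name, settings in admin.items():
        mode = rules.get(name, Mode.ADD)
        if permit_only and mode is not Mode.LOCK:
            mode = Mode.LOCK_EXCEPT_USER_INFO    # all but credentials is locked
        existing = result.get(name)
        if mode is Mode.NONE:
            if is_new_user:                      # current users are not affected
                result[name] = _entry(settings)
        elif mode is Mode.ADD:
            if existing is None:                 # never overwrites a same-named profile
                result[name] = _entry(settings)
        elif mode is Mode.SET:
            result[name] = _entry(settings)      # overwrites, but stays editable
        elif mode is Mode.LOCK_EXCEPT_USER_INFO:
            merged = _entry(settings, lock="except_user_info")
            for key in CREDENTIALS:              # the user's own credentials survive
                if existing and key in existing["settings"]:
                    merged["settings"][key] = existing["settings"][key]
            result[name] = merged
        else:                                    # Mode.LOCK: user copy deleted, nothing editable
            result[name] = _entry(settings, lock="all")
    if permit_only:
        for name, entry in result.items():
            if name not in admin:
                entry["hidden"] = True           # hidden and disabled until the box is unchecked
    return result


def can_edit(entry, key):
    """Can the user change this setting of the profile after the merge?"""
    if entry["hidden"] or entry["lock"] == "all":
        return False
    if entry["lock"] == "except_user_info":
        return key in CREDENTIALS
    return True


if __name__ == "__main__":
    # Constructed sample: the user had switched off server certificate validation.
    admin = {"corp": {"auth": "EAP-TTLS", "validate_server_certificate": True}}
    user = {"corp": {"auth": "EAP-TTLS", "validate_server_certificate": False,
                     "username": "alice"}}
    for mode in Mode:
        merged = apply_merge_rules(admin, {"corp": mode}, user)["corp"]
        print(f"{mode.value:24} -> {merged['settings']} lock={merged['lock']}")
```

In this model only Set, Lock except user info, and Lock restore a setting the user had weakened, and only the two lock modes keep the user from changing it back.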

Assign merge rules

To assign rules for applying your Initial Settings and Windows logon configuration to users of your current machine, or to users of a configuration file you create in Custom Installer, follow these steps:

1. Double-click Merge Rules in the Odyssey Client Administrator. Merge Rules appears.
2. Select the Profiles tab. You can lock all profiles, or set merge rules for individual profiles:
   - Check Permit only the following profiles to lock all profiles listed. When you select this option, the following occur:
     - Your users can only use the profiles you configure through Initial Settings.
     - All components (aside from user credentials) of all user profiles are locked.
     - Users cannot add new profiles to their configurations.
     - Users can only edit their credentials for each of the locked profiles you configure.
     - Any profiles that were previously configured in Odyssey Client are hidden from your users and disabled. The only way to make these visible to your users again is to uncheck Permit only the following profiles.
     - If, in addition to locking all profiles, you want to lock the user credentials for one or more of these locked profiles, select the profiles whose user credentials you want to lock, right-click your mouse, and select Lock.
   - To set merge rules for one or more individual profiles, follow these steps:
     a. Select one or more profile configurations from the list, and right-click, or click Set Merge Rules. A context menu listing all available merge modes appears.
     b. Select one of the five configuration modes (None, Add if not present, Set, replace if present, Lock except user info, or Lock) from the menu.
     c. Repeat these steps for as many of the other merge rule modes as you want to apply to any profile(s) that you configure in Initial Settings.
3. Select the Networks tab. You can lock all networks, or set merge rules for individual networks:
   - Check Permit only the following networks to lock all networks listed. When you do so, the following occur:
     - Your users can only use the networks you configure through Initial Settings.
     - All components of all user networks are locked.
     - Users cannot add new networks to their configurations.
     - Any networks that were previously configured in Odyssey Client are hidden from your users and disabled. The only way to make these visible to your users again is to uncheck Permit only the following networks.
   - To set merge rules for one or more individual networks, select one or more network configurations from the list. Right-click, and select one of the four configuration modes (None, Add if not present, Set, replace if present, or Lock) from the menu that appears. Repeat this step for as many of the other merge rule modes as you want to apply to any network(s) that you configure in Initial Settings.
4. Select the Auto-Scan Lists tab. You can lock all auto-scan lists, or set merge rules for individual auto-scan lists:
   - Check Permit only the following auto-scan lists to lock all auto-scan lists listed. When you do so, the following occur:
     - Your users can only use the auto-scan lists you configure through Initial Settings.
     - All components of all user auto-scan lists are locked.
     - Users cannot add new auto-scan lists to their configurations.
     - Any auto-scan lists that were previously configured in Odyssey Client are hidden from your users and disabled. The only way to make these visible to your users again is to uncheck Permit only the following auto-scan lists.
   - To set merge rules for one or more individual auto-scan lists, select one or more auto-scan lists from the list. Right-click, and select one of the four configuration modes (None, Add if not present, Set, replace if present, or Lock) from the menu that appears. Repeat this step for as many of the other merge rule modes as you want to apply to any auto-scan list(s) that you configure in Initial Settings.

Select the Other tab. You can use this tab to assign configuration update rules for your security settings and trusted servers that you configure in Initial Settings, and for Windows logon settings that you configure in Connection Settings. For each of these items, you can right-click and select one of the three configuration modes (None, Set, replace if present, or Lock) from the menu that appears. Note the following about trusted servers: [

You can also select Add if not present for trusted servers. In this case, you can add trusted server entries to an existing list of trusted servers if they are not present.

[

When you set or lock trusted servers, you replace the entire trust tree for all users.

[

When you lock trusted servers, you users cannot modify the trust you configure.

Click OK when you are done.

Odyssey Client User and Administration Guide

Odyssey Client Administration

123

See “Configuration updates for mass-distribution to your users” on page 141 for information on applying your merge rules to a set of users.

Custom Installer

You can use Odyssey’s custom installer features to create a new installer file with a customized user default configuration. You can use these new installer files to upgrade your current user configurations, or to create installers for new client machines. You can also configure custom updated user configuration files. Custom installer files and updated user configuration files derive their configuration from the features you set in the Odyssey Client Administrator, and not in the Odyssey Client Manager.

The custom install process is described extensively in the following topics:

- “Preconfigure Odyssey Client for a group of users” on page 136
- “Configure Odyssey Client to create a template” on page 136
- “Custom Installer” on page 124
- “Custom install: Provide printable documentation” on page 137

After configuring and testing your custom installer template in the Odyssey Client Administrator, you can use the Custom Installer in the Odyssey Client Administrator to create a new Odyssey Client installer file with user defaults that are configured from your template. For information on using your current Odyssey Client Administrator configuration to create an updated user configuration file, see “Configuration updates for mass-distribution to your users” on page 141.

Follow these steps to complete the custom installation process:

1. Double-click Custom Installer in the Odyssey Client Administrator to configure a custom installer. The Custom Installer appears.

2. Select New installer file.

3. Type in the source installer file. This file must be a full product installer file for Odyssey Client. You can type in the file name (along with its path), or click the first Browse button. The Select Source File window appears.

   You can use the Files of type drop-down list at the bottom of the Select Source File window to search for the correct file type. You can use the original Odyssey Client installer file from any current or previous release (OdysseyClient.msi) as the source file. You can find this file in the Client directory on the CD if you have not archived it. If you are configuring an installer for Windows 98 machines, select the .EXE Odyssey Client installer file type, such as OdysseyClient.exe. Double-click your source file in the window, or click Open.

4. Click Browse to browse for your desired destination directory (if you are not already there). Save Destination File appears. Select the name of your new (destination) .MSI file. You can type in the name of the file, or select an existing file in the current directory, and click Save. Note that if you are configuring an installation for Windows 98, save the file as .EXE instead of .MSI.

5. Optionally check Export license key, and type in a license key that is valid for the number of copies you intend to distribute.

6. Optionally check Silent install if you want the installation to run without displaying any dialogs during the install process. Note that if you choose this option and you do not export a license key, your users’ licenses expire in 30 days.

7. Click OK to create the custom installer file.

NOTE: You can also use the Settings update file option of the Custom Installer in order to create a configuration file from which you can apply administrative updates that include merge rules and permission restrictions. See “Configuration updates for mass-distribution to your users” on page 141.

Testing your settings

You can test your configuration for user and machine connections before creating a custom installer. Note that when you do so, you remove any configurations that you already have set in the Odyssey Client Manager. You can perform the following tests:

- Test user connection settings
- Test machine connection settings

Test user connection settings

To test your user connection settings:

1. Select Commands > Reload and test user defaults from Initial Settings.

2. Click OK. This permanently deletes your current Odyssey Client Manager settings, and loads your settings from Initial Settings into the Odyssey Client Manager. In addition, it starts the Odyssey Client Manager through the Configure and Enable Odyssey Wizard. Whatever you see in this wizard is what your users see when they first use the product.

3. Test all the connections through the Connection panel. Note that any modifications you make in the Odyssey Client Manager are not reflected in Initial Settings. Modify the configuration in Initial Settings, as necessary. Retest any modifications you require.

4. Return to Initial Settings to correct for any connection problems and verify these connections again, if necessary.

Test machine connection settings

To test your machine connection settings:

1. Make sure that the network connection(s) you want to test are configured and set for connection in the Connection panel of Connection Settings.

2. Open Machine Account, and select leave the machine connection active. Click OK.

3. Double-click the Tray icon to open the Odyssey Client Manager, and check the status of your connection(s). Modify the configuration in Machine Account, as necessary. Retest any modifications you require.

If, in order to test your machine connection, you had to modify your connection settings setup, re-open Machine Account, and restore the previous settings.

Script Composer

You may need to periodically change Odyssey Client configurations for one or more users. You can change per-user configurations using scripts. You can create scripts for your Odyssey Client users based on your configuration components in the Odyssey Client Manager.

NOTE: If any Odyssey Client Manager components you include in a client script are locked on your computer, the resulting corresponding components are not locked when your users update their configurations from the script. In addition, if your users have any components that are locked, you cannot use scripts to update those components. See “Merge Rules” on page 119 and “Custom Installer” on page 124 for more information on updating locked components.

You can create scripts using the Script Composer in the Odyssey Client Administrator. Follow these steps:

1. Set up your Odyssey Client Manager configuration to include all of the configuration components that you want to add or modify through scripting. See “Using Odyssey Client Manager” on page 23 for more information. Note that if you only want to remove items, you do not have to configure them in Odyssey Client Manager.

2. Double-click Script Composer. Odyssey Client Script Composer appears.

3. For each script that you want to generate, configure all items that you want to add, remove, or modify according to the directions in the following topics:
   - “Action categories” on page 130
   - “Component categories” on page 130

4. Click Generate Script. Select Destination File appears.

5. You have two format options for saving scripts. See “Scripts for incremental updates of user configurations” on page 140 for information on how to process and deliver your users’ scripts once you save them:
   - If you want to save your script as an auto-script, so that when you deliver it to your users, it is run automatically, choose the second file type listed.
   - If you want to save your script so that your users are offered the choice of running the script, then choose the first file type listed. See “Check New Scripts” on page 88 for information on how your users can address scripts.

6. Once you select a file type, choose a meaningful name for the file, and click Save.

7. Repeat steps 3 and 4 for each script that you want to generate. You may want to use this feature multiple times if you have separate changes for different users, for example.

8. Click Done when you have created all of your scripts.

9. Deposit your scripts in the correct directory on your users’ machines. See “Scripts for incremental updates of user configurations” on page 140.

NOTE: If there is sufficient variation between each script that you want to create, then leave off step 7 when you follow this procedure for multiple scripts, and follow steps 1-6 and 8 for each script.

Action categories

For each script that you create, you can perform the following actions:

- Add if not present: Configuration components that you select for script generation are added to a user’s configuration when they run the resulting script only when that user’s configuration does not already have components by the same name. The configuration components that you can select to add are the ones that you currently have in your Odyssey Client Manager.

- Set, replace if present: Configuration components that you select for script generation are added to a user’s configuration when they run the resulting script. In the case that the user’s configuration has components by the same name, those components are replaced. The configuration components that you can select to set are the ones that you currently have in your Odyssey Client Manager.

- Remove: You can remove any configuration components (these do not necessarily have to be configured in Odyssey Client Manager). Components whose names you enter for script generation are removed from a user’s configuration when the resulting script is run.

NOTE: You can only add or set configuration components that you have already configured in Odyssey Client Manager. This feature operates independently of your Initial Settings configuration.

Once you create and distribute a script, your users can access this file from the Commands > Check New Scripts menu on the Odyssey Client Manager. See “Scripts for incremental updates of user configurations” on page 140 for more information.

Component categories

You can apply the three actions to the following Odyssey Client configuration components:

- Profiles
- Networks
- Auto-Scan lists
- Other components (trusted servers and security settings)
- SSIDs

Profiles

Within one script, you can add and/or set any number of profiles that you have configured in Odyssey Client Manager. To do so, follow these steps:

1. Select Profiles under the desired category (Add or Set). All profiles that you have configured in Odyssey Client Manager appear listed on the right.

2. Check all of the profiles that you want to include in this category.

Note the following:

- If you include user identity information in your selected profiles (names and/or passwords), these are conveyed to the users who run the resulting script.
- If you leave the user identity information in your selected profiles blank, then Odyssey Client attempts to replace the name and/or password with the user’s identity when the script is run. If this is not possible, the user is prompted for identity credentials the first time connecting using Odyssey Client.
- Certificate information is not passed on through the script.

You can remove any profiles that your users have configured as long as you have the names. To remove a profile, follow these steps:

1. Select Profiles under Remove.

2. Type in the names of any profiles you want to remove in the text area provided. Press Enter after each profile name that you want to remove.

Networks

Within one script, you can add and/or set one or more networks that you have configured in Odyssey Client Manager. To do so, follow these steps:

1. Select Networks under the desired category (Add or Set). All networks that you have configured in Odyssey Client Manager appear listed on the right.

2. Check all of the networks that you want to include in this category.

You can remove any networks that your users have configured as long as you have the correct names (SSIDs) and corresponding descriptions. Alternatively, you can remove all networks with the same SSIDs, and you do not have to bother with names and descriptions. To remove one or more networks, follow these steps:

1. Select Networks under Remove.

2. Type in the names (SSIDs) and corresponding descriptions (if there are any) of any networks that you want to remove in the text area provided. You must use the special network description syntax that appears on Odyssey Client Manager. You must provide the name/description pair in the following format: description . Press Enter after each network name/description pair that you want to remove.

NOTE: For this special syntax, you can only remove networks with descriptions that do not contain angled brackets in their definitions. You can always remove those networks through their SSIDs.

Auto-Scan lists

You can add or set one or more auto-scan lists that you have configured in Odyssey Client Manager. To do so, follow these steps:

1. Select Auto-Scan Lists under the desired category (Add or Set). All auto-scan lists that you have configured in Odyssey Client Manager appear listed on the right.

2. Check all of the auto-scan lists that you want to include in this category.

You can remove any auto-scan lists that your users have configured as long as you have the correct names. To remove one or more auto-scan lists, follow these steps:

1. Select Auto-Scan Lists under Remove.

2. Type in the names of any auto-scan lists you want to remove in the text area provided. Press Enter after each auto-scan list name that you want to remove.

Other

Depending on which action category you select, you have one or two options for modifying trusted servers and security settings. You can modify these components when you select Other:

- You can either add or set the complete trust tree that you have configured in the Trusted Servers panel of Odyssey Client Manager:

  1. Select Other under the desired action category (Add or Set).

  2. Check Trusted servers. Note that when users run the resulting script for trust trees that you add, new trust entries are spliced into an existing tree. When users run the resulting script for trust trees that you set, the entire trust tree is replaced.

- You can set (replace) the security settings that you have configured from the Settings > Security Settings command on Odyssey Client Manager:

  1. Select Other under Set.

  2. Check Security settings.

SSIDs

You can remove networks by SSID name, rather than using the network name/description syntax. When a user runs the resulting script that includes the removal of one or more SSIDs, all networks with the specified SSIDs are removed from the user’s Odyssey Client configuration. To remove one or more networks by SSID, follow these steps:

1. Select SSID under Remove.

2. Type in the SSID names of any networks that you want to remove in the text area provided. You are not required to use any special syntax. Press Enter after each SSID name that you want to remove.
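The action and component categories above can be checked against a small model before a script is distributed. The following is an added example, not code from Funk Software: the dictionary layout, the trust tree as nested dictionaries, the order in which actions run, and the treatment of removal on locked components are all assumptions made for illustration.

```python
# Added example: a toy model of the Script Composer actions. The dictionary
# layout is an assumption made for illustration, not Odyssey's file format.
import copy

NAMED = ("profiles", "networks", "auto_scan_lists")


def splice(tree, new):
    """'Add' for trusted servers: graft missing entries, keep existing ones."""
    for name, children in new.items():
        if name in tree:
            splice(tree[name], children)
        else:
            tree[name] = copy.deepcopy(children)


def apply_script(config, script):
    """Apply one script to a copy of config and return (new_config, log)."""
    cfg = copy.deepcopy(config)
    locked = cfg.setdefault("locked", set())
    add, put, remove = (script.get(k, {}) for k in ("add", "set", "remove"))
    log = []

    for kind in NAMED:
        store = cfg.setdefault(kind, {})
        # Assumed order within one script: add, then set, then remove.
        steps = ([("add", n, v) for n, v in add.get(kind, {}).items()]
                 + [("set", n, v) for n, v in put.get(kind, {}).items()]
                 + [("remove", n, None) for n in remove.get(kind, [])])
        for action, name, value in steps:
            if (kind, name) in locked:
                # The guide says scripts cannot update locked components;
                # treating removal the same way is an assumption.
                outcome = "skipped: locked"
            elif action == "add" and name in store:
                outcome = "kept existing"          # Add if not present
            elif action == "remove":
                outcome = "removed" if name in store else "not present"
                store.pop(name, None)
            else:
                outcome = "replaced" if name in store else "added"
                store[name] = copy.deepcopy(value)
            log.append((action, kind, name, outcome))

    # Removal by SSID drops every network entry that carries that SSID.
    for ssid in remove.get("ssids", []):
        for key in [k for k in cfg["networks"] if k[0] == ssid]:
            if ("networks", key) in locked:
                log.append(("remove", "ssids", key, "skipped: locked"))
            else:
                del cfg["networks"][key]
                log.append(("remove", "ssids", key, "removed"))

    if ("other", "trusted_servers") not in locked:
        if "trusted_servers" in add:      # add: splice into the existing tree
            splice(cfg.setdefault("trusted_servers", {}), add["trusted_servers"])
            log.append(("add", "other", "trusted_servers", "spliced"))
        if "trusted_servers" in put:      # set: the whole tree is replaced
            cfg["trusted_servers"] = copy.deepcopy(put["trusted_servers"])
            log.append(("set", "other", "trusted_servers", "replaced"))
    if "security_settings" in put and ("other", "security_settings") not in locked:
        cfg["security_settings"] = copy.deepcopy(put["security_settings"])
        log.append(("set", "other", "security_settings", "replaced"))
    return cfg, log


def demo():
    # Constructed sample data; every name and setting below is made up.
    user = {
        "profiles": {"Office": {"auth": "EAP-TTLS"}, "Lab": {"auth": "EAP-PEAP"}},
        # Networks are keyed by (SSID, description).
        "networks": {("corp", "HQ"): {}, ("corp", "Annex"): {}, ("guest", ""): {}},
        "trusted_servers": {"Example Root CA": {"radius1.example.com": {}}},
        "locked": {("profiles", "Office")},
    }
    first = {
        "add": {"profiles": {"Lab": {"auth": "EAP-TTLS"},
                             "Guest": {"auth": "EAP-TTLS"}},
                "trusted_servers": {"Example Root CA": {"radius2.example.com": {}}}},
        "set": {"profiles": {"Office": {"auth": "EAP-PEAP"}}},
        "remove": {"ssids": ["corp"]},
    }
    second = {"set": {"trusted_servers": {"Other Root CA": {}}}}
    after_first, log = apply_script(user, first)
    after_second, _ = apply_script(after_first, second)
    return after_first, after_second, log


if __name__ == "__main__":
    for entry in demo()[2]:
        print(entry)
```

The second script in `demo()` shows why a Set on trusted servers deserves review before distribution: it discards every trust entry the user had, including ones the first script spliced in.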

Sample administrative workflows

There are several tasks that require you to use the Odyssey Client Administrator, including the following:

- “Preconfigure Odyssey Client for a group of users” on page 136
- “Machine only connection” on page 138
- “Machine connection followed by user authentication” on page 138
- “User authentication without machine connection” on page 139
- “Scripts for incremental updates of user configurations” on page 140
- “Configuration updates for mass-distribution to your users” on page 141

Preconfigure Odyssey Client for a group of users

You can take advantage of your ability to preconfigure profiles and networks for an entire group of users by creating a custom installer in Odyssey. You can create a customized installer that is based on a generic or template configuration that defines settings to be used by a group of new users. Each copy of the client that you install with this customized installer has a default network configuration that is assigned by your template.

If all of your users require the same network configuration, creating a custom installer reduces or eliminates the need for your end-users to enter configuration information. If your users have already installed Odyssey Client, you can use your template to create updated configurations for these users. See “Configuration updates for mass-distribution to your users” on page 141.

To learn how to provide a custom installer to your users, see the following topics:

- “Configure Odyssey Client to create a template” on page 136
- “Connection Settings” on page 99
- “Custom Installer” on page 124
- “Custom install: Provide printable documentation” on page 137

Configure Odyssey Client to create a template

Follow these steps to configure a template for a custom installer:

1. Put the product CD into the CD-ROM drive of the client device. Use any Windows 2000 or Windows XP device. The installation process should begin automatically. If it does not, browse the CD directory for the setup.exe file and double-click it. Note that if you have already installed a copy of Odyssey Client with a license key that is valid for your users, you can start with step 3.

2. Follow the installation instructions, using a license key that is valid for the installation machine. This may or may not be the license key you preconfigure for your users.

3. If you have installed the product, but want to change the license key to be used by your preconfigured users, you can change it according to the instructions for adding and removing license keys in “License keys” on page 91.

4. Configure your template according to your desired network configuration and connection options:
   - Machine only connection
   - Machine connection followed by user authentication
   - User authentication without machine connection

   There are a few exceptions as noted below:
   - You cannot preconfigure client certificates. If you select EAP-TLS under the Authentication tab in Add Profile Properties (from the Profiles panel of Initial Settings or Connection Settings), your users are prompted to select a client certificate the first time Odyssey Client runs on a client machine. You can, however, configure certificates for any trusted root server in the Trusted Servers panel.
   - You cannot preconfigure stored passwords or login names.

5. Configure in the Permissions Editor any feature access or control restrictions that you want to apply to all recipients of this preconfigured installer.

6. Configure in Merge Rules any locking options that you want to apply to all recipients of this preconfigured installer. The Merge and Set options only apply when you update configurations, but you can use the locking features to lock one or more configuration settings for new users.

7. When you are done configuring the default configuration for the template, test each network connection. See “Testing your settings” on page 126.

You have now set up a template configuration, and you are ready to create a preconfigured Odyssey Client installer. See “Custom Installer” on page 124.

Custom install: Provide printable documentation

The custom installer file you create using the methods described in “Custom Installer” on page 124 includes the online help for the product, but does not include the manual in .PDF format. There are two .PDF files in the Docs directory of your product CD:

- OdysseyClientAdmin.pdf
- OdysseyClientMan.pdf

OdysseyClientAdmin.pdf includes this administrative chapter, while OdysseyClientMan.pdf does not.

In addition to the .MSI (or .EXE, in the case of Windows 98) file you create, you can also provide your users with the file OdysseyClientMan.pdf to give them access to printable documentation that does not include information on administrative tasks.

Machine only connection

For the purposes of identifying a client machine on the network independent of user credentials, you have the option to connect all client machines to the network with a machine (rather than user) authentication. This can be useful if you have any machine-related startup processes. This feature also allows you to maintain network connections for the client machine, even when users are logged off.

To configure a machine only connection, follow these steps:

1. Double-click Connection Settings in the Odyssey Client Administrator.

2. Check Enable network connection using machine credentials, select leave the machine connection active, and click OK.

3. Double-click Connection Settings in the Odyssey Client Administrator. Machine Account (Odyssey Client) appears.

4. Run through the panels that are required for setting up your machine network connection, including Networks, Adapters, and Profiles, and close Machine Account (Odyssey Client).

Machine connection followed by user authentication

You have the option to connect all client machines to the network with machine credentials, but subsequently require user authentication. This option allows you to perform network tasks at Windows startup, but subsequently account for the users on the network.

To configure a machine connection followed by user authentication, follow these steps:

1. Double-click Connection Settings in the Odyssey Client Administrator.

2. Check Enable network connection using machine credentials, and select drop the machine connection.

3. Select one of the two available user authentication timing options under User Account and click OK. You can either have the users authenticate to the network before or after the desktop appears.

4. Double-click Connection Settings in the Odyssey Client Administrator. Machine Account (Odyssey Client) appears.

5. Run through the panels that are required for setting up your machine network connection, including Networks, Adapters, and Profiles, and close Machine Account (Odyssey Client).

6. Double-click Initial Settings in the Odyssey Client Administrator. Initial Settings (Odyssey Client) appears.

7. Run through the panels that are required for setting up your user network connection, including Networks, Adapters, and Profiles, locking your configuration features as required. Close Initial Settings (Odyssey Client) when you are done.

User authentication without machine connection

You have the option to connect all users to the network using only their user credentials. You have various options with respect to timing for network authentication with user credentials. For example, if you require any network-related startup processes, you can have your users connect to the network prior to Windows logon time.

To configure a user network connection, follow these steps:

1. Double-click Initial Settings in the Odyssey Client Administrator. Initial Settings (Odyssey Client) appears.

2. Run through the panels that are required for setting up your user network connection, including Networks, Adapters, and Profiles, locking your configuration features as required. If you plan to have users connect to the network before Windows logon time, make sure you create at least one profile that does not use EAP-TLS authentication. See “Configuring connections that occur prior to Windows logon” on page 113 for more information.

3. Close Initial Settings (Odyssey Client).

4. Double-click Connection Settings in the Odyssey Client Administrator:
   - If you want users to connect to the network prior to Windows logon time, click Install Odyssey GINA Module, if it is not already installed. Select prior to Windows logon and select a wireless adapter and network (or a wired adapter and profile) that you have already configured in step 2, and click OK. Make sure that the profile associated with this network connection does not use the EAP-TLS authentication method.
   - If you want to require that users connect to the network after Windows logon time, make sure the Odyssey GINA module is not installed.
   - If you want users to connect to the network after Windows logon time (independent of whether or not you install the Odyssey GINA module), select one of the two available user authentication timing options under User Account and click OK. You can either have the users authenticate to the network before or after the desktop appears.

Scripts for incremental updates of user configurations

You may need to update Odyssey Client configurations for one or more users. For example, if you add new SSIDs to your network, you can configure the network once on your Odyssey Client Manager, and then create a script that feeds the new network configuration to one or more of your users. You can deliver two types of configuration scripts to your users:

- You can deliver an auto-script that is run automatically whenever your user’s Odyssey Client polls for new scripts.
- You can deliver a script (not in auto-script format) whose execution the user must address when prompted about new scripts. See “Check New Scripts” on page 88 and “Run Script” on page 90 for more information on user interaction with scripts.

To provide configuration scripts to update your users’ configurations, follow these steps:

1. Generate one or more scripts using the Script Composer. See “Script Composer” on page 127. Make sure that you save your scripts in your desired format.

2. Deliver the script(s) to the following directory on your user’s computer:

   Documents and Settings\username\Application Data\Funk Software\Odyssey Client\newScripts

   Odyssey Client polls this directory for new scripts with regular frequency:
   - Auto-scripts are run automatically when detected by Odyssey Client.
   - Other scripts prompt your Odyssey Client users to address the script through New Odyssey Client Scripts.

Note that if you want to use merge rules, and/or locked features or permission restrictions to apply to your user configurations, follow the directions in Configuration updates for mass-distribution to your users, below.
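Because anything delivered to the newScripts directory is picked up on the next poll, an administrator may want to confirm that only the scripts they generated are waiting there. The following is an added example, not part of the product: it assumes the administrator kept SHA-256 digests of the scripts they issued, and the file names and profile root used in `demo()` are constructed.

```python
# Added example: inventory the per-user newScripts directories and flag any
# file whose SHA-256 digest is not in the administrator's own list.
import hashlib
import tempfile
from pathlib import Path

# Drop directory named in the guide, relative to each user's profile folder.
NEW_SCRIPTS = Path("Application Data", "Funk Software", "Odyssey Client", "newScripts")


def pending_scripts(profiles_root, approved_sha256):
    """Return one record per file found in any user's newScripts directory."""
    findings = []
    root = Path(profiles_root)
    for profile in sorted(p for p in root.iterdir() if p.is_dir()):
        drop = profile / NEW_SCRIPTS
        if not drop.is_dir():
            continue  # Odyssey Client not configured for this account
        for item in sorted(drop.iterdir()):
            if not item.is_file():
                continue
            digest = hashlib.sha256(item.read_bytes()).hexdigest()
            findings.append({
                "user": profile.name,
                "file": item.name,
                "sha256": digest,
                "approved": digest in approved_sha256,
            })
    return findings


def unapproved(findings):
    """Files that did not come from the administrator's list of digests."""
    return [f for f in findings if not f["approved"]]


def demo():
    # Constructed layout standing in for "Documents and Settings".
    issued = b"constructed script body issued by the administrator"
    other = b"constructed script body of unknown origin"
    approved = {hashlib.sha256(issued).hexdigest()}
    with tempfile.TemporaryDirectory() as tmp:
        for user, body in (("alice", issued), ("bob", other)):
            drop = Path(tmp, user) / NEW_SCRIPTS
            drop.mkdir(parents=True)
            (drop / "add-ssid.script").write_bytes(body)  # hypothetical file name
        Path(tmp, "carol").mkdir()  # profile without a newScripts directory
        return pending_scripts(tmp, approved)


if __name__ == "__main__":
    for finding in unapproved(demo()):
        print(finding["user"], finding["file"], finding["sha256"])
```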

Configuration updates for mass-distribution to your users

You may want to update Odyssey Client configurations for a large number of users. For example, if you want to update your users’ configurations with some of Odyssey Client’s newer features, you can create an updated customized configuration file through the User update file feature of the Custom Installer. Later, you can distribute this file to your users in order to update their configurations. Before you create this file, you can configure merge rules in order to specify how your updated configuration is applied to your users’ configurations of Odyssey Client.

You can create an updated configuration file from your machine account settings in Connection Settings, any user settings in Initial Settings, any locking options from Merge Rules, and any specific feature constraints in Permissions Editor, by following these steps:

1. Double-click Custom Installer in the Odyssey Client Administrator.

2. Select Settings update file.

3. Click Browse, in order to browse to a destination directory. Select Destination File appears.

4. Type the name of the configuration file that you want to save next to Destination File, and click Save.

5. Click OK to close Custom Installer.

6. Install the file on your users’ machines. You can distribute the installer file to your users to install only if they have administrative privileges on their machines.

NOTE: You cannot use settings update files in order to upgrade your user configurations.


H

help menu 91 topics 91 Help commands in product 93 hiding icons 71 hubs 802.1X 13 I

files, scripts, delivering 140 forgetting password, setting 87 temporary trust 87 Funk Software information i

icons, hiding 71 identities 43 identity, server 63 IDs, entering 43 IMSI, using 43 infrastructure mode access points 54 defined 13 initial settings, administrative tools 110 inner authentication protocols definition 47 EAP 48 selecting 48 installation GINA 106 instructions 5 overview 5 requirements 5 wizard 6 installers, creating and customizing 124 intermediate CAs adding 65 advanced usage 63 overview 19

G

K

generic token card options 46 getting help 91 GINA installing 106 non-Microsoft types 106 restrictions 109 uninstalling 107

keyboard shortcuts 94

F

Odyssey Server Administration Guide

L

LDAP 20 lead nodes 63 LEAP 20

145

license keys overview 3 specifying 91 lightweight EAP 20 locking features merge rules, in 120 results for users 27 login names, specifying 38 logon, Windows caution 114 compatibility with other modules 140 configuration notes 113 dialog 76 features 140 installing 106 modules, non-Microsoft, 106 override defaults 112 preconfiguration of features 99 prompt dialog 79 prompts 82 suppressing 81 trust, setting 112 uninstalling 107 M

MAC address 33 machine account administrative tools 114 connections before user logon 138 configuring 114 settings for 104 testing 127 without user logon 138 machine credentials 114 tab, connection settings 104 machine credentials, using 114 maintenance contracts 4 managing PINs 84 merge rules assigning 120 for administrative updates 119 permit only 120 multiple connections 30 146

mutual authentication explained 18 implementing 45 N

network cards, using 70 network connections machine and user 138 machine only 138 restrictions 109 user, without machine 139 network properties any network, configuring 53 description field 54 network type 54 scan button 53 networks authentication, specifying 55 configuring 50 connection to any 53 connecting to 29 logon time, at 101 machine authentication 104 description 51 disabling at password prompt 40 disconnecting from 32 multiple connections 30 names scanning for 53 specifying 53 overview 53 panel association 54 encryption method 55 overview 50 reauthenticating 32 reconnecting 31 scanning for connection 31 scripting 132 SSIDs 53 titles 51 type, specifying 54 WEP keys 56 wired, connections 30 new scripts 88

new users, merge rules applying 120 none, merge rules 119 Novell Client for Windows 108 O

Odyssey Client Administrator 98 Manager overview 25 starting 24 open mode, WEP 15 configuring 54 other components, script composer 134 overriding default connection settings 112 Windows logon 103 P

passwords configuring in profiles 39 forgetting 87 generic token card 46 prompts for 87 Windows 39 PEAP generic token card options 46 overview 20 settings in profile properties 49 token card settings 46 peer-to-peer networking definition 13 IP addresses 13 product, using for 56 permissions, user, setting 117 permit only options, merge rules 120 PINs 43 changing 84 SIM card settings 43 unlocking 84 preconfiguration, custom initial product install 136 installer, creating 124 logon features 99 templates 136 Odyssey Server Administration Guide

preferences hide tray icon 71 setting 71 private key 18 processing, scripts 89 product information page i product registration 91 profile properties login name 37 passwords 37 PEAP settings 49 user info 37 user information 41 Windows password 39 profiles configuring with scripts 131 panel 36 prompting passwords, for 39 Windows logon 79 provider-specific settings, SIM 43 public key 18 pushed configurations 141 R

RADIUS, server product 17 read-only features 27 realms, setting 43 reauthenticating explained 21 networks 32 session resumption 74 why 21 reconnecting dynamic encryption keys, effect on 31 networks, to 31 registering Odyssey 91 reminders, new scripts 88 requirements, installation 5 restrictions, network connections 109 root certificate authority 19 running saved scripts 90

147

S

saving custom installers 124 scripts 129 settings update files 141 scan button for connections 31 script composer 127 scripting automatic 129 certificates 131 client configurations 127 networks 132 other components 134 profiles 131 saving 129 SSIDs, removing 135 trusted servers 134 scripts delivering files to users 140 directions 140 notice to users 88 processing 89 running, saved 90 security settings command 72 EAP-FAST 76 general 73 scripting 134 server certificates, validating 45 servers, name 63 Service Set Identifier (SSID) 14 session resumption 21 setting 74 setting initial user defaults 110 machine connections 104 merge rules 120 settings menu overview 71 preferences 71 security settings 72 Windows logon settings 76 settings update file 141

148

shared mode, WEP 14 configuring 56 shortcut keys 94 signal power, viewing 34 SIM cards any, selecting 43 changing PINs 85 configuring 41 disabling PINs 85 IDs, entering 43 IMSI, using 43 login names, using 43 PIN manager 84 PINs 43 unblocking 86 simultaneous connections establishing 30 monitoring 30 single clients, configuration 6 skipping Odyssey 103 splash screen, hiding 71 SQL 20 SSIDs networks, for 33 removing with scripts 135 starting the product, main interface 24 status from connection panel 32 subject name, trusted servers 67 support information 4 suppressing Windows logon prompts 81 switches, 802.1X 13 System Tray, commands from 92 T

technical support 4 template 136 templates creating 136 preconfiguration 136 temporary trust 68 defined 74 disabling 74 forgetting 87

testing administrative settings 126 user connections 126 TKIP implementing 55 overview 15 peer-to-peer 16 TLS, overview 19 token card authentication passwords 46 settings 48 tray, commands from 92 trust trees 63 trusted servers advanced button 63 advanced method 63 any 61 editing 63 entering 61 leaf nodes 63 overriding 112 panel 60 removing 63 scripting 134 TTLS overview 19 settings 47 tunnels 46 U

unblocking PINs 84 SIM cards 86 uninstalling Windows logon features 107 untrusted servers defined 74 dialog 68 update command 90 updating configuration settings 90 user configurations 141 upgrading user configurations 124

Odyssey Server Administration Guide

user connection settings 101 testing 126 without machine logon 139 user info profile properties, in 37 SIM card settings 41 V

validating server certificates 45 W

WEP keys any network connection 53 defined 14 open mode 15 peer-to-peer 15 shared mode 56 specifying 56 Windows Domain Controller 48 logon skipping 103 password, using for connections 39 Windows logon administering 101 compatibility with other products 108 configuration notes 113 connections 101 installing 106 override defaults 112 overriding 103 prompts 82 requesting 79 suppressing 81 settings for users 76 uninstalling 107 wired adapters, adding 70 Wired-Equivalent Privacy 14 wireless adapters, adding 70 wireless networks connecting 29 disconnecting 29

149

WPA implementing 54 overview 15 WPA2 overview 15 specifying 54 X

X.500 names 65

150