Odyssey Access Client User Guide. Juniper Networks, Inc. Juniper Networks, Inc. has sales offices worldwide. For contact information, refer to www.juniper.net. 530-010089-01, Revision 1. Printed on recycled paper.
Juniper Networks Odyssey Access Client User Guide Unified Access Control Edition Enterprise Edition FIPS Edition Release 4.6 December 2006 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408-745-2000 www.juniper.
Copyright© 2002-2006 Juniper Networks, Inc. All rights reserved. Printed in USA. Odyssey, Juniper Networks, and the Juniper Networks logo are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. All specifications are subject to change without notice.
Table of Contents
About This Guide v
Audience v
Conventions v
Documentation vi
Unified Access Control Documentation vi
Release Notes
OAC Manager Display Layout 12
Menu Options 12
File Menu Options 13
Forget Password 13
Forget Temporary Trust
Renaming an Adapter 28
Removing an Adapter 28
Removing an Adapter Using the Adapter Dialog 28
Removing an Adapter Using the Sidebar Icon 28
Connecting to a Network 29
Selecting an Adapter
Chapter 6 Managing Network Access 57
Configuring Network Settings 57
Adding or Modifying Network Properties 58
Network Settings 59
Specifying a Network Name (Network SSID) 59
Connecting to Any Available Network
Editing a Trusted Server Entry 83
Using the Advanced Method to Configure Trust 83
Displaying a Trust Tree 83
Adding Certificate Nodes 84
Adding Authentication Servers or Intermediate CA Nodes
About This Guide
This guide describes how to install, use, and configure Odyssey Access Client (OAC) for wired or wireless network access. It addresses three licensed editions of OAC:
OAC Unified Access Control Edition (referred to in this guide as UE)
OAC Enterprise Edition (referred to in this guide as EE)
OAC Federal Information Processing Standards (FIPS) Edition (referred to in this guide as FE)
These editions of OAC have similar but not identical sets of features.
Table 1: Notice icons (Icon, Meaning, Description)
Informational note: Indicates important features or instructions.
Caution: Indicates that you might risk losing data or damaging your hardware.
Warning: Alerts you to the risk of personal injury.
Table 2: Text conventions (except for command syntax) (Convention, Description, Examples)
Bold typeface: Indicates buttons, field names, dialog box names, and other user interface elements.
Release Notes
Release notes are included with the product software and are available on the product CD or on the Web at: http://www.juniper.net/techpubs/ Release notes provide the latest information about features, changes, known problems, and resolved problems. If the information in the Release notes differs from the information found in the documentation set, follow the Release notes.
Web Access
To view Juniper product documentation on the Web, go to: http://www.juniper.
Chapter 1 Odyssey Access Client Overview Odyssey Access Client (OAC) is networking software that runs on endpoints (PCs, laptops, notepad computers, and other supported wireless devices). OAC communicates with wireless access points, 802.1X switches, and network authentication servers such as Juniper Steel-Belted Radius or an Infranet Controller to provide authenticated, secure access to wired and wireless 802.1X networks.
How OAC Operates in a Network
When you attempt to connect to an 802.1X network, OAC requests authenticated access through a wireless access point or through an 802.1X switch. The authentication sequence is the same whether you use a wired or a wireless connection. In either case, your access to protected resources requires authentication by an AAA (authentication) server. With 802.
2. In the case of either a wired or a wireless connection, the network access device (an access point or 802.1X switch) forwards the authentication request to the authentication server. The authentication process might involve a secure tunnel between the access point and the authentication server, depending on the authentication protocol being used, such as Tunneled Transport Layer Security (TTLS). 3.
In a UAC network, OAC communicates with the Infranet Controller to authenticate and establish security compliance. The Infranet Controller authenticates you as a user and determines which protected resources you can access based on your user name and the realm and role to which you belong. (See “Specifying a Preferred Realm and Role” on page 74.
Figure 3: OAC Authentication in a Network with 802.1X (Layer 2)
Endpoint Security Enforcement
Networks that include an Infranet Controller perform security enforcement checking to ensure that all endpoints (computing devices) comply with the network’s security policy.
If an endpoint does not comply with an organization’s security policies, the Infranet Controller can isolate the endpoint to a restricted (quarantine) network. The quarantine network might provide access to limited network resources, such as a file server, but prevent the endpoint from connecting to (and possibly infecting) the rest of the organization’s network. Remediation is the process of bringing an endpoint into compliance with an organization’s security policies.
Chapter 2 Installing OAC Before installing OAC, you should be familiar with networking concepts relating to your wireless or wired network. See Appendix A, “Network Security Concepts,” for basic networking information. Before You Begin You must have administrative privileges on your computer to install OAC on Windows 2000 (with SP4) or Windows XP.
Requirements
The following sections describe hardware and software requirements for OAC.
Operating Systems
OAC runs on the following operating systems:
Windows 2000 Professional with SP 4
Windows XP Home or Professional
Network Adapter Cards
OAC is compatible with any wireless adapter card that supports the standard 802.11 interfaces. Most wired adapter cards are compatible for use with OAC.
Licenses
You must have a valid license to run OAC. Each OAC edition (UE, EE, and FE) has a corresponding license key. See your system administrator for information about your license or OAC edition. You can purchase licenses from Juniper Networks, Inc. For details, select Help > License Keys from the OAC Manager display.
You can install OAC by opening a Web browser and navigating to the IP address or URL for a particular Infranet Controller. Ask your administrator for the correct address information needed to access the Infranet Controller.
Chapter 3 Using Odyssey Access Client Manager This chapter discusses how to use the OAC Manager to configure OAC. Depending on the edition (license) of OAC that you are using, some sections might not apply and are identified clearly where they occur. Opening OAC Manager Once OAC is installed on your computer, it runs as a Windows service. However, the OAC user interface, called Odyssey Access Client Manager, might not be open yet on the desktop.
Overview of the OAC Manager Interface
This section describes the OAC Manager and the operations that you can perform.
OAC Manager Display Layout
The OAC Manager display consists of the following sections:
Menu bar (see “Menu Options” on page 12)
Sidebar (see “Sidebar” on page 21)
Content dialogs (see “Content Dialogs” on page 22)
A menu bar at the top of the display provides a range of pull-down options. Below the menu bar, the left panel is the sidebar.
File Menu Options
Forget Password
Use this option if you want OAC to discard the current password or PIN that you use to start an authenticated network connection. If your password is required again, you will be prompted to enter it. When you are authenticated for the first time, you have to enter a valid password as part of the login process. OAC remembers the password that you enter and uses it for any subsequent authentications without prompting you again.
See the OAC User Web Page for more information about the appropriate adapter drivers for use with the OAC FIPS module. There must be a user certificate installed on the client machine prior to configuring OAC for FIPS-compliant connections. This operation should only be performed by a network administrator.
Tools Menu Options
OAC Administrator (EE and FE Only)
This is a set of special tools for managing and deploying OAC configurations. These are advanced tools and are available only if you have administrative privileges or an EE or FE license for OAC.
SIM Card Manager (EE and FE Only)
If you use a SIM card to authenticate to the network, use this setting to manage the PIN settings.
To run a script from a known location:
1. Select Tools > Run Script.
2. In the Select Script File dialog, navigate to the folder location containing the script that your administrator has instructed you to run.
3. Select the script and select Open to run the script.
Check New Scripts (EE and FE Only)
Use this option to check for new scripts or to run scripts.
Options
Individual tabs in this dialog enable you to configure the settings for security, wireless suppression, preemptive networks, and EAP-FAST.
Security
Use these settings to enable or disable the following features:
Enable session resumption—During a session, any subsequent authentications to the same network server can be accelerated by reusing information derived during the first authentication.
Cache PIN (EE and FE Only)—With this option enabled, OAC caches the PIN that you enter and does not prompt for a PIN. If you disable this option, OAC clears the PIN information from the cache and will not cache the PIN when a PIN prompt occurs. The cache is also cleared when you log out. This option is enabled by default. NOTE: Smart card prompts and caching are disabled with FIPS Mode turned on.
3. Set Do not resume sessions older than to the maximum number of hours that a session can last after initial authentication before requiring reauthentication. After the time limit has elapsed, the next reauthentication will be a completely new one. The number of hours can have up to three decimal places. By default, session resumption is enabled and an initial authentication is resumed for up to 12 hours.
Periodic reauthentication serves two purposes:
As a general security measure, it verifies that you are still on a trusted network.
It results in distribution of fresh shared keys to your PC and access point. The access point might use these shared keys to refresh the keys used to encrypt data. By frequently refreshing keys, you can thwart cryptographic attacks.
To enable automatic reauthentication:
1. Go to Tools > Options > Security.
2.
Purchase Information
Use this option to access the Juniper Networks Web page to buy other products.
About
Use this option to review the specific release version of OAC and to get information about how to buy OAC.
Sidebar
The sidebar contains a group of folders, each of which is described in the following sections. Each folder contains one or more items that you can select and configure or use for connecting to the network.
Auto-Scan Lists
Use this option to set up an ordered list of wireless networks that you have configured. The auto-scan list is convenient when you are moving your computer from one wireless network to another. OAC uses it to scan the list of networks and make the first possible connection automatically. See “Managing Auto-Scan Lists” on page 67.
Informational Graphics and Detailed Status
Graphical status icons appear in the lower right of the connection dialogs for an adapter or an Infranet Controller. They provide visual status for your connection. Use the mouse or the keyboard to view detailed connection status information from any of the status icons.
(black) – Connected, but authentication not in use
(blue) – Connected and authenticated
The status details that you see depend on your authentication method and access point and might include the following:
Result of your last connection attempt
Type of authentication
Elapsed time (since last connection)
Cipher suite used to secure credential exchange
Access point identification information
Encryption Key Information
The encryption key information butto
To move between the dialogs of the OAC, press the up and down arrows on your keyboard. You can use the keyboard arrows to move through option button (mutually exclusive) selections.
Chapter 4 Managing Network Adapters This chapter describes how to add or remove a wired or wireless network adapter in an OAC configuration and how to connect to a network using that adapter. You can set up one or more network adapters by opening the Configuration folder in the OAC Manager sidebar and selecting Adapters. The adapter must be installed on your computer before you can configure it in OAC.
Renaming an Adapter
When you add an adapter to the OAC configuration, the adapter appears in the sidebar in the Adapters folder. A wired adapter has the default name Ethernet. A wireless adapter has the default name WiFi. If you use multiple wireless adapters, you can rename them to help distinguish one from another.
To rename an adapter:
1. Right-click the adapter icon in the sidebar.
2. Select the Rename option, which highlights the adapter name.
3.
Connecting to a Network
This section describes how to use OAC to connect to a specific network from the Adapters dialog (Figure 6 on page 29). The dialog enables you to perform the following tasks:
Select a wired or wireless adapter from the list of configured adapters.
Connect to a specific network.
Disconnect from the network.
Scan for available wireless networks.
Connecting to a Network
When you connect to a network, OAC uses the adapter that you select to establish an authenticated 802.1X connection to the network. If you attempt a wired connection to a network switch that does not support 802.1X—for example, to a wired network at home—OAC makes the connection without any authentication. Before you can connect to a network with a wired or wireless adapter, you must configure at least one network and one authentication profile.
Configuring Multiple Simultaneous Network Connections
Each adapter on your computer can connect to a different network. This means that if you have one wired and one or more wireless adapters, you can maintain simultaneous network connections.
NOTE: A beacon is a signal broadcast by a wireless access point to identify its location. Only wireless networks that are configured by an administrator to “send beacons” are visible to you when you scan. If “send beacons” is off, then you must specify the network from the Networks dialog or choose the default [any] network from the Connection dialog.
Figure 7: Disconnected Adapter Status
You can check other adapter status, as described below.
To check adapter status:
1. Open the Adapters folder at the top of the sidebar.
2. Select the specific adapter whose status you want to check. The connection dialog opens on the right and displays the following information:
The adapter name (such as Intel PRO/Wireless 2200BG Network Connection).
The adapter type (“Ethernet” or “Wi-Fi”).
Connection Status
Connection status shows summary information about the current adapter and network connection, which includes:
Status: see Table 3
Elapsed time: the duration (in hours, minutes, and seconds) of the current network connection
Network SSID: the name of the wireless adapter to which you are connected
Access point: the MAC address of the access point to which you are connected
IP address: the IP address assigned to your computer when you logged o
Table 3: Connection Status Information (continued)
Status Message: Definition
adapter not present: You are not connected and the configured adapter is not currently available. This might occur when your adapter does not support 802.1X.
cable unplugged: You are not connected. This can occur if you have a wired connection but your cable is unplugged.
adapter in use by another program: Your adapter is being used by another program installed on your machine.
Chapter 5 Managing Profiles This chapter describes how to set up an OAC profile for an authenticated network connection. A profile contains all of the information necessary for authenticating a connection to a specific network. This includes information such as your identity (user credentials) and the EAP protocols used to authenticate to that network. You must have a profile for each network to which you connect and authenticate.
The Profiles dialog lists the configured profiles. The list might include a default profile, called Initial Profile, containing common settings. You can use this as a guideline for setting up other profiles. Your network administrator might have created profiles for you already.
Adding or Modifying a Profile
This section describes how to create an authentication profile.
TTLS—The EAP-TTLS outer protocols and, where they apply, one or more inner protocols. See “TTLS Settings” on page 48.
PEAP—The EAP-PEAP outer protocols and, where they apply, one or more inner protocols. See “PEAP Settings” on page 51.
JUAC—If you intend to connect to and be authenticated by an Infranet Controller, you must use JUAC as an inner authentication protocol.
SIM Card—Configure this section when you use a mobile wireless device to authenticate to a network.
Select Prompt for login name and password to have OAC prompt you when you connect to the network.
NOTE: This is the least secure option because the password prompt occurs before the pre-authentication health check on a UAC network and, thus, does not provide a security guarantee.
Select Use the following password and enter a password in the box below this option to have OAC save your password and use it each time you authenticate with this profile.
Using Certificates for Authentication
To use certificate credentials for authentication:
1. Select the Certificate subtab of the User Info tab.
2. Select Permit login using my certificate to enable authentication methods that use your certificate for authentication.
a. You can select Use automatic certificate selection and let OAC select your certificate automatically (from a smart card reader or from your personal certificate store) at authentication time.
Enabling Soft Token Identification
To enable soft token authentication:
1. If you want to create a profile that uses only soft token authentication methods (recommended for soft token authentication configuration), clear the Permit login using password setting on the Password subtab of the User Info tab in the Profile Properties dialog.
2. Select Permit login using my RSA Soft Token on the Soft Token subtab of the User Info tab.
3.
Managing PIN Settings
You might have already set a PIN on your SIM card hardware. You have two choices for the PIN field for OAC:
Select PIN is not required (default) if you are not required to use the PIN for your connections (you have no PIN assigned to your SIM card).
Select Prompt for PIN if you enable a PIN for your use with your SIM card and you want to be prompted for your SIM card PIN each time that you connect.
The authentication protocols specified on the Authentication tab are the outer authentication methods, which create a secure tunnel between OAC and the authentication server. Some authentication protocols, such as PEAP and TTLS, require that you specify an inner authentication method.
Figure 10: Profile Properties for Authentication Settings
NOTE: EAP-TTLS, EAP-PEAP, and EAP-FAST all use inner (tunneled) protocols. EAP-FAST uses EAP-GenericTokenCard as its inner protocol.
To select more than one protocol at a time, hold down Ctrl on the keyboard as you select them with your mouse. Any protocols already selected are not listed in this dialog.
To remove a protocol from the list:
1. Select the protocol.
2. Click Remove.
To reorder protocols:
1. Select a protocol.
2. Use the up or down arrow button on the Authentication tab to reposition the protocol in the list.
If you use EAP-GenericTokenCard as one of the inner authentication methods or if you use EAP-POTP as the inner authentication method for EAP-PEAP, the Token Card Credentials settings in the Authentication tab apply.
It is possible that anonymous EAP-PEAP authentication does not work with your network authentication server, in which case leave the Anonymous name blank.
NOTE: Your outer identity can be anonymous if your list of configured authentication protocols for this profile includes only EAP-TTLS, EAP-PEAP, and/or EAP-FAST. If you enable any other protocols, OAC cannot keep your identity private and the Anonymous name field is disabled.
Table 4: Outer EAP Protocols and Supported Inner Protocols
Compatible Inner Authentication Method: EAP-TTLS for Outer Authentication / EAP-PEAP for Outer Authentication
PAP: Yes / No
CHAP: Yes / No
MS-CHAP (Note: not valid for Windows platforms): Yes / No
MS-CHAP-V2: Yes / Yes
PAP/Token Card: Yes / No
EAP: Yes / No
GenericTokenCard: No / Yes
POTP: No / Yes
TLS: No / Yes
JUAC: Yes / Yes
NOTE: When configuring an authentication profile for an Infranet Controller connection, you
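The rules in this chapter (Table 4's outer/inner compatibility, the note that the outer identity can only be anonymous when every configured protocol is EAP-TTLS, EAP-PEAP or EAP-FAST, and the requirement that Infranet Controller profiles tunnel JUAC) can be checked mechanically before a profile is pushed out. The following is an added example and is not OAC code or part of this guide; the Profile class, the field names and lint_profile are this example's own, and the EAP-FAST row is filled in from the note above that EAP-FAST uses EAP-GenericTokenCard as its inner protocol.

```python
"""Lint an authentication profile against the protocol rules in this chapter.

Added example; this is not OAC code. The compatibility matrix is Table 4 as
printed above (plus the note that EAP-FAST tunnels EAP-GenericTokenCard);
the anonymity rule and the JUAC requirement come from the NOTEs in this
chapter. The Profile class and function names are this example's own.
"""
from dataclasses import dataclass, field

# Table 4: inner methods each outer protocol may tunnel.
INNER_FOR_OUTER = {
    "EAP-TTLS": {"PAP", "CHAP", "MS-CHAP", "MS-CHAP-V2", "PAP/Token Card", "EAP", "JUAC"},
    "EAP-PEAP": {"MS-CHAP-V2", "GenericTokenCard", "POTP", "TLS", "JUAC"},
    "EAP-FAST": {"GenericTokenCard"},
}
# Only these outer protocols carry the real identity inside the tunnel, so the
# Anonymous name field is usable only when every configured protocol is one of them.
TUNNELED_OUTER = {"EAP-TTLS", "EAP-PEAP", "EAP-FAST"}


@dataclass
class Profile:
    outer: list                                  # outer protocols, in preference order
    inner: dict = field(default_factory=dict)    # outer protocol -> list of inner methods
    anonymous_name: str = ""                     # outer identity, if one was entered
    targets_infranet_controller: bool = False


def lint_profile(profile: Profile) -> list:
    """Return a list of problems; an empty list means the profile obeys the rules."""
    problems = []
    for outer in profile.outer:
        allowed = INNER_FOR_OUTER.get(outer)
        if allowed is None:
            continue  # not a tunneling protocol; there is no inner method to check
        inners = profile.inner.get(outer, [])
        if not inners:
            problems.append(f"{outer} requires at least one inner authentication method")
        for method in inners:
            if method not in allowed:
                problems.append(f"{method} is not a supported inner method for {outer} (Table 4)")
            elif method == "MS-CHAP":
                problems.append("MS-CHAP is listed as not valid for Windows platforms")
    if profile.anonymous_name and not set(profile.outer) <= TUNNELED_OUTER:
        problems.append("anonymous outer identity requires that only EAP-TTLS, EAP-PEAP, "
                        "and/or EAP-FAST are configured")
    if profile.targets_infranet_controller and not any(
        "JUAC" in profile.inner.get(outer, []) for outer in profile.outer
    ):
        problems.append("Infranet Controller connections require JUAC as an inner "
                        "authentication protocol")
    return problems


if __name__ == "__main__":
    # Constructed sample: a UAC profile that tunnels MS-CHAP-V2 and JUAC inside EAP-TTLS.
    sample = Profile(outer=["EAP-TTLS"], inner={"EAP-TTLS": ["MS-CHAP-V2", "JUAC"]},
                     anonymous_name="anonymous", targets_infranet_controller=True)
    print(lint_profile(sample) or "profile OK")
```

The linter treats any outer protocol that is not in the table as non-tunneling, which is what disables the anonymous name; it does not know which extra outer protocols a given OAC edition offers, so it only reports the consequence of enabling one.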
EAP as an Inner Authentication Protocol
If you select EAP as your inner authentication protocol, you must configure the Inner EAP protocols list on the TTLS Settings tab of the Profile Properties dialog with one or more protocols.
To add an inner EAP protocol:
1. From the TTLS tab in the Profile Properties dialog, select EAP from the pull-down list of inner authentication protocols.
2. Click Add to display the list from which you can choose inner EAP protocols.
3.
None—Configure EAP-TTLS authentication without a client-side certificate. This option specifies the most typical use of EAP-TTLS authentication. Select this option unless you intend to use a client certificate as part of EAP-TTLS authentication.
3. Click OK.
PEAP Settings
If you select EAP-PEAP as an authentication method in the Authentication tab, Table 4 on page 49 shows the inner EAP authentication methods that are valid with PEAP.
Using Certificates with EAP-PEAP Authentication
To select EAP-PEAP personal certificate options:
1. Select Permit login using my certificate on the Certificate subtab of the User Info tab on the Profile dialog.
2. In the PEAP tab of the Profile Properties dialog, select Use my certificate to authenticate to the network.
3. Select one of the following personal certificate options:
Not performed—Inner authentication is not performed.
Use my personal certificate.
c. Re-type the PIN under Please confirm your PIN.
d. Click OK.
After you create your new PIN, you are re-prompted to enter your new PIN, followed by your token information.
Infranet Controller Profile Configuration—UAC Networks Only
Connecting to an Infranet Controller requires an authentication profile. Best practices recommend that you have an authentication profile for each Infranet Controller that you use to access protected network resources.
To set a preferred order of inner EAP protocols:
1. Select one of the inner EAP protocols from the list.
2. Use the arrow button to move the protocol up or down in the list.
3. Repeat this procedure until the list reflects the preferred order.
You can add, remove, or reorder any EAP-PEAP inner protocols from the TTLS Settings tab of the Profile Properties dialog.
To remove JUAC as an inner authentication protocol for TTLS:
1. Select JUAC in the list of inner EAP protocols.
2.
Setting the Preferred Realm and Role
This section describes the JUAC tab in the Profile Properties dialog and how to specify a preferred realm and role for connecting to an Infranet Controller. Part of connecting to an Infranet Controller might include specifying a realm and a role. The realm identifies the network that you have been authenticated to access. The role identifies the network resources that you are authorized to access.
Sample Profile Configuration
This section shows a sample authentication profile for a corporate network. (You do not need a profile for a hotspot or a home Wi-Fi network.)
Chapter 6 Managing Network Access This chapter describes how to define and configure the networks to which you intend to connect. Before you can connect to any network with OAC, you must configure it in OAC and name it. The networks that you define can include one or more corporate wired and wireless networks, your home wireless network, and one or more “hotspot” networks at airports, train stations, restaurants, or coffee shops.
Adding or Modifying Network Properties
Whether you add a network by clicking Add or modify network properties by clicking Properties, the dialogs display the same settings. Figure 12 is a sample configuration dialog.
Network Settings
The following sections describe each of the Network configuration categories. Once you have defined a network, it is unlikely that you will need to change it unless your network administrator indicates that a change is necessary.
Specifying a Network Name (Network SSID)
The network name or SSID (service set identifier) is the actual name of the wireless network to which you want to connect.
Specifying a Network Type
If you do not click Scan to select a network, specify the type of network by choosing one of the options from the Network type drop-down list.
Select Access point (infrastructure mode) if this network uses wireless access points to provide connectivity to the corporate network or the Internet. This is the most common setting.
Select Peer-to-peer (ad-hoc mode) to set up a private network and connect directly with other PCs or laptops.
Encryption Methods for an Association Mode
Your choice of encryption method depends on the access point requirements. The choices available to you depend on the association mode you choose. See “Wired-Equivalent Privacy” on page 10 and “Wi-Fi Protected Access and its Encryption Methods” on page 11 for more information. You have the following options:
None—Use this setting to select 802.1X authentication without WEP keys.
Authentication Settings
Use the Authentication fields to specify whether or not to use 802.1X authentication for the network and how to generate encryption keys.
Authenticating with a Profile
To authenticate using your personal credentials:
1. Select Authenticate using profile.
2. Select the name of the profile to use for authentication from the drop-down list next to the Authenticate using profile check box.
Preshared Keys (WPA or WPA2)
If you associate using WPA or WPA2 and if you do not generate encryption keys automatically when associating an authentication profile to the network connection, you must supply a preshared 8–63 character ASCII passphrase in the Passphrase field. The passphrase is used as a seed to generate the required keys. When you use a passphrase, you do not authenticate with a RADIUS server.
WEP keys are either 40 or 104 bits long. This corresponds to either 5 or 13 characters when you enter them as ASCII characters or 10 or 26 characters when you enter them as hexadecimal digits.
Table 6: WEP Key Specifications
Bits in the Key: ASCII Characters / Hexadecimal Digits
40: 5 / 10
104: 13 / 26
To enter any preconfigured WEP keys:
1. In Format for entering keys, select ASCII characters or hexadecimal digits.
2.
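The key material described in the preceding two sections has fixed formats: a WEP key must match one of the two rows of Table 6 in whichever entry format is selected, and a WPA/WPA2 passphrase must be 8 to 63 ASCII characters. The following added example (not OAC code and not from this guide) validates both and also shows how the passphrase "seed" becomes the 256-bit preshared key. The derivation shown, PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations, is the IEEE 802.11i standard method rather than anything the guide states; the function names are this example's own.

```python
"""Validate WEP key and WPA/WPA2 passphrase input and derive a WPA PSK.

Added example; not OAC code. Table 6 (40/104-bit WEP keys as 5/13 ASCII
characters or 10/26 hexadecimal digits) and the 8-63 character passphrase
rule are taken from this chapter. The PBKDF2 derivation is the IEEE 802.11i
standard method that turns the passphrase "seed" into the 256-bit preshared
key; the guide does not show it. Function names are this example's own.
"""
import hashlib
import string

# Table 6: key length in bits -> (ASCII characters, hexadecimal digits)
WEP_KEY_SIZES = {40: (5, 10), 104: (13, 26)}


def normalize_wep_key(key: str, fmt: str) -> tuple:
    """Return (bits, hex_key) for a key entered as 'ascii' or 'hex'.

    Raises ValueError when the length or character set does not match Table 6.
    WEP appears here only because the guide still offers it; it no longer
    provides real confidentiality and WPA/WPA2 should be used wherever possible.
    """
    if fmt == "ascii":
        raw = key.encode("ascii")  # UnicodeEncodeError (a ValueError) on non-ASCII input
        for bits, (n_ascii, _) in WEP_KEY_SIZES.items():
            if len(raw) == n_ascii:
                return bits, raw.hex()
        raise ValueError("WEP ASCII key must be exactly 5 or 13 characters")
    if fmt == "hex":
        if not key or any(c not in string.hexdigits for c in key):
            raise ValueError("WEP hex key may contain only hexadecimal digits")
        for bits, (_, n_hex) in WEP_KEY_SIZES.items():
            if len(key) == n_hex:
                return bits, key.lower()
        raise ValueError("WEP hex key must be exactly 10 or 26 digits")
    raise ValueError("fmt must be 'ascii' or 'hex'")


def check_wpa_passphrase(passphrase: str) -> None:
    """Enforce the 8-63 printable ASCII character rule for WPA/WPA2 passphrases."""
    if not (8 <= len(passphrase) <= 63):
        raise ValueError("WPA passphrase must be 8-63 characters long")
    if not (passphrase.isascii() and passphrase.isprintable()):
        raise ValueError("WPA passphrase must consist of printable ASCII characters")


def wpa_psk(passphrase: str, ssid: str) -> str:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits), as hex.

    The SSID is the salt, so the same passphrase yields a different key on every
    network. The derivation is public and fixed, which is why a short or
    guessable passphrase stays weak: anything that is easy to enumerate can be
    tested against a recorded handshake, so choose long, random passphrases.
    """
    check_wpa_passphrase(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32).hex()


if __name__ == "__main__":
    print(normalize_wep_key("abcde", "ascii"))   # constructed sample key
    print(wpa_psk("password", "IEEE"))           # IEEE 802.11i Annex H test-vector inputs
```

Because the 40/104-bit figures exclude the 24-bit WEP initialization vector, the "64-bit" and "128-bit" labels some access points use refer to the same two key sizes as Table 6.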
Sample Network Configuration Setups
This section shows three examples of setting up wireless network configurations. The first is for a corporate wireless network. The second is for a wireless hotspot. The third is for a home wireless network.
Sample Configuration for a Home Wireless Network
Table 9: Sample Configuration for a Home Wireless Network
Setting: Value
Network name (SSID):
Connect to any available network: Yes
Description: Home wireless network
Network Type: Access point (infrastructure mode)
Association mode: open
Encryption mode: WEP
Authenticate using profile: home
Chapter 7 Managing Auto-Scan Lists
An auto-scan list is an ordered list of networks that you have configured. You can create one or more auto-scan lists and order them based on your preferences for using them. If you connect to a network using an auto-scan list, rather than to an individual network, OAC scans sequentially through the listed networks for the first available network.
Using the Auto-Scan List Dialog
To set up or modify an auto-scan list, open the Configuration folder and select Auto-Scan Lists. The Auto-Scan Lists dialog (Figure 13 on page 68) opens.
Figure 13: Auto-Scan Lists Dialog
You can perform the following tasks in the Auto-Scan Lists dialog:
Add an auto-scan list
Remove an auto-scan list
Modify an auto-scan list
View the contents of an auto-scan list
Adding an Auto-Scan List
To add an auto-scan list:
1.
5. Order the selected networks based on the frequency with which you expect to connect to them. Place the highest priority networks at the top of the list. A network on this list is preferred over the networks listed below it. You can select one or more networks and use the up and down arrows to reorder the list.
6. Optionally, select Switch to preferred network when available, even if currently connected.
Viewing the Names in an Auto-Scan List
To view the names in an auto-scan list, double-click the name of the auto-scan list in the Auto-Scan List dialog. The Auto-Scan List Properties dialog then displays the networks in the auto-scan list in order of preference.
NOTE: Test the network connection for each network in your auto-scan list separately.
Chapter 8 Managing Infranet Controller Connections
This chapter describes how to add an Infranet Controller to your OAC configuration and how to connect and sign on to it. It also addresses connecting to and using multiple Infranet Controllers. If your network does not include an Infranet Controller, you can skip this chapter.
After installing and running OAC, you can establish an authenticated connection to one or more Infranet Controllers.
4. In the Server URL field, enter the DNS name or the IP address of the Infranet Controller to which you intend to connect.
5. In the Authentication Profile field, specify the name of a profile for authenticating to a specific Infranet Controller. The profile provides all the information needed for authenticated access to that Infranet Controller. See “Adding or Modifying a Profile” on page 38 for details about setting up a profile.
3. An Infranet Controller dialog opens (Figure 14) and shows the IP address of the Infranet Controller in the Server URL field. Below that is a Connect to the Infranet Controller check box. Select the check box to enable a connection to the Infranet Controller.
Figure 14: Infranet Controller Dialog (callouts: Connected; Compliance status; Endpoint & Authentication Status Icons)
4. Sign on to the Infranet Controller when the prompt appears (Figure 15).
Use the Reconnect button at the bottom of the dialog to reinitialize the connection. See “Menu Options” on page 12 for a discussion of this option.
Specifying a Preferred Realm and Role
This section describes how to specify a preferred realm and role. An authentication realm is a group of authenticated resources that you select when signing on to the Infranet Controller server.
Checking Infranet Controller Status
One way to check Infranet Controller status is to view the Infranet Controllers in the Infranet Controllers folder. If an Infranet Controller is currently disconnected from the network, the Infranet Controller icon turns gray and the Connect to the Infranet Controller box is not selected (see Figure 16). The Reconnect button is also disabled in this case.
Figure 17: Compliance Failure Dialog (callouts: Compliance warning message; Compliance warning icons)
When you click the How do I resolve this problem? link, another dialog provides you with specific instructions for updating your computer so that it meets compliance requirements. The remediation instructions that you see might vary from the sample shown in Figure 18. Your network administrator determines the level of detail in the information or instructions that you see.
Disconnecting from an Infranet Controller
To disconnect from an Infranet Controller:
1. Open the Infranet Controllers folder in the sidebar.
2. Select the Infranet Controller from which you intend to disconnect.
3. After a dialog opens showing the Infranet Controller name, clear the Connect to the Infranet Controller check box.
Chapter 9 Managing Trusted Servers
This chapter describes trusted servers and the configuration tasks that pertain to managing trust, trusted servers, certificates, and certificate authorities. Use this feature to add, remove, and configure trusted network servers and to configure certificate and identity information for the servers that might authenticate you when you connect. Configuring this feature is required for protocols that implement mutual authentication and is a recommended security measure.
Add or remove certificate nodes.
Add authentication servers or intermediate certificate authority (CA) nodes.
Remove CA nodes.
View certificate information.
Manage untrusted servers (temporary trust).
Figure 19: Trusted Servers Dialog
NOTE: To configure a trusted server with OAC, the root Certificate Authority (CA) or intermediate CA for the server certificate chain must be installed in the trusted root or intermediate certificate store.
When you configure OAC to trust a server, specify the name of the server and the certificate chain to which it belongs. You can allow OAC to trust any server that bears a specified signed certificate.
Use an intermediate CA or authentication server domain name to filter the certificate chain when you install the certificate that specifies the issuer of the trusted server certificates.
To add a trusted server:
1. Click Add in the Trusted Servers dialog to display the Add Trusted Servers Entry dialog and begin the server configuration.
2.
2. Click Remove.
Editing a Trusted Server Entry
You might need to change the trusted server configuration. For example, you might want to change the setting from trusting any server with a valid certificate to trusting just one or a small set of domain names.
To edit an entry in the trusted servers list:
1. Select the entry in the Trusted Servers dialog.
2. Click Edit. The Trusted Server Properties dialog appears.
Adding Certificate Nodes
To add a new certificate to the top level of the trust tree:
1. Click the Add Certificate button. The Select Certificate dialog appears.
2. Select a certificate from the list and click OK. You can select a certificate from the list of intermediate or trusted root certificates.
To display detailed information about any certificate before you add it:
1. Select the certificate.
2. Click View on the Select Certificate dialog.
2. For Server or intermediate CA name, enter the name (or the final elements of a name) that you want to match. This field is not required if you select Regardless of its name. The form of the name depends on your choice of Server or intermediate CA name type.
3. For Server or intermediate CA name type, indicate how the name is interpreted and where in the certificate the name is found.
Removing Nodes
To remove a node:
1. Select the node in the tree to remove.
2. Click Remove. The selected node and any nodes beneath it are removed from the tree.
The node you remove can be any of the following:
Top level certificate node
Intermediate CA node
Server node
Viewing Certificate Information
To display detailed information about any certificate at the top level of the trust tree:
1. Select the certificate.
2.
To trust a server permanently:
1. Select Add this trusted server to the database.
2. Select Yes. The server is added to the list of trusted servers, using the name shown in the Server name must end with field (see “Adding a Trusted Server Entry” on page 81). You can edit the server name. For example, if the server name is auth2.acme.com, you can change it to acme.com if you want to trust all authentication servers belonging to the acme.com domain.
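Widening auth2.acme.com to acme.com, as described above, makes the trust decision depend on how "Server name must end with" is evaluated. The following added example (not OAC's own code) implements the cautious reading, a suffix match on a DNS label boundary, so that acme.com covers every host under that domain but not a look-alike such as notacme.com; whether OAC itself applies a label-boundary rule is not stated in this guide and is an assumption here, as are the function names.

```python
"""Suffix matching for the "Server name must end with" trusted-server field.

Added example, not Juniper code. Assumes the field is compared against a
DNS-style server name (for example auth2.acme.com) and that a label-boundary
rule is wanted, so that "acme.com" trusts acme.com and *.acme.com only.
"""
from typing import List, Optional


def normalize_name(name: str) -> str:
    """DNS names are case-insensitive; drop blanks and a trailing dot."""
    return name.strip().rstrip(".").lower()


def server_name_matches(server_name: str, must_end_with: str) -> bool:
    """True if server_name ends with must_end_with on a label boundary.

    An empty must_end_with corresponds to "Regardless of its name" and
    matches every server. "auth2.acme.com" matches exactly that host;
    "acme.com" also matches any host beneath it, but not notacme.com.
    """
    server = normalize_name(server_name)
    suffix = normalize_name(must_end_with)
    if not suffix:
        return True
    if server == suffix:
        return True
    return server.endswith("." + suffix)


def naive_matches(server_name: str, must_end_with: str) -> bool:
    """Plain string suffix test, shown for contrast: it also accepts
    look-alike names such as notacme.com for the entry acme.com."""
    return normalize_name(server_name).endswith(normalize_name(must_end_with))


def widen_to_domain(server_name: str) -> str:
    """The edit the guide describes: drop the host label so that the entry
    covers the whole domain (auth2.acme.com -> acme.com)."""
    labels = normalize_name(server_name).split(".")
    if len(labels) < 3:
        raise ValueError("refusing to widen to a top-level or bare domain")
    return ".".join(labels[1:])


def find_trusted_entry(server_name: str, entries: List[str]) -> Optional[str]:
    """Return the first configured entry that trusts server_name, else None."""
    for entry in entries:
        if server_name_matches(server_name, entry):
            return entry
    return None


if __name__ == "__main__":
    # Constructed trusted-server list, not a real configuration.
    trusted = ["auth1.corp.example", widen_to_domain("auth2.acme.com")]
    for name in ["auth2.acme.com", "auth9.acme.com", "notacme.com"]:
        print(name, "->", find_trusted_entry(name, trusted))
```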
Chapter 10 Viewing Log Files and Diagnostics
This chapter describes how to access and view log files and diagnostics information. A Juniper Networks technical support member might ask you to access this type of information if you are troubleshooting an OAC problem.
NOTE: The log file and diagnostic options presented here are only available for networks that include Unified Access Control (UAC) and at least one Infranet Controller.
Figure 20: Odyssey Log Viewer Dialog
Depending on the size of the log file or the specific contents of interest, you might need to copy all or selected parts of the file and paste the information into an email message to the support member.
Accessing Diagnostics
There are four categories of diagnostics information available from the Tools > Diagnostics menu. Select one of the following diagnostics from the pull-down options.
Figure 21: Sample IPsec Diagnostics Dialog
IPsec Configuration—UE Only
IPsec Configuration shows you configuration information for the IPsec policies that apply to the current session and information about the Infranet Enforcers to which OAC can connect. These are the current IPsec routing policies that have been downloaded to OAC from the Infranet Controller configuration and are used with the IPsec service on your computer.
Save All Diagnostics
Save All Diagnostics collates the output of all the diagnostic functions and lets you save the output to a file. You can then archive the file or send it to the technical support member for analysis.
NOTE: It is very helpful to the technical support staff if you can provide the approximate time of the event you are reporting.
Appendix A Network Security Concepts
This appendix contains background information for anyone who needs a better understanding of the concepts and protocols that show how Odyssey Access Client operates in a network, particularly from the standpoint of network security and authentication.
Network Security
Most organizations can rely on physical security to protect their wired networks.
IPsec is a set of protocols used to secure (encrypt) IP data packets being exchanged on a network. Best practices for network security usually call for encrypting the data being transferred between protected network resources and endpoint computers. A Juniper UAC network can include a firewall that provides an IPsec gateway deployed in front of protected resources to enforce the security policy.
Preshared passphrases used to generate keys for WPA or WPA2 association. Preshared passphrases enable you to configure a simple phrase that is used to generate cryptographically strong encryption keys for use with AES or TKIP encryption. AES and TKIP periodically change the encryption keys in use. The generated keys keep unauthorized users off the wireless network and encrypt the data of legitimate users.
802.11 Wireless Networking
There are many types of wireless communication. Odyssey Access Client is designed to work over networks that adhere to the IEEE 802.11 Wireless LAN standards, as well as the Wi-Fi Alliance enhancements to these standards. Many corporations deploy secure wireless 802.11 networks, and 802.11 networks are commonly found in hotels, airports, and other “hotspots” as a means of Internet access.
Types of 802.
The 802.11 standard refers to peer-to-peer network connectivity as ad-hoc mode. See “Specify the Network Type” on page 74, “Adding a Network Description” on page 59, “Specify the Association Mode” on page 75, and “Specifying an Association Mode” on page 60 for information about configuring ad-hoc network connections.
Wireless Network Names
Each wireless network has a name. The 802.11 standard refers to a network name as the service set identifier (SSID).
See the following topics:
“Specifying an Association Mode” on page 60 for directions on selecting an association mode and a connection mode (infrastructure or ad-hoc) in Odyssey Access Client.
“Encryption Methods for an Association Mode” on page 61 for directions on selecting WEP encryption when using the shared or open association mode.
“Preconfigured Keys (WEP)” on page 78 to use static WEP keys with Odyssey Access Client.
See the following topics:
“Specifying an Association Mode” on page 60 to use WPA2 or WPA association mode with Odyssey Access Client.
“Specifying an Association Mode” on page 60 to use AES or TKIP encryption with WPA2 or WPA association.
“Encryption Methods for an Association Mode” on page 61 to configure a passphrase that is used in encryption key generation.
“FIPS Secure Encryption (FE Only)” on page 61 for information about this data encryption security module.
When preconfigured WEP keys are used, it is the wireless client PC that is authenticated to the network. With 802.1X, it is the user who is authenticated to the network with user credentials, which might be a password, a certificate, a SIM (Subscriber Identity Module) card, or a token card. Moreover, the keys used for data encryption are generated dynamically. The authentication is not performed by the access point, but by a central server.
Mutual Authentication
EAP-TTLS, EAP-PEAP, EAP-TLS, and EAP-FAST provide mutual authentication of the user and the network and produce dynamic keys that can be used to encrypt communications between the client device and the access point. With mutual authentication, the network authenticates the user credentials and the client software authenticates the network credentials. Requiring mutual authentication is an important security precaution when using wireless networking.
Each certificate is issued by a certificate authority. By issuing a certificate, the certificate authority warrants that the name in the certificate corresponds to the certificate’s owner (much as a notary public guarantees a signature). The certificate authority also has a certificate, which in turn is issued by a higher certificate authority. At the top of this pyramid of certificates is the root certificate authority.
If your enterprise has a user-based certificate infrastructure in place, you have the option to configure user certificate-based credentials for EAP-TTLS authentication, with or without tunneled password credentials. See “Using Certificates with EAP-TTLS Authentication” on page 63.
EAP-PEAP
EAP-PEAP is comparable to EAP-TTLS, both in its method of operation and in its security.
EAP-LEAP
EAP-LEAP (Lightweight EAP, also known as EAP-Cisco Wireless) is a protocol that enables users to be authenticated using their Windows password credentials without the use of certificates. The data exchange in EAP-LEAP is fundamentally similar to the exchange that occurs when a user logs in to a Windows Domain Controller. EAP-LEAP is very convenient because it is Windows-compatible.
Recommended practice is to enable session resumption. The need for some form of reauthentication arises fairly frequently in wireless networking, particularly when you are moving between access points. Each time you connect with a new access point, a new authentication occurs. The less time it takes to perform that authentication, the less likely you are to experience a momentary stall in your network applications.
Appendix B Glossary
A
AAA—Authentication, Authorization, and Accounting.
Access Control List (ACL)—A listing of users and their associated access rights. Used to implement discretionary and/or mandatory access control between subjects and objects.
Accounting—Tracking users’ access to resources, primarily for billing purposes. See also AAA.
Advanced Encryption Standard (AES)—Standard approved by NIST for the next 20-30 years of use.
Asymmetric algorithm—A pair of key values, one public and one private, used to encrypt and decrypt data. Only the holder of the private key can decrypt data encrypted with the public key, which means anyone who obtains a copy of the public key can send data to the private key holder in confidence.
Certificate Authority (CA)—An online system that issues, distributes, and maintains currency information about digital certificates. Abbreviated as CA.
Certificate policy—A statement that governs the use of digital certificates.
Certificate revocation—The act of invalidating a digital certificate.
Certificate revocation list (CRL)—A list generated by a CA that enumerates digital certificates that are no longer valid and the reason they are no longer valid.
D
Data Encryption Standard (DES)—A cryptographic algorithm designed for protection of unclassified data and published by the National Institute for Standards and Technology in Federal Information Processing Standard (FIPS) Publication 46.
Data integrity—The condition existing when data is unchanged from its source and has not been accidentally or maliciously modified, altered, or destroyed.
Encryption hash—A method in which a selection of data is mixed into a section of data based on an algorithm. The result is called a hashed value.
Encryption keys—A sequence of characters that an encryption algorithm uses to make plain text unreadable unless you share the same encryption key needed to decode the encrypted message.
Extensible Authentication Protocol (EAP)—An IETF standard that provides for mutual authentication between a client and an AAA authentication server.
Firewall—A hardware device or software application designed to filter incoming or outgoing traffic based on predefined rules and patterns. Firewalls can filter traffic based on protocol use, source or destination address, and port numbers, and can even apply state-based rules to block unwanted activities or transactions.
G
Granularity—The relative fineness to which an access control mechanism can be adjusted.
Integrity—A monitoring and management system that performs integrity checks and protects systems from unauthorized modifications to data, system, and application files. Normally, performing such checks requires access to a prior scan or original versions of the various files involved.
Internet—The global set of networks interconnected using TCP/IP.
Key Pair—A public key and its corresponding private key as used in public key cryptography.
Key recovery—A mechanism for determining the key used to encrypt some data.
L
Layer 2 Tunneling Protocol (L2TP)—A technology used with VPNs to establish a communication tunnel between communicating parties over insecure media. L2TP permits a single logical connection to transport multiple protocols between a pair of hosts.
Node—A point of concentrated communications; a central point of communications.
Nonrepudiation—The condition in which a receiver knows or has assurance that the sender of some data did in fact send the data, even though the sender might later want to deny ever having sent it.
O
OSI—Abbreviation for Open Systems Interconnection. Usually refers to the 7-layer protocol model for the exchange of information between open systems.
Private key—A piece of data generated by an asymmetric algorithm that is used by the host to decrypt data encrypted with the corresponding public key. This technique makes digital signatures and nonrepudiation possible.
Protocol—The procedures that two or more computer systems use so they can communicate with each other.
Proxy—A facility that indirectly provides some service for another facility.
S
Secure channel—A means of conveying information from one entity to another such that an adversary does not have the ability to reorder, delete, insert, or read it. (Examples are SSL and IPsec.)
Secure Hypertext Transfer Protocol (HTTPS)—An Internet protocol that encrypts individual messages used for Web communications rather than establishing a secure channel, as in SSL.
T
TACACS+—An enhanced version of Terminal Access Controller Access Control System. TACACS+ is a TCP-based authentication and access control Internet protocol governed by RFC 1492.
TCP—Abbreviation for Transmission Control Protocol. Verifies correct delivery of data from client to server; uses virtual circuit routing. Occupies layer 4 of the OSI reference model.
TCP/IP—Abbreviation for Transmission Control Protocol/Internet Protocol.
W
Wired Equivalent Privacy (WEP)—A security protocol used in 802.11 wireless networking. WEP is designed to provide security equivalent to that found in regular wired networks. This is achieved by using basic symmetric encryption to protect data sent over wireless connections, so that sniffing of wireless transmissions does not produce readable data and so that drive-by attackers cannot access a wireless LAN without additional effort and attacks.