Juniper Networks - How to configure Odyssey Client for secure EAP-TLS certificate ...

How to configure Odyssey Client for secure EAP-TLS certificate based authentication

Categories: Odyssey Series
Knowledge Base ID: KB10662
Last Updated: 05 Aug 2010
Version: 4.0

SUMMARY:
How to configure Odyssey Client for secure EAP-TLS certificate based authentication

PROBLEM OR GOAL:

SOLUTION:
Overview
You can configure Odyssey Client for secure certificate-based authentication using EAP-TLS.

Before you begin


In order to configure Odyssey Client for EAP-TLS network authentication, you must verify the following information with your network administrator:
- You must have a wireless adapter installed and enabled on your client machine.
- You must know the exact name (SSID) of the access point network to which your credentials are authenticated. If you do not know the exact name of the access point network, you must be in its vicinity at the time of configuration.
- You must know how the access point association and encryption are configured. It is typical for EAP-TLS authentication that access points are configured in open association mode and for WEP encryption with dynamic key generation. The instructions below reflect this scenario. If this is not the case, you can modify the association and encryption choices in step 3g below. For example, your access point might be configured for WPA2 association with AES encryption.
- You must know the name of the appropriate user certificate to be used as your credentials for EAP-TLS authentication.
- You must already have the appropriate user certificate installed in the personal certificate store of your client machine. See KB10482 for information on installing a user certificate on the client machine if you do not already have one installed.
- You must know the name of the appropriate CA-issued certificate to be used for EAP-TLS authentication. (Note: CA = Certificate Authority)
- You must already have the appropriate CA-issued certificate installed in the trusted root certificate store of your client machine. See KB10484 for information on installing a CA-issued certificate on the client machine if you do not already have one installed.

If you are configuring Odyssey Client for EAP-TLS authentication using a machine account, then all certificates must be installed in the local machine store (as opposed to the current user store). Follow the instructions in KB10483 for configuring a machine account. Follow the instructions in procedure III of KB10484 for installing CA-issued certificates in the trusted root store of the local machine. See KB10482 for installing personal certificates on a local machine.
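
A pre-flight check of the certificate prerequisites listed above, as an added example that is not part of the KB article or Juniper's tooling. It assumes Windows PowerShell on the client machine; the parameter names `Scope` and `SubjectLike` are hypothetical.

```powershell
# Added example, not from the KB article. Assumes Windows PowerShell.
# -Scope and -SubjectLike are hypothetical parameter names for this script.
param(
    [ValidateSet('CurrentUser', 'LocalMachine')]
    [string]$Scope = 'CurrentUser',   # use LocalMachine for machine-account authentication
    [string]$SubjectLike = '*'        # narrow to one certificate, e.g. '*CN=jdoe*' (constructed value)
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'  # Client Authentication extended key usage

function Test-ClientAuthEku($Cert) {
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $eku) { return $true }   # no EKU extension: usage is not restricted
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
}

$now = Get-Date
Get-ChildItem "Cert:\$Scope\My" |
    Where-Object { $_.Subject -like $SubjectLike } |
    ForEach-Object {
        # Build the chain locally; revocation is deliberately not checked here.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainOk = $chain.Build($_)

        # The top element is a root only when the chain is complete (self-signed),
        # and it must be present in the trusted root store of the same scope.
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $rootInStore = ($top.Subject -eq $top.Issuer) -and
                       (Test-Path "Cert:\$Scope\Root\$($top.Thumbprint)")

        New-Object PSObject -Property @{
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            HasPrivateKey = $_.HasPrivateKey          # required to act as the EAP-TLS credential
            ClientAuthEku = (Test-ClientAuthEku $_)
            InValidity    = ($_.NotBefore -le $now -and $now -le $_.NotAfter)
            ChainBuilds   = $chainOk
            RootSubject   = $top.Subject
            RootInStore   = $rootInStore
        }
    } |
    Select-Object Subject, Thumbprint, HasPrivateKey, ClientAuthEku, InValidity,
                  ChainBuilds, RootSubject, RootInStore
```

A row where HasPrivateKey, ClientAuthEku, InValidity or RootInStore is False points at the prerequisite to fix before creating the profile.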

Configuring Odyssey Client


Follow these steps in order to configure Odyssey Client for secure EAP-TLS authentication:

1. Add a wireless adapter:
   A. Select the Adapters panel in Odyssey Client Manager.
   B. Click Add. Add Adapter appears.
   C. Click the Wireless tab of Add Adapter, and select the adapter that you want to use for wireless authentication.
   D. Click OK. The wireless adapter appears on the Adapters panel.
2. Create a user profile to specify your desired authentication options:
   A. Select the Profiles panel in Odyssey Client Manager.
   B. Click Add. Add Profile appears.
   C. Create a name for the profile, and type it next to Profile name.
   D. On the User Info tab of Add Profile, enter the login name. If you are already on your enterprise network when you configure Odyssey Client, then Odyssey Client picks up your network login name by default. You can uncheck Permit login using password in the Password subtab of User Info.
   E. Select the Certificate subtab of User Info tab of Add Profile, and check Permit login using my certificate. Click Browse. Select Certificate appears. Select your user certificate from the list of personal certificates, and click OK. See your network administrator if you have any questions about which certificate to select.
   F. Select the Authentication tab. Click Add in order to add EAP-TLS to the list of authentication methods. Select EAP-TLS on the list that appears, and click OK. Select the default authentication method (EAP-TTLS) from the list of authentication methods, and click Remove. Keep Validate Server Certificate checked in order to validate the server prior to sending the user's certificate credentials to the RADIUS server. Note that when you check this option, you must configure a CA certificate for use with Odyssey Client. (See step 4 below.)
   G. Click OK to close Add Profile. The profile appears in the Profiles panel.
3. Add a network:
   A. Select the Networks panel in Odyssey Client Manager.
   B. Click Add. Add Network appears.
   C. Enter the name of the wireless network (SSID) to which Odyssey Client authenticates the user. If you do not know the name of the access point network, and you are in the vicinity of the network, click Scan. Available Networks appears, displaying the results of a scan for the wireless access points in your vicinity. Select the correct network, and click OK to close Available Networks.
   D. Do not check Connect to any available network.
   E. Optionally enter a description for the network. You might want to use this option when you connect to two networks of the same name, but with different configurations.
   F. Select Access Point (Infrastructure mode) for the Network type. This is the default value.
   G. Select the Association mode (Open) and then select the related Encryption option (WEP). The values you select depend on how your network access point is configured. See your network administrator to verify the correct access point association and encryption options.
   H. Check Authenticate using profile and select the profile that you created in the Profiles panel in step 2.
   I. Check Keys will be generated dynamically for data privacy. (Once you complete step 3h, this is checked by default).
   J. Click OK. The network appears in the Networks panel.
4. Configure Odyssey Client with the trusted server certificate:
   A. Select the Trusted Servers panel in Odyssey Client Manager.
   B. Click Add. Add Trusted Server Entry appears.
   C. Check Trust any server with a valid certificate regardless of its name.
   D. Click Browse. Select Certificate appears.
   E. Select the Trusted Root Certificate Authorities tab, and select the required CA certificate and click OK. See your network administrator if you have any questions about which certificate to select.


   F. Click OK to close Add Trusted Server Entry. The trusted server entry appears in the Trusted Servers panel.
5. Connect to the wireless network:
   A. Select the Connection panel in Odyssey Client Manager.
   B. Select the adapter that you configured in step 1.
   C. Select the wireless network that you created in step 3.
   D. Check Connect to network.
   E. You can optionally check the status of the connection under Connection information on the Connection panel:
      - If the Status field appears to be open and authenticated, then you have successfully authenticated to the wireless network using EAP-TLS with the Odyssey Client.
      - If the Status field does not appear to be open and authenticated, verify your Odyssey Client configuration. Also verify that your EAP-TLS Odyssey Client configuration is correct for the configuration of your access point and RADIUS server.

You may elect not to add the trusted server (as in step 4) during the configuration of the Odyssey Client. If you complete all steps except step 4, then, after completing step 5d, Odyssey Client prompts you to validate your trust of the RADIUS server prior to sending your credentials to the RADIUS server during the authentication process. When prompted, check Add this trusted server to the database, and click Yes in order to continue with the EAP-TLS authentication. By checking Add this trusted server to the database, you configure Odyssey Client to trust this server for all future authentication attempts.

PURPOSE:
Troubleshooting

RELATED LINKS:

Copyright 1999-2012 Juniper Networks, Inc. All rights reserved.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB10662

29-09-2013
