Odyssey® is a wireless LAN access control and security solution that not only provides strong security over the wireless link, but also can be easily and widely deployed and managed across an enterprise network. Odyssey includes client and server software. It secures the authentication and connection of wireless LAN (WLAN) users, ensuring that only authorized users can connect, that connection credentials will not be compromised, and that data privacy will be maintained. Odyssey is based on the IEEE security standard 802.1x, and supports a wide variety of 802.1x security methods, including the strong and easily managed security method EAP-TTLS. EAP-TTLS offers the significant benefit of not requiring the set up and management of client certificates on each WLAN user’s PC. Instead, the WLAN user is safely authenticated to the network using ordinary password-based credentials, whose use is made proof against active and passive attack by enclosing it in a TLS security wrapper. You’ll be able to safely deploy WLAN access against your existing authentication infrastructure, significantly alleviating your management burden and allowing users to connect with the credentials they’re accustomed to using. Odyssey Client runs on multiple Windows platforms, Both Odyssey Client and Server support all 802.1x-capable access equipment, for unsurpassed multi-vendor compatibility.
Runs on Windows® XP, 2000, 98, Me, Pocket PC 2002, and Windows Mobile™ 2003 for Pocket PC and lets a user securely connect to a WLAN. It can communicate with Odyssey Server or any authentication server which supports an Odyssey authentication type, to get necessary security and connection information.
Odyssey Server is a RADIUS server customized to handle WLAN users and security. It handles connection requests from Odyssey Clients and other 802.1x clients which support WLAN authentication types. Odyssey is available as a Client/Server system, and as a stand-alone Client.
Multiple Security Types
The level of security on a WLAN is determined by the “EAP authentication type” in use. EAP (Extensible Authentication Protocol) authentication types provide credential security, data security, or both. Odyssey supports the following EAP authentication types:
EAP-TTLS is an IETF draft jointly authored by Funk Software and Certicom, and is a working document of the PPP Extensions group. EAP-TTLS provides secure user authentication, using a TLS tunnel to encrypt password-based credentials that would be otherwise subject to dictionary attack on the wireless link. It provides strong security, while supporting legacy password protocols, enabling rapid deployment against your existing security infrastructure. EAP-TTLS is supported on Odyssey Client, Odyssey Client for Pocket PC, and Odyssey Server.
EAP-PEAP is similar to EAP-TTLS, and provides a similar level of security. However, with EAP-PEAP, only EAP may be carried as a protocol inside the tunnel. EAP-PEAP is appropriate for use against Windows Active Directory and domains (via EAP-MS-CHAP-V2). Both the Microsoft® and Cisco® versions of EAP-PEAP are supported on Odyssey Client and Server. EAP-TLS is a follow-on to Secure Socket Layer (SSL). It provides strong security, but relies on client certificates for user authentication. EAP-TLS is supported on both Odyssey Client and Server. LEAP – this authentication method is used primarily for WLAN clients connecting to Cisco WLAN access points such as the Cisco Aironet® Series. LEAP is supported on both Odyssey Client, Odyssey Client for Pocket PC, and Odyssey Server. EAP-MD5 – this authentication method essentially duplicates CHAP password protection on a WLAN. EAP-MD5 represents a kind of base-level EAP support among 802.1x devices. EAP-MD5 is supported on Odyssey Client.
For the strongest security, we recommend the use of EAP-TTLS, EAP-PEAP, or EAP-TLS.
Benefits of EAP-TTLS
One of the primary benefits of EAP-TTLS is that it provides complete security for users’ connection credentials (i.e., user name and password) as they’re being authenticated to the network. With EAP-TTLS, a WLAN user’s identity and password-based credentials are tunneled during authentication negotiation, and are not observable in the communications channel. This strong security prevents dictionary attacks, man-in-the-middle attacks, and hijacked connections by wireless eavesdroppers – and protects your network from the havoc an attacker who’s connecting with valid credentials can wreak. EAP-PEAP and EAP-TLS also provides this high level of credential security. With LEAP, passwords which are short or insufficiently random are vulnerable to dictionary attack. A second major benefit of EAP-TTLS is that it supports all major password protocols, including PAP, CHAP, MS-CHAP, MS-CHAP-V2, EAP-MD5Challenge, and EAP-TokenCard. With EAP-TTLS, WLAN users can safely connect – without danger of cryptographic attack on password – using the connection credentials they’re accustomed to using. This lets you use consolidate the management of your wired and WLAN users, and allows WLAN users to connect using the credentials they’re accustomed to using, simplifying their access process. Odyssey Server can authenticate WLAN users directly against Windows NT Domains or Windows 2000 Native Domains. It can also forward EAP-TTLS requests to other RADIUS servers, including Funk Software’s Steel-Belted Radius, for authentication of WLAN users against non-Windows databases such as token systems or SQL/LDAP.
A third major benefit of using EAP-TTLS is that it does not require the use of client certificates to provide strong credential security.
Both EAP-TTLS and EAP-TLS use TLS (Transport Layer Security, the successor to SSL) as the underlying strong cryptography. However, EAP-TTLS differs in that only the RADIUS servers, not the users, are required to have certificates. The user is authenticated to the network using ordinary password-based credentials, whose use is made proof against active and passive attack by enclosing it in the TLS security wrapper. Users of EAP-TTLS are spared the administrative burden associated with setting up and maintaining a certificate infrastructure. Because EAP-TLS requires that each user have a certificate, organizations that deploy it can look forward to a substantial administrative burden in operating a certificate authority to distribute, revoke, and otherwise manage user certificates. While EAP-TLS provides strong security and is appropriate for organizations which have already deployed a PKI infrastructure, EAP-TTLS provides equally strong security and requires little additional administration beyond what you’re already doing to administer your Windows users.
Additional Security Features
With EAP-TTLS, dynamic per-session keys are generated to encrypt the wireless connection and protect data privacy. Odyssey Server can be configured to re-authenticate and thus re-key at any interval; frequent re-keying thwarts known attacks against the encryption method used in wireless communications (WEP).
EAP-TTLS also provides strong mutual authentication of Client and Odyssey Server, preventing an intrusion onto the network by an unauthorized user, and ensuring that the client is connecting to the right server. EAP-PEAP, EAP-TLS, and LEAP also provide these safeguards.
Odyssey can safely authenticate WLAN users directly against your existing Windows 2000 Native Domain or NT Domain authentication database, and includes full support for user and group designations.
And, for seamless integration into networks which aren’t exclusively Windows-based, Odyssey can also forward EAP-TTLS authentication requests to other RADIUS servers, including Funk Software’s Steel-Belted Radius, for safe authentication against non-Windows authentication schemes. If you set up Odyssey to forward EAP-TTLS authentication requests to Steel-Belted Radius, you’ll be able to authenticate WLAN users against:
Token systems (RSA Security’s ACE/Server SQL/LDAP databases)
- Solaris NIS , NIS+
- NT Domains/Windows 2000 Native Domains
- Any combination of the above
- Designed for Compatibility
Odyssey is an end-to-end solution which provides unsurpassed security and ease of management when using EAP-TTLS. It was designed to be compatible in a wide variety of WLAN environments, and with other 802.1x solutions.
Odyssey supports the widest variety of WLAN network adapter cards and access points – including those from 3Com, Agere, Avaya, Cisco, Enterasys, Proxim, and Symbol – for ensured compatibility in your network environment. Odyssey Server can manage connections from Microsoft (via EAP-PEAP or EAP-TLS) or Cisco (via EAP-PEAP or EAP-LEAP) 802.1x clients you may have already deployed.
Odyssey Client is compatible with Odyssey Server, Steel-Belted Radius, and other EAP-compatible RADIUS amd since it runs with equivalent security functionality and interface on more Windows platforms, it is an excellent complement to the XP-only Microsoft client. Odyssey gives you the flexibility to easily migrate from one security methodology to another. Odyssey Server can easily support both LEAP and EAP-TTLS methods while you transition your WLAN clients to Odyssey/EAP-TTLS.
Easily Deploy Across the Enterprise
Odyssey Client incorporates numerous conveniences for end users, and many deployment tools for network managers. This powerful combination of features allows rapid adoption by the end user population, to significantly reduce support and training costs; and enables rapid deployment of a configured client across all the wireless devices in your organization.
Odyssey Server – a RADIUS server specially designed to manage WLAN access – reflects the simple set-up, reliable and high-performance operation, and multi-vendor compatibility that are the hallmarks of Steel-Belted Radius, our market-leading RADIUS/AAA server. Odyssey Server writes a log file detailing all WLAN access activity, for easy reporting and diagnostics.
• Multi-platform 802.1X client runs on Windows XP, 2000, 98, ME, and Windows Mobile 2003 for Pocket PC
• Supports both 802.1X wireless and wired network access
• Great for enterprise and hotspot access
• Supports EAP-TTLS, EAPPEAP, EAP-TLS, EAP-FAST, LEAP, EAP-SIM, and EAP-MD5
• Supports Wi-Fi Protected Access (WPA) and WPA2 for enhanced data security
• Pre-configure Odyssey Client settings for easy deployment across the enterprise
• Auto-scan network lists provides seamless connection to networks, and seamless movement between networks
• Sophisticated network logon capabilities, including support for GINA and the Novell Client for Windows and machine connections, facilitate connection and administration processes
• Client lockdown capabilities and endpoint integrity interface let you enforce any security policy
• Easily deploy new network settings or changes to your security policy
• Compatible with any RADIUS server that supports EAP
Sophisticated Network Logon Capabilities
In addition, Odyssey Client provides advanced network logon capabilities
– including support for an advanced “GINA module” and machine connections
– which significantly facilitate network connection and administration processes. The following logon capabilities are supported when either the Windows login client or the Novell Client for Windows is used:
• Simplified connection from new, wireless-only devices – to eliminate support calls associated with not being able to connect from devices which have never logged in to a domain controller.
• Automatic running of login scripts – so wireless devices can be centrally administered by IT staff in the same way wired devices commonly are.
• The use of a shared wireless device by several different users – for example on a factory floor or at a nurse’s station
– with each user being able to log in and access his network profile.
• Easy access to the wireless device by network managers when a user is not logged in – to silently perform such tasks as machine back-ups, virus scan updates, and the like, during off-hours.
Supports 802.1X Wired Connections
Odyssey Client supports both wireless and wired connections to a network. As you consider moving to 802.1X-based wired access for the enhanced security, lower IT costs, and user-based network access it provides, Odyssey Client will fully meet your requirements for an 802.1X client. Odyssey Client can manage multiple adapter cards simultaneously, so your users won’t have to change their configuration settings as they move, for example, from a wired office connection to a wireless conference room connection. This ensures a much simpler experience.
Designed for Compatibility
Odyssey Client’s multi-platform, multiprotocol support ensures compatibility in any environment, whether on the secure enterprise WLAN or wired 802.1X network, or at a public WLAN hotspot. Because it implements standard protocols and EAP methods, it is fully interoperable with solutions from other vendors which support these protocols. For example, an Odyssey Client user can easily be authenticated by a RADIUS server from Cisco or Microsoft.
Odyssey Client optionally supports EAP-SIM, the WLAN protocol that allows GSM subscribers log on to a public WLAN and be authenticated against their provider’s Subscriber Information Management (SIM)-based infrastructure.