Intermec Funk Odyssey Client and Server Features
Odyssey is a wireless LAN access control and security solution that not only provides strong security over the wireless link, but also can be easily and widely deployed and managed across an enterprise network.
Odyssey includes client and server software. It secures the authentication and connection of wireless LAN (WLAN) users, ensuring that only authorized users can connect, that connection credentials will not be compromised, and that data privacy will be maintained.
Odyssey is based on the IEEE security standard 802.1x, and supports a wide variety of 802.1x security methods, including the strong and easily managed security method EAP-TTLS.
EAP-TTLS offers the significant benefit of not requiring the set up and management of client certificates on each WLAN user’s PC. Instead, the WLAN user is safely authenticated to the network using ordinary password-based credentials, whose use is made proof against active and passive attack by enclosing it in a TLS security wrapper. You’ll be able to safely deploy WLAN access against your existing authentication infrastructure, significantly alleviating your management burden and allowing users to connect with the credentials they’re accustomed to using.
Odyssey Client runs on multiple Windows platforms, Both Odyssey Client and Server support all 802.1x-capable access equipment, for unsurpassed multi-vendor compatibility.
Runs on Windows XP, 2000, 98, Me, Pocket PC 2002, and Windows Mobile 2003 for Pocket PC and lets a user securely connect to a WLAN. It can communicate with Odyssey Server or any authentication server which supports an Odyssey authentication type, to get necessary security and connection information.
Odyssey Server is a RADIUS server customized to handle WLAN users and security. It handles connection requests from Odyssey Clients and other 802.1x clients which support WLAN authentication types.
Odyssey is available as a Client/Server system, and as a stand-alone Client.
Multiple Security Types
The level of security on a WLAN is determined by the “EAP authentication type” in use. EAP (Extensible Authentication Protocol) authentication types provide credential security, data security, or both. Odyssey supports the following EAP authentication types:
EAP-TTLS is an IETF draft jointly authored by Funk Software and Certicom, and is a working document of the PPP Extensions group. EAP-TTLS provides secure user authentication, using a TLS tunnel to encrypt password-based credentials that would be otherwise subject to dictionary attack on the wireless link. It provides strong security, while supporting legacy password protocols, enabling rapid deployment against your existing security infrastructure. EAP-TTLS is supported on Odyssey Client, Odyssey Client for Pocket PC, and Odyssey Server.
EAP-PEAP is similar to EAP-TTLS, and provides a similar level of security. However, with EAP-PEAP, only EAP may be carried as a protocol inside the tunnel. EAP-PEAP is appropriate for use against Windows Active Directory and domains (via EAP-MS-CHAP-V2). Both the Microsoft and Cisco versions of EAP-PEAP are supported on Odyssey Client and Server.
EAP-TLS is a follow-on to Secure Socket Layer (SSL). It provides strong security, but relies on client certificates for user authentication. EAP-TLS is supported on both Odyssey Client and Server.
LEAP – this authentication method is used primarily for WLAN clients connecting to Cisco WLAN access points such as the Cisco Aironet Series. LEAP is supported on both Odyssey Client, Odyssey Client for Pocket PC, and Odyssey Server.
EAP-MD5 – this authentication method essentially duplicates CHAP password protection on a WLAN. EAP-MD5 represents a kind of base-level EAP support among 802.1x devices. EAP-MD5 is supported on Odyssey Client.
For the strongest security, we recommend the use of EAP-TTLS, EAP-PEAP, or EAP-TLS.
Benefits of EAP-TTLS
One of the primary benefits of EAP-TTLS is that it provides complete security for users’ connection credentials (i.e., user name and password) as they’re being authenticated to the network.
With EAP-TTLS, a WLAN user’s identity and password-based credentials are tunneled during authentication negotiation, and are not observable in the communications channel. This strong security prevents dictionary attacks, man-in-the-middle attacks, and hijacked connections by wireless eavesdroppers – and protects your network from the havoc an attacker who’s connecting with valid credentials can wreak.
EAP-PEAP and EAP-TLS also provides this high level of credential security. With LEAP, passwords which are short or insufficiently random are vulnerable to dictionary attack.
A second major benefit of EAP-TTLS is that it supports all major password protocols, including PAP, CHAP, MS-CHAP, MS-CHAP-V2, EAP-MD5Challenge, and EAP-TokenCard.
With EAP-TTLS, WLAN users can safely connect – without danger of cryptographic attack on password – using the connection credentials they’re accustomed to using. This lets you use consolidate the management of your wired and WLAN users, and allows WLAN users to connect using the credentials they’re accustomed to using, simplifying their access process.
Odyssey Server can authenticate WLAN users directly against Windows NT Domains or Windows 2000 Native Domains. It can also forward EAP-TTLS requests to other RADIUS servers, including Funk Software’s Steel-Belted Radius, for authentication of WLAN users against non-Windows databases such as token systems or SQL/LDAP.
A third major benefit of using EAP-TTLS is that it does not require the use of client certificates to provide strong credential security.
Both EAP-TTLS and EAP-TLS use TLS (Transport Layer Security, the successor to SSL) as the underlying strong cryptography. However, EAP-TTLS differs in that only the RADIUS servers, not the users, are required to have certificates. The user is authenticated to the network using ordinary password-based credentials, whose use is made proof against active and passive attack by enclosing it in the TLS security wrapper.
Users of EAP-TTLS are spared the administrative burden associated with setting up and maintaining a certificate infrastructure. Because EAP-TLS requires that each user have a certificate, organizations that deploy it can look forward to a substantial administrative burden in operating a certificate authority to distribute, revoke, and otherwise manage user certificates.
While EAP-TLS provides strong security and is appropriate for organizations which have already deployed a PKI infrastructure, EAP-TTLS provides equally strong security and requires little additional administration beyond what you’re already doing to administer your Windows users.
Additional Security Features
With EAP-TTLS, dynamic per-session keys are generated to encrypt the wireless connection and protect data privacy. Odyssey Server can be configured to re-authenticate and thus re-key at any interval; frequent re-keying thwarts known attacks against the encryption method used in wireless communications (WEP).
EAP-TTLS also provides strong mutual authentication of Client and Odyssey Server, preventing an intrusion onto the network by an unauthorized user, and ensuring that the client is connecting to the right server.
EAP-PEAP, EAP-TLS, and LEAP also provide these safeguards.
Odyssey can safely authenticate WLAN users directly against your existing Windows 2000 Native Domain or NT Domain authentication database, and includes full support for user and group designations.
And, for seamless integration into networks which aren’t exclusively Windows-based, Odyssey can also forward EAP-TTLS authentication requests to other RADIUS servers, including Funk Software’s Steel-Belted Radius, for safe authentication against non-Windows authentication schemes.
If you set up Odyssey to forward EAP-TTLS authentication requests to Steel-Belted Radius, you’ll be able to authenticate WLAN users against:
. Token systems (RSA Security’s ACE/Server SQL/LDAP databases)
· Solaris NIS, NIS+
· NT Domains/Windows 2000 Native Domains
· Any combination of the above
Designed for Compatibility
Odyssey is an end-to-end solution which provides unsurpassed security and ease of management when using EAP-TTLS. It was designed to be compatible in a wide variety of WLAN environments, and with other 802.1x solutions.
Odyssey supports the widest variety of WLAN network adapter cards and access points – including those from 3Com, Agere, Avaya, Cisco, Enterasys, Proxim, and Symbol – for ensured compatibility in your network environment.
Odyssey Server can manage connections from Microsoft (via EAP-PEAP or EAP-TLS) or Cisco (via EAP-PEAP or EAP-LEAP) 802.1x clients you may have already deployed.
Odyssey Client is compatible with Odyssey Server, Steel-Belted Radius, and other EAP-compatible RADIUS amd since it runs with equivalent security functionality and interface on more Windows platforms, it is an excellent complement to the XP-only Microsoft client.
Odyssey gives you the flexibility to easily migrate from one security methodology to another. Odyssey Server can easily support both LEAP and EAP-TTLS methods while you transition your WLAN clients to Odyssey/EAP-TTLS.
Easily Deploy Across the Enterprise
Odyssey Client incorporates numerous conveniences for end users, and many deployment tools for network managers. This powerful combination of features allows rapid adoption by the end user population, to significantly reduce support and training costs; and enables rapid deployment of a configured client across all the wireless devices in your organization.
Odyssey Server – a RADIUS server specially designed to manage WLAN access – reflects the simple set-up, reliable and high-performance operation, and multi-vendor compatibility that are the hallmarks of Steel-Belted Radius, our market-leading RADIUS/AAA server.
Odyssey Server writes a log file detailing all WLAN access activity, for easy reporting and diagnostics.