
Juniper Networks - How to configure Odyssey Client for secure EAP-PEAP authentic...

How to configure Odyssey Client for secure EAP-PEAP authentication


[KB10661]

SUMMARY:
How to configure Odyssey Client for secure EAP-PEAP authentication

SOLUTION:

Overview

You can configure Odyssey Client for secure password-based authentication using EAP-PEAP. You log in anonymously
while your credentials and other data are encrypted. You can use one of a number of inner RADIUS protocols with the
tunneled authentication.

Before you begin

In order to configure Odyssey Client for EAP-PEAP network authentication, you must verify the following information with
your network administrator:

- You must have a wireless adapter installed and enabled on your client machine.
- You must know the exact name (SSID) of the access point network to which your credentials are authenticated. If
  you do not know the exact name of the access point network, you must be in its vicinity at the time of configuration.
- You must know how the access point association and encryption are configured. It is typical for EAP-PEAP
  authentication that access points are configured in open association mode and for WEP encryption with dynamic key
  generation. The instructions below reflect this scenario. If this is not the case, you can modify the association and
  encryption choices in step 3g below. For example, your access point might be configured for WPA2 association with
  AES encryption.
- You must know the name of the appropriate CA-issued certificate to be used for EAP-PEAP authentication. (Note:
  CA = Certificate Authority)
- You must already have the appropriate CA-issued certificate installed on your client machine. See KB10484 for
  information on installing a CA-issued certificate on the client machine if you do not already have one installed.
- You must already know the name of the inner authentication method(s) your EAP-PEAP authentication server
  accepts. The inner authentication protocol is used to authenticate against the particular backend database in which
  the user's credentials are stored.

If you are configuring Odyssey Client for EAP-PEAP authentication using a machine account or prior to Windows logon
(GINA), then all certificates for trusted server validation must be installed in the local machine store (as opposed to the
current user store). Follow the instructions in procedure III of KB10484 for installing CA-issued certificates in the trusted
root store of the local machine. Follow the instructions in KB10483 for configuring a machine account. See KB10659 for
instructions for configuring prior to Windows logon connections.
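
A check for the store requirement above, as an added example that is not part of the original KB article: this PowerShell function reports whether a CA certificate is in the local machine trusted root store or visible only in the current user store. The function name and the subject pattern are assumptions made for illustration.

```powershell
# Added example (not from the KB article). Function name and the sample
# subject pattern are hypothetical; run on the Windows client machine.
function Test-PeapCaStore {
    [CmdletBinding()]
    param(
        # Wildcard matched against the certificate Subject field.
        [Parameter(Mandatory = $true)]
        [string] $SubjectPattern
    )

    $now     = Get-Date
    $machine = @(Get-ChildItem -Path Cert:\LocalMachine\Root |
                 Where-Object { $_.Subject -like $SubjectPattern })
    $user    = @(Get-ChildItem -Path Cert:\CurrentUser\Root |
                 Where-Object { $_.Subject -like $SubjectPattern })

    # The current-user view can also list machine-store certificates, so
    # de-duplicate by thumbprint and record where each one really lives.
    $machineThumbs = @($machine | ForEach-Object { $_.Thumbprint })
    $all = @(($machine + $user) | Sort-Object -Property Thumbprint -Unique)

    if ($all.Count -eq 0) {
        Write-Warning "No trusted root certificate matches '$SubjectPattern'."
        return
    }

    foreach ($cert in $all) {
        $inMachine = $machineThumbs -contains $cert.Thumbprint
        $inDate    = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
        [pscustomobject]@{
            Subject           = $cert.Subject
            Thumbprint        = $cert.Thumbprint
            NotAfter          = $cert.NotAfter
            WithinValidity    = $inDate
            InMachineStore    = $inMachine
            # Machine-account and pre-logon (GINA) connections cannot use a
            # certificate that exists only in the current user store.
            UsableBeforeLogon = $inMachine -and $inDate
        }
    }
}

# Constructed subject pattern; replace with your CA's name.
Test-PeapCaStore -SubjectPattern '*Example Corp Root CA*'
```

A row with InMachineStore set to False means the certificate was installed for the current user only and must be reinstalled in the local machine store before machine-account or pre-logon connections can validate the server.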

Configuring Odyssey Client

Follow these steps in order to configure Odyssey Client for secure EAP-PEAP authentication:

1. Add a wireless adapter:

   A. Select the Adapters panel in Odyssey Client Manager.
   B. Click Add. Add Adapter appears.
   C. Click the Wireless tab of Add Adapter, and select the adapter that you want to use for wireless authentication.
   D. Click OK. The wireless adapter appears on the Adapters panel.

2. Create a user profile to specify your desired authentication options:

   A. Select the Profiles panel in Odyssey Client Manager.
   B. Click Add. Add Profile appears.
   C. Create a name for the profile, and type it next to Profile name.
   D. On the User Info tab of Add Profile, enter the login name. If you are already on your enterprise network when
      you configure Odyssey Client, then Odyssey Client picks up your network login name by default.
   E. Permit login using password is checked by default on the Password subtab of the User Info tab of Add
      Profile. Keep this checked, and select a method for entering the password. If you select the default password
      connection option (Use Windows password), or if you type in a password to use (Use the following
      password), then you will have the least amount of interaction at connection time.
   F. Select the Authentication tab. Click Add in order to add EAP-PEAP to the list of authentication methods.
      Select EAP-PEAP on the list that appears, and click OK. Select the default authentication method (EAP-TTLS)
      from the list of authentication methods, and click Remove. Keep Validate Server Certificate checked in
      order to validate the server prior to sending the user's credentials to the RADIUS server.
      Note that when you check this option, you must configure a CA certificate for use with Odyssey Client (see
      step 4 below). Keep the default value anonymous in the Anonymous name field, unless your network
      requires some other anonymous login name.
   G. Select the PEAP Settings tab, and click Add to add an inner authentication protocol from the list (the default
      inner authentication protocol is EAP-MS-CHAP-V2, implementing Microsoft EAP-PEAP v0). You can remove
      any method from the list by selecting the method and clicking Remove. Note: It may be that your
      authentication server allows for EAP-GenericTokenCard as an inner authentication method for EAP-PEAP
      using a password instead of prompting for token information. This is the case if you are using Cisco
      EAP-PEAP v1. This is the default behavior for EAP-PEAP with EAP-GenericTokenCard as the inner
      authentication method. To change this option (and be prompted for token information), return to the
      Authentication tab and select Prompt for token information.
   H. Click OK to close Add Profile. The profile appears in the Profiles panel.

3. Add a network:

   A. Select the Networks panel in Odyssey Client Manager.
   B. Click Add. Add Network appears.
   C. Enter the name of the wireless network (SSID) to which Odyssey Client authenticates the user. If you do not
      know the name of the access point network, and you are in the vicinity of the network, click Scan. Available
      Networks appears, displaying the results of a scan for the wireless access points in your vicinity. Select the
      correct network, and click OK to close Available Networks.
   D. Do not check Connect to any available network.
   E. Optionally enter a description for the network. You might want to use this option when you connect to two
      networks of the same name, but with different configurations.
   F. Select Access Point (Infrastructure mode) for the Network type. This is the default value.
   G. Select the Association mode (Open) and then select the related Encryption option (WEP). The values you
      select depend on how your network access point is configured. See your network administrator to verify the
      correct access point association and encryption options.
   H. Check Authenticate using profile and select the profile that you created in the Profiles panel in step 2.
   I. Check Keys will be generated dynamically for data privacy. (Once you complete step 3h, this is checked by
      default.)
   J. Click OK. The network appears in the Networks panel.

4. Configure Odyssey Client with the trusted server certificate:

   A. Select the Trusted Servers panel in Odyssey Client Manager.
   B. Click Add. Add Trusted Server Entry appears.
   C. Check Trust any server with a valid certificate regardless of its name.
   D. Click Browse. Select Certificate appears.
   E. Select the Trusted Root Certificate Authorities tab, select the required CA certificate, and click OK. See
      your network administrator if you have any questions about which certificate to select.
   F. Click OK to close Add Trusted Server Entry. The trusted server entry appears in the Trusted Servers panel.

5. Connect to the wireless network:

   A. Select the Connection panel in Odyssey Client Manager.
   B. Select the adapter that you configured in step 1.
   C. Select the wireless network that you created in step 3.
   D. Check Connect to network.
   E. You can optionally check the status of the connection under Connection information on the Connection panel:
      - If the Status field appears as open and authenticated, then you have successfully authenticated to the
        wireless network using EAP-PEAP with the Odyssey Client.
      - If the Status field does not appear as open and authenticated, verify your Odyssey Client configuration. Also
        verify that your EAP-PEAP Odyssey Client configuration is correct for the configuration of your access
        point and RADIUS server.

You may elect not to add the trusted server (as in step 4) during the configuration of Odyssey Client. If you
complete all steps except step 4, then after you complete step 5d, Odyssey Client prompts you to validate your trust of the
RADIUS server prior to sending your credentials to the RADIUS server during the authentication process. When
prompted, check Add this trusted server to the database, and click Yes in order to continue with the EAP-PEAP
authentication. By checking Add this trusted server to the database, you configure Odyssey Client to trust this server for all
future authentication attempts.

PURPOSE:
Troubleshooting

Copyright 1999-2012 Juniper Networks, Inc. All rights reserved.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB10661

29-09-2013
