8/19/2019 Oac Td Ag47w

http://slidepdf.com/reader/full/oac-td-ag47w 1/98

 Juniper Networks, Inc.

1194 North Mathilda Avenue

Sunnyvale, CA 94089

USA

408-745-2000

www.juniper.net 

Part Number: OAC-TD-AG47W

Juniper Networks Odyssey Access Client

Administration Guide

Enterprise Edition

FIPS Edition

 Release 4.7 

October 2007 


Copyright© 2002-2007 Juniper Networks, Inc. All rights reserved. Printed in USA.

Odyssey, Juniper Networks, and the Juniper Networks logo are registered trademarks of Juniper Networks, Inc. in the United States and

other countries. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their

respective owners. All specifications are subject to change without notice.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org) and cryptographic software written by Eric Young ([email protected]).

Juniper Networks, Inc. assumes no responsibility for any inaccuracies in this document. Juniper Networks, Inc. reserves the right to change, modify, transfer, or otherwise revise this publication without notice.


Table of Contents

About This Guide   vii
    Audience   vii
    Conventions   viii
    Documentation   ix
        Release Notes and Product Documentation   ix
        Context-Sensitive Help   ix
    Contacting Customer Support   ix

Chapter 1 Administration Overview   1
    OAC Network Authentication Overview   1
    Planning an OAC Configuration   2
    Overview of Odyssey Access Client Administrator Tools   4
        Connection Settings   4
        Initial Settings   5
        Machine Accounts   5
        Permissions Editor   5
        Merge Rules   5
        Custom Installer   6
        Script Composer   6
        PAC Manager   6
    Opening the Odyssey Access Client Administrator Tools   6

Chapter 2 Configuring Network Connection Settings   7
    Connection Settings Tool   7
        About Network Connection Timing   8
            Machine-Level Connection Options   8
            User-Level Connection Options   8
    Configuring a User Account   9
        Using a Prior to Windows Login Connection   9
        Specifying Initial Settings for a Network Configuration   10
        Connecting After the Windows Desktop Appears   11
    Configuring a Machine Account   11
        Configuring Machine Account Connection Settings   12
        Configuring Machine-Only Connections   13
        Configuring Machine Connections that Switch to User Connections   13
    Configuring a Network Connection with GINA   14
        Using a Third-Party GINA Module and Odyssey GINA   15
        Installing the Odyssey GINA Module   15
        Removing the Odyssey GINA Module   15
        GINA Compatibility with Other Modules Running at Windows Login   15
        Using GINA with Smart Cards   16
            Configuration Notes   16

Chapter 3 Configuring Initial Settings   19
    Overview   19
    Configuring User Authentication with No Machine Connection   20
        Connecting Before Windows Login   21
        Connecting After Windows Login   21
    Using the Initial Settings Tool   21
        Managing Windows Login Settings   22
            Configuring Network Connection Timing   23
            Prior-to-Windows-Login Behavior and Smart Cards   24
        Caution on Overriding Default Windows Login Settings   25
        Configuring Prior to Windows Login Connections   25
        Options for Login Name Format   26
            Specifying a Custom Login Name Format   27
            Domain-Decorated or Undecorated Login Names   27
    Testing Configuration Settings   28
        Testing User Connection Settings   28
        Testing Machine Connection Settings   28
    Controlling Network Adapters and Other WiFi Supplicants   29

Chapter 4 Setting Up a Machine Account   31
    Overview   31
    Enabling a Machine Account Connection   32
        Machine Account Profile Options   33
            Setting Machine Account Password Credentials   33
            Setting Automatic Certificate Selection for EAP-TLS   33
            Trust Configuration Requirements for Machine Authentication   33
            Restrictions for Machine Account Settings   33
            Configuring a Machine Password   33
            EAP Methods that Support Machine Credentials   34

Chapter 5 Using the Permissions Editor   35
    Overview   35
    Option Categories in the Permissions Editor   35
        Authentication Protocols   36
        TTLS Inner Authentication Protocols   36
        TTLS Inner EAP Protocols   36
        PEAP Inner Authentication Protocols   36
        Profile Properties   36
        Options   36
        Network Properties   36
        Odyssey Control   37
        User Interface Settings   37
        User Interface—Hide Configuration Sections   37
        User Interface—Disable and Hide Configuration Sections   37
    Using Permissions Editor Settings   37

Chapter 6 Setting Merge Rules   41
    Overview   41
    How Merge Rules Apply to User Configurations   41
        Use Cases for Merge Rules   41
        Merge Rule Settings   42
    Using the Merge Rules Tool   43

Appendix A Glossary   71

Index   85


About This Guide

This guide describes how to use Odyssey Access Client Administrator tools to configure, update, and deploy Odyssey Access Client (OAC) to users for secure wired or wireless network access. There are two licensed editions of OAC for this release:

OAC Enterprise Edition (EE)

OAC FIPS Edition (FE)

Where there are differences in product features or options based on licenses or the type of network where OAC is deployed, this guide identifies those differences where they apply.

OAC can be deployed in a network that includes Juniper’s Unified Access Control security solution, where authenticated access to protected network resources is managed by an Infranet Controller. OAC can also be deployed in a traditional network where OAC negotiates directly with a AAA server for authenticated access. You can read this manual in PDF format on the Juniper Networks web site at:

http://www.juniper.net/techpubs/

Audience

This manual is for network administrators whose responsibilities include managing secure wired and wireless network access for corporate users. It is particularly directed to those administrators who are responsible for configuring and deploying OAC to users, for configuring EAP authentication protocols, and for configuring which OAC features users can view or configure.

OAC offers a broad range of configuration options and controls, both for administrators and for individual users. The administrator determines how much flexibility and control users should have, based on corporate security policies and on the configuration settings in Odyssey Access Client Administrator. All administrators who are responsible for managing OAC should be familiar with using OAC and with the Odyssey Access Client User Guide.

Some of the information in this document pertains to configuration tasks that relate specifically to the Juniper Unified Access Control security solution and to connecting to and using Infranet Controllers. If you use OAC on a network that includes Juniper’s Unified Access Control security solution, refer to the Unified Access Control Administration Guide, available on the Web at:

http://www.juniper.net/techpubs/


Conventions

Table 1 defines the notice icons used in this guide. Table 2 defines the text conventions used throughout the book.

Table 1: Notice Icons (icon images not reproduced)

Meaning              Description
Informational note   Indicates important features or instructions.
Caution              Indicates that you might risk losing data or damaging your hardware.
Warning              Alerts you to the risk of personal injury.

Table 2: Text Conventions (Except for Command Syntax)

Bold typeface
    Indicates buttons, field names, dialog box names, and other user interface elements.
    Example: Use the Scheduling and Appointment tabs to schedule a meeting.

Plain sans serif typeface
    Represents code, commands, and keywords; URLs, file names, and directories.
    Code example: certAttr.OU = 'Retail Products Group'
    URL example: Download the JRE application from: http://java.sun.com/j2se/

Italics
    Identifies terms defined in text, variable elements, and book names.
    Defined term: An Infranet Controller is a server that verifies your identity and your computer’s compliance with security requirements before you can access protected resources.
    Variable element: When adding a trust server, specify the server name as domain_name.com.
    Book name: See the Odyssey Access Client User Guide.


Documentation

Here is how to access copies of the product documentation and the latest information about the release.

Release Notes and Product Documentation

You can access the product release notes, the Odyssey Access Client Quick Start Guide, and the Odyssey Access Client User Guide on the Web at:

http://www.juniper.net/techpubs/

Release notes provide the latest information about features, changes, known problems, and resolved problems. If the information in the release notes differs from the information found in the documentation set, follow the release notes.

Context-Sensitive Help

Odyssey Access Client Administrator includes online help that you can access from your computer. To invoke the help system, select the Help > Help Topics menu command.

To access context-sensitive help for the Odyssey Access Client Administrator, press F1 on the keyboard. The resulting help provides information that is relevant to your current OAC context.

Contacting Customer Support

For technical support, contact Juniper Networks at [email protected] or at 1-888-314-JTAC (within the United States) or 408-745-9500 (from outside the United States).


Chapter 1

Administration Overview

This chapter is an overview of Odyssey Access Client Administrator, a suite of tools for configuring, updating, and deploying Odyssey Access Client (OAC) to users and for controlling which features users can access. To open the Odyssey Access Client Administrator, select Tools > Odyssey Access Client Administrator from the Odyssey Access Client Manager.

Also included is an overview of the components and processes required for secure network authentication and a summary of topics to consider when planning for configuring and deploying OAC to users.

OAC Network Authentication Overview

When OAC attempts a secure network connection, a series of negotiated transactions takes place before that connection is complete. Figure 1 summarizes the basic network components and transactions involved in such a connection.

Figure 1: Network Authentication Events (diagram not reproduced; it shows the Layer 2 path through an 802.1X switch or access point and the Layer 3 path to an Infranet Controller)


A user or a machine (computer) must be recognized and authenticated before gaining access to protected network resources. Such a connection requires a series of events to occur before a user completes the Windows login process. In an 802.1X network, this includes user or machine authentication using EAP (Extensible Authentication Protocol) methods. In a UAC network, both the user and the machine must be authenticated.

The basic events required for authenticated network access include:

Attempt an authenticated network connection. Depending on the corporate network infrastructure, the network connection can include a Layer 2 connection to an 802.1X switch or wireless access point or a Layer 3 connection to an Infranet Controller or to a switch that does not support 802.1X authentication.

For a wired OAC client, authentication occurs through authentication ports on an 802.1X switch (at Layer 2) to the authentication server. For a network switch that does not support 802.1X, the network connection occurs at Layer 3.

A wireless OAC client communicates with the authentication server through an 802.1X access point. The client and the authentication server perform a public-key (TLS) handshake, and the authentication server then sets up an encrypted tunnel inside which the actual user authentication is negotiated. The outer EAP identity and the TLS handshake itself are exchanged in the clear, so the tunnel protects the user's real credentials only if the client verifies the server's certificate against its trusted-server settings before sending them inside it.

Successful wired or wireless authentication gives the user access to a VLAN and the appropriate protected network resources.
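The 802.1X exchange summarized above, as an added example that is not part of this guide or of Juniper's software: a small Python decoder for EAPOL frames and the EAP packets they carry, run over a constructed supplicant/authenticator exchange (EAPOL-Start, Identity request and response, EAP-TTLS start, Success; the TLS handshake records that would sit between the TTLS start and the Success are omitted). Header layouts follow IEEE 802.1X and RFC 3748; the outer identity anonymous@example.com and all frame contents are constructed. It shows concretely which fields are visible on the wire before the tunnel exists.

```python
"""Decode IEEE 802.1X EAPOL frames and the EAP packets inside them.

Added example for this guide, not Juniper/OAC code. Header layouts follow
IEEE 802.1X (EAPOL) and RFC 3748 (EAP); all frames below are constructed.
"""
import struct
from typing import Optional

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# IANA EAP method type numbers for the outer methods this guide discusses.
EAP_METHODS = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 43: "EAP-FAST"}


def parse_eap(pkt: bytes) -> dict:
    """Parse one EAP packet: code, identifier, length, then type + data for Request/Response."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP length field inconsistent with packet")
    eap = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident}
    if code in (1, 2):  # Request and Response carry a method type byte
        if length < 5:
            raise ValueError("EAP Request/Response without a type byte")
        mtype = pkt[4]
        eap["method"] = EAP_METHODS.get(mtype, f"type {mtype}")
        eap["data"] = pkt[5:length]
    return eap


def parse_eapol(frame: bytes) -> dict:
    """Parse one EAPOL PDU (what follows Ethertype 0x888E): version, type, body length, body."""
    if len(frame) < 4:
        raise ValueError("EAPOL header truncated")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPOL body shorter than declared length")
    pdu = {"version": version, "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype == 0:
        pdu["eap"] = parse_eap(body)
    return pdu


def eapol(ptype: int, body: bytes = b"") -> bytes:
    """Build an EAPOL PDU (protocol version 1)."""
    return struct.pack("!BBH", 1, ptype, len(body)) + body


def eap(code: int, ident: int, mtype: Optional[int] = None, data: bytes = b"") -> bytes:
    """Build an EAP packet; Success/Failure carry no type byte."""
    payload = b"" if mtype is None else bytes([mtype]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


# Constructed exchange between a supplicant (OAC) and an 802.1X authenticator.
# With TTLS or PEAP the Identity Response carries only the *outer* identity;
# the real username goes inside the TLS tunnel negotiated after the TTLS Start.
# The TLS handshake records that follow the Start are omitted here.
EXCHANGE = [
    ("supplicant", eapol(1)),                                          # EAPOL-Start
    ("authenticator", eapol(0, eap(1, 1, 1))),                         # Request/Identity
    ("supplicant", eapol(0, eap(2, 1, 1, b"anonymous@example.com"))),  # Response/Identity, in the clear
    ("authenticator", eapol(0, eap(1, 2, 21, b"\x20"))),               # Request/EAP-TTLS, S (start) flag
    ("authenticator", eapol(0, eap(3, 2))),                            # Success
]


def summarize(exchange) -> list:
    """Return one readable line per frame, as a sniffer on the link would see it."""
    lines = []
    for sender, frame in exchange:
        pdu = parse_eapol(frame)
        if "eap" in pdu:
            e = pdu["eap"]
            desc = f"EAP {e['code']} id={e['id']}"
            if "method" in e:
                desc += f" {e['method']}"
                if e["method"] == "Identity" and e["data"]:
                    desc += f" {e['data'].decode('ascii', 'replace')!r}"
        else:
            desc = pdu["type"]
        lines.append(f"{sender}: {desc}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(EXCHANGE)))
```

Running the block prints the five frames; the Identity Response line is the one an attacker on the same segment can read, which is why OAC's anonymous outer identity and its trusted-server check matter.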

Planning an OAC Configuration

Consider the following questions when you plan an OAC configuration:

Which outer EAP authentication protocols do you need? In a UAC network, you can use either TTLS or PEAP. In a traditional network, check your corporate security policy or ask your CIO about which protocols are supported.

If you use TTLS or PEAP, which inner authentication protocols do you need? In a UAC network, you must use JUAC.

Which encryption method(s) apply? The encryption methods available to you depend on the access points deployed on your network and on the association mode you select (WEP, WPA, or WPA2; WEP is cryptographically broken, so prefer WPA2 wherever the access points support it). If you are using the OAC FIPS Edition (FE), there are specific constraints on encryption methods, based on whether FIPS Mode is selected. Contact your network security officer if you are unsure about which methods your network supports.

Should you allow users to access and update network auto-scan lists? Auto-scan lists might expose users to man-in-the-middle attacks or to rogue access points set up to attract wireless connections: a client that will join any network on its list can be drawn to an attacker's access point that advertises one of those names. Consider using preemptive networks as part of your wireless network configuration.


For wireless networks, what are the SSIDs for your wireless access points, and should you broadcast them? The SSIDs that you use to configure wireless networks must match those of the wireless access points on your network. Without the SSID, OAC can detect a wireless network but cannot connect to it.

Does wireless suppression make sense for your users? Wireless suppression disables wireless connections as long as the client has a wired network connection. A wired connection usually provides greater network bandwidth and preserves the wireless network bandwidth for users who need a wireless connection.

Should you allow users to access ad hoc networks? While access to ad hoc networks might be useful for some users, it can present an added security risk to a corporate network.

Should you allow users to modify any of the configuration settings after you deploy them? The degree of flexibility that you allow users reflects your corporate security policy and the technical sophistication of your users. You can set up OAC with as many or as few options for users as you like. One benefit of this flexibility is that you can provide a simpler set of controls and options for the many users whom you do not want to change configuration settings. The administrative tools allow you to hide, disable, and lock configuration settings.

Should you allow users to add, remove, or modify trusted servers and certificates? You can prevent users from modifying trust configuration settings by turning off access to trust settings so that they do not appear in Odyssey Access Client Manager.

If your network includes Infranet Controllers, what network profile configuration settings apply? Should these settings be locked so that users cannot change them? Each Infranet Controller requires a separate profile.

Should you allow Fast User Switching for Vista users? Fast User Switching is enabled for Windows Vista and is not disabled by default for domain users as it is for Windows 2000 and Windows XP.

This means that all concurrent user sessions on a given Windows Vista system can access the current desktop connections to networks and Infranet Controllers. Thus, if one user has a current network connection, other users logged in on the same machine can access the same network connections. This can be a security risk: a background process running in one user session can piggyback onto the network access granted to another session and reach resources to which that user should not have access rights. You might want to disable Fast User Switching for Windows Vista users.

If you want to restrict and simplify the OAC configuration for most of your users, what configuration is best? Which optional settings should you hide, and which ones should you disable so that they cannot be accessed?

Should you allow access to other wireless supplicant programs, or do you prefer to enforce the use of OAC? You can configure OAC to manage all network adapters and prevent users from exiting OAC, thus preventing them from using other WiFi supplicant programs.


Connect to the network before Windows login. This connection type requires that you install GINA and requires user login credentials. See “Using a Prior to Windows Login Connection” on page 9 and “Installing the Odyssey GINA Module” on page 15.

Connect to the network at the machine hardware level (not at the user level) at Windows startup time. See “Configuring a Machine Account” on page 11.

Install and use GINA. See “Configuring a Network Connection with GINA” on page 14.

Initial Settings

Use this tool to perform one or more of the following tasks:

Preconfigure OAC for groups of users (basic users, advanced users, or specific departments). See “Using the Initial Settings Tool” on page 21.

Set up the networks and authentication profiles for users before deploying OAC.

Create and test preconfigured settings before creating a new custom installer or an update file. See “Using the Custom Installer” on page 59.

Manage SIM cards and SIM card PIN settings. Refer to Chapter 4 in the Odyssey Access Client User Guide for details.

Machine Accounts

Use this tool to configure an authenticated network connection for the physical machine rather than for a user. Machine accounts provide a persistent network connection when no user is logged in. See “Configuring a Machine Account” on page 11.

Permissions Editor

Use this tool to apply customized feature-by-feature restrictions on users’ ability to use or modify specific OAC features in the configuration. This tool lets you disable settings that you do not want users to change and, in some cases, hide rather than disable features that users can choose to turn on from a View menu on the tool bar.

Merge Rules

Use this tool to specify the rules for creating a settings update file or a new custom installer file. Merge rules determine how configuration items are added to existing user configurations. You can assign rules that modify current configurations or that prevent users from editing the configurations. You can also use this tool to lock profiles, networks, auto-scan lists, Infranet Controllers, and other settings so that users cannot modify them.


Custom Installer 

Use this tool to create a preconfigured installer (.msi) file or a settings update file from the initial user or machine settings that you have configured with Odyssey Access Client Administrator tools. Use custom installer files for upgrades and new user installations. Once you have the .msi file, you can deploy the OAC configuration to users with a variety of mass-distribution deployment tools.

You can also use Custom Installer to merge updated configuration settings with existing machine account (only) settings.

Script Composer

Use this tool to create configuration scripts to update OAC configurations that add new settings, replace existing settings, or remove settings.

PAC Manager

Use this tool to manage (view or delete) Protected Access Credentials (PACs) for EAP-FAST.

Opening the Odyssey Access Client Administrator Tools

The Odyssey Access Client Administrator tools appear as individual icons in the Odyssey Access Client Administrator management interface.

To use the Odyssey Access Client Administrator, select Tools > Odyssey Access Client Administrator from the Odyssey Access Client Manager. You can also double-click the odClientAdministrator.exe application in the directory where OAC is installed.


Chapter 2

Configuring Network Connection Settings

Use the Connection Settings tool to configure options that control the type and timing of OAC network connections.

By default, OAC connects to a network after the Windows desktop appears. However, in some cases you might need to establish an authenticated connection earlier. For example, it might be necessary to enable domain authentication before a user logs in or to execute scripts at specific times during the startup process.

There are three categories of configuration options for this tool:

Configure the timing for when authentication to the network occurs. You can configure network connection timing settings to take place at various points: before, during, or after the Windows login process.

Choose whether to connect to the network at the machine level or at the user level. At the machine level, the network connection uses the credentials of either a user or of a physical computer. A machine connection persists as long as the machine (computer) is running Windows.

At the user level, the network connection requires a user’s login credentials and persists as long as the user is logged in.

Use the Odyssey Graphical Identification and Authentication (GINA) module to connect to the network before Windows login. See “Configuring a Network Connection with GINA” on page 14.

Connection Settings Tool

To open the Connection Settings tool, double-click Connection Settings in Odyssey Access Client Administrator.

The Connection Settings tab categories are:

User Account—Use these settings to configure the default timing of user network connections.

Machine Account—Use these settings to configure a machine-level network connection at Windows startup time using machine credentials.


GINA—GINA is the OAC Graphical Identification and Authentication module, a replaceable DLL (dynamic link library). GINA runs before the Windows login process to gather user credentials and is instrumental in enabling a network connection to occur before Windows login. Use GINA to connect to the network before Windows login. Various vendors have their own versions of GINA. The Odyssey GINA module is designed to interact with OAC and is compatible with GINA modules from other vendors. Because whatever GINA module is registered on a machine runs in Winlogon before any user is logged in and handles the credentials that users type, treat the installed module as trusted code: control where it is installed from, and verify on deployed machines that no other module has been substituted for it.
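One check that follows from this, as an added example that is not part of this guide or of OAC: on the Windows 2000/XP-generation systems where GINA applies, Winlogon loads the DLL named in the GinaDLL value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (when the value is absent, the built-in msgina.dll). The Python below audits that value from `reg query` output collected on several hosts against an allowlist. The sample output is constructed, and the Odyssey module file name odgina.dll is an assumption (the guide does not give it); substitute whatever your OAC installer actually registers.

```python
r"""Audit the Winlogon GinaDLL value across hosts from `reg query` output.

Added example, not part of this guide or of OAC. Collect on each host:
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL
and feed the text to audit(). Sample outputs below are constructed; the
module name odgina.dll is an ASSUMPTION, not a name taken from the guide.
"""
import re
from typing import Dict, List, Optional, Tuple

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Assumed allowlist: the built-in GINA plus the file your OAC installer registers.
ALLOWED = {"msgina.dll", "odgina.dll"}
SYSTEM_DIR = r"c:\windows\system32"

# Matches the value line reg query prints, e.g. "    GinaDLL    REG_SZ    odgina.dll"
VALUE_RE = re.compile(r"^\s*GinaDLL\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$", re.IGNORECASE)


def gina_from_reg_query(output: str) -> Optional[str]:
    """Return the GinaDLL string from reg query output, or None if the value is not set."""
    for line in output.splitlines():
        m = VALUE_RE.match(line)
        if m:
            return m.group(1)
    return None


def audit(host: str, output: str) -> Tuple[str, str]:
    """Classify one host: default, ok, unexpected module, or allowed name from an odd path."""
    value = gina_from_reg_query(output)
    if value is None:
        return host, "default (msgina.dll)"   # no value: Winlogon uses the built-in GINA
    name = value.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name not in ALLOWED:
        return host, f"UNEXPECTED {value}"
    # A bare file name is what installers normally write; a full path that points
    # outside the system directory deserves a look even when the name is allowed.
    if "\\" in value and not value.lower().startswith(SYSTEM_DIR):
        return host, f"SUSPICIOUS PATH {value}"
    return host, f"ok {value}"


# Constructed reg query output from four hosts (\r\n line endings as reg.exe prints them).
SAMPLES: Dict[str, str] = {
    "ws-101": f"{WINLOGON_KEY}\r\n    GinaDLL    REG_SZ    odgina.dll\r\n",
    "ws-102": "ERROR: The system was unable to find the specified registry key or value.\r\n",
    "ws-103": f"{WINLOGON_KEY}\r\n    GinaDLL    REG_SZ    C:\\Users\\Public\\odgina.dll\r\n",
    "ws-104": f"{WINLOGON_KEY}\r\n    GinaDLL    REG_SZ    helper.dll\r\n",
}


def run_audit(samples: Dict[str, str] = SAMPLES) -> List[Tuple[str, str]]:
    """Audit every host in the sample set and return (host, verdict) pairs."""
    return [audit(host, output) for host, output in samples.items()]


if __name__ == "__main__":
    for host, verdict in run_audit():
        print(f"{host}: {verdict}")
```

The two findings worth acting on are the allowed name loaded from a user-writable path (ws-103) and the unknown module (ws-104); a host with no value at all is simply running the built-in GINA and has not had the Odyssey module installed.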

 About Network Connection Timing 

You can control when network connections occur based on events such as Windows startup and authentication. Connection timings can apply at either the machine connection level or the user login level and are mutually exclusive. The settings described in this section show the options available for configuring when to connect.

Machine-Level Connection Options

A machine connection to the network can use either the physical computer’s login credentials or the user’s.

The following configuration options are available for a machine connection:

A machine-level connection to the network occurs when Windows starts up. With this connection type, the machine remains accessible over the network even if the user is not logged in, as long as the machine is still running. This option is useful for deploying update scripts and backups whether or not the user is logged in.

A machine-level connection to the network occurs at Windows startup time and switches to a user-level connection and authentication immediately before the user logs in to Windows.

A machine-level connection to the network occurs at Windows startup time and switches to a user-level connection and authentication after the user logs in to Windows but before the desktop appears.

A machine-level connection to the network occurs at Windows startup time and switches to a user-level connection and authentication after the desktop appears.

User-Level Connection Options

A user-level connection to the network occurs based on user credentials immediately before the user logs in to Windows.

A user-level connection to the network occurs based on user credentials after the user logs in to Windows but before the desktop appears.

A user-level connection to the network occurs based on user credentials after the Windows desktop appears.

Note that some of these configurations are enabled or disabled based on other features that you select.


Specifying Initial Settings for a Network Configuration

If your network configuration requires a profile that specifies a password-based authentication method, select Use Windows password on the Password subtab of the User Info tab in the Profile Properties dialog.

If your network configuration requires a profile that specifies EAP-TLS or any other certificate-based authentication method, select Use the login certificate from my smart card reader on the Certificate subtab of the User Info tab in the Profile Properties dialog.

The available options are:

Use alternate settings on failure—Provide an alternate wired 802.1X adapter and profile (or wireless adapter network) for connections that take place before Windows login. The alternate configuration applies if a connection attempt using the displayed adapter/network pair fails.

A practical use of this option is to provide an alternate 802.1X wired adapter (and profile) for connections that occur before Windows login.

Configure the alternative adapter and profile in the Initial Settings tool before you configure alternate settings for this option.

After selecting this option:

a. Select Use alternate settings on failure.

b. Select Edit Alternate Settings.

c. Select the alternative adapter and profile.

Prompt to connect—Require a prompt screen to appear before the network connection at login time based on one of the following choices:

Never—Select this option if you do not want your users to be prompted to connect, even if the connection attempt fails.

On connection failure—Select this option if you want your users to be prompted only when a connection attempt fails.

Prior to connecting to the network—Select this option if you want your users to be prompted each time they log on to Windows.

Wait until the user’s desktop appears before using Odyssey Access Client to connect to the network—Override the prior to Windows login connection setting when users can connect with a network adapter.

Select Any wired adapter. When you do so, OAC connects after the desktop appears.


Connecting After the Windows Desktop Appears

There are two choices for the conditions under which the connection takes place after the Windows desktop appears:

Defer the connection whenever users of this machine are connected to your network through a wired adapter. Do this by selecting Any wired adapter is already connected. This option applies even if the wired adapter is not connected to an 802.1X hub or switch.

Defer the connection whenever users are connected to your network through one or more specified adapters. Do this by selecting One of the following adapters. This option is valid for any adapter listed.

To edit the list of adapters:

a. Select Edit. The Select Adapters dialog appears.

b. Select any adapters that you want used for network connections that occur after the desktop appears.

c. Select OK to close the Select Adapters dialog.

The selected adapters appear in the list next to the Edit button on the User Account tab of the Connection Settings tool.

Configuring a Machine Account

The purpose of a machine account is to connect and authenticate a physical machine (the computer), rather than a user, to the network. This process includes having an IP address assigned to the machine (a Layer 2 network connection). The network connection and IP address assignment occurs before the user logs in. This is useful for setting up domain-level resources and drive mappings before a user connects.

User authentication is different from authenticating a machine because different credentials are required to connect to the network. While the physical machine might have network access, a separate process is needed for a user to log on and be authenticated. Thus, a machine account and a user account are mutually exclusive.

To connect to the network at machine startup time with machine (rather than user) credentials, select Enable network connection using machine account from the Machine Account tab on the Connection Settings tool.

When you configure machine account connections, you must also configure authentication profile options (such as the credentials and network to use) for machine account connections. (See “Machine Account Profile Options” on page 33.) Once you select Enable network connection using machine account, select one of the following mutually exclusive options:


Leave the machine connection active; users are connected via the machine connection—Maintains the machine-level network connection after a user logs in. This option gives users less control of their network connections but they still have access to the network resources. They can view status information and reconnect to the network but cannot change the existing OAC configuration.

A use case for this option is an environment where multiple users perform similar tasks, such as in a travel agency, and use any available computer in the office to do work. The machine must be authenticated but the users do not.

Drop the machine connection; users must connect with their own credentials—Drops the machine connection and automatically establishes a network connection based on the user’s Windows credentials when the user logs in. With this connection type, users have less restricted network access than when the machine connection is still active. Once authenticated, users can modify or view connection settings using the Odyssey Access Client Manager.

A use case for this option is that the endpoint machine must be connected even when no one is logged in. The machine connection is used to support remote administrative tasks or system service scripts that run during off hours. A user who needs network access from that machine must provide his or her own credentials.

When the user logs off, the connection reverts to a machine account.

If you select this option, set the timing for the user connection under the User Account tab.

Select one of the following timing options:

After the user’s desktop appears

After Windows login, before the desktop appears

Prior to Windows Login, use the following settings

Configuring Machine Account Connection Settings

To configure your connection settings based on your selections:

1. Open the Connection Settings tool.

2. Select a machine network connection option from the Machine Account tab.

3. Configure the network connection settings for machine connections in the Machine Account tool.

4. To let users connect with their own credentials after the machine connection is established, open the Initial Settings tool to configure new user account settings.


Configuring Machine-Only Connections

To identify a client machine on the network without relying on user credentials, you can connect all client machines to the network using machine authentication. This can be useful if you have any machine-related startup processes. You can use this feature to maintain network connections for the client machine even when users are logged off. In this way, the machine is always connected to the network, even if no user is logged in, as long as the machine is on and Windows is running. This is useful for running scripts at off hours and for remote administrative tasks.

To configure a machine-only connection, follow these steps:

1. Open the Connection Settings tool.

2. On the Machine Account tab of Connection Settings, select Enable network connection using machine account.

3. Select leave the machine connection active.

4. Select OK.

5. Open the Machine Account tool. The Machine Account dialog appears. Use the dialog settings that are required for setting up your machine network connection, including Networks, Adapters, and Profiles, and close the Machine Account tool. See “Configuring a Machine Password” on page 33 for details about specifying machine account profiles.

Configuring Machine Connections that Switch to User Connections

You can connect all client machines to the network using machine credentials and then require user authentication when the user logs in. This option lets you perform network tasks at Windows startup, before users log in, and then switch to an authenticated user-level network connection when the user logs in. This means that you can run maintenance scripts and backups at night or during hours when users are typically not in the office.

To configure a machine connection that can switch to a user connection:

1. Open the Connection Settings tool in the Odyssey Access Client Administrator.

2. On the Machine Account tab of Connection Settings, select Enable network connection using machine account.

3. Select drop the machine connection.

4. Select one of the available user authentication timing options under the User Account tab of Connection Settings and select OK.

Select either authenticate at the desktop or authenticate after login but before the desktop.


5. Open the Machine Account tool. The Machine Account dialog appears. Use the dialog settings to configure your machine network connection. This includes the Networks dialog, the Trusted Servers dialog, the Adapters dialog, and the Profiles dialog. See “Configuring a Machine Password” on page 33 for details about specifying machine account profiles.

6. Close the Machine Account tool.

7. Open the Initial Settings tool. The Initial Settings tool dialog appears. Use the dialog settings needed to configure your user network connection. This includes the Networks dialog, the Trusted Servers dialog, the Adapters dialog, and the Profiles dialog.

8. Lock any configuration features that require locking using the Merge Rules tool.

9. Close the Initial Settings tool when you are done.

Configuring a Network Connection with GINA

GINA is the OAC Graphical Identification and Authentication module. GINA is a replaceable DLL (dynamic link library) that runs before the Windows login process completes. As soon as a user enters Windows login credentials, GINA captures and uses them to authenticate the user before the login process and the network connection are complete. In this way, users are authenticated on the network before they have a connection.

GINA is instrumental in enabling a network connection to occur before Windows login. It captures user login credentials from the Windows login dialog and delays the actual Windows login to enable other setup processes and scripts to run first.

Connecting before Windows login can be helpful when users have startup processes that require network connections. This is also a useful tool if your company uses Active Directory as a user database.

Odyssey GINA is an advanced configuration tool intended for administrators who are familiar with the Windows GINA module and who understand how to use it. The Odyssey GINA module preempts Windows GINA and is intended for use with OAC connection and authentication only.

NOTE: You must install the Odyssey GINA module to be able to use this type of network connection.

NOTE: On Windows Vista systems, the capabilities described here for GINA are provided by Credential Providers. For this release the OAC GINA screens are identical on both platforms; that is, the dialog boxes refer to the Credential Provider tool as GINA.

There is a separate login tile (icon) for GINA accounts on Vista machines. The tile shows the OAC icon.


Using a Third-Party GINA Module and Odyssey GINA

To use a third-party GINA module in addition to the Odyssey GINA module, install the Odyssey GINA module after you install the third-party GINA module.

If you install the Odyssey GINA module before installing a third-party GINA module:

1. Remove the Odyssey GINA module using the directions in “Removing the Odyssey GINA Module” on page 15.

2. Install the third-party GINA module.

3. Install the Odyssey GINA module using the instructions in “Installing the Odyssey GINA Module” on page 15.

4. Reboot your computer. The GINA module installation is not complete until you reboot the machine.

Installing the Odyssey GINA Module

To install the GINA module, enable the Install Odyssey GINA module button in the GINA tab of the Connection Settings tool. Once GINA is installed, you can configure prior to Windows login connection settings under the User Account tab of the Connection Settings tool.

Removing the Odyssey GINA Module

To remove the Odyssey GINA module, select the Remove Odyssey GINA module button from the GINA tab of the Connection Settings tool.

The GINA module removal is not complete until you reboot the machine.

GINA Compatibility with Other Modules Running at Windows Login

The Odyssey GINA module works by running before the Windows GINA module that presents the Windows Login dialog.

Note the following about the interaction between OAC and other login modules:

You might be prompted for credentials by OAC for some applications that replace the Microsoft Windows login screen.

OAC is compatible with a number of login modules, preserving single sign-on behavior.

In the case of Novell Client for Windows, OAC uses your Novell credentials at login time without prompting for credential information.
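Because a GINA install or removal only takes effect after a reboot and a replacement GINA chains ahead of whatever was registered before it, an administrator usually wants to see which login module Winlogon will actually load. The following PowerShell function is an added example, not code from the Juniper guide or from the OAC product; it reads the standard Winlogon GinaDLL value (XP/2003) and the Credential Providers registration (Vista and later). The registry locations are the documented Windows ones; the vendor name pattern 'odyssey' is an assumption and should be set to the DLL or provider name that is actually deployed.

```powershell
# Added example, not code from the Juniper guide or the OAC product.
# Reports which login module Winlogon will use: the GinaDLL value on XP/2003,
# and the registered Credential Providers on Vista and later.
function Get-LogonModuleStatus {
    [CmdletBinding()]
    param(
        # Substring expected in the vendor GINA DLL path or provider name (assumption)
        [string]$VendorPattern = 'odyssey'
    )

    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    # On XP/2003 a missing GinaDLL value means the built-in msgina.dll is used.
    $ginaValue = (Get-ItemProperty -Path $winlogon -Name GinaDLL -ErrorAction SilentlyContinue).GinaDLL

    $ginaDll = 'msgina.dll (built-in default)'
    $ginaOnDisk = $null
    $vendorGina = $false
    if ($ginaValue) {
        $ginaDll = $ginaValue
        # Winlogon resolves a bare file name relative to System32.
        $dllPath = $ginaValue
        if (-not [System.IO.Path]::IsPathRooted($ginaValue)) {
            $dllPath = Join-Path $env:SystemRoot "System32\$ginaValue"
        }
        $ginaOnDisk = Test-Path -LiteralPath $dllPath
        $vendorGina = ($ginaValue -match $VendorPattern)
    }

    # Vista and later replaced GINA with Credential Providers registered by CLSID.
    $providers = @()
    $cpRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
    if (Test-Path $cpRoot) {
        foreach ($key in Get-ChildItem -Path $cpRoot) {
            $clsid = $key.PSChildName
            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            # The implementing DLL is recorded in the COM registration for the CLSID.
            $dll = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                        -ErrorAction SilentlyContinue).'(default)'
            $name = $props.'(default)'
            $providers += [pscustomobject]@{
                Clsid    = $clsid
                Name     = $name
                Dll      = $dll
                # A Disabled DWORD of 1 under the CLSID key switches the provider off.
                Disabled = ($props.Disabled -eq 1)
                Vendor   = ("$name $dll" -match $VendorPattern)
            }
        }
    }

    [pscustomobject]@{
        GinaDll              = $ginaDll
        GinaDllPresentOnDisk = $ginaOnDisk
        VendorGinaRegistered = $vendorGina
        CredentialProviders  = $providers
    }
}

# Usage: run from an elevated prompt before and after the reboot that follows
# an install or removal, and compare the two results.
Get-LogonModuleStatus | Format-List
```

A registered vendor GINA whose DLL is missing on disk, or a vendor Credential Provider with Disabled set, explains the common "settings look right but the pre-login connection never happens" report: the module is referenced but not loadable, and the reboot requirement from the steps above has not yet been met.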


You can configure all of the machine account network settings in the Machine Accounts tool. The restricted options are disabled for you in the Machine Account tool.

The password, token, and PIN prompt restrictions apply to the listed protocols whenever they are in use (either as inner or outer authentication protocols).

You can configure a prior to Windows login machine authentication that includes both EAP-TLS with smart card certificates and a password-based protocol such as EAP-TTLS. In this case, the authentication method depends on whether the user chooses to use a smart card or a Windows password to log on. The login prompts with both options and the user must select one.

If the user logs in with a Windows password, a password-based protocol such as TTLS is negotiated according to the protocol ordering on the Authentication tab of the Profile Properties dialog. See “Using GINA with Smart Cards” on page 16 for information about smart card multi-protocol configuration details.


Chapter 3

Configuring Initial Settings

The Initial Settings tool lets you preconfigure OAC and deploy a configuration to one or more users. For example, you can deploy a simple and restricted configuration to basic users and a separate configuration with fewer restrictions to more advanced users.

When a user launches OAC the first time, the Odyssey Access Client Manager opens with the predefined settings. You can specify initial settings for any or all Odyssey Access Client Manager configuration options. When you preconfigure OAC, use a dedicated computer or a lab machine to set up the configuration settings. You will save these settings later to an .msi installation file using the Custom Installer tool.

The machine you use to create the initial configuration must be the same machine that you use to deploy it because you are pushing out the configuration image (settings) using that copy of OAC.

You can also use the Initial Settings tool to define the network connections part of a configuration image for a custom installer or a settings update file. The Permissions Editor tool and the Merge Rules tool might also factor into either of these types of configuration.

The settings you choose in the Initial Settings tool become the configuration settings for the rules that you apply in the Merge Rules tool. Similarly, the rules that you set in the Merge Rules tool apply to those user configurations deployed through custom installers for update files. See “Setting Merge Rules” on page 41 and “Using the Custom Installer” on page 59 for more information. You can use the Initial Settings tool to configure features before you apply any merge rules to them.

Overview

The Initial Settings tool looks very much like the Odyssey Access Client Manager. The side bar is identical in either view, so you can configure each of the settings for profile, networks, auto-scan lists, trusted servers, adapters, and Infranet Controllers the same way. There are some differences in the options, however.

The File menu in the Initial Settings tool does not include the Forget Password or Forget Temporary Trust options available in Odyssey Access Client Manager. These are local user options that do not apply for a configuration distributed to multiple users.


Connecting Before Windows Login

To have users connect to the network prior to Windows login time:

1. Select Install the Odyssey Access Client GINA Module, if it is not installed already.

2. Select Prior to Windows Login and select a wireless adapter and network (or a wired adapter and profile) that you have already configured.

3. Select OK.

You might use this option to run scripts before the login process completes.

Connecting After Windows Login

To require users to connect to the network after Windows login time, independent of whether you install the Odyssey GINA module:

1. Select one of the two available user authentication timing options under the User Account tab.

2. Select OK.

You can have the users authenticate to the network before or after the desktop appears.

Using the Initial Settings Tool

To open the Initial Settings tool, double-click Initial Settings in the Odyssey Access Client Administrator.

You configure the following configuration features in the Initial Settings tool sidebar in much the same way that you configure them in the Odyssey Access Client Manager. You can do this for a single user or for a group of users to which you deploy a common configuration image. You can create more than one configuration image if different groups of users require different settings or if you need to apply more restrictions to one group than for another.

Profiles—Preconfigure the authentication settings that correspond to a specific network that requires authenticated access.

Networks—Configure the default networks that are accessible for this user or for a configuration image to deploy to multiple users.

Auto-Scan Lists—Preconfigure and order the networks for an auto-scan list for this user or for a configuration image to deploy to multiple users. This might include configuring preemptive networks and enabling wireless suppression.

Trusted Servers—Preconfigure the trusted root CA or intermediate CA certificate in the local machine certificate store of the machine that you use for configuration. Then configure a trusted server for users in the Initial Settings tool.


Adapters—Preconfigure the wired or wireless adapters users can have. Users are not required to have exactly the same adapter you have (the names and models can differ), as long as you install a similar type (wired or wireless) of adapter on their machines.

Infranet Controllers—Preconfigure one or more Infranet Controllers.

Refer to the Odyssey Access Client User Guide for a discussion of how to configure and manage the categories of settings available in the sidebar.

When users run OAC for the first time, they see the settings that are preconfigured in the Initial Settings tool. You can also use the same configuration settings for:

A custom installer

A settings update file

Managing Windows Login Settings

Use the Tools > Windows Login Settings option to override the default setting for network connection timing. This option supports users whose configuration is based on a preconfigured GINA connection timing and provides the ability to override the default timing. A use case for this option is the need to connect to a network other than the default connection configured for OAC.

The Windows login options are:

Connect prior to logging on to Windows. This option allows users to access a domain controller and have full access to the network at login time. Without this option, users who have not logged in previously to a given machine cannot log on. This setting also allows login scripts to run.

Connect after logging on to Windows, but before your desktop appears. This option prevents users without cached credentials from logging on to a machine.

Connect after your desktop appears. This is the default option for OAC. This option gives a user access to the network after the Windows desktop starts.

Any of these options can be configured as your default network connection timing, depending on how your network administrator sets up OAC. Additionally, your network administrator might allow you to modify the timing of default network connection settings. In this case, you can override the default network connection settings.

NOTE: Before you create a custom installer or a settings update file, use the Merge Rules tool to specify how the Initial Settings tool configuration applies to updated or new user configurations.

NOTE: Changing your login timing may affect other startup processes. Check with your administrator before using this option.


For example, if users can log on to a domain with cached credentials and if the network connection is configured to occur prior to Windows login, users can change the connection timing to connect to the network after the desktop appears.

Configuring Network Connection Timing

To modify your network connection timing, select Tools > Windows Login Settings to open the Windows Login Settings dialog. Your network administrator might have disabled some of the Windows login features.

To modify the default timing for network connections through Odyssey Access Client, select from the following Windows login timing options (if they are available):

Select After my desktop appears to establish your network connection after all Windows startup, login, and desktop processes are completed. This is the latest possible time that you can make a network connection.

Select After Windows login, before the desktop appears to establish your network connection after your Windows startup and Windows login processes are completed but before your desktop processes take place.

Select Prior to Windows Login to establish your network connection prior to Windows login.

If you select Prior to Windows Login, then perform the following required tasks and options:

Select the adapter and network (or profile, in the case of a wired connection) from the lists provided. Note the following:

Associate a profile with any network that you configure. You can configure profiles in the Authentication tab in the Profile Properties dialog. OAC uses your Windows login credentials.

Select Validate server certificate on the Authentication tab in the Profile Properties dialog for the selected profile.

You cannot assign a profile that uses a stored password for this network connection.

If you configure the network to encrypt your data using WEP, select Keys will be generated automatically for data privacy on the Network Properties dialog for the selected network.

If you select the Use alternate settings on failure option, you can provide an alternate wired 802.1X adapter and profile (or wireless adapter) to use for connections that take place prior to Windows login when a connection attempt using the displayed adapter/network pair fails.

A practical use of this option is to provide an alternate 802.1X wired adapter and profile for connections that take place prior to Windows login. After selecting this option, enable Edit Alternate Settings to select the alternative adapter and profile. Configure the alternative adapter and profile before you configure alternate settings for this option.


Select one of the following prompt options for making the network connection at login time:

Select Never if you do not want to be prompted to connect, even if the connection attempt fails.

Select On connection failure if you want to be prompted only on connection failure. This can be useful if you experience network authentication problems, as it gives you the option to opt out of connecting to the network at login time.

Select Prior to connecting to the network if you want to be prompted every time that you connect.

If you select either of the prior to desktop connection timing options, you can defer the timing of such connections under certain circumstances. To do so, select Wait until my desktop appears before using Odyssey to connect to the network. You have two options that depend on the adapter type for a connection that takes place after the desktop appears:

To connect after the desktop appears when you are connected to your network through a wired adapter, select any wired adapter. You can use this option even if your wired adapter is not connected to an 802.1X hub or switch.

To connect after the desktop appears when you are connected to your network through one or more selected adapters, select one of the following adapters. This option applies to any adapter listed on the Windows Login Settings dialog.

To edit the list of adapters:

1. Click Edit to open the Adapters dialog.

2. Select any adapters that you want to use for a network connection that occurs after the desktop appears.

3. Click OK to close the Select Adapters dialog.

4. Click OK to close the Windows Login Settings dialog.

Prior-to-Windows-Login Behavior and Smart Cards

If you are connecting prior to Windows login with a profile that is configured for smart card certificate use with EAP-TLS, as well as one or more password-based authentication protocols, then Odyssey Access Client behaves differently if you log on with your smart card PIN:

If you log in to Windows with your smart card PIN, the smart card certificate is used with EAP-TLS throughout the session. None of the password-based protocols are negotiated.

If you log in to Windows with your password, the password-based protocols are negotiated based on their order in the profile and EAP-TLS is never negotiated.


Caution on Overriding Default Windows Login Settings

The Tools > Windows Login Settings menu in the Odyssey Access Client Manager gives users the option to override the default network connection timing. This is normally set up using the Connection Settings tool. The purpose of this setting is to accommodate users who have different connectivity requirements at login time. For example, an OAC configuration distributed to users might contain predefined networks for most corporate users. However, users in a remote location may need to connect to other networks and the requirements for login timing may differ. This option lets those users override the default login setting without needing administrative privileges. This option is not commonly used.

If default login settings are overridden and if you use the OAC GINA module, users can configure a network connection that takes place before Windows login. If you do not install the GINA module, users have only the two post-login connection options available to them. Users can override default network connection settings that you configure unless you have restricted them with the Permissions Editor.

Users cannot override trusted server configuration when OAC is set up to connect before Windows login. The only way to change the trust setting for a Windows login connection is to modify those settings in the Trusted Servers dialog of the Initial Settings tool.

Configuring Prior to Windows Login Connections

When you install OAC on Windows, you can enable automatic network connections that occur when the user logs in to Windows. This can be helpful when users have startup processes that require network connections. You can accomplish this using the OAC Windows login settings.

Note the following regarding any user account connections that you might configure to occur before Windows login:

You must associate a profile and an adapter for wired connections or associate a network or auto-scan list and an adapter for wireless connections with a Windows login configuration. When you configure a prior to Windows login network configuration, select items from the Network (or Profile) and Adapter lists on the User Account tab in the Connection Settings tool. The items in these lists reflect the adapters, networks, auto-scan lists, and profiles that you specify in the Initial Settings tool.

When you are setting up user defaults for your machine or for a new custom installer file, you do not need to associate a profile with any network that you configure in the Initial Settings tool.

If you select a profile for a network connection that occurs before Windows login and that uses EAP-TTLS, EAP-TLS, or EAP-PEAP, the server certificate is validated automatically during user authentication.

NOTE: Do not select Override default settings for Windows login in the Initial Settings tool unless you intend to let users override the network connection settings you configure in the GINA tab of the Connection Settings tool.


OAC uses a user’s default login name. If you specify a name, OAC uses the name you enter instead of the user’s default login name.

You cannot assign a profile that uses a stored password.

You must install a trusted root CA or intermediate CA in the local machine store in the Trusted Servers dialog of the Initial Settings tool. The trust relationship that you configure must include a certificate authority in the signing chain of the trusted server. If you have not already installed the certificate in the machine store on your machine, you must do so prior to configuring this trust.
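The requirement above (the CA must already be in the local machine store, because a pre-login connection runs before any user's certificate store exists) is easy to verify before touching the Trusted Servers dialog. The following PowerShell function is an added example, not code from the Juniper guide or from OAC: it looks in the machine-wide Root and CA stores for the CA you intend to trust and reports whether it is present, time-valid, and actually a CA certificate. The subject text 'Example Corp Root CA' in the usage line is a placeholder; substitute your own CA's subject or thumbprint.

```powershell
# Added example, not code from the Juniper guide or the OAC product.
# Checks that a CA certificate is present in the LocalMachine Root or CA store,
# which is what the trusted server configuration for pre-login connections relies on.
function Test-MachineStoreCA {
    [CmdletBinding()]
    param(
        # Substring of the CA certificate subject, e.g. 'Example Corp Root CA' (placeholder)
        [string]$SubjectPattern,
        # Alternatively, the SHA-1 thumbprint of the CA certificate
        [string]$Thumbprint
    )

    if (-not $SubjectPattern -and -not $Thumbprint) {
        throw 'Specify -SubjectPattern or -Thumbprint.'
    }

    # Root holds trusted root CAs, CA holds intermediates. Both are machine-wide
    # and therefore available before any user logs in, unlike Cert:\CurrentUser.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA'
    $now = Get-Date

    $found = foreach ($store in $stores) {
        foreach ($cert in Get-ChildItem -Path $store) {
            $hit = ($Thumbprint -and $cert.Thumbprint -eq $Thumbprint) -or
                   ($SubjectPattern -and $cert.Subject -like "*$SubjectPattern*")
            if (-not $hit) { continue }

            # Basic Constraints (OID 2.5.29.19) says whether this is really a CA cert;
            # an end-entity cert placed in the Root store will not validate a chain.
            $bc = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotBefore  = $cert.NotBefore
                NotAfter   = $cert.NotAfter
                # Present but expired or not yet valid still fails server validation.
                TimeValid  = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
                IsCA       = [bool]($bc -and $bc.CertificateAuthority)
            }
        }
    }

    if (-not $found) {
        Write-Warning 'No matching certificate in Cert:\LocalMachine\Root or Cert:\LocalMachine\CA. Import the CA certificate into the machine store before configuring the trusted server.'
    }
    $found
}

# Usage with a placeholder subject; run on the machine where Initial Settings is being prepared.
Test-MachineStoreCA -SubjectPattern 'Example Corp Root CA' | Format-Table -AutoSize
```

If the certificate only turns up under Cert:\CurrentUser, it was imported into the administrator's own store; re-import it into the machine store, because that is the only store the pre-login connection can consult.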

Options for Login Name Format 

From the Tools > Options Default Login Name tab, you can specify the defaultlogin for all new OAC users. The default login name option that you specify mightrequire user input if you specify a custom format. In that case, the user is promptedonce for the custom login name. See “Specifying a Custom Login Name Format” onpage 27.

The resulting user default login name, which can be viewed when the user selectsTools > Options Default Login Name from the Odyssey Access Client Manager,applies under the following circumstances:

The default login name appears automatically in the Login Name field of anynew Odyssey Access Client Manager authentication profile the user creates.

If you preconfigure authentication profiles for deployment to multiple users,you can leave the Login name field blank. When a user to whom you deploythe profile runs OAC, the Login name field will be populated with the individualuser’s Windows login name.

The default login name is populated automatically for profiles when a userimports an OAC script that includes a profile with a blank user name.

You can specify the login name format from the Options dialog. Refer to followingtopics:

“Specifying a Custom Login Name Format” on page 27—Use this to insert text that prompts the user with the correct login name format the first time they use OAC.

“Domain-Decorated or Undecorated Login Names” on page 27—Use this to specify the Windows login name format to use in all profiles.

NOTE: The OAC login feature might be incompatible with similar features in other products.

NOTE: You do not need the Merge Rules tool to lock the default login name that is used by a custom installer or settings update file. The default login name option that you specify in the Initial Settings tool is automatically used in any custom installer or settings update file.


Specifying a Custom Login Name Format

You can configure a prompt to show users the login name format to use the first time that they run OAC for user authentication. The login name that the user enters is populated automatically for the following profiles:

All new authentication profiles that the user creates.

Any authentication profiles that you configure with blank login names for distribution to your users through settings update files and custom installers.

For example, you could require users to use the following format for the login name:

UserName@Domain

To specify instructional text that prompts a new user for a login name when the new user logs in, follow these steps:

1. Select Tools > Options from the Initial Settings toolbar. The Options dialog appears. Select the Default Login Name tab.

2. Select Prompt for login name using the following prompt.

3. Enter the prompt text to instruct users how to enter the login name.

4. Select OK.

Domain-Decorated or Undecorated Login Names

To specify the default login name for all user profiles as the domain-decorated or undecorated Windows login name, follow these steps:

1. Select Tools > Options. The Options dialog appears. Select the Default Login Name tab.

2. Select one of the following Windows login name formats:

Decorated Windows login name, to use the default domain-decorated Windows login name format of Domain_name\Login_Name.

Undecorated Windows login name, to use the Windows login name without any domain name decoration.

3. Select OK.

NOTE: When you specify the login name prompt text, the Default Login Name tab appears on the Tools > Options Default Login Name menu of Odyssey Access Client Manager. This enables users to modify the default login name that appears in all profiles that they create.
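As an added illustration (example code written for this page, not part of the guide and not Juniper's implementation), the following Python models the login-name shapes this section uses: Domain_name\Login_Name, the undecorated login name, and the UserName@Domain custom format. It also generalizes to the @realm suffix that the machine-account chapter later appends to machine credentials for RADIUS proxying. The sample names are constructed, and the function names, the "upn" label and the regular expression are this example's own assumptions, not OAC settings.

```python
from __future__ import annotations

import re

# Constructed sample inputs (not from the guide): the two spellings under which
# Windows reports a domain user's login name.
DECORATED_SAMPLE = r"CORP\jdoe"        # Domain_name\Login_Name
UPN_SAMPLE = "jdoe@corp.example.com"   # user principal name


def parse_windows_login(name: str) -> tuple[str, str | None]:
    """Split a login name into (user, domain).

    Accepts DOMAIN\\user, user@domain or a bare user name (domain None) and
    rejects empty halves, so a typo such as "CORP\\" never becomes a login.
    """
    name = name.strip()
    if not name:
        raise ValueError("empty login name")
    if "\\" in name:
        domain, _, user = name.partition("\\")
    elif "@" in name:
        user, _, domain = name.rpartition("@")
    else:
        return name, None
    if not user or not domain:
        raise ValueError(f"malformed login name: {name!r}")
    return user, domain


def default_login_name(name: str, fmt: str) -> str:
    """Render the default login name the way the Default Login Name tab does.

    fmt is "decorated" (Domain_name\\Login_Name), "undecorated" (login name
    only) or "upn" (the UserName@Domain shape the guide uses as its custom
    prompt example; "upn" is this example's own label for it). A name that
    carries no domain cannot be decorated and is returned as the bare user.
    """
    user, domain = parse_windows_login(name)
    if fmt == "undecorated" or domain is None:
        return user
    if fmt == "decorated":
        return f"{domain}\\{user}"
    if fmt == "upn":
        return f"{user}@{domain}"
    raise ValueError(f"unknown format {fmt!r}")


# What a custom prompt reading "enter your login as UserName@Domain" asks for.
# The pattern is this example's own assumption; tighten it to your naming rules.
CUSTOM_FORMAT = re.compile(r"[A-Za-z0-9._-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def matches_custom_format(entered: str) -> bool:
    """Check what a user typed at the custom login-name prompt."""
    return CUSTOM_FORMAT.fullmatch(entered.strip()) is not None


def realm_decorate(identity: str, realm: str | None) -> str:
    """Append @realm as the Realm (optional) field does for machine credentials
    when the RADIUS server routes requests by realm; no realm, no change."""
    realm = (realm or "").strip().lstrip("@")
    return f"{identity}@{realm}" if realm else identity
```

The point of validating the custom prompt's input is that a login name in the wrong shape fails authentication at the RADIUS server, not at the client, so users see an opaque failure; checking the shape once at entry is cheaper than reading server logs later.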


Testing Configuration Settings

The following sections describe how to test the configuration for user or machine connections before you create a custom installer to deploy it.

Testing User Connection Settings

This option loads the configuration defined in Initial Settings into Odyssey Access Client Manager and attempts a network connection. If the connection fails, troubleshoot the failure like any other failed connection, based on error messages and the entries in the log file.

To test your user connection settings, follow these steps:

1. Open the Initial Settings tool.

2. Select Tools > Reload and test user defaults from the Initial Settings tool.

3. Select OK. This permanently deletes your current Odyssey Access Client Manager settings and loads your settings from the Initial Settings tool into the Odyssey Access Client Manager.

4. Test all the connections through the Connection dialog of Odyssey Access Client Manager. Any modifications that you make in the Odyssey Access Client Manager are not reflected in the Initial Settings tool.

5. Return to the Initial Settings tool to correct any connection problems and retest the connections as necessary.

Testing Machine Connection Settings

The network connections you want to test must be configured and set for connection in the Connection dialog of Machine Accounts. See the Odyssey Access Client User Guide and “Configuring User Authentication with No Machine Connection” on page 20 for configuration information.

To test machine connection settings:

1. Select the Machine Accounts tab in Connection Settings.

2. Select Leave the machine connection active.

3. Select OK.

4. Double-click the system tray icon to open the Odyssey Access Client Manager, and check the status of your connection(s).

5. Return to Machine Accounts to correct any connection problems and retest these connections, if necessary.

6. If you modified your connection settings, select the Machine Accounts tab in Connection Settings and restore the previous settings.


Controlling Network Adapters and Other WiFi Supplicants

You can control the degree of flexibility users have to manage network adapters or to use other WiFi supplicant programs. By default, users can add or remove network adapters from the OAC configuration and exit from OAC.

In many cases, it may be beneficial to allow users this type of flexibility. For example, users can use adapters with third-party wireless supplicants to access test networks.

However, this flexibility can also be used to defeat corporate network policies. Using a wireless access client other than OAC may allow users to bypass restrictions set in Odyssey Access Client Administrator. For example, in a locked-down configuration, users could use a WiFi adapter with another wireless supplicant program to access non-corporate networks using non-approved protocols, or use protocols that are disabled in OAC.

A user with a non-802.1X wired network card that is not managed by OAC could transmit unencrypted data.

You can manage this risk as follows:

You can prevent such scenarios by configuring OAC to automatically manage any wired or wireless adapter present on the user’s endpoint computer and then lock this setting in the Merge Rules tool before deploying OAC.

Use the Tools > Options > Interfaces options in the Initial Settings tool and configure OAC to automatically configure and bind to any wired or wireless network adapter on the machine. As long as OAC is running, it configures any network adapter attached to the user’s machine.

Use the Permissions Editor to prevent users from exiting OAC. The setting is Do not allow users to exit Odyssey.

OAC has a feature that allows external programs to disable the OAC service. You can use the Permissions Editor to prevent external programs from disabling OAC. The setting is Disable external Odyssey disable. You can also use the Merge Rules tool to lock settings and prevent users from changing them.


Chapter 4

Setting Up a Machine Account

Use a machine account configuration to authenticate a physical machine, rather than a user, to a network. This type of configuration uses either a statically defined user account or the machine credentials that were created when the machine was joined to an Active Directory domain. A statically defined user account is any valid set of login credentials, whether or not they exist in Active Directory.

A machine account connection is the earliest point at which OAC can connect to the network. It is useful for administrative tasks such as nightly backups or update processes that take place whether or not a user is logged in, and for Active Directory domain policy scripts that run during startup.

A machine (computer) has a name and password that are transmitted to the network before a user logs in. With a machine connection enabled, a network IP connection persists even if no user is logged in, as long as the machine is running.

Machine authentication and user authentication are not the same. However, you can configure a machine connection to transition to a user-level connection once the user logs in to the network and then resume a machine connection after the user logs out.

Overview

To open the Machine Account tool, double-click Machine Account in the Odyssey Access Client Administrator.

The Machine Account tool is similar to the Odyssey Access Client Manager. The sidebar is identical in either view, so you can configure each of the settings for profiles, networks, auto-scan lists, trusted servers, adapters, and Infranet Controllers the same way. There are some differences in the options, however.

The File menu in the Machine Account tool does not include the Forget Password or Forget Temporary Trust options available in Odyssey Access Client Manager. These are local user options that do not apply to a broad-based configuration.


The Tools menu in the Machine Account tool has fewer options than the Odyssey Access Client Manager Tools menu.

The Options dialog in the Machine Account tool has only three tabs:

Security

Interfaces

Preemptive Networks

The options in each of these categories are the same as for Odyssey Access Client Manager.

The following options that are present in Odyssey Access Client Manager do not appear in the Machine Account tool:

The Odyssey Access Client Administrator option does not appear.

There is no Survey Airwaves option because this is a local user option.

There is no Diagnostics option because this is a local user option.

There is no Run Script option because this is a local user option.

There is no Check New Scripts option because this is a local user option.

Enabling a Machine Account Connection

To set up a machine account configuration in the Connection Settings tool:

1. Go to the Connection Settings > Machine Account tab.

2. Select Enable network connection using machine account.

3. Select Leave the machine connection active; users are connected via the machine connection. In this case, the machine account is active even when the user is not logged in to Windows.

After you configure a machine-level network connection in the Connection Settings tool, use the Machine Account tool to configure the machine network connection settings for a profile. This type of configuration is similar to how you configure connection settings for Odyssey Access Client Manager.

A machine account can be assigned to a different VLAN from the one set up for a user account. If you configure the machine account to transition to a user account when the user logs in, the IP address for the machine might change because of a different VLAN assignment. Similarly, when the user logs off, if the account is configured to transition back to a machine account, the IP address and VLAN assignments might change back again.

NOTE: The Enable server temporary trust and Prompt for smartcard PIN options are grayed out in the Machine Account tool because they do not apply to a machine account.


Machine Account Profile Options

You can configure networks, profiles, auto-scan lists, trusted servers, adapters, and Infranet Controllers for a Machine Account. The only networks, profiles, adapters, or Infranet Controllers that are used for machine connections are those for which you select Connect to network (for wireless connections) or Connect using profile (for wired connections) on the Connection dialog of Machine Account.

Setting Machine Account Password Credentials

If you enter a password in a machine account profile and then create a custom installer, that password is used by every copy of OAC deployed from the installer: one shared secret on every endpoint, recoverable from any one of them. It is better to enter credentials on each client machine manually if user credentials are required.

Setting Automatic Certificate Selection for EAP-TLS

If you require EAP-TLS for authentication and plan to distribute this configuration to multiple users, select Use automatic certificate selection on the profile you use for the machine connection. Refer to the directions in Chapter 5, “Managing Profiles,” in the Odyssey Access Client User Guide.

Trust Configuration Requirements for Machine Authentication

Configure a trusted root CA or intermediate CA certificate for a machine connection from the Trusted Servers dialog of the Machine Account tool. Before you do so, make sure that you have the certificate installed in the certificate store on the machine that you use for configuration. See Chapter 9, “Managing Trusted Servers,” in the Odyssey Access Client User Guide for information about how to add certificates.

Restrictions for Machine Account Settings

Default login name and EAP-FAST options do not apply to machine account settings, nor do authentication methods that require user interaction, such as those that use tokens. Thus, the Profile Properties dialog in the Machine Account tool varies slightly from that of the Odyssey Access Client Manager.

Configuring a Machine Password

You can configure machine credentials (machine name and machine domain password) to authenticate the machine to RADIUS servers that check the machine credentials against Active Directory. The machine credentials are created automatically when the machine joins the domain.

NOTE: For GINA authentication, only client certificates based on smart cards arevalid.


To use machine credentials for authentication:

1. Create a profile from the Profiles dialog box in the Machine Account tool and select Use machine credentials on the User Info tab of the Add Profile dialog.

If you select Use machine credentials, OAC uses the machine credentials created when the computer is joined to a domain for authentication. If you do not select this option, OAC uses whatever user name is provided as a login name.

2. If you require a realm name to decorate the machine credentials, type the name of the realm in the Realm (optional): @ field (located just below the Use machine credentials field). Otherwise, leave this field blank.

You might require a realm name decoration if the RADIUS authentication server is set up to support RADIUS proxies.

3. Keep Permit login using password enabled unless you are authenticating with TLS.

When you have configured the machine credentials, open the Connection Settings tool. Select the Machine Account tab and select Enable network connection using machine account.

EAP Methods that Support Machine Credentials

Machine credentials are valid only with EAP-TTLS or EAP-PEAP. Select at least one of these authentication methods for the profile. Then configure the authentication options on the TTLS Settings tab or PEAP Settings tab of the Profile Properties dialog, as necessary. See Chapter 5, “Managing Profiles,” in the Odyssey Access Client User Guide for information about selecting authentication protocols for a machine account profile.


Chapter 5

Using the Permissions Editor

The Permissions Editor lets you enable, disable, or hide individual OAC configuration settings and control which features users can see or access. Permissions Editor allows you to decide which authentication protocols are supported on your network, control which wireless network properties your network will support, and disable parts of the Odyssey Access Client Manager interface to provide a simple interface for users who only need to connect to and disconnect from a network or Infranet Controller.

You can give advanced users access to more features, such as the ability to create and configure networks or change trust settings. In this case, create and deploy a separate predefined configuration tailored for those users and use Permissions Editor to enable the options appropriate to that group of users. The range of options is extensive, so you can control configurations with the flexibility you need.

Overview

Use this tool to apply customized feature-by-feature restrictions on users’ ability to use or modify OAC-specific features in the configuration. This tool lets you disable settings that you do not want users to change and, in some cases, hide rather than disable features, which users can then choose to turn on from a View menu on the tool bar.

Option Categories in the Permissions Editor

The settings that you configure in the Permissions Editor are applied automatically to the machine you use to preconfigure OAC for deployment. You can also create a file to export the permissions configuration to one or more users. See “Configuring OAC Updates for Mass Distribution to Users” on page 63.

Options that you disable in Permissions Editor that do not control the appearance of the Odyssey Access Client Manager still appear in a menu or dialog box. If a user attempts to access a disabled option, a dialog box tells the user that the administrator has disabled that option.

The following sections summarize the categories of options that you can control using Permissions Editor.


Authentication Protocols

Use this settings category to enable or disable individual outer EAP protocols, such as EAP-SIM. When individual protocols are disabled, they still appear in the list of protocol choices. However, when a user attempts to save the profile settings by clicking OK, an error message identifies which protocols are invalid and prevents the save operation from succeeding until all the settings have been validated.

TTLS Inner Authentication Protocols

Use this settings category to enable or disable individual protocols, such as MS-CHAP. When individual protocols are disabled, they still appear in the list of protocol choices. However, when a user attempts to save the profile settings by clicking OK, an error message identifies which protocols are invalid and prevents the save operation from succeeding until all the settings have been validated.

TTLS Inner EAP Protocols

Use this settings category to enable or disable individual inner EAP protocols, such as EAP-GenericTokenCard. When individual protocols are disabled, they still appear in the list of protocol choices. However, when a user attempts to save the profile settings by clicking OK, an error message identifies which protocols are invalid and prevents the save operation from succeeding until all the settings have been validated.

PEAP Inner Authentication Protocols

Use this settings category to enable or disable individual inner PEAP protocols, such as EAP-POTP. When individual protocols are disabled, they still appear in the list of protocol choices. However, when a user attempts to save the profile settings by clicking OK, an error message identifies which protocols are invalid and prevents the save operation from succeeding until all the settings have been validated.

Profile Properties

Use this settings category to enable or disable the requirement for a valid certificate as part of login authentication.

Options

Use this settings category to enable or disable temporary trust for users. This option still appears in the Security tab of the Tools > Options menu even after it has been disabled. Users cannot change it as long as it is disabled.

Network Properties

Use this settings category to enable or disable specific network options, such as peer-to-peer networks or specific encryption protocols. One of the options in this category lets you disable access to networks that do not broadcast an SSID. This setting turns off access to any wireless network that does not broadcast an SSID, even if that network has been configured in OAC with an SSID; the Permissions Editor setting overrides the network configuration.


To restrict permissions for Odyssey Access Client Manager features:

1. Select the check box to set the indicated restriction, such as Disable EAP-SIM. (Some features, such as the Odyssey Access Client Administrator, are not visible to users if they are disabled.)

2. After selecting the features to restrict, select OK.

To remove a restriction, clear the check box.

Note the following:

Any features that you restrict (lock) in the Merge Rules tool are exempt from constraints that you configure in the Permissions Editor tool.

Features or options that you restrict might remain visible to your users, even though they cannot configure or use them.

If you select Disable [any] networks, users cannot connect to unspecified networks using the [any] network feature. See Chapter 6, “Managing Network Access,” in the Odyssey Access Client User Guide for a description of this feature.

If you select Disable ad-hoc networks, users cannot make peer-to-peer connections.

If you select Remove Odyssey Client Administrator from Settings menu, users cannot access the Odyssey Access Client Administrator from the Odyssey Access Client Manager. Thus, you can restrict access to Odyssey Access Client Administrator, which is usually available to users in the EE and FE licenses.

If you select Remove License Keys from Help menu, users cannot modify or view license keys.

If you select any of the Disable unauthenticated options, users cannot create a network configuration using the specified encryption protocol if they do not assign a profile to the network connection.

The Disable unauthenticated clear connections option applies to network descriptions configured for no encryption (none is selected as the encryption method on the Network Properties dialog).

If you select any of the Disable authenticated options, users cannot create a network configuration using the specified encryption protocol when they assign a profile to the network connection.

If you hide (rather than disable) settings, the Odyssey Access Client Manager menu bar displays a View menu showing the hidden settings. Users can toggle options on or off by selecting them. When there are no hidden settings configured, the View menu does not appear.


You can prevent users from exiting OAC by enabling Do not allow users to exit Odyssey. Enabling this setting removes the Exit selection from the OAC icon in the system tray. You can use this setting along with the options Manage all wireless (WiFi) adapters and Manage all wired (Ethernet) adapters to prevent users from using a different wireless supplicant program and potentially bypassing the network access security policy.

NOTE: You can also lock individual categories of configuration settings to prevent users from changing them. To lock settings, use the Merge Rules tool.


Chapter 6

Setting Merge Rules

Merge rules determine how configuration items are added to existing user configurations. You can assign rules that modify current configurations or that prevent users from editing the configurations. You can also use this tool to lock profiles, networks, auto-scan lists, Infranet Controllers, and other settings so that users cannot modify them.

Overview

The Merge Rules tool lets you add new authentication profiles or Infranet Controllers to existing user configurations if the user does not have those settings already. You can replace current profile configurations with updated settings and even lock them so that they cannot be modified by users.

Setting merge rules lets you add, set, or lock features that you configure in the Initial Settings tool that apply to authentication profiles, networks, auto-scan lists, Infranet Controllers, and other options. Use merge rules to control and manage OAC update configuration settings when you use custom installers or update files to create a settings update file or a new custom installer file.

The Merge Rules tool helps keep OAC administration and configuration transparent to users.

How Merge Rules Apply to User Configurations

Merge rules can apply to the profiles on any individual user’s machine for which merge rules have been configured. They can also apply to the configurations of any machine to which you apply a settings update file created with the Custom Installer tool, for any number of users.

Use Cases for Merge Rules

This section shows some sample use cases in which you might configure rules for using your OAC Administrator configuration to update current user configurations.

Provide periodic OAC updates to a group of users and their machines.


Add networks, profiles, auto-scan lists, or Infranet Controllers to user configurations. You might also want to lock an Infranet Controller or the corresponding profile configuration, particularly if users are required to connect to a specific Infranet Controller.

When you create a new custom installer file to upgrade users with a newer version of OAC, merge rules let you specify how updated settings are merged into existing user configurations.

You can create a new custom installer file for configuring OAC for new machines. In this case, you have the option to lock the configured features as they are installed on a new machine using the Merge Rules tool. (The default setting is to enable all configuration settings.)

Merge Rule Settings

Use merge rules to control the current Initial Settings configuration for all users of your current machine (or for a new custom installer file or a configuration update file). Select one of the following modes:

None—Configure settings for new users of a given client PC on your network based on selected items that you configure in the Odyssey Access Client Administrator. This is the default for some items on the Other tab (described in “Other Merge Rules Settings” on page 46). You could use this mode, for example, if you have recently updated your license and you want to update a configuration for all new user settings on client machines with settings for the latest features. This mode has no effect on the configurations of current users of an OAC installation. After a user begins to use OAC, the user can modify any of these settings.

Add if not present—Add the selected Odyssey Access Client Administrator settings to the current settings of your users without overwriting settings with the same names. This is the default option for all tabs of the Merge Rules tool except for the items on the Other tab for which this option is not available. This mode affects the configurations for new users, as well as current users of your OAC installations. All users are able to modify these settings.

Set, replace if present—Add the selected Odyssey Access Client Administrator settings to the current settings of your users and overwrite settings with the same names if they already exist. This mode affects the configurations for new users as well as current users of your OAC installations. All users are free to modify these settings.

Lock except user info—Overwrite all current user settings with selected Odyssey Access Client Administrator settings, except for user credential information (username, password, or user certificate) associated with a profile. This option is only available for profiles. This prevents your users from editing any portions of a locked profile except for their credentials. Do not specify a username and password or user certificate for any profile that you create in the Initial Settings tool to which you plan to apply this type of profile locking.


Lock—Set or replace all current user settings with selected Odyssey Access Client Administrator settings and prevent your users from editing them. When you lock a feature, OAC deletes all current user settings for features with the same name and prevents new and current users from editing this feature. Users of Odyssey Access Client Manager see one of the following indicators for locked features:

Title bars of dialogs are marked as read-only if every feature shown on the dialog is locked.

Information text that appears on a tab of a dialog indicates that the features on the selected tab are locked.

The settings that you make in Merge Rules affect settings for all users of the machine that you are configuring. The changes take effect as soon as you close Merge Rules. You can then use these merge rules when you provide configuration updates to your users or when creating a new installer file.
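To make the five modes concrete, here is an added Python model of the merge (example code written for this page, not Juniper's implementation; the guide defines the modes, not a file format). It merges administrator profiles from Initial Settings into one user's existing profiles, including the Permit only the following profiles behaviour described in the next section. The profile dictionaries, the lock key, the field names and the sample data are this example's own constructions.

```python
from __future__ import annotations

from copy import deepcopy

# Merge modes exactly as named on the Merge Rules tool.
NONE = "None"
ADD_IF_NOT_PRESENT = "Add if not present"
SET_REPLACE = "Set, replace if present"
LOCK_EXCEPT_USER_INFO = "Lock except user info"
LOCK = "Lock"

# What the guide calls user credential information for a profile.
USER_INFO_FIELDS = ("username", "password", "user_certificate")


def admin_profile_safe_to_lock(profile: dict) -> bool:
    """The guide says not to put credentials into an Initial Settings profile
    that will be merged with 'Lock except user info'; this flags such profiles."""
    return not any(profile.get(f) for f in USER_INFO_FIELDS)


def apply_mode(mode: str, admin: dict, current: dict | None, new_user: bool) -> dict | None:
    """Merge one administrator profile into a user's copy of it (None if absent).

    Returns the resulting profile, or None to leave the user's settings alone.
    The "lock" key ("all", "user_info_editable" or None) is this example's own
    encoding of the read-only state the guide describes."""
    if mode == NONE:
        # Seeds brand-new users only; existing configurations are untouched.
        return dict(admin, lock=None) if new_user and current is None else None
    if mode == ADD_IF_NOT_PRESENT:
        return dict(admin, lock=None) if current is None else None
    if mode == SET_REPLACE:
        return dict(admin, lock=None)
    if mode == LOCK_EXCEPT_USER_INFO:
        merged = dict(admin, lock="user_info_editable")
        if current is not None:
            for field in USER_INFO_FIELDS:
                if field in current:
                    merged[field] = current[field]   # the user's credentials survive
        return merged
    if mode == LOCK:
        return dict(admin, lock="all")
    raise ValueError(f"unknown merge mode {mode!r}")


def merge_profiles(user_profiles: dict, admin_profiles: dict, rules: dict,
                   permit_only: bool = False, new_user: bool = False) -> dict:
    """Compute a user's profile set after a settings update.

    rules maps profile name to mode; the Profiles tab default is Add if not present.
    permit_only models 'Permit only the following profiles': profiles the
    administrator did not configure are dropped (hidden and disabled), and every
    configured profile is locked except for credentials unless its rule is Lock.
    """
    result = {} if permit_only else deepcopy(user_profiles)
    for name, admin in admin_profiles.items():
        mode = rules.get(name, ADD_IF_NOT_PRESENT)
        if permit_only and mode != LOCK:
            mode = LOCK_EXCEPT_USER_INFO
        merged = apply_mode(mode, admin, user_profiles.get(name), new_user)
        if merged is not None:
            result[name] = merged
    return result


def user_may_edit(profile: dict, field: str) -> bool:
    """Whether Odyssey Access Client Manager would let the user change a field."""
    lock = profile.get("lock")
    if lock == "all":
        return False
    if lock == "user_info_editable":
        return field in USER_INFO_FIELDS
    return True


# Constructed sample data (not from the guide).
USER_PROFILES = {
    "Corp-WLAN": {"eap": "EAP-TTLS", "inner": "MS-CHAP-V2", "validate_server": False,
                  "username": "jdoe", "password": "hunter2", "lock": None},
    "Guest": {"eap": "EAP-PEAP", "username": "guest", "lock": None},
}
ADMIN_PROFILES = {
    "Corp-WLAN": {"eap": "EAP-TTLS", "inner": "MS-CHAP-V2", "validate_server": True},
    "Corp-Wired": {"eap": "EAP-TLS", "auto_cert_selection": True},
}
RULES = {"Corp-WLAN": LOCK_EXCEPT_USER_INFO, "Corp-Wired": LOCK}


def demo() -> dict:
    """Push the administrator's server-validation fix without touching jdoe's password."""
    return merge_profiles(USER_PROFILES, ADMIN_PROFILES, RULES)


if __name__ == "__main__":
    for name, profile in demo().items():
        print(name, profile)
```

The sample shows why the mode matters for security: the user had turned server validation off in Corp-WLAN, and only Set, replace if present or one of the Lock modes pushes the corrected setting; Add if not present leaves the weak profile as it is because a profile of that name already exists. The admin_profile_safe_to_lock check catches the mistake the guide warns about, an administrator-supplied credential riding along into a profile locked except for user info.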

Using the Merge Rules Tool

Use the Merge Rules tool to assign rules for applying the initial settings and Windows login configuration to the current machine or to a configuration file you create in Custom Installer. Merge rules apply to the following categories of user configuration settings:

Profiles

Networks

Auto-scan lists

Infranet Controllers

Other merge rules for profiles

To begin setting merge rules:

1. Open the Merge Rules tool. The Merge Rules dialog box appears.

2. To manage updates for one or more profiles, select the Profiles tab. (Similarly, to manage updates for networks, auto-scan lists, or Infranet Controllers, select the appropriate tab in the dialog.)

3. Select Permit only the following profiles to manage updates for the profiles listed. This option affects configurations as follows:

Users can use only the profiles that you configure through the Initial Settings tool.

All options (aside from user credentials) for all user profiles are locked.

Users cannot add new profiles to their configurations.


Users can edit their credentials for each of the locked profiles that you configure.

Profiles configured previously are hidden from users and are disabled. To make these visible to your users, clear Permit only the following profiles.

If, in addition to locking all profiles, you want to lock user credentials for one or more of these locked profiles, select those profiles, right-click, and select Lock.

4. Select OK.

Setting Merge Rules for Profiles

To set merge rules for one or more profiles, follow these steps:

1. Select one or more profile configurations from the list, right-click, and select Set Merge Rules. A context menu listing all available merge modes appears.

2. Select one of the five configuration modes (None; Add if not present; Set, replace if present; Lock except user info; Lock) from the menu.

Repeat these steps for as many of the other merge rule modes that you want to apply to any profile(s) that you configure in the Initial Settings tool.

 Setting Merge Rules for Networks

To set merge rules for a network configuration:

1. Select the Networks tab of the Merge Rules tool. You can lock all networks or set merge rules for individual networks.

2. Select Permit only the following networks to lock all networks listed. When you do so, the following changes apply:

Users can use only those networks configured with the Initial Settings tool.

All components of all user networks are locked.

Users cannot add new networks to their configurations.

Any networks that were configured previously in OAC are hidden from your users and disabled. The only way to make these visible to your users again is to clear Permit only the following networks.


 Setting Merge Rules for Individual Networks

To set merge rules for one or more networks:

1. Select one or more network configurations from the list.

2. Select one of the five configuration modes (None; Add if not present; Set, replace if present; Lock except user info; Lock) from the menu.

3. Select OK.

Repeat these steps for as many of the other merge rule modes that you want to apply to any network(s) that you configure in the Initial Settings tool.

 Setting Merge Rules for Auto-Scan Lists

To set merge rules for auto-scan lists:

1. Select the Auto-Scan Lists tab of the Merge Rules tool. You can lock all auto-scan lists or set merge rules for individual auto-scan lists.

2. Select Permit only the following auto-scan lists to lock all auto-scan lists. The consequences of locked auto-scan lists are as follows:

Your users can use only the auto-scan lists that you configure through the Initial Settings tool.

All components of all user auto-scan lists are locked.

Users cannot add new auto-scan lists to their configurations.

Any auto-scan lists that were configured previously in OAC are hidden from your users and disabled. To make these visible to your users again, clear the setting for Permit only the following auto-scan lists.

To set merge rules for one or more individual auto-scan lists:

1. Select one or more auto-scan lists from the list.

2. Use the right mouse button to select one of the four configuration modes (None; Add if not present; Set, replace if present; Lock) from the menu that appears.

3. Repeat this step for as many of the other merge rule modes that you want to apply to any auto-scan list(s) that you configure in the Initial Settings tool.

NOTE: Lock any networks for which FIPS mode is required. (FE Only)


(FE Only) FIPS mode settings that you configure in the Initial Settings tool. See the Odyssey Access Client User Guide for information about these settings. If you require FIPS mode connections in your network, it is recommended that you set FIPS Mode On in the Initial Settings tool and lock FIPS mode in the Merge Rules tool, so that all user connections attempt to connect in FIPS mode.

Windows login settings that you configure in Initial Settings. See the Odyssey Access Client User Guide for information about the Windows login settings.

For each of these items, use the right mouse button to select one of the three configuration modes (None; Set, replace if present; Lock) from the menu that appears.

See “Configuring OAC Updates for Mass Distribution to Users” on page 63 for information about applying your merge rules to a set of users.

NOTE: A warning or error message might appear when you select OK to close the Merge Rules tool. For example, if you attempt to assign an invalid merge rule, an error message appears. These error messages contain helpful information to address merge rule errors or inconsistencies.


Chapter 7

Using Scripts

Use the Script Composer to distribute updated configuration settings to users. The updates apply to networks, profiles, and auto-scan lists. After you have set up and deployed an initial configuration using the Custom Installer tool, the Script Composer tool lets you update existing configuration settings. You can use a single script to distribute updates for profiles, networks, and auto-scan lists. The data format of a script is XML.

Overview

Use this tool to create configuration scripts to update OAC configurations that add new settings, replace existing settings, or remove settings. The Script Composer uses the Odyssey Access Client Manager settings on the machine where those settings have been configured.

You can also use scripts to modify settings for trusted servers, security and EAP-FAST, wireless suppression, preemptive networks, and Windows login timing settings.

The tasks you can accomplish with scripts are:

Add—Add settings that are not currently defined in the user configuration. Those updates are applied when the script runs, but only if the user’s configuration does not have components with the same name. The configuration settings that you can select to add must be ones that are in the copy of OAC on your local machine.

Set—Set or replace current settings. The configuration settings that you can select to add or replace must be ones that are in the copy of OAC on your local machine.

Remove—Remove any configuration settings. The settings do not have to be part of the configuration on your local machine.

Connect—Enable automatic connections. You select a profile for a wired connection, or a network or auto-scan list for a wireless connection. The adapter used is the first appropriate adapter configured in OAC for the user.

Alternatively, you can use a command-line interface to export the entire configuration to a script.


After you create and distribute a script file, users can access the script from Tools > Configuration Scripts > Check New Scripts on the Odyssey Access Client Manager. See “Creating Scripts for Incremental Updates” on page 55 for more information.

Creating Scripts with Script Composer 

To create scripts with Script Composer:

1. Set up the configuration to include the settings that you want to add or modify. See the Odyssey Access Client User Guide for more information about the individual configuration settings.

2. Open the Script Composer tool. The Script Composer dialog appears.

3. For each script that you want to generate, configure all items that you want to add, remove, or modify using the Connection Settings, Initial Settings, Permissions Editor, and Merge Rules tools (as needed).

4. Select Generate Script. The Select Destination File dialog appears.

5. Specify the file format for your script. You can save scripts in one of two formats:

To save your script as an autoscript so that OAC executes the script without user intervention, select the .odyClientScriptAuto file type.

To save your script so that your users have the choice of running the script, select the .odyClientScript file type.

6. Enter a name for the file after selecting a file type.

7. Select Save.

8. Select Done.

9. Put the scripts in the correct directory on your users’ machines.

NOTE: If there is a configuration setting (such as a network) in a script with the same name and type as a setting that is locked by a merge rule in the current client configuration, the setting in the script is not applied in the client until that setting is unlocked in Merge Rules. Once the setting is unlocked, the updated values imported in the script become visible and take effect. This situation might occur if the user has access to the Odyssey Access Client Administrator and has locked some settings locally.


 Adding or Setting Profiles with Scripts

You can add or set any number of profiles that you have configured in Odyssey Access Client Manager in the same script.

To add or set profiles, follow these steps:

1. Select Profiles under the action category (Add or Set). All profiles that you configured in Odyssey Access Client Manager appear listed on the right.

2. Select all of the profiles that you want to include in this action category.

3. Select Done when you have made your changes.

Note the following:

If you include user identity information such as names or passwords in your selected profiles, these are conveyed to every user who runs the resulting script. Passwords are stored in encrypted form in the script, but any credential you embed this way becomes a shared credential for all recipients.

If you leave the user identity information in your selected profiles blank, then OAC attempts to replace the name and/or password with the user’s Windows identity when the script is run. If this is not possible, the user is prompted for identity credentials the first time the user connects to the network with OAC.

Certificate information is not passed on through the script.

Removing a Profile

You can remove any profiles that your users have configured as long as you have the names of the profiles that you want to remove.

To remove a profile, follow these steps:

1. Under Remove in the action category, select Profiles.

2. Enter the name of any profile you want to remove in the text area provided.

 Activating a Profile for a Wired Connection

To activate a profile for OAC wired connections:

1. Select the profile under Connect .

2. Select Done.


 Adding or Setting Networks with Scripts

You can add or set (replace if present) one or more networks that you have configured in Odyssey Access Client Manager in the same script.

To add or set networks, follow these steps:

1. Select Networks under the desired category (Add or Set). All networks that you have configured in Odyssey Access Client Manager appear listed on the right.

2. Select all of the networks that you want to include in this category.

3. Select Done when you have made your changes.

Removing a Configured Network 

You can remove any configured networks as long as you have the correct names (SSIDs) and corresponding descriptions. Alternatively, you can remove all networks with the same SSID, in which case you do not have to separately specify each of the descriptions.

You can remove any configuration components. You do not have to configure components to be removed in Odyssey Access Client Manager. Components whose names you enter for removal by a script are removed from the user configuration when the resulting script is run.

To remove one or more networks, follow these steps:

1. Select Networks under Remove.

2. Enter the name (SSID) and corresponding description (if there is any) of the network that you want to remove in the text area provided. You must use the special network description syntax that appears on Odyssey Access Client Manager. You must provide the name/description pair in the following format:

description SSID

3. To enter additional networks to remove with this script, press Enter after typing the name and description of each network you want to remove.

You can remove only those networks with descriptions that do not contain angled brackets in their definitions. See “Removing Networks Using SSIDs” to remove networks in this case.

4. Select Done when you have made your changes.

 Activating a Network for a Wireless Connection

To activate a network for OAC wireless connections:

1. Select the network under Connect  in Script Composer.

2. Select Done.


 Adding or Setting Auto-Scan Lists

To add or set auto-scan lists that you configured in Odyssey Access Client Manager:

1. Select Auto-Scan Lists under Add or Set in Script Composer. All auto-scan lists you have configured in Odyssey Access Client Manager appear on the right.

2. Select all of the auto-scan lists that you want to include in this category.

3. Select Done.

Removing Auto-Scan Lists

To remove one or more auto-scan lists:

1. Select Auto-Scan Lists under Remove.

2. Enter the name of any auto-scan list that you want to remove in the text area provided.

3. To enter additional names of auto-scan lists to remove with this script, press Enter after typing the name of each auto-scan list that you want to remove.

4. Select Done.

To activate an auto-scan list to be used for OAC wireless connections, select the auto-scan list under Connect in Script Composer.

Managing Other Settings with Scripts

Depending on which Script Composer action categories you select (Add or Set), you have one or more options for modifying trusted servers and security settings.

If you select Other in Script Composer, you can create a script that replaces trusted servers, Windows login settings, and the options described in “Adding or Setting Other Options in the Script Composer Tool”.

Adding or Setting a Trust Tree

To add or set the complete trust tree that you configured in the Trusted Servers dialog of Odyssey Access Client Manager:

1. Select Other under the action category (Add or Set ) in Script Composer.

2. Select Trusted servers. Note that when users run the resulting script for trust trees that you add, new trust entries are inserted in an existing trust tree. When users run the resulting script for trust trees that you set, the entire trust tree is replaced.

3. Select Done.


Creating Scripts for Incremental Updates

You can update OAC configurations for one or more users. For example, if you add new SSIDs to a network, you can configure the network once with Odyssey Access Client Administrator and then create a script that deploys the updated configuration to one or more users.

There are two types of configuration scripts for updating OAC settings for users:

You can deliver a script that runs automatically whenever OAC polls for new scripts.

You can deliver a script that the user can select to run. See the Odyssey Access Client User Guide for more information about user interaction with scripts.

To provide configuration scripts to update user configurations:

1. Generate one or more scripts using the Script Composer tool or the command-line interface.

See “Using Scripts” on page 49 for information about creating scripts using the Script Composer tool. Make sure that you save your scripts with the correct extension for autoscripts or regular scripts.

See “Command-Line Method to Create and Load OAC Scripts” on page 56. Users cannot run encrypted scripts that you create using the command-line interface.

2. Deliver the script(s) to the directory described by the following path on your user’s computer:

<Application Data>\Funk Software\Odyssey Client\newScripts

where <Application Data> is typically

volume:\Documents and Settings\username\Application Data

This may differ for non-English versions of the OS.

OAC polls this directory for new scripts frequently. New scripts are treated as follows:

Autoscripts run automatically when detected by OAC.

Users can run or delete other scripts when they select Tools > Configuration Scripts > Check New Scripts.

If the script is not an autoscript—that is, if it must be run manually—there is no specific location in the file system where the script must be stored.

NOTE: In order to view the Application Data directory, you must make hidden files and folders visible.


Note that if you want merge rules or permission restrictions to apply to your user configurations, follow the directions in “Configuring OAC Updates for Mass Distribution to Users” on page 63.

Notes on the Directory for Scripts

Depending on your operating system, the physical path to the Application Data folder described in Step 2 of “Creating Scripts for Incremental Updates” on page 55 might vary. It is always the CSIDL_APPDATA path used by Windows shell programmers. Once you locate the Application Data folder, you can place the scripts in this folder under Odyssey Access Client\newScripts.
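The following PowerShell function is an added example, not part of this guide or of the OAC product, of delivering scripts into the polled folder. It resolves CSIDL_APPDATA through the .NET shell-folder API instead of hard-coding Documents and Settings, and it refuses files that do not carry one of the two documented extensions or are not well-formed XML (an autoscript runs as soon as OAC notices it, so a truncated copy should never land there). It assumes the relative folder name given in Step 2 above, Funk Software\Odyssey Client\newScripts; the note above spells it Odyssey Access Client\newScripts, so confirm the folder on a test machine and override -RelativeDir if needed. It also assumes it runs in the target user's own session, for example from a logon script, since CSIDL_APPDATA is per user.

```powershell
# Added example, not from the Juniper guide. Copies OAC configuration scripts
# into the per-user newScripts folder that OAC polls.
# Assumptions: the relative folder below (the guide gives two spellings);
# this code runs as the target user; PowerShell 3.0 or later (for -notin).

function Deploy-OacScript {
    param(
        [Parameter(Mandatory)][string[]]$ScriptPath,
        [string]$RelativeDir = 'Funk Software\Odyssey Client\newScripts',
        [switch]$RequireAuto     # fail unless every script is an autoscript
    )

    # CSIDL_APPDATA for the current user, however the OS names or localises it.
    $appData = [Environment]::GetFolderPath('ApplicationData')
    $target  = Join-Path $appData $RelativeDir
    if (-not (Test-Path -LiteralPath $target)) {
        New-Item -ItemType Directory -Path $target -Force | Out-Null
    }

    $deployed = @()
    foreach ($p in $ScriptPath) {
        $ext = [IO.Path]::GetExtension($p)
        # Only the two documented extensions are picked up by OAC; anything
        # else is a packaging mistake rather than a script the client will see.
        if ($ext -notin '.odyClientScript', '.odyClientScriptAuto') {
            throw "$p does not have a recognised OAC script extension ($ext)."
        }
        if ($RequireAuto -and $ext -ne '.odyClientScriptAuto') {
            throw "$p is not an autoscript; it would wait for the user to run it."
        }
        # Scripts are XML; a parse failure here is cheaper than a half-applied
        # autoscript on the client.
        $xml = New-Object System.Xml.XmlDocument
        $xml.Load((Resolve-Path -LiteralPath $p).Path)

        $dest = Join-Path $target ([IO.Path]::GetFileName($p))
        Copy-Item -LiteralPath $p -Destination $dest -Force
        $deployed += $dest
    }
    return $deployed
}

# Illustrative file name; deploy one autoscript and insist that it is one.
# Deploy-OacScript -ScriptPath 'C:\oac\add-corp-ssid.odyClientScriptAuto' -RequireAuto
```

Because OAC applies autoscripts without asking, treat the newScripts folder as a code-execution path for the client configuration: write to it only from a trusted deployment account, and keep the folder's ACL limited to the user and administrators.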

Command-Line Method to Create and Load OAC Scripts

You can use a command-line interface to create scripts that export the entire Odyssey Access Client Manager configuration. The syntax is as follows:

odClientAdministrator arguments

The arguments that you can use to save (export) the Odyssey Access Client Manager configuration or restore (import) a saved configuration to Odyssey Access Client Manager are:

/E[xport]=filename
/I[mport]=filename
/K[ey]=encryptionKey
/N[oSavePrivateData]
/S[ilent]

You can use any of the following argument combinations:

/E=filename
/E=filename /N
/E=filename /S
/E=filename /K=encryptionKey /N
/E=filename /K=encryptionKey /N /S
/E=filename /K=encryptionKey
/E=filename /K=encryptionKey /S
/I=filename
/I=filename /S
/I=filename /K=encryptionKey
/I=filename /K=encryptionKey /S
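As an added example that is not part of this guide or of the OAC product, the following PowerShell function wraps the switches listed above so that every export and import supplies a key, and exports omit private data unless you explicitly ask for it. It assumes that odClientAdministrator.exe is on the PATH (or is passed via -ToolPath), that a quoted path is accepted after /E= or /I=, and that the tool returns a non-zero exit code on failure; the guide states none of these, and the file name in the usage lines is illustrative.

```powershell
# Added example, not from the Juniper guide. Wraps the documented
# odClientAdministrator export/import switches.
# Assumptions: odClientAdministrator.exe is on PATH or passed in -ToolPath,
# accepts a quoted path, and exits non-zero on failure.

function Invoke-OacAdministrator {
    param(
        [Parameter(Mandatory)][ValidateSet('Export', 'Import')][string]$Action,
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$EncryptionKey,
        [switch]$IncludePrivateData,   # export only: omit /N and keep stored credentials
        [switch]$Silent,               # /S
        [string]$ToolPath = 'odClientAdministrator.exe'
    )

    # Build the switch list in the same shape as the documented combinations.
    $mode     = if ($Action -eq 'Export') { '/E' } else { '/I' }
    $toolArgs = @("$mode=`"$Path`"", "/K=$EncryptionKey")
    if ($Action -eq 'Export' -and -not $IncludePrivateData) { $toolArgs += '/N' }
    if ($Silent) { $toolArgs += '/S' }

    # The key is visible in the process command line while the tool runs, so
    # run this only on the administrator's workstation.
    $proc = Start-Process -FilePath $ToolPath -ArgumentList $toolArgs -Wait -PassThru -NoNewWindow
    if ($proc.ExitCode -ne 0) {
        throw "$ToolPath exited with code $($proc.ExitCode) for: $($toolArgs -join ' ')"
    }
    if ($Action -eq 'Export' -and -not (Test-Path -LiteralPath $Path)) {
        throw "Export reported success but $Path was not created."
    }
    return $proc.ExitCode
}

# Export the reference configuration without stored credentials, then load it
# on a second administrator machine. File name is illustrative.
# $key = Read-Host 'Export key'
# Invoke-OacAdministrator -Action Export -Path 'C:\oac\baseline.xml' -EncryptionKey $key -Silent
# Invoke-OacAdministrator -Action Import -Path 'C:\oac\baseline.xml' -EncryptionKey $key -Silent
```

Keep in mind the guide's statement that users cannot run encrypted scripts produced this way: an encrypted export is for re-import with /I on an administrator's machine, not for the newScripts folder. Use -IncludePrivateData only when the export must carry stored credentials, and then keep the file and key under the same protection as the credentials themselves.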


Chapter 8

Using the Custom Installer

You can deploy the settings that you configure with the Initial Settings, Machine Account, Permissions Editor, and Merge Rules tools to your users as:

A preconfigured copy of OAC to one or more users and machines.

Updated OAC configurations for existing users and machines.

License updates.

Preconfigured settings can be distributed as a Microsoft installer (.msi) file for a new installation or as a settings update file.

Use the Custom Installer to create an .msi file to deploy the configuration template to client machines. An .msi file can contain any configuration options defined using the Initial Settings, Machine Account, Permissions Editor, and Merge Rules tools—including the OAC license key.

To use this tool to update the settings for machine accounts, see “Merging Update Settings for Machine Accounts” on page 64.

You can also configure the custom installer file to install “silently” (without requiring interaction by the client system user).

Overview

Use this tool to create a preconfigured installer (.msi) file or a settings update file from the initial user or machine settings that you have configured with Odyssey Access Client Administrator tools. Use custom installer files for upgrades and new user installations. Once you have the .msi file, you can deploy the OAC configuration to users with a variety of mass-distribution deployment tools.

Using the Custom Installer Tool

Double-click Custom Installer in the Odyssey Access Client Administrator to open the Custom Installer tool.

Custom installer files and updated user configuration files derive their configuration from the features you set using the Odyssey Access Client Administrator tools, not from the Odyssey Access Client Manager.


After configuring and testing your custom installer template in the Odyssey Access Client Administrator, open the Custom Installer tool in the Odyssey Access Client Administrator to create a new OAC installer file with the defaults that are configured from your template. See “Testing User Connection Settings” on page 28 and “Testing Machine Connection Settings” on page 28 for more information on testing configuration settings. Refer also to “Configuring OAC Updates for Mass Distribution to Users” on page 63.

Creating a Custom Update File

A custom update file contains the updated configuration template settings. The difference between a settings update file and a new installer file is that the new installer file also contains the software for installing OAC.

To create a custom installer update file:

1. Select Settings update file.

2. Specify the source installer (.msi) file. Enter the file name (and path) or select the top Browse button. The Select Source File dialog appears.

3. Use the Files of type drop-down list at the bottom of the Select Source File dialog to search for the correct file type. You can use the original OAC installer file from any current or previous release (OdysseyClient.msi) as the source file. Locate this file in the Client directory on the product CD if you have not archived it. Double-click the source file in the window or select Open.

4. Select Browse to find the desired destination directory if required. The Save Destination File dialog appears. Select the name of the new (destination) .msi file. Enter the name of the file or select an existing file in the current directory, and then select Save.

5. Optionally, select Export license key and enter a license key that is valid for the number of copies that you intend to distribute.

6. Optionally, select Silent install if you want the installation to run without displaying any dialogs during the install process.

7. Select OK to create the custom installer file.

Creating a New Installer File

To create an installer file:

1. Select New installer file.

2. Specify the source installer (.msi) file. This file must be a full product installer file for OAC. You can enter the file name (along with its path) or select the top Browse button. The Select Source File dialog appears.

3. Use the Files of type drop-down list at the bottom of the Select Source File dialog to search for the correct file type. You can use the original OAC installer file from any current or previous release (OdysseyClient.msi) as the source file. Locate this file in the Client directory on the product CD if you have not archived it. Double-click your source file in the window or select Open.


OAC supports automatic certificate selection; that is, if a user has only one certificate, OAC uses it silently, without prompting. If the user has no certificate installed or has more than one, OAC prompts the user to specify a certificate. If the user has only one certificate but it is expired, OAC searches for a certificate with the same common name.

You cannot preconfigure stored passwords or login names.

Configuring OAC Updates for Mass Distribution to Users

You can update OAC configurations for a large number of users. For example, if you want to update user configurations with new OAC features, you can create an updated customized configuration file through the Settings update file option of Custom Installer.

When you create a customized OAC configuration setup file using this option, you can distribute this file to users to update their configurations. You cannot, however, use this option for version upgrades of OAC. Before you create an OAC update configuration file, you can configure merge rules to specify how your updated OAC configuration is applied to user machines.

You can create an updated configuration file that is based on your connection settings from the Connection Settings tool, machine account settings in the Machine Account tool, user settings in the Initial Settings tool, lock options in the Merge Rules tool, and specific feature constraints set in the Permissions Editor tool.

To create the update configuration file:

1. Open the Custom Installer tool.

2. Select Settings update file.

3. Select Browse to locate a destination directory. The Select Destination File dialog appears.

4. Type the name of the configuration file that you want to save next to Destination File.

5. Select Save.

6. Select OK to close the Custom Installer tool.

7. Install the file on your user machines. Only users with administrative privileges on their machines can run the custom update file on their own machines.
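The following PowerShell function is an added example, not part of this guide or of the OAC product, of running Step 7 unattended with msiexec from a software-distribution tool. It assumes the file is an .msi produced by Custom Installer, that it runs elevated (the guide says only administrators can run the update), and it writes a verbose log and treats the two msiexec success codes (0 and 3010, reboot required) as success. The -RequireSignature switch checks the package's Authenticode signature; the guide does not say whether custom installer files are signed, so the check is off by default and should be turned on only once your build process signs them.

```powershell
# Added example, not from the Juniper guide. Installs an OAC custom installer
# or settings update .msi silently, with logging and exit-code handling.
# Assumptions: elevated context; msiexec.exe on the system; package is an .msi.

function Install-OacPackage {
    param(
        [Parameter(Mandatory)][string]$MsiPath,
        [string]$LogDir = (Join-Path $env:ProgramData 'OAC-Deploy'),
        [switch]$RequireSignature     # refuse unsigned or tampered packages
    )
    if (-not (Test-Path -LiteralPath $MsiPath)) { throw "Package not found: $MsiPath" }

    # The guide states the update needs administrative privileges; fail early
    # with a clear message instead of a cryptic msiexec error.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run elevated: the OAC update file requires administrative privileges.'
    }

    if ($RequireSignature) {
        $sig = Get-AuthenticodeSignature -FilePath $MsiPath
        if ($sig.Status -ne 'Valid') {
            throw "Refusing $MsiPath, signature status: $($sig.Status)"
        }
    }

    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $log   = Join-Path $LogDir ('{0}-{1}.log' -f [IO.Path]::GetFileNameWithoutExtension($MsiPath), $stamp)

    # /qn: no UI (same effect as the Custom Installer "Silent install" option);
    # /norestart: never reboot a user's machine from a deployment job;
    # /L*v: verbose log for troubleshooting a failed merge or install.
    $msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/norestart', '/L*v', "`"$log`"")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    switch ($proc.ExitCode) {
        0       { $result = 'Installed' }
        3010    { $result = 'RebootRequired' }    # ERROR_SUCCESS_REBOOT_REQUIRED
        default { throw "msiexec failed with exit code $($proc.ExitCode); see $log" }
    }
    [pscustomobject]@{ Package = $MsiPath; Result = $result; Log = $log }
}

# Illustrative path; run from an elevated deployment job.
# Install-OacPackage -MsiPath 'C:\oac\OAC-update-2007-10.msi' -RequireSignature
```

When the update is pushed by a distribution tool that runs as SYSTEM, the elevation check passes; when an interactive user double-clicks the file, it fails unless they are a local administrator, which matches the restriction stated in Step 7.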


Merging Update Settings for Machine Accounts

The Merge Machine Settings option allows you to update OAC configuration settings for users so that settings are merged with the existing configuration, thus preserving specific parts of the existing OAC configuration. When creating a preconfigured installer for an upgrade or settings update on a system with existing machine account settings configured, you can enable the Merge machine settings check box to merge the existing machine settings for Networks, Profiles, Infranet Controllers, and Auto-Scan Lists with the new settings from the Custom Installer. For any duplicate names, the new setting overwrites the old setting. Auto-scan lists have a slightly different behavior. In the case of matching auto-scan lists, the networks in the new auto-scan list will be added to the bottom of the list.

This option applies only when creating a custom installer or settings update file. The Merge Machine Settings option allows you to:

Add new auto-scan lists, Infranet Controllers, networks, or authentication profiles on the target system.

When updating a network, if the SSID and network name match the corresponding settings in the current network, the updated network replaces the current version.

The updated configuration overrides individual settings in the current network configuration. Thus if the current network uses AES encryption and the update specifies TKIP, the updated encryption setting replaces the existing one. This holds even when, as in that example, the update weakens the setting, so review update templates for unintended downgrades before distributing them.

Replace existing Infranet Controllers, networks, or profiles on the target system.

For authentication profiles and Infranet Controllers, if the profile or Infranet Controller name in the update matches the current profile or Infranet Controller name, the update replaces the current version.

The updated configuration overrides individual settings in the current profile configuration. Thus if the current profile uses TLS authentication and the update specifies PEAP, the updated authentication setting replaces the existing one.

Merge auto-scan lists from the installer with those on the target machine. If the name of an auto-scan list matches the name of a current auto-scan list, the contents of the update are merged with the current one, thus preserving any existing networks in the current list that are not contained in the update.

This option does not apply to adapters or adapter settings, nor does it pertain to the configuration settings defined in the Initial Settings tool.

To enable this option, enable the Merge Machine Settings check box.

NOTE: This feature applies to machine accounts only.
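The following PowerShell function is an added example, not part of this guide or of the OAC product: a model of the Merge Machine Settings rules described above, used to preview what a settings update will do to a machine's existing networks, profiles, Infranet Controllers and auto-scan lists before the installer is built. The hashtables are constructed sample data, not OAC's on-disk format, which the guide does not document. Networks are keyed by the "description SSID" pair the guide uses elsewhere, since a replacement requires both to match; profiles and Infranet Controllers are keyed by name.

```powershell
# Added example, not from the Juniper guide. Models the documented merge
# rules so that an administrator can see replacements and downgrades before
# deploying. Data shapes below are constructed, not OAC's real format.
# Requires PowerShell 3.0 or later (for -notin).

function Merge-OacMachineSettings {
    param(
        [Parameter(Mandatory)][hashtable]$Current,
        [Parameter(Mandatory)][hashtable]$Update
    )
    $result = @{}
    $report = New-Object System.Collections.Generic.List[string]

    # Networks, Profiles and InfranetControllers: a matching key replaces the
    # whole current entry, so every changed field is reported, weaker or not.
    foreach ($cat in 'Networks', 'Profiles', 'InfranetControllers') {
        $merged = @{}
        foreach ($k in @($Current[$cat].Keys)) { $merged[$k] = $Current[$cat][$k] }
        foreach ($k in @($Update[$cat].Keys)) {
            if ($merged.ContainsKey($k)) {
                foreach ($field in @($Update[$cat][$k].Keys)) {
                    $old = $merged[$k][$field]
                    $new = $Update[$cat][$k][$field]
                    if ($old -ne $new) { $report.Add("$cat/${k}: $field '$old' -> '$new'") }
                }
                $report.Add("$cat/$k replaced")
            } else {
                $report.Add("$cat/$k added")
            }
            $merged[$k] = $Update[$cat][$k]
        }
        $result[$cat] = $merged
    }

    # Auto-scan lists: a matching name is merged, not replaced. Existing
    # entries keep their order; networks new to the list go to the bottom.
    $lists = @{}
    foreach ($k in @($Current.AutoScanLists.Keys)) { $lists[$k] = @($Current.AutoScanLists[$k]) }
    foreach ($k in @($Update.AutoScanLists.Keys)) {
        if ($lists.ContainsKey($k)) {
            $appended  = @($Update.AutoScanLists[$k] | Where-Object { $_ -notin $lists[$k] })
            $lists[$k] = @($lists[$k]) + $appended
            $report.Add("AutoScanLists/$k merged, appended: $($appended -join ', ')")
        } else {
            $lists[$k] = @($Update.AutoScanLists[$k])
            $report.Add("AutoScanLists/$k added")
        }
    }
    $result.AutoScanLists = $lists
    [pscustomobject]@{ Merged = $result; Report = $report }
}

# Constructed sample: the update quietly moves the corporate network from AES
# to TKIP, adds a profile and an Infranet Controller, and extends a scan list.
$current = @{
    Networks            = @{ 'Corporate corp' = @{ Encryption = 'AES'; Profile = 'corp-peap' } }
    Profiles            = @{ 'corp-peap' = @{ Auth = 'PEAP' } }
    InfranetControllers = @{}
    AutoScanLists       = @{ 'Office' = @('Corporate corp', 'Guest guest') }
}
$update = @{
    Networks            = @{ 'Corporate corp' = @{ Encryption = 'TKIP'; Profile = 'corp-peap' } }
    Profiles            = @{ 'corp-tls' = @{ Auth = 'EAP-TLS' } }
    InfranetControllers = @{ 'ic1' = @{ Host = 'ic1.example.net' } }
    AutoScanLists       = @{ 'Office' = @('Lab lab', 'Corporate corp') }
}
$preview = Merge-OacMachineSettings -Current $current -Update $update
$preview.Report    # includes "Networks/Corporate corp: Encryption 'AES' -> 'TKIP'"
```

The report line for the encryption change is the one to look for: under these rules a settings update replaces the whole network entry, so a template that was built on a machine still using TKIP will downgrade every target that had moved to AES. The merged Office list comes out as Corporate corp, Guest guest, Lab lab, with the existing Guest entry preserved, as the guide describes for matching auto-scan lists.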


Chapter 9

Using PAC Manager

Use this tool to manage (view or delete) Protected Access Credentials (PACs) for EAP-FAST.

Protected Access Credentials (PACs) are used to perform mutual authentication with an ACS (Secure Access Control Server) authentication server during EAP-FAST authentication. PACs have a randomly generated encryption key to set up a TLS tunnel and are used instead of certificates.

Consult your ACS documentation for discussions of Protected Access Credentials and how they are created and provisioned on the server.

Refreshing the PAC Manager Display

To update the display for a selected PAC listing, select Refresh.

Deleting a PAC

To delete one or more selected PACs from the list, select Delete.

Exiting from the PAC Manager 

To exit from the PAC Manager tool, select Close.


Chapter 10

Sample Administrative Workflows

This chapter presents common administrative tasks and provides the workflow steps for accomplishing them. These tasks require familiarity with the OAC Manager and the Odyssey Access Client Administrator.

Configuring Single Sign On for TTLS or PEAP

Connecting prior to Windows login can be helpful when users have start-up processes that require network connections. You can configure OAC for EAP-TTLS or PEAP authentication prior to Windows login using the Odyssey Access Client Administrator and the OAC GINA module. Use the OAC GINA module to enable Windows users to connect to the network using Windows login credentials before login.

Prerequisites

You must have installed (and know the name of) the Certificate Authority (CA) certificate that is used for server validation. The certificate must be installed in the trusted root certificate store on the local machine.

To configure OAC for prior to Windows login connections:

1. Create the network configuration with the Initial Settings tool.

2. Set up a user account and GINA connection settings using Connection Settings.

3. Test the connection settings and update any configuration settings in the Initial Settings tool and/or Connection Settings as necessary.

NOTE: You cannot use this feature without installing the OAC GINA module.


 Setting Up a Prior to Windows Login Configuration Using GINA

Before you can complete the connection settings for prior to Windows login, you must first define the network configuration in the Initial Settings tool.

The network configuration steps are identical to those for OAC Manager:

1. Set up an adapter.

2. Create a profile. Leave the login name blank when you create a profile for use with GINA.

3. Add a network.

4. Set up a trusted server certificate.

5. Connect to the network.

See the Odyssey Access Client User Guide for instructions for each of these steps.

 Specifying User Account Connection Settings and Installing OAC GINA

To configure the Connection Settings and install Odyssey GINA:

1. Open the Connection Settings in Odyssey Client Administrator.

2. Select the GINA tab and select Install Odyssey GINA Module. If the GINA module is already installed, skip this step.

3. Select the User Account tab and select prior to Windows login, using the following settings.

4. Select OK after you complete the configuration settings.

If you require authentication at machine startup time, you can configure machine account settings to have users connect to the network using the machine account at machine startup time and then drop that connection to connect to the network with user credentials prior to Windows login. In this case, configure machine account settings on the Machine Account tab of Connection Settings before you select OK.

If you intend to use OAC for single sign on authentication to an external database other than Windows, select Prompt before connecting to the network before you select OK to close Connection Settings.

Testing Prior to Windows Login Settings

To test prior to Windows login settings:

1. Select Commands > Reload and Test Initial Settings.

2. Open OAC Manager.

3. Select the connection status on the Connection dialog.

4. Modify any settings in the Initial Settings or Connection Settings tool and re-test as necessary from the Initial Settings tool.

Chapter 10: Sample Administrative Workflows

Configuring Required FIPS Mode Connections (FE Only)

If your enterprise network is FIPS-compliant, you can require that all connections to your enterprise network use OAC FIPS mode.

Follow this procedure to secure required FIPS mode connections to your network:

1. Configure FIPS mode connections that are authenticated with machine or user credentials (or first machine, and then user credentials):

a. Follow the instructions in the Initial Settings tool to configure FIPS-compliant connections that the user sets through user credentials. Remember to select FIPS mode required for the FIPS-compliant network descriptions that you create.

b. Follow the instructions in the Machine Account tool to configure FIPS-compliant connections for the machine using machine credentials. Remember to select FIPS mode required for the FIPS-compliant network descriptions you create.

2. Configure the connection settings in the Connection Settings tool using one of the following procedures:

a. “Configuring Single Sign On for TTLS or PEAP” on page 67

b. “Configuring Machine Connections that Switch to User Connections” on page 13

3. Lock the FIPS-compliant networks that you create in Step 1 under the Networks category in the Merge Rules tool. In addition, lock FIPS Mode On under the Other category in the Merge Rules tool. See “Use Cases for Merge Rules” on page 41 for more information.

4. Create a custom installer or settings update file with these custom configuration settings using Custom Installer. See “Preconfiguring OAC for a Group of Users” on page 61.

5. Distribute the custom installer files to computers on which you have not yet installed the FIPS Edition of OAC. Use settings update files for computers on which the FIPS Edition of OAC is installed.

Appendix A

Glossary

A

AAA—Authentication, Authorization, and Accounting.

Access Control List (ACL)—A listing of users and their associated access rights. Used to implement discretionary and/or mandatory access control between subjects and objects.

Accounting—Tracking users’ access to resources primarily for billing purposes. See also AAA.

Advanced Encryption Standard (AES)—Standard approved by NIST for the next 20-30 years of use.

Advanced Research Projects Agency (ARPA)—An agency of the US Department of Defense that promotes exploratory research in areas that carry long-term promise for military applications. ARPA funded the major packet-switching experiments in the US that led to the formation of the Internet.

Algorithm—A set of sequenced steps that are repeated each time. In encryption, the algorithm is used to define how the encryption is applied to the data.

Alias—An assumed name (dummy) mail address that routes messages to all real addresses associated with the assumed name.

American National Standards Institute (ANSI)—Represents the US in the ISO. A private standards body that develops, endorses, and publishes industry standards.

Application programming interface (API)—Provides means to take advantage of software features.

ARP—Acronym for Address Resolution Protocol.

ASCII—American Standard Code for Information Exchange. ASCII is a code to represent letters, numerals, punctuation marks, and control signals as seven-bit groups. It is used as a standard code for the transmission of data.

Association—The method by which a client establishes a relationship with an access point.

Certificate Authority (CA)—An online system that issues, distributes, and maintains currency information about digital certificates. Abbreviated as CA.

Certificate policy—A statement that governs the use of digital certificates.

Certificate revocation—The act of invalidating a digital certificate.

Certificate revocation list (CRL)—A list generated by a CA that enumerates digital certificates that are no longer valid and the reason they are no longer valid.

Certificate suspension—The act of temporarily invalidating a certificate while its validity is being verified.

Challenge Handshake Authentication Protocol (CHAP)—A session-based two-way password authentication scheme. Widely used authentication method in which a hashed version of a user’s password is transmitted during the authentication process (instead of passing the password itself). Using CHAP, a remote access device transmits a challenge string, to which the client responds with a message digest (MD5) hash based on the challenge string and the user’s password. Upon receipt, the remote access device repeats the same calculation and compares the value sent to that value; if the values match, the client credentials are deemed authentic.
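The exchange the CHAP entry describes, as an added example that is not part of this guide or of Juniper's product: both sides of a minimal CHAP round trip in Python. The RFC 1994 MD5 response form, the class names, and the sample user names and passwords are assumptions, not anything the guide specifies.

```python
"""CHAP challenge/response with both sides modelled.

Added illustration, not code from the OAC guide or the Juniper product.
The response is the MD5 form of RFC 1994 (an assumption; the glossary entry
does not name the RFC):  digest = MD5(identifier octet || secret || challenge).
User names and passwords are constructed sample values.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Challenge:
    identifier: int   # one-octet id that ties a response to its challenge
    value: bytes      # random challenge string chosen by the authenticator


@dataclass(frozen=True)
class Response:
    identifier: int
    digest: bytes     # 16-byte MD5 message digest; the password itself is not sent
    name: str         # user name, carried in the clear like the challenge


def md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """The calculation both ends perform: MD5 over id octet, secret, challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class RemoteAccessDevice:
    """Authenticator side: issues a fresh challenge, then checks the reply."""

    def __init__(self, user_db: Dict[str, bytes]) -> None:
        self._user_db = user_db              # CHAP needs the plaintext secret on file
        self._outstanding: Dict[int, bytes] = {}
        self._next_id = 0

    def challenge(self) -> Challenge:
        self._next_id = (self._next_id + 1) & 0xFF
        value = secrets.token_bytes(16)      # new random string for every attempt
        self._outstanding[self._next_id] = value
        return Challenge(self._next_id, value)

    def verify(self, resp: Response) -> bool:
        # The challenge is consumed on first use, so a captured response that is
        # replayed later fails even though its digest was once correct.
        challenge = self._outstanding.pop(resp.identifier, None)
        secret = self._user_db.get(resp.name)
        if challenge is None or secret is None:
            return False
        expected = md5_response(resp.identifier, secret, challenge)
        return hmac.compare_digest(expected, resp.digest)   # constant-time compare


class Client:
    """Peer being authenticated: knows the password but never transmits it."""

    def __init__(self, name: str, password: bytes) -> None:
        self._name = name
        self._password = password

    def respond(self, ch: Challenge) -> Response:
        digest = md5_response(ch.identifier, self._password, ch.value)
        return Response(ch.identifier, digest, self._name)


def run_exchange(client: Client, device: RemoteAccessDevice) -> bool:
    """One round trip: challenge out, response back, authenticator's verdict."""
    return device.verify(client.respond(device.challenge()))


if __name__ == "__main__":
    nas = RemoteAccessDevice({"alice": b"correct-horse"})
    print("right password:", run_exchange(Client("alice", b"correct-horse"), nas))
    print("wrong password:", run_exchange(Client("alice", b"batterystaple"), nas))
```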

Cipher—A method of encrypting text. The term is also used to refer to an encrypted message (although the term cipher text is preferred). Any cryptographic system in which arbitrary symbols or groups of symbols represent units of plaintext or in which units of plaintext are rearranged, or both.

Clear text—Characters in a human-readable form or bits in a machine-readable form. Also called plaintext.

COMSEC—Communications security.

Compliance—In a UAC network, compliance means that the user and endpoint computer meet network authentication and security requirements and are, therefore, allowed to access protected resources on the network.

Cookie—A file or token of sorts passed from the Web server to the Web client (your browser) that is used to identify you and could record personal information such as ID and password, mailing address, credit card number, and so on. Also called HTTP cookie.

Credentials—Information passed from one entity to another and used to establish the sending entity’s access rights—commonly a user name and a password.

Cross certification—When two or more Certificate Authorities choose to trust one another and issue credentials on each other’s behalf.

Cryptographic module—Any combination of hardware, firmware, or software that implements cryptographic functions such as encryption, decryption, digital signatures, authentication techniques, and random number generation.

Encryption hash—A method in which a selection of data is mixed into a section of data based on an algorithm. The result is called a hashed value.

Encryption keys—A sequence of characters that an encryption algorithm uses to make plain text unreadable unless you share the same encryption key needed to decode the encrypted message.

Extensible Authentication Protocol (EAP)—An IETF standard that provides for mutual authentication between a client and an AAA authentication server.

EAP-JUAC—JUAC is an EAP authentication protocol specific to Juniper Unified Access Control networks and is required when connecting to a Juniper Infranet Controller.

EAP-LEAP—Cisco Wireless. With LEAP, mutual authentication relies on a shared secret and the user's login password, which is known by the client and the network.

EAP-TLS—Uses digital certificates for both user and server authentication and supports the three key elements of 802.1X/EAP.

EAP-TTLS—Tunneled Transport Layer Security extends the authentication negotiation by using the secure connection established by the TLS handshake to exchange additional information between client and server.

EAP-PEAP—Uses a digital certificate for server authentication. For user authentication, PEAP supports various EAP-encapsulated methods within a protected TLS tunnel. PEAP supports the three main elements of 802.1X/EAP.

Endpoint—An endpoint refers to the computer (desktop, laptop, or other mobile wireless computing device) that you use to access resources on a network.

Extensible Markup Language (XML)—Like HTML, this flexible markup language is based on standards from the World Wide Web Consortium. XML can be used to generate standard or fully customized content-rich Web pages, documents, and applications.

Extranet—A special internetwork architecture wherein a company’s or organization’s external partners and customers are granted access to some parts of its intranet and the services it provides in a secure, controlled fashion.

F

False negative—False negative acknowledgements of intrusion in an intrusion detection system, which means an intrusion has occurred but the IDS discarded relative events or traces as false signals.

False positive—False affirmative acknowledgment of intrusion, which means intrusion detection has incorrectly identified certain events or traces as signaling an attack or intrusion when no such attack or intrusion is underway. Thus a false positive is a false alarm.

FIPS—Federal Information Processing Standards. Created for the evaluation of cryptographic modules.

Firewall—A hardware device or software application designed to filter incoming or outgoing traffic based on predefined rules and patterns. Firewalls can filter traffic based on protocol uses, source or destination address, and port addresses and can even apply state-based rules to block unwanted activities or transactions.

G

Granularity—The relative fineness to which an access control mechanism can be adjusted.

H

Hash value—The resultant output of data generated from an encryption hash when applied to a specific set of data. If computed and passed as part of an incoming message and then recomputed upon message receipt, a hash value can be used to verify the authenticity of the received data if the two hash values match.

Hashing—A methodology used to calculate a short, secret value from a data set of any size (usually for an entire message or for individual transmission units). This secret value is recalculated independently on the receiving end and compared to the submitted value to verify the sender’s identity.

Host Checker—A software component of OAC that checks your computer for compliance with the security policies that your Infranet Controller administrator specifies. Examples of compliance might be that you have the correct antivirus software version and security setting or that you have the latest operating system patch level installed.

Host Enforcer—A software component of OAC that protects your computer from attacks from other computers by allowing only the incoming and outgoing traffic that your Infranet Controller administrator specifies for your assigned role. (A role defines settings for your user account, such as which resources you can access.)

Hotspot—A wireless access zone that can be used for public or private network access.

HTML—Hypertext Markup Language.

HTTP—Hypertext Transfer Protocol. Used by WWW servers and clients to exchange hypertext data.

I

IEEE—Abbreviation for the Institute of Electrical and Electronics Engineers.

Infranet Controller—A server that verifies your identity and your computer’s compliance with security requirements before allowing you to access protected resources.

Infranet Enforcer—A Juniper Networks security device that operates with the Infranet Controller to enforce security policies. The Infranet Enforcer is deployed in front of the servers and protected resources.

Integrity—A monitoring and management system that performs integrity checks and protects systems from unauthorized modifications to data, systems, and application files. Normally, performing such checks requires access to a prior scan or original versions of the various files involved.

Internet—The global set of networks interconnected using TCP/IP.

Internet Key Exchange—A method used in the IPsec protocol suite for public key exchange, security association parameter negotiation, identification, and authentication.

Intranet—A portion of the information technology infrastructure that belongs to and is controlled by the company in question.

Intrusion Detection System (IDS)—A sophisticated software or hardware network protection system designed to detect attacks in progress, but not prevent potential attacks from occurring.

IP—Abbreviation for Internet Protocol. A protocol that moves packets of data from node to node. Works above layer 3 (network) of the OSI reference model.

IP address—The standard way to identify a computer connected to the Internet. Each IP address consists of 8 octets expressed as 4 numbers between 0 and 255 separated by periods. For example: 129.86.8.1.

IP Security (IPsec)—Used for encryption of TCP/IP traffic, IP Security provides security extensions to the version of TCP/IP known as IPv4. IPsec defines mechanisms to negotiate encryption between pairs of hosts that want to communicate with one another at the IP layer and can therefore handle all host-to-host traffic between pairs of machines. In a UAC network, access to protected resources behind an Infranet Enforcer can be configured to use IPsec to encrypt data. For details about using IPsec in a UAC network, refer to the UAC Administration Guide.

ISDN—Abbreviation for Integrated Services Digital Network. A network that supports transmission of voice, data, and image-based communications in an integrated form.

ISP—Internet Service Provider.

IT—Information technology.

K

Kerberos—A trusted third-party authentication protocol developed at MIT. Takes its name from the 3-headed beast that guards the gates of hell in Greek mythology. Currently a default security setting for Microsoft.

Key—A sequence of symbols that, when used with a cryptographic algorithm, enables encryption and decryption. The security of the cryptographic system is dependent on the security of the key itself.

Key exchange—A technique in which a pair of keys is generated and then exchanged between 2 systems (typically a client and a server) over a network connection to allow a secure connection to be established between them.

Key Pair—A public key and its corresponding private key as used in public key cryptography.

Key recovery—A mechanism for determining the key used to encrypt some data.

L

Layer 2 Tunneling Protocol (L2TP)—A technology used with VPN to establish a communication tunnel between communicating parties over insecure media. L2TP permits a single logical connection to transport multiple protocols between a pair of hosts. L2TP is a member of the TCP/IP protocol suite and is defined in RFC 2661.

Lightweight Directory Access Protocol (LDAP)—A TCP/IP protocol that enables client systems to access directory services and related data. LDAP is defined in RFCs 1777 and 2559.

Local Area Network (LAN)—A network that consists of a single type of data link and that can reside entirely within a physically protected area.

M

Man-in-the-Middle—An attack in which a hacker attempts to intercept data in a network stream and then inserts their own data into the communications with the goal of disrupting or taking over communications.

Mandatory Access Control (MAC)—A centralized security method that does not allow users to change permissions on objects.

MD4—Message digest algorithm 4.

MD5—Message digest algorithm 5.

Message digest—A unique snapshot image of data that can be used for later comparisons. Change a single character in the message and the message will have a different message digest. Also called a hash code.

Multifactor authentication—An authentication process that uses more than one authentication method to establish a user’s identity. (RSA SecurID is a multifactor authentication method with a PIN and passcode required for authentication.)

N

Network—An organization of stations capable of intercommunications serviced by a single switching or processing station.

Network Address Translation (NAT)—TCP/IP protocol technology that maps internal IP addresses to one or more external IP addresses through the use of a NAT server. NAT enables conservation of public IP address space by mapping private IP addresses used in an internal LAN to one or more external public IP addresses to communicate with the external world. NAT also provides address-hiding services, so that NAT adds both security and simplicity to network addressing.

Network Intrusion Detection Systems—An IDS system that monitors traffic and activity on one or more network segments.

Node—A point of concentrated communications; a central point of communications.

Nonrepudiation—The condition when a receiver knows or has assurance that the sender of some data did in fact send the data, even though the sender later might want to deny ever having sent the data.

O

OSI—Abbreviation for Open Systems Interconnection. Usually refers to the 7-layered protocol model for the exchange of information between open systems. The 7 layers in order are physical, data-link, network, transport, session, presentation, and application.

P

Packet—A sequence of data and control characters (binary digits) in a specified format that is switched/transferred as a whole.

PAP—Acronym for Password Authentication Protocol. An authentication protocol that enables PPP peers to authenticate one another; it does not prevent unauthorized access but merely identifies the remote end.

PCMCIA card—A credit-card-size memory or PC card that meets the PC Card Standard developed jointly by the Personal Computer Memory Card International Association (PCMCIA) and the Japan Electronic Industry Development Association (JEIDA).

PKCS—Abbreviation for Public Key Cryptography Standard. A set of standards for public key cryptography developed in cooperation with an informal consortium (Apple, DEC, Lotus, Microsoft, MIT, RSA, and Sun) that includes algorithm-specific and algorithm-independent implementation standards.

Point-to-Point Tunneling Protocol (PPTP)—A TCP/IP technology used to create virtual private networks or remote access links between sites or for remote access. PPTP is the work of a vendor group that includes Microsoft, 3Com, and Copper Mountain Networks. It is generally regarded as less secure than L2TP and is used less frequently for that reason.

Policy—A broad statement of views and position. A policy states high-level intent with respect to a specific area of security and is more properly called a security policy.

Port number—A number carried in Internet transport protocols to identify which service or program is supposed to receive an incoming packet. For example, Web services use port 80, email uses port 25, and RADIUS uses either ports 1648-1649 or 1811-1812.

Pretty Good Privacy (PGP)—A shareware encryption technology for communication that uses both public and private encryption technology to speed up encryption without compromising security.

Private key—A piece of data generated by an asymmetric algorithm that’s used by the host to decrypt data encrypted with a corresponding public key. This technique makes digital signatures and nonrepudiation possible.

Protocol—The procedures that two or more computer systems use so they can communicate with each other.

Proxy—A facility that indirectly provides some service for another facility.

Public branch exchange (PBX)—A telephone switch used on a company’s or organization’s premises to create a local telephone network.

Public key—A key used in public key cryptography that belongs to an individual entity and is distributed publicly. Others can use this key to encrypt data that only the key’s owner can decrypt.

Public Key Infrastructure (PKI)—The framework established to issue, maintain, and revoke public key X.509 certificates.

R

RC4—Rivest cipher 4.

RC5—Rivest cipher 5.

Remediation—Remediation is the process of bringing an endpoint (computer) into compliance with an organization’s security policies.

Remote Authentication Dial-in User Services (RADIUS)—An Internet protocol described in RFC 2138 used for remote access services. It conveys user authentication and configuration data between a centralized authentication server and a remote access device to permit the remote access device to authenticate requests to use its network access ports. Users present the remote access device with credentials, which are in turn passed to the RADIUS server for authentication.

Remote monitoring (RMON)—An Internet protocol that extends the Simple Network Management Protocol (SNMP) functionality to include messages about and techniques for exchanging data between network systems and devices and a centralized network management application.

Role—A role defines settings for your user account, such as which resources you can access.

Router—An internetworking switch operating at OSI level 3 (network layer) that connects multiple network segments and routes packets between them. Routers also split broadcast domains.

RSA—Refers to the principals Ron Rivest, Adi Shamir, and Len Adleman. The RSA algorithm is used in cryptography and is based on the fact that it is easy to multiply two large prime numbers together, but hard to factor them out of the product.

S

Secure channel—A means of conveying information from one entity to another such that an adversary does not have the ability to reorder, delete, insert, or read. (Examples are SSL and IPsec.)

Secure Hypertext Transfer Protocol (HTTPS)—An Internet protocol that encrypts individual messages used for Web communications rather than establishing a secure channel, as in SSL.

Secure Multipurpose Internet Mail Extensions (S/MIME)—An Internet protocol governed by RFC 2633 and used to secure email communications through encryption and digital signatures for authentication.

Secure Shell (SSH)—A protocol designed to support secure remote login, along with secure access to other services across an insecure network. SSH includes a secure transport layer protocol that provides server authentication, confidentiality, and integrity, along with a user authentication protocol and a connection protocol that runs on top of the user authentication protocol.

Secure Sockets Layer (SSL)—An Internet protocol originally created by Netscape Corp. that uses connection-oriented, end-to-end encryption to ensure that client/server communications are confidential and meet integrity constraints. SSL operates between the HTTP application layer protocol and a reliable transport layer protocol (usually TCP).

SHA, SHA-1—Secure Hash Algorithm. SHA-1 is considered more secure.

Simple Network Management Protocol (SNMP)—A UDP-based application layer Internet protocol used for network management. SNMP is governed by RFCs 2570 and 2574.

Single sign on (SSO)—The concept or process of using a single login authority to grant users access to resources on a network regardless of what operating system or application is used to make or handle a request for access. The concept behind the term is that users need to authenticate only once but can then access any resources available on a network.

Smart card—A credit-card-sized device that contains an embedded chip. On this chip, varying and multiple types of data can be stored, such as a driver’s license number, medical information, passwords or other authentication data, and even bank account data.

Spoofing—A technique for generating network traffic that contains a different source address from that of the machine actually generating the traffic. It foils identification of the true source.

Switch—A hardware device that manages multiple, simultaneous pairs of connections between communicating systems.

Symmetric encryption—An encryption technique in which a single encryption key is generated and used to encrypt data.

T

TACACS+—An enhanced version of Terminal Access Controller Access Control System. TACACS+ is a TCP-based authentication and access control Internet protocol governed by RFC 1492.

TCP—Abbreviation for Transmission Control Protocol. Verifies correct delivery of data from client to server; uses virtual circuit routing. Occupies layer 4 of the OSI reference model.

TCP/IP—Abbreviation for Transmission Control Protocol/Internet Protocol.

Token—A hardware- or software-based system for authentication wherein two or more sets of matched devices or software generate matching random passwords with a high degree of complexity.

Transport Layer Security (TLS)—An end-to-end encryption protocol originally specified in ISO standard 10736 that provides security services as part of the transport layer in a protocol stack. TLS refers to an Internet protocol defined also in RFC 2246. TLS is based on and similar to SSL v3.0; it is really misnamed because it operates at the application layer, not the transport layer.

Tunnel—A secure virtual connection through the Internet.

U

Unified Access Control (UAC)—An IP-based enterprise infrastructure that coordinates network, application, and endpoint intelligence and provides the control required to support network applications, manage network use, and reduce threats.

UDP—Abbreviation for User Datagram Protocol.

V

Validation—The process of applying specialized security test and evaluation procedures, tools, and equipment needed to establish acceptance for joint usage of an IS by one or more departments or agencies and their contractors.

Virtual Local Area Network (VLAN)—A software technology that enables grouping of network nodes connected to one or more network switches into a single logical network.

Virtual Private Network (VPN)—A private network built atop a public network. Hosts within the private network use encryption to talk to other hosts.

Vulnerability—A weakness in hardware or software that can be used to gain unauthorized or unwanted access to or information from a network or computer.

W

Wired Equivalent Privacy (WEP)—A security protocol used in 802.11 wireless networking, WEP is designed to provide security equivalent to that found in regular wired networks. This is achieved by using basic symmetric encryption to protect data sent over wireless connections, so that sniffing of wireless transmissions does not produce readable data and so drive-by attackers cannot access a wireless LAN without additional efforts and attacks.

WPA—Protocol enhancing the service and security offering delivered in WEP and basic 802.11. Includes support for TKIP and MIC encryption, an interim step toward supporting a true cryptographic algorithm such as AES.

WPA2 (or 802.11i)—Recently ratified protocol enhancing the service and security offering delivered in WEP and 802.11. Includes support for 128-bit AES encryption and support for access point pre-authentication fast roaming capability.

WLAN—Wireless Local Area Network.

Wireless Transport Layer Security (WTLS)—A security level for applications based on the Wireless Application Protocol (WAP). WTLS is based on Transport Layer Security (TLS) but has been modified to work with the low-bandwidth, high-latency, and limited-processing capabilities found in many wireless networking implementations.

X

X.509 digital certificate—A digital certificate that uniquely identifies a potential communications party or participant. An X.509 certificate includes a party’s name and public key, but it can also include organization affiliation, service or access restriction, and a host of other access and security related information.

Index

A

Active Directory
    machine account, 33
administrative tools
    overview, 4
alternate adapter
    wired 802.1X, 10
alternate settings
    edit, 10
authentication
    certificate-based, 10
    flow of events, 2
    Layer 2, 2
    Layer 3, 2
    no machine logon, 20
    password-based, 10
auto-scan list
    add with script, 53
    hide, 45
    lock, 45
autoscript
    creating, 50
    delivery, 55

C

certificate
    automatic selection for machine account, 33
    CA for machine account, 33
    machine account, 33
    scripting, 51
    smart card
        with GINA, 17
client updates, 63
command-line
    export scripts, 56
    scripts from, 56
compatibility
    GINA, 15
configuration
    alternate, 10
    client update, 63
    custom
        installer, creating, 59
    deploy settings, 42
    lock settings, 42
    machine connection, 31
    machine name, 33
    new users only, 42
    planning, 2
    push, 63
    remove settings, 49
    replace settings, 42
    restrictions
        set, 37
    set or replace settings, 49
    testing settings, 28
connection
    control Windows logon timing, 9
    settings
        GINA requirement, 9
    test, 28
    without machine logon, 20
Connection Settings
    overview, 7
    uses, 4
constraints
    user, 37
create script, 50
credentials
    machine, 33
Custom Installer
    administrative tools, 59
    settings update file, 63
    uses, 6, 59

D

defaults
    set for initial users, 21
deploy
    configuration update, 59
    license update, 59
    new configuration, 59
disable
    configuration options, 35
    features, 37
domain password
    machine, 33

E

EAP methods
    for machine credentials, 34
EAP-FAST options
    for machine account, 33
export
    command line, 56
    license key, 60
    restrictions, 35
    scripts, 56


F

FIPS mode
    configuration, 69
    lock, 47

G

GINA
    compatibility with other products, 15
    install, 14, 15
    Novell Client credentials, 15
    overview, 8, 14
    remove, 15
    with smart cards, 16
Graphical Identification and Authentication
    See GINA

I

import scripts
    command-line, 56
Infranet Controller
    lock, 42, 46
initial configuration
    machine requirement, 19
Initial Settings
    administrative tools, 21
    and custom installer, 22
    and Merge Rules, 19
    options, 10
    overview, 19
    uses, 5
install
    GINA, 14
    silent, 60
installer
    create and customize, 59
    new file, 60
    update file, 60

L

license keys
    OAC editions, vii
    remove from help menu, 38
lock
    auto-scan list, 45
    features
        Merge Rules, 43
    FIPS mode setting, 47
    Infranet Controller, 46
    network, 44
    OAC features, 35
    profile, 43
    trusted servers, 46
    Windows logon setting, 47
logon
    capture credentials, 14
    configure default name, 26
    custom name, 27
    Windows
        compatibility with other modules, 21
        configuration notes, 25
        features, 21
        override defaults, 25
        trust, setting, 25

M

machine account
    administrative tools, 31
    certificates, 33
    connection
        before user logon, 13
        without user logon, 13
    connection settings, 11, 32
    connections
        configuring, 31
    credentials, 33
    domain password, 33
    enable, 32
    overview, 31
    password credentials, 33
    restrictions, 33
    test connection, 28
    uses, 31
Machine Accounts
    uses, 5
machine name
    configuration, 33
machine-level connection
    purpose, 8
    settings, 11
    timing, 8
Merge Rules
    custom installers, 62
    for auto-scan lists, 45
    for EAP-FAST options, 46
    for Infranet Controllers, 46
    for networks, 44
    for profiles, 44
    for security options, 46
    for trusted servers, 46
    for wireless suppression, 46
    overview, 41
    periodic updates, 41
    set, 43
    settings, 42
    use cases, 41
    uses, 5, 43

N

network
    add or replace with script, 52
    disable ad-hoc, 38
    disable any, 38
    enable automatic connection, 49
    lock or restrict, 44
    machine authentication, 11
    remove with script, 52
    scripts, 52
network connection


    before Windows logon, 9
    control timing of, 8
    earliest, 31
    machine and user, 13
    machine-level, 8
        options, 8
    machine-only, 13
    require prompt screen, 10
    set timing, 22
    timing options, 9
    user, without machine, 20
Novell Client for Windows
    compatibility with GINA, 15

O

odClientAdministrator.exe, 6
odyClientScriptAuto, 50
Odyssey Access Client Administrator
    disable, 38
Odyssey GINA, 14
OdysseyClient.msi, 60
online help, ix
override
    default connection settings, 25
    Windows logon, 10

P

PAC Manager
    uses, 6
password
    for machine account, 33
    machine, 33
permissions
    enable or disable, 37
    set user, 37
Permissions Editor
    option controls, 35
    uses, 5
preconfigured settings, 21
prior-to-Windows logon
    override, 10
product documentation, ix
profile
    activate with script, 51
    configure with scripts, 51
    restrict or lock, 43
prompt to connect
    options, 10
push
    configurations, 63

R

realm
    machine credentials, 33
release notes, ix
remove auto-scan list
    with script, 53
restrictions
    logon settings, 16
    OAC features, 35
    password, 17
    PIN prompt, 17
    remove, 38
    token, 17
    user account settings, 17

S

save
    custom installer, 59
    scripts, 50
    settings update files, 63
script
    activate a profile, 51
    add auto-scan list, 53
    add or replace network, 52
    add or set profile, 51
    automatic, 50
    certificates, 51
    command-line, from, 56
    data format, 49
    deliver files to users, 55
    destination file, 50
    directions, 55
    networks, 52
    profiles, 51
    remove auto-scan list, 53
    remove network, 52
    remove profile, 51
    save, 50
    SSIDs, removing, 54
Script Composer
    defined, 49
    options, 49
    uses, 6
settings
    initial user defaults, 21
    Merge Rules, 43
    predefined, 19
    update files, 63
silent
    install, 61
    script export, 56
Single sign-on, 4
SSID
    removing with scripts, 54

T

template
    custom installer, for, 59
test
    administrative settings, 28
    user connections, 28
trust
    machine account requirements, 33
trusted server
    override, 25
trusted servers
    lock, 46


    Merge Rules for, 46

U

update, 19
    connection settings, 49
    EAP-FAST settings, 49
    preemptive network setting, 49
    profile, 49
    scan list, 49
    security settings, 49
    trusted server settings, 49
    user configuration, 59, 63
    user licenses, 59
    Windows logon timing settings, 49
    wireless suppression setting, 49
upgrade
    custom installers for, 59
user account
    restricted options, 16
user-level connection
    manage timing of, 8
    options, 8
    settings, 9

V

VLAN
    for machine account, 32

W

Windows GINA
    compatibility with Odyssey GINA, 15
Windows logon
    configuration notes, 25
    delay, 14
    lock settings, 47
    override defaults, 25
    skip, 10
    timing options, 9
Windows logon settings, 22
wireless suppression
    Merge Rules for, 46