Configure Odyssey for smart card logon using a smart card certificate [KB10696]
SUMMARY:
Configure Odyssey for smart card logon using a smart card certificate


PROBLEM OR GOAL:
SOLUTION:
Overview
You can configure Odyssey Client for smart card logon using certificate credentials (EAP-TLS). You can use the smart
card configuration of Odyssey Client to perform GINA time authentication (prior to Windows logon) using EAP-TLS. You
can also configure profiles that use smart card certificates (and EAP-TLS) when your users have smart cards, while
password-based protocols are used when smart cards are not present at authentication time prior to Windows logon.


Before you begin

- In order to configure any mutually authenticating protocol such as EAP-TLS or EAP-TTLS, you must first install and configure the trusted server certificate for use with Odyssey Client. See KB10484.
- In order to configure certificate-based smart card authentication, you must have already installed and registered your smart card. You must also have exported a certificate to the smart card while it is installed on your Odyssey Client machine.
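Both prerequisites can be checked on the client machine before any profile is built. The following PowerShell is an added example and is not part of this KB or of Odyssey Client. It assumes that Windows has propagated the smart card's certificate into the current user's personal store (Cert:\CurrentUser\My, which happens when the card is inserted and its CSP or minidriver is installed) and that the CA that issued the trusted server certificate is present in a Root store. It lists certificates that have a usable private key and the Client Authentication EKU that EAP-TLS requires, and flags whether each also carries the Smart Card Logon EKU and whether a trust chain can be built for it.

```powershell
# Added example, not from the Juniper KB: inventory the certificates a user could
# present for EAP-TLS smart card logon and flag the properties that matter.
# Assumption: the smart card certificate is visible in Cert:\CurrentUser\My.

$ClientAuthOid     = '1.3.6.1.5.5.7.3.2'       # Client Authentication EKU (needed for EAP-TLS)
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'  # Smart Card Logon EKU (needed for Windows smart card logon)

function Test-SmartCardLogonCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # EnhancedKeyUsageList is the PowerShell-extended view of the EKU extension.
    $ekus = @($Certificate.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $now  = Get-Date

    [pscustomobject]@{
        Subject          = $Certificate.Subject
        Thumbprint       = $Certificate.Thumbprint
        NotAfter         = $Certificate.NotAfter
        # True when the key container (on the card) is linked to this certificate.
        HasPrivateKey    = $Certificate.HasPrivateKey
        ClientAuth       = $ekus -contains $ClientAuthOid
        SmartCardLogon   = $ekus -contains $SmartCardLogonOid
        InValidityPeriod = ($Certificate.NotBefore -le $now) -and ($Certificate.NotAfter -ge $now)
        # Verify() builds a chain with default policy, including revocation checking;
        # it returns $false if the issuing CA is missing from the Root/CA stores.
        ChainBuilds      = $Certificate.Verify()
    }
}

# Report every personal certificate, then keep only those a profile could actually use.
Get-ChildItem -Path Cert:\CurrentUser\My |
    ForEach-Object { Test-SmartCardLogonCertificate -Certificate $_ } |
    Where-Object { $_.HasPrivateKey -and $_.ClientAuth -and $_.InValidityPeriod } |
    Format-Table Subject, Thumbprint, NotAfter, SmartCardLogon, ChainBuilds -AutoSize
```

If no row is returned, the card has not been registered with Windows or the certificate on it lacks the Client Authentication EKU, and the profiles below will have nothing to present. A row with ChainBuilds set to False usually means the issuing CA (the same CA that must be configured as the trusted server's issuer in Odyssey Client) is not installed, or revocation information could not be fetched on an offline machine; the latter is worth ruling out before changing any CA configuration.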


Create a profile for smart card authentication


You can configure Odyssey Client for smart card authentication in a number of ways:

- You can configure a profile for single-protocol authentication using EAP-TLS and the certificate from the smart card.
- You can configure a profile for single-protocol authentication using EAP-TTLS and the certificate from the smart card.
- You can optionally configure a profile for multiple-protocol authentication that uses either the smart card with its certificate and a certificate-based authentication method, or a password-based protocol such as EAP-TTLS, EAP-PEAP or EAP-FAST when the smart card is not used for authentication prior to Windows logon.
To create a profile for smart card EAP-TLS authentication with no other protocols, follow these steps:

1. Select the Profiles panel of Odyssey Client Manager (or Initial Settings in the Odyssey Client Administrator if you are configuring settings for first-time users or for a custom installer).
2. Click Add. Add Profile appears.
3. Type in a name for the profile and leave the login name blank.
4. Un-check Permit login using password on the Password tab of User Info.
5. Select the Certificate tab of User Info.
6. Check Permit login using my Certificate, and select Use the certificate from my Smart Card Reader. If you have more than one reader, select a specific reader from the list. Otherwise, leave the default reader (any reader) unchanged.
7. Select the Authentication tab.
8. Select EAP-TTLS from the list of protocols, and click Remove.
9. Click Add, select EAP-TLS to add it to the protocol list, and click OK to close the Add EAP Protocol dialog.
10. Leave all other settings unchanged, and click OK to save the profile.

To create a profile for smart card EAP-TTLS authentication using certificate-based authentication, follow these steps:

1. Select the Profiles panel of Odyssey Client Manager (or Initial Settings in the Odyssey Client Administrator if you are configuring settings for first-time users or for a custom installer).
2. Click Add. Add Profile appears.
3. Type in a name for the profile and leave the login name blank.
4. Un-check Permit login using password on the Password tab of User Info.
5. Select the Certificate tab of User Info.
6. Check Permit login using my Certificate, and select Use the certificate from my Smart Card Reader. If you have more than one reader, select a specific reader from the list. Otherwise, leave the default reader (any reader) unchanged.
7. Select TTLS Settings. Select Use only my certificate for authentication.
8. Leave all other settings unchanged, and click OK to save the profile.

To create a profile that negotiates either certificate-based smart card authentication or password-based EAP-TTLS (or other password-based) authentication prior to Windows logon, follow these steps:

1. Select the Profiles panel of Odyssey Client Manager (or Initial Settings in the Odyssey Client Administrator if you are configuring settings for first-time users or for a custom installer).
2. Click Add. Add Profile appears.
3. Type in a name for the profile, and type in the network login name.
4. Keep Permit login using password checked on the Password tab of User Info, and select a password option. If you select Prompt for password, you are prompted for the Windows password if you negotiate password-based authentication at logon.

   Note that if you select Use Windows password, you should have the GINA module installed, even if you do not use the profile for GINA time login. (Network administrators must do this.) See KB10659 for general information on GINA and on installing GINA; in particular, see GINA installation.
5. Select the Certificate tab of User Info.
6. Check Permit login using my Certificate, and select Use the certificate from my Smart Card Reader. If you have more than one reader, select a specific reader from the list. Otherwise, leave the default reader (any reader) unchanged.
7. Select the Authentication tab.
8. Click Add to add EAP-TLS to the list of authentication protocols. Select EAP-TLS, as well as any other password-based authentication protocol you require if you do not plan to use EAP-TTLS as your sole password-based authentication method. Click OK.
9. Reorder the protocols according to your preference. If you prefer to rely on smart card certificates for authentication, move EAP-TLS to the top of the list of authentication methods on the Authentication tab.
   Follow either of these procedures, depending on your choice of password-based protocol(s):
10. For EAP-TTLS password-based authentication, select TTLS Settings. Select and order any required inner protocols.
11. For EAP-PEAP password-based authentication, select PEAP Settings. Select and order any required inner protocols.

12. Click OK to save the profile.

Note: You are required to enter a login name for all password-based protocols (except when you are creating a GINA profile in Initial Settings of the Odyssey Client Administrator).
Configure Trusted Servers, Networks, Adapters, and Connection panels

See any of the following topics for specifics on configuring the Trusted Servers, Networks, Adapters, and Connection panels (follow step 1, and steps 3 - 5, in any of these notes):

- KB10663 for EAP-TTLS password-based authentication
- KB10662 for EAP-TLS authentication
- KB10661 for EAP-PEAP authentication
Notes on configuring Smart Card authentication at GINA time

To configure Smart Card authentication at GINA time, follow these steps:

1. Create a Smart Card profile (such as one of the four described above) in Initial Settings of the Odyssey Client Administrator. Leave the login name blank in each case, however.
2. Follow the steps for configuring the Trusted Servers, Networks, Adapters, and Connection panels, except configure these in Initial Settings of the Odyssey Client Administrator.
3. Follow the instructions for installing GINA and specifying connection settings in KB10659.
4. Test your connections according to KB10659.
5. Note the following behavior if you create a GINA profile that uses both smart card certificates and some password-based protocols:
   - If your users log into their client machines using the smart card PIN, then the certificate-based authentication is used, while all other profile protocols are ignored.
   - If your users log into their client machines using their Windows password, then the password-based protocols are used, and the smart card settings are ignored.

Connection time prompts

Note: Your users may be prompted for the Smart Card PIN at logon.

PURPOSE:
Troubleshooting

RELATED LINKS:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB10696&actp=search&vie... 29-09-2013