Configure Odyssey for smart card logon using a smart card certificate
[KB10696]
SUMMARY:
Configure Odyssey for smart card logon using a smart card certificate
PROBLEM OR GOAL:
SOLUTION:
Overview
You can configure Odyssey Client for smart card logon using certificate credentials (EAP-TLS). You can use the smart
card configuration of Odyssey Client to perform GINA time authentication (prior to Windows logon) using EAP-TLS. You
can also configure profiles that use smart card certificates (and EAP-TLS) when your users have smart cards, while
password-based protocols are used when smart cards are not present at authentication time prior to Windows logon.
1. Select the Profiles panel of Odyssey Client Manager (or Initial Settings in the Odyssey Client Administrator if you are configuring settings for first time users or for a custom installer).
2. Click Add. Add Profile appears.
3. Type in a name for the profile and leave the login name blank.
4. Un-check Permit login using password on the Password tab of User Info.
5. Select the Certificate tab of User Info.
6. Check Permit login using my Certificate, and select Use the certificate from my Smart Card Reader. If you have more than one reader, select a specific reader from the list. Otherwise, leave the default reader (any reader) unchanged.
7. Select the Authentication tab.
8. Select EAP-TTLS from the list of protocols, and click Remove.
9. Click Add, select EAP-TLS to add it to the protocol list, and click OK to close the Add EAP Protocol dialog.
10. Leave all other settings unchanged, and click OK to save the profile.
To create a profile for smart card EAP-TTLS authentication using certificate-based authentication, follow these steps:
1. Select the Profiles panel of Odyssey Client Manager (or Initial Settings in the Odyssey Client Administrator if you are configuring settings for first time users or for a custom installer).
2. Click Add. Add Profile appears.
3. Type in a name for the profile and leave the network login name blank.
4. Un-check Permit login using password on the Password tab of User Info.
5. Select the Certificate tab of User Info.
6. Check Permit login using my Certificate, and select Use the certificate from my Smart Card Reader. If you have more than one reader, select a specific reader from the list. Otherwise, leave the default reader (any reader) unchanged.
7. Select TTLS Settings. Select Use only my certificate for authentication.
8. Leave all other settings unchanged, and click OK to save the profile.
To create a profile that negotiates either certificate-based smart card authentication or password-based
EAP-TTLS (or other password-based) authentication prior to Windows logon, follow these steps:
1. Select the Profiles panel of Odyssey Client Manager (or Initial Settings in the Odyssey Client Administrator if you are configuring settings for first time users or for a custom installer).
2. Click Add. Add Profile appears.
3. Type in a name for the profile, and type in the network login name.
4. Keep Permit login using password checked on the Password tab of User Info, and select a password option.
   If you select Prompt for password, you are prompted for the Windows password if you negotiate password-based authentication at logon.
   Note that if you select Use Windows password, you should have the GINA module installed, even if you do not use the profile for GINA time login. (Network administrators must do this.) See KB10659 for general information on GINA, and installing GINA. In particular, see GINA installation.
5. Select the Certificate tab of User Info.
6. Check Permit login using my Certificate, and select Use the certificate from my smart card Reader.
7. If you have more than one reader, select a specific reader from the list. Otherwise, leave the default reader (any reader) unchanged.
8. Select the Authentication tab.
9. Click Add to add EAP-TLS to the list of authentication protocols. Select EAP-TLS, as well as any other password-based authentication protocol you require if you do not plan to use EAP-TTLS as your sole password-based authentication method. Click OK.
10. Reorder the protocols according to your preference. If you prefer to rely on smart card certificates for authentication, move EAP-TLS to the top of the list of authentication methods on the Authentication tab.
11. Follow either of these procedures depending on your choice of password-based protocol(s):
    For EAP-TTLS password-based authentication, select TTLS Settings. Select and order any required inner protocols.
    For EAP-PEAP password-based authentication, select PEAP Settings. Select and order any required inner protocols.
12. Note: You are required to enter a login name for all password-based protocols (except if you are creating a GINA profile in Initial Settings of the Odyssey Client Administrator).
Configure Trusted Servers, Networks, Adapters, and Connection panels
See any of the following topics for specifics on configuring Trusted Servers, Networks, Adapters, and the Connection
panels (follow step 1, and steps 3 - 5 in any of these notes):
KB10663 for EAP-TTLS password-based authentication
KB10662 for EAP-TLS authentication
KB10661 for EAP-PEAP authentication
Notes on configuring Smart Card authentication at GINA time
To configure Smart Card authentication at GINA time, follow these steps:
1. Create a Smart Card profile (such as one of the four described above) in Initial Settings of the Odyssey Client Administrator. Leave the login name blank in each case, however.
2. Follow the steps for configuring the Trusted Servers, Networks, Adapters, and the Connection panels, except configure these in Initial Settings of the Odyssey Client Administrator.
3. Follow the instructions for installing GINA and specifying connection settings in KB10659.
4. Test your connections according to KB10659.
5. Note the following behavior if you create a GINA profile that uses both smart card certificates and some password-based protocols:
   If your users log into their client machines using the smart card PIN, then the certificate-based authentication is used, while all other profile protocols are ignored.
   If your users log into their client machines using their Windows password, then the password-based protocols are used, and the smart card settings are ignored.
PURPOSE:
Troubleshooting
http://kb.juniper.net/InfoCenter/index?page=content&id=KB10696&actp=search&vie... 29-09-2013