The Odyssey Server verifies users against a central authority and supplies the keying material that 802.1X clients and APs use to encrypt wireless connections: the session key is derived during the EAP exchange, the client computes its copy locally, and the server delivers the AP's copy over RADIUS. It supports the EAP-TTLS, PEAP, EAP-TLS and LEAP methods for 802.1X authentication. The next version will add WPA2 (which uses AES-CCMP), EAP-FAST and EAP-SIM.
Odyssey Client runs on Windows 98/ME/2000/XP/Pocket PC and works with all major wireless cards, including those from Cisco Systems, Dell and IBM. The RADIUS server runs on Windows 2000/XP and is tailored to work with 802.1X-compliant APs.
Installation of the client and server is straightforward. Client deployment is made easy by a custom installation tool that also configures settings; updated files and customized configuration scripts can be pushed to remote clients. The interfaces and documentation are excellent.
Odyssey provides a range of client options through a well-designed GUI. Multiple profiles, each holding the authentication settings for a specific network, can be created from a base template so users can roam easily among wireless networks. A profile can include the login name, password and/or certificate, and the EAP methods by which the user may be authenticated. The client can also be configured to authenticate the computer itself, using a machine fingerprint (MAC address, known configuration and so on) rather than user credentials; this is useful when a computer must always be connected to the wireless network, such as a laptop on a hospital rolling cart.
Security managers can also lock down client settings. For example, they can prohibit peer-to-peer connections or disable specific authentication types, such as LEAP, whose MS-CHAP-based exchange is susceptible to offline dictionary attack.
Using a Cisco Aironet wireless card and AP, we connected to our wireless network after an initial failure that was unrelated to the Funk application. We were stymied at first because there are no client log files to use for troubleshooting connection attempts. (Funk says its next client release will have logging capabilities.) Funk's excellent tech support got us back in business.
Using EAP-TTLS, the server authenticated users against our Windows domain and Active Directory databases. Because EAP-TTLS carries the inner authentication inside a TLS tunnel, the Odyssey Server can proxy that inner request to other RADIUS servers, allowing authentication against token systems (e.g., RSA ACE), TACACS+, SQL/LDAP databases and Solaris NIS/NIS+.
Using multiple profiles, we also established EAP-TLS, PEAP and LEAP connections. For additional security, we configured the client for automatic reauthentication at set intervals, which distributes fresh keys to the client and AP, and enabled TLS session resumption so that each reauthentication is an abbreviated handshake rather than a full one.
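The key-delivery path this review relies on (the server computing the session key that the client and AP use, and periodic reauthentication with session resumption yielding fresh keys) can be seen end to end in the following Python. It is an added example written for this page, not Funk's own code or Odyssey's implementation. It implements the TLS 1.0/1.1 PRF, the EAP-TLS/PEAP and EAP-TTLS MSK derivations from RFC 5216 and RFC 5281, and the RFC 2548 MS-MPPE-Recv-Key wrapping that carries the first 32 bytes of the MSK (the PMK) from the RADIUS server to the AP under the RADIUS shared secret. The master secret, handshake randoms, shared secret, request authenticator and salt are constructed sample values, not captured from any product; servers of this vintage spoke TLS 1.0, whose PRF differs from the TLS 1.2 one.

```python
"""Added illustration for this review (not Odyssey's code): how an 802.1X/EAP
server derives the session key from the TLS handshake and hands the AP its
copy over RADIUS.  References: RFC 2246 (TLS 1.0 PRF), RFC 5216 (EAP-TLS
keying), RFC 5281 (EAP-TTLS keying), RFC 2548 (MS-MPPE key attributes)."""
import hashlib
import hmac


def p_hash(hash_name, secret, seed, length):
    """TLS P_hash data expansion (RFC 2246 section 5)."""
    out = b""
    a = hmac.new(secret, seed, hash_name).digest()                 # A(1)
    while len(out) < length:
        out += hmac.new(secret, a + seed, hash_name).digest()
        a = hmac.new(secret, a, hash_name).digest()                # A(i+1)
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5 over the first half of the secret XORed with
    P_SHA1 over the second half (halves share a byte when the length is odd)."""
    half = (len(secret) + 1) // 2
    md5_part = p_hash("md5", secret[:half], label + seed, length)
    sha_part = p_hash("sha1", secret[-half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


# PRF label each EAP method uses to turn the TLS master secret into EAP keys.
EAP_KEY_LABELS = {
    "EAP-TLS": b"client EAP encryption",   # RFC 5216 section 2.3
    "PEAP": b"client EAP encryption",      # PEAPv0 reuses the EAP-TLS label
    "EAP-TTLS": b"ttls keying material",   # RFC 5281 section 8
}


def eap_msk(method, master_secret, client_random, server_random):
    """64-byte Master Session Key.  Client and server compute it independently
    from their own TLS state; it is never sent over the air."""
    key_material = tls10_prf(master_secret, EAP_KEY_LABELS[method],
                             client_random + server_random, 128)
    return key_material[:64]               # bytes 64..127 would be the EMSK


def mppe_encrypt(shared_secret, request_auth, salt, key):
    """RFC 2548 MS-MPPE-*-Key wrapping: the key is XORed with an MD5 keystream
    chained from the RADIUS shared secret, the Request Authenticator and a salt."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be two bytes with the high bit set")
    plaintext = bytes([len(key)]) + key
    plaintext += b"\x00" * (-len(plaintext) % 16)   # pad to a 16-byte multiple
    out, prev = b"", request_auth + salt            # b(1) = MD5(S + R + A)
    for i in range(0, len(plaintext), 16):
        b = hashlib.md5(shared_secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(plaintext[i:i + 16], b))
        out, prev = out + c, c                      # b(i) = MD5(S + c(i-1))
    return salt + out


def mppe_decrypt(shared_secret, request_auth, value):
    """What the AP does with the attribute; inverse of mppe_encrypt."""
    salt, ciphertext = value[:2], value[2:]
    out, prev = b"", request_auth + salt
    for i in range(0, len(ciphertext), 16):
        c = ciphertext[i:i + 16]
        b = hashlib.md5(shared_secret + prev).digest()
        out, prev = out + bytes(x ^ y for x, y in zip(c, b)), c
    key_len = out[0]
    if key_len == 0 or key_len > len(out) - 1:
        raise ValueError("implausible key length: wrong shared secret?")
    return out[1:1 + key_len]


def deliver_pmk(method, master_secret, client_random, server_random,
                shared_secret, request_auth, salt):
    """Server side of key delivery: derive the MSK, wrap its first 32 bytes
    (the PMK) as MS-MPPE-Recv-Key.  Returns (attribute_value, pmk)."""
    msk = eap_msk(method, master_secret, client_random, server_random)
    return mppe_encrypt(shared_secret, request_auth, salt, msk[:32]), msk[:32]


def ap_recovers_pmk(ap_secret, server_secret, request_auth, salt, pmk):
    """True only if the AP's copy of the RADIUS secret matches the server's."""
    attr = mppe_encrypt(server_secret, request_auth, salt, pmk)
    try:
        return mppe_decrypt(ap_secret, request_auth, attr) == pmk
    except ValueError:
        return False


# Constructed sample values (not from any real session or product).
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM, SERVER_RANDOM = b"\x11" * 32, b"\x22" * 32
RESUMED_CLIENT_RANDOM, RESUMED_SERVER_RANDOM = b"\x33" * 32, b"\x44" * 32
RADIUS_SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
SALT = b"\x80\x01"

if __name__ == "__main__":
    attr, pmk = deliver_pmk("EAP-TTLS", MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM,
                            RADIUS_SECRET, REQUEST_AUTH, SALT)
    print("MS-MPPE-Recv-Key on the wire:", attr.hex())
    print("AP recovers PMK:", mppe_decrypt(RADIUS_SECRET, REQUEST_AUTH, attr) == pmk)
    # Session resumption keeps the master secret but both sides send new
    # randoms, so a reauthentication still yields a fresh MSK and PMK.
    resumed = eap_msk("EAP-TTLS", MASTER_SECRET, RESUMED_CLIENT_RANDOM, RESUMED_SERVER_RANDOM)
    print("fresh PMK after resumed handshake:", resumed[:32] != pmk)
```

Two points the code makes concrete: the AP never sees the TLS master secret and cannot recover the PMK without the RADIUS shared secret, so that secret deserves the same handling as a credential store; and a resumed TLS session reuses the master secret but not the handshake randoms, so every reauthentication still produces a new MSK, which is what the periodic reauthentication described above buys.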
For each supported authentication type, we established policies on the Odyssey Server specifying which users or groups could authenticate to our wireless network and how often they must reauthenticate. User and group information is granular and can be imported or referenced from AD and LDAP; you simply pick users and groups from a list. The server correctly enforced all policies and maintained solid wireless connections. It can produce detailed logs, including raw packet traces and AP accounting data.
Flexible architecture, variable authentication types and useful deployment tools make Funk's Odyssey a strong choice for securing an 802.1X-based wireless network.
This was first published in February 2005