Data Sheet: Odyssey
Wireless LAN Security Software

Odyssey is a wireless LAN access control and security solution that not only provides strong security over the wireless link, but also can be easily and widely deployed and managed across an enterprise network.

Odyssey includes client and server software. It secures the authentication and connection of wireless LAN (WLAN) users, ensuring that only authorized users can connect, that connection credentials will not be compromised, and that data privacy will be maintained.

Odyssey is based on the IEEE security standard 802.1x, and supports a wide variety of 802.1x security methods, including the strong and easily managed security method EAP-TTLS.

EAP-TTLS offers the significant benefit of not requiring the setup and management of client certificates on each WLAN user's PC. Instead, the WLAN user is safely authenticated to the network using ordinary password-based credentials, which are made proof against active and passive attack by enclosing them in a TLS security wrapper. You'll be able to safely deploy WLAN access against your existing authentication infrastructure, significantly alleviating your management burden and allowing users to connect with the credentials they're accustomed to using.

In addition, Odyssey supports a wide variety of WLAN environments. Odyssey Client runs on multiple Windows platforms, so you'll be able to set up your users for WLAN access, whether they're running new or legacy equipment. Plus, both Odyssey Client and Server support all 802.1x-capable access equipment, for unsurpassed multi-vendor compatibility.

Step up to the most secure, easily managed WLAN access – with Odyssey.

Overview

Odyssey comprises:

Odyssey Client
Odyssey Client runs on Windows XP, 2000, 98, Me, Pocket PC 2002, and Windows Mobile 2003 for Pocket PC, and lets a user securely connect to a WLAN. It can communicate with Odyssey Server, or with any authentication server that supports an Odyssey authentication type, to get the necessary security and connection information.

Odyssey Server
Odyssey Server is a RADIUS server customized to handle WLAN users and security. It handles connection requests from Odyssey Clients and other 802.1x clients which support WLAN authentication types.

In brief, here's how Odyssey works: When an Odyssey Client connects to the WLAN access point (AP), the AP requests an identity from the Client. The Client responds to the request with just the user name. The AP then forwards an Access-Request with the Client's identity to Odyssey Server. Odyssey Server responds with a challenge – which indicates which EAP (security) type should be used – to the AP, which forwards the challenge to the Client. If the Client agrees to the security type, it attempts to authenticate using the agreed-upon EAP type. The Client and Server exchange messages until the authentication finishes with an accept or reject. Upon a successful authentication, the Client is allowed a connection on the AP, and the keying information, if generated and required, is used to establish the connection.

Odyssey is available as a Client/Server system, and as a stand-alone Client.

Multiple Security Types

The level of security on a WLAN is determined by the “EAP authentication type” in use. EAP (Extensible Authentication Protocol) authentication types provide credential security, data security, or both. Odyssey supports the following EAP authentication types:

EAP-TTLS is an IETF draft jointly authored by Funk Software and Certicom, and is a working document of the PPP Extensions group. EAP-TTLS provides secure user authentication, using a TLS tunnel to encrypt password-based credentials that would be otherwise subject to dictionary attack on the wireless link. It provides strong security, while supporting legacy password protocols, enabling rapid deployment against your existing security infrastructure. EAP-TTLS is supported on Odyssey Client, Odyssey Client for Pocket PC, and Odyssey Server.

EAP-PEAP is similar to EAP-TTLS, and provides a similar level of security. However, with EAP-PEAP, only EAP may be carried as a protocol inside the tunnel. For this reason, EAP-PEAP is appropriate for use against Windows Active Directory and domains (via EAP-MS-CHAP-V2). Both the Microsoft and Cisco versions of EAP-PEAP are supported on Odyssey Client and Server.

EAP-TLS is based on TLS, the follow-on to Secure Sockets Layer (SSL). It provides strong security, but relies on client certificates for user authentication. EAP-TLS is supported on both Odyssey Client and Server.

LEAP – this authentication method is used primarily for WLAN clients connecting to Cisco WLAN access points such as the Cisco Aironet Series. LEAP is supported on Odyssey Client, Odyssey Client for Pocket PC, and Odyssey Server.

EAP-MD5 – this authentication method essentially duplicates CHAP password protection on a WLAN. EAP-MD5 represents a kind of base-level EAP support among 802.1x devices. EAP-MD5 is supported on Odyssey Client.

For the strongest security, we recommend the use of EAP-TTLS, EAP-PEAP, or EAP-TLS.
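
The exchange described under "how Odyssey works" and the recommendation above, as an added example (not Odyssey or Funk Software code): a Python sketch that decodes EAP packets in the RFC 3748 layout and flags an authentication in which the server's first challenge proposes a method outside EAP-TTLS, EAP-PEAP, or EAP-TLS. The function names and the sample frames are constructed for illustration; the type numbers are the IANA-assigned EAP values.

```python
import struct

# EAP codes and method type numbers (RFC 3748 and the IANA EAP registry)
CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
METHODS = {1: "Identity", 2: "Notification", 3: "Nak", 4: "EAP-MD5",
           13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "EAP-PEAP"}
# Methods the data sheet recommends for the strongest security
RECOMMENDED = {"EAP-TTLS", "EAP-PEAP", "EAP-TLS"}

def parse_eap(frame: bytes) -> dict:
    """Decode one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Data]."""
    if len(frame) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", frame[:4])
    has_type = code in (1, 2)  # only Request/Response carry a Type field
    if code not in CODES or not (4 + has_type <= length <= len(frame)):
        raise ValueError("malformed EAP packet")
    pkt = {"code": CODES[code], "id": ident, "method": None, "data": b""}
    if has_type:
        pkt["method"] = METHODS.get(frame[4], f"type-{frame[4]}")
        pkt["data"] = frame[5:length]  # ignore link-layer padding past Length
    return pkt

def audit_exchange(frames):
    """Return (identity, proposed method, finding) for one authentication."""
    identity = proposed = None
    for pkt in map(parse_eap, frames):
        if pkt["code"] == "Response" and pkt["method"] == "Identity":
            identity = pkt["data"].decode("utf-8", "replace")
        elif (pkt["code"] == "Request" and proposed is None
              and pkt["method"] not in ("Identity", "Notification")):
            proposed = pkt["method"]  # the first challenge names the EAP type
    if proposed is None:
        return identity, None, "no method proposed"
    finding = "ok" if proposed in RECOMMENDED else "weak method proposed"
    return identity, proposed, finding

def eap(code, ident, body=b""):
    """Build a constructed sample packet (hypothetical helper for the demo)."""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

# Constructed sample exchanges (not captured traffic)
TTLS_SESSION = [eap(1, 1, b"\x01"), eap(2, 1, b"\x01alice"),
                eap(1, 2, b"\x15\x20"), eap(3, 9)]
LEAP_SESSION = [eap(1, 1, b"\x01"), eap(2, 1, b"\x01bob"),
                eap(1, 2, b"\x11\x01\x00\x08" + bytes(8))]

if __name__ == "__main__":
    print(audit_exchange(TTLS_SESSION), audit_exchange(LEAP_SESSION))
```
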

EAP-TTLS, the Best Choice for Secure, Manageable WLAN Access

Not all EAP authentication types are created equal. Unlike other EAP types, EAP-TTLS doesn't force you to make a trade-off between security and ease of management.

EAP-TTLS provides the following benefits.

Completely protects connection credentials from attack

One of the primary benefits of EAP-TTLS is that it provides complete security for users' connection credentials (i.e., user name and password) as they're being authenticated to the network.

With EAP-TTLS, a WLAN user's identity and password-based credentials are tunneled during authentication negotiation, and are therefore not observable in the communications channel. This strong security prevents dictionary attacks, man-in-the-middle attacks, and hijacked connections by wireless eavesdroppers – and protects your network from the havoc an attacker who's connecting with valid credentials can wreak.

EAP-PEAP and EAP-TLS also provide this high level of credential security; LEAP does not. With LEAP, passwords which are short or insufficiently random are vulnerable to dictionary attack.

Supports all password protocols, for compatibility with your existing authentication scheme

A second major benefit of EAP-TTLS is that it supports all major password protocols, including PAP, CHAP, MS-CHAP, MS-CHAP-V2, EAP-MD5Challenge, and EAP-TokenCard.

So, with EAP-TTLS, WLAN users can safely connect – without danger of cryptographic attack on their passwords – using the connection credentials they're accustomed to using. This lets you consolidate the management of your wired and WLAN users, and simplifies the access process for WLAN users.

Odyssey Server can authenticate WLAN users directly against Windows NT Domains or Windows 2000 Native Domains. It can also forward EAP-TTLS requests to other RADIUS servers, including Funk Software's Steel-Belted Radius, for authentication of WLAN users against non-Windows databases such as token systems or SQL/LDAP.

Neither EAP-TLS, EAP-PEAP, nor LEAP offers this level of compatibility with existing authentication schemes.

Does not require the use of client certificates

A third major benefit of using EAP-TTLS is that – unlike EAP-TLS – it does not require the use of client certificates to provide strong credential security.

EAP-TTLS and EAP-TLS are similar in that both use TLS (Transport Layer Security, the successor to SSL) as the underlying strong cryptography. However, EAP-TTLS differs in that only the RADIUS servers, not the users, are required to have certificates. The user is authenticated to the network using ordinary password-based credentials, which are made proof against active and passive attack by enclosing them in the TLS security wrapper.

Users of EAP-TTLS are, therefore, spared the administrative burden associated with setting up and maintaining a certificate infrastructure. Because EAP-TLS requires that each user have a certificate, organizations that deploy it can look forward to a substantial administrative burden in operating a certificate authority to distribute, revoke, and otherwise manage user certificates.

While EAP-TLS provides strong security and is appropriate for organizations which have already deployed a PKI infrastructure, EAP-TTLS provides equally strong security and requires little additional administration beyond what you're already doing to administer your Windows users.

Provides data security, plus strong mutual authentication of client and server

Beyond its strong credential security and ease of management, EAP-TTLS provides additional security techniques to further protect the security of a WLAN user's connection.

With EAP-TTLS, dynamic per-session keys are generated to encrypt the wireless connection and protect data privacy. Odyssey Server can be configured to re-authenticate and thus re-key at any interval; frequent re-keying thwarts known attacks against the encryption method used in wireless communications (WEP).

In addition, EAP-TTLS provides strong mutual authentication of Client and Odyssey Server, preventing an intrusion onto the network by an unauthorized user, and ensuring that the client is connecting to the right server.

EAP-PEAP, EAP-TLS, and LEAP also provide these safeguards.

With its strong security and compatibility with existing authentication databases and infrastructure, EAP-TTLS puts secure WLAN authentication within any organization's reach.

Authenticates against Windows, or Forwards to Other Authentication Systems

Odyssey can safely authenticate WLAN users directly against your existing Windows 2000 Native Domain or NT Domain authentication database, and includes full support for user and group designations.

And, for seamless integration into networks which aren't exclusively Windows-based, Odyssey can also forward EAP-TTLS authentication requests to other RADIUS servers, including Funk Software's Steel-Belted Radius, for safe authentication against non-Windows authentication schemes.

So, if you set up Odyssey to forward EAP-TTLS authentication requests to Steel-Belted Radius, you'll be able to authenticate WLAN users against:

Token systems such as RSA Security's ACE/Server
SQL/LDAP databases
TACACS+
Solaris NIS, NIS+
NT Domains/Windows 2000 Native Domains
Or any combination of the above

Designed for Compatibility

Odyssey is an end-to-end solution which provides unsurpassed security and ease of management when using EAP-TTLS. That said, Odyssey was designed to be compatible in a wide variety of WLAN environments, and to be compatible with other 802.1x solutions.

First, Odyssey supports the widest variety of WLAN network adapter cards and access points – including those from 3Com, Agere, Avaya, Cisco, Enterasys, Proxim, and Symbol – for ensured compatibility in your network environment.

Odyssey Server can manage connections from Microsoft (via EAP-PEAP or EAP-TLS) or Cisco (via EAP-PEAP or EAP-LEAP) 802.1x clients you may have already deployed.

Odyssey Client is compatible with Odyssey Server, Steel-Belted Radius, and other EAP-compatible RADIUS servers already in place on your network and, since it runs with equivalent security functionality and interface on more Windows platforms, is an excellent complement to the XP-only Microsoft client.

Plus, Odyssey gives you the flexibility to easily migrate from one security methodology to another. For example, you may wish to beef up the security on your network and migrate from LEAP to EAP-TTLS. Odyssey Server can easily support both methods while you transition your WLAN clients to Odyssey/EAP-TTLS.

Easily Deploy Across the Enterprise

Odyssey lets you rapidly set up secure WLAN access for your organization.

Odyssey Client incorporates numerous conveniences for end users, and many deployment tools for network managers. This powerful combination of features allows rapid adoption by the end user population, to significantly reduce support and training costs; and enables rapid deployment of a configured client across all the wireless devices in your organization.

Refer to the separate Odyssey Client data sheet for more information on these features.

Odyssey Server – a RADIUS server specially designed to manage WLAN access – reflects the simple set-up, reliable and high-performance operation, and multi-vendor compatibility that are the hallmarks of Steel-Belted Radius, our market-leading RADIUS/AAA server.

Odyssey Server writes a log file detailing all WLAN access activity, for easy reporting and diagnostics.

System Requirements

Odyssey Server runs on Windows 2000 Server/Professional and Windows XP Professional. It is compatible with a wide variety of 802.1x-capable WLAN access points.

Odyssey Client runs on Windows XP, 2000, 98, Me, Pocket PC 2002, and Windows Mobile 2003 for Pocket PC. It supports any 802.1x-capable WLAN adapter card.

 
© 2001-2006 David Stephenson Communications Pte Ltd
