TLS-EAP with Yubikey module

Jeroen K krabbedoelie at
Mon Jun 18 18:27:54 CEST 2018

Inner and outer tunnel now work according to RFC specifications. The conceptual overview of Arran helped with integrating everything into a working production environment by using an alternative approach. 

Great community package. Keep up the great work team!

> On 24 May 2018, at 14:40, David Mitton <david at> wrote:
> I developed the RSA SecurID EAP implementation for several years, and Windows provides interesting “challenges” for EAP modules that want to interact with the user, particularly in the WiFi space.
> It was hard to get it to work as well as we did.   
> I’m not surprised that others would not be successful.
> Dave.
> From: Michael Ströder
> Sent: Thursday, May 24, 2018 8:01 AM
> To: FreeRadius users mailing list; Alan DeKok
> Subject: Re: TLS-EAP with Yubikey module
> Alan DeKok wrote:
>> On May 23, 2018, at 4:52 PM, Michael Ströder <michael at> wrote:
>>> I'd like to read the experience of others here with using OTP for
>>> protecting Wifi access.
>> It's terrible.  Largely because the clients are terrible.
> So this exactly matches the result of my tests.
>> I've been recommending (and installing) EAP-TLS instead.  It's simpler, and works everywhere.
> In a project I have implemented a small web component which issues
> short-time OpenSSH certs (not X.509) for SSH logins with 2FA.
> Something similar like this could also be used for issuing short-time
> EAP-TLS client certs if the client is temporarily connected to an
> enrollment network. Success depends on how easy it is to get the client
> key and cert installed on various platforms.
> Ciao, Michael.