TLS-EAP with Yubikey module

Stefan Paetow Stefan.Paetow at
Thu Jun 21 15:43:19 CEST 2018

What *was* the alternative approach, if you don't mind sharing? 

With Regards

Stefan Paetow
Consultant, Trust and Identity

t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp at
skype: stefan.paetow.janet

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.

On 18/06/2018, 10:00, "Freeradius-Users on behalf of Jeroen K" < at on behalf of krabbedoelie at> wrote:

    Inner and outer tunnel now work according to RFC specifications. The conceptual overview of Arran helped with integrating everything into a working production environment by using an alternative approach. 
    Great community package. Keep up the great work team!
    > On 24 May 2018, at 14:40, David Mitton <david at> wrote:
    > I developed the RSA SecurID EAP implementation for several years, and Windows provides interesting “challenges” for EAP modules that want to interact with the user, particularly in the WiFi space.
    > It was hard to get it to work as well as we did.   
    > I’m not surprised that others would not be successful.
    > Dave.
    > Sent from Mail for Windows 10
    > From: Michael Ströder
    > Sent: Thursday, May 24, 2018 8:01 AM
    > To: FreeRadius users mailing list; Alan DeKok
    > Subject: Re: TLS-EAP with Yubikey module
    > Alan DeKok wrote:
    >> On May 23, 2018, at 4:52 PM, Michael Ströder <michael at> wrote:
    >>> I'd like to read the experience of others here with using OTP for
    >>> protecting Wifi access.
    >> It's terrible.  Largely because the clients are terrible.
    > So this exactly matches the result of my tests.
    >> I've been recommending (and installing) EAP-TLS instead.  It's simpler, and works everywhere.
    > In a project I have implemented a small web component which issues
    > short-time OpenSSH certs (not X.509) for SSH logins with 2FA.
    > Something similar like this could also be used for issuing short-time
    > EAP-TLS client certs if the client is temporarily connected to an
    > enrollment network. Success depends on how easy it is to get the client
    > key and cert installed on various platforms.
    > Ciao, Michael.
    > -
    > List info/subscribe/unsubscribe? See
    List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list