TLS-EAP with Yubikey module
Stefan.Paetow at jisc.ac.uk
Thu Jun 21 15:43:19 CEST 2018
What *was* the alternative approach, if you don't mind sharing?
Consultant, Trust and Identity
t: +44 (0)1235 822 125
xmpp: stefanp at jabber.dev.ja.net
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
On 18/06/2018, 10:00, "Freeradius-Users on behalf of Jeroen K" <freeradius-users-bounces+stefan.paetow=jisc.ac.uk at lists.freeradius.org on behalf of krabbedoelie at hotmail.com> wrote:
Inner and outer tunnel now work according to RFC specifications. The conceptual overview of Arran helped with integrating everything into a working production environment by using an alternative approach.
Great community package. Keep up the great work team!
> On 24 May 2018, at 14:40, David Mitton <david at mitton.com> wrote:
> I developed the RSA SecurID EAP implementation for several years, and Windows provides interesting “challenges” for EAP modules that want to interact with the user, particularly in the WiFi space.
> It was hard to get it to work as well as we did.
> I’m not surprised that others would not be successful.
> Sent from Mail for Windows 10
> From: Michael Ströder
> Sent: Thursday, May 24, 2018 8:01 AM
> To: FreeRadius users mailing list; Alan DeKok
> Subject: Re: TLS-EAP with Yubikey module
> Alan DeKok wrote:
>> On May 23, 2018, at 4:52 PM, Michael Ströder <michael at stroeder.com> wrote:
>>> I'd like to read the experience of others here with using OTP for
>>> protecting Wifi access.
>> It's terrible. Largely because the clients are terrible.
> So this exactly matches the result of my tests.
>> I've been recommending (and installing) EAP-TLS instead. It's simpler, and works everywhere.
> In a project I have implemented a small web component which issues
> short-time OpenSSH certs (not X.509) for SSH logins with 2FA.
> Something similar like this could also be used for issuing short-time
> EAP-TLS client certs if the client is temporarily connected to an
> enrollment network. Success depends on how easy it is to get the client
> key and cert installed on various platforms.
> Ciao, Michael.
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users