TLS-EAP with Yubikey module

Michael Ströder michael at stroeder.com
Thu May 24 14:00:50 CEST 2018


Alan DeKok wrote:
> On May 23, 2018, at 4:52 PM, Michael Ströder <michael at stroeder.com> wrote:
>> I'd like to read the experience of others here with using OTP for
>> protecting Wifi access.
> 
> It's terrible.  Largely because the clients are terrible.

So this exactly matches the result of my tests.

> I've been recommending (and installing) EAP-TLS instead.  It's simpler, and works everywhere.

In a project I have implemented a small web component which issues
short-time OpenSSH certs (not X.509) for SSH logins with 2FA.

Something similar to this could also be used for issuing short-time
EAP-TLS client certs if the client is temporarily connected to an
enrollment network. Success depends on how easy it is to get the client
key and cert installed on various platforms.

Ciao, Michael.


More information about the Freeradius-Users mailing list