On May 24, 2018, at 2:52 AM, Michael Ströder <michael@stroeder.com> wrote:
Jeroen van Kessel wrote:
I am trying to setup FreeRADIUS 3.0.12 ARM (Pi3) with Yubikeys to authenticate on the 802.1X TP-Link EAP245 access point. Despite Alan's hints about having to use EAP-TTLS with PAP in inner tunnel I really wonder whether that works in real life.
My own attempts (based on my Æ-DIR with OATH-LDAP and yubikey) were rather unpleasant because my Wifi client UI does not prompt again for new OTP or other client UIs might prompt too often.
Yeah and MSCHAPv2 (which could prompt for retries) isn't going to work because yubikey requires the plaintext, so you're left with EAP-TTLS and PAP. You could probably get something working with wpa_supplicant, maybe with macOS which is pretty good at re-prompting for passwords on auth failure. I think there's also options in the Microsoft supplicant to *not* store the password, which would probably be your best bet on that platform. If I were designing this as a service for a customer, i'd make heavy use of session-resumption to avoid prompting repeatedly for the token, so they'd only need to use it maybe once a week or once a month. There is value in multi-factor authentication for bootstrapping, but the pain of entering an OTP every single time you need to get on the wireless network would be too much even if you did get this working reliably. Generally the trend in application security is to apply security policies using a reverse proxy of some kind, right before the application. That way you get the same level of security if the user is connecting in from the office as if they're coming in via a VPN. In that scenario you'd check the OTP at the reverse proxy (something like NGINX), which is much better supported. -Arran