On May 23, 2018, at 4:52 PM, Michael Ströder <michael@stroeder.com> wrote:
Jeroen van Kessel wrote:
I am trying to setup FreeRADIUS 3.0.12 ARM (Pi3) with Yubikeys to authenticate on the 802.1X TP-Link EAP245 access point. Despite Alan's hints about having to use EAP-TTLS with PAP in inner tunnel I really wonder whether that works in real life.
OTP without challenge/response can work, in theory. But most end-user systems will cache the password and use that forever. There's EAP-GTC, which is *supposed* to do challenge-response. But I think no one has implemented it properly inside of TTLS or PEAP. i.e. PEAP does allow for EAP-GTC inside of the tunnel, but I don't think Windows will prompt the user for anything.
My own attempts (based on my Æ-DIR with OATH-LDAP and yubikey) were rather unpleasant because my Wifi client UI does not prompt again for new OTP or other client UIs might prompt too often.
Yup.
I'd like to read the experience of others here with using OTP for protecting Wifi access.
It's terrible. Largely because the clients are terrible. I've been recommending (and installing) EAP-TLS instead. It's simpler, and works everywhere. Alan DeKok.