2015-06-23 23:28 GMT+02:00 Jochen Demmer <jochen.demmer@peakwork.com>:
So EAP-TTLS windows 7 doesn't support out of the box, right? I actually don't feel very comfortable with the idea of installing third party software on all machines.
The required software is used for many years by many people. For example various universities provide it with their eduroam program to enable their students and employees to use EAP-TTLS. Just do a quick google for "SecureW2" and even the first two pages list plenty of known universities. But if you still don't want to use it: Why not using EAP-TLS? It's not tunneled but supported by nearly everything, even Windows XP. And if you want it to be very secure you could require users to enter the private key password every time they use it and additionally store the key/cert on a smartcard (yubikey neo).
What other options are there? My feeling the second best option is to use client certificates. But would I still be able to use openldap in the background? What about revocation lists? How do I take care of them?
You can add your own OID to your client certificates as Certificate Policies (https://www.openssl.org/docs/apps/x509v3_config.html#Certificate-Policies) and those can be used by RADIUS / LDAP.