I developed the RSA SecurID EAP implementation for several years, and Windows provides interesting “challenges” for EAP modules that want to interact with the user, particularly in the WiFi space. It was hard to get it to work as well as we did. I’m not surprised that others would not be successful. Dave. Sent from Mail for Windows 10 From: Michael Ströder Sent: Thursday, May 24, 2018 8:01 AM To: FreeRadius users mailing list; Alan DeKok Subject: Re: TLS-EAP with Yubikey module Alan DeKok wrote:
On May 23, 2018, at 4:52 PM, Michael Ströder <michael@stroeder.com> wrote:
I'd like to read the experience of others here with using OTP for protecting Wifi access.
It's terrible. Largely because the clients are terrible.
So this exactly matches the result of my tests.
I've been recommending (and installing) EAP-TLS instead. It's simpler, and works everywhere.
In a project I have implemented a small web component which issues short-time OpenSSH certs (not X.509) for SSH logins with 2FA. Something similar like this could also be used for issuing short-time EAP-TLS client certs if the client is temporarily connected to an enrollment network. Success depends on how easy it is to get the client key and cert installed on various platforms. Ciao, Michael.