Inner and outer tunnel now work according to RFC specifications. The conceptual overview of Arran helped with integrating everything into a working production environment by using an alternative approach. Great community package. Keep up the great work team!
On 24 May 2018, at 14:40, David Mitton <david@mitton.com> wrote:
I developed the RSA SecurID EAP implementation for several years, and Windows provides interesting “challenges” for EAP modules that want to interact with the user, particularly in the WiFi space. It was hard to get it to work as well as we did. I’m not surprised that others would not be successful.
Dave.
Sent from Mail for Windows 10
From: Michael Ströder Sent: Thursday, May 24, 2018 8:01 AM To: FreeRadius users mailing list; Alan DeKok Subject: Re: TLS-EAP with Yubikey module
Alan DeKok wrote:
On May 23, 2018, at 4:52 PM, Michael Ströder <michael@stroeder.com> wrote:
I'd like to read the experience of others here with using OTP for protecting Wifi access.
It's terrible. Largely because the clients are terrible.
So this exactly matches the result of my tests.
I've been recommending (and installing) EAP-TLS instead. It's simpler, and works everywhere.
In a project I have implemented a small web component which issues short-time OpenSSH certs (not X.509) for SSH logins with 2FA.
Something similar like this could also be used for issuing short-time EAP-TLS client certs if the client is temporarily connected to an enrollment network. Success depends on how easy it is to get the client key and cert installed on various platforms.
Ciao, Michael.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html