What *was* the alternative approach, if you don't mind sharing? With Regards Stefan Paetow Consultant, Trust and Identity t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. On 18/06/2018, 10:00, "Freeradius-Users on behalf of Jeroen K" <freeradius-users-bounces+stefan.paetow=jisc.ac.uk@lists.freeradius.org on behalf of krabbedoelie@hotmail.com> wrote: Inner and outer tunnel now work according to RFC specifications. The conceptual overview of Arran helped with integrating everything into a working production environment by using an alternative approach. Great community package. Keep up the great work team! > On 24 May 2018, at 14:40, David Mitton <david@mitton.com> wrote: > > I developed the RSA SecurID EAP implementation for several years, and Windows provides interesting “challenges” for EAP modules that want to interact with the user, particularly in the WiFi space. > It was hard to get it to work as well as we did. > I’m not surprised that others would not be successful. > > Dave. > > Sent from Mail for Windows 10 > > From: Michael Ströder > Sent: Thursday, May 24, 2018 8:01 AM > To: FreeRadius users mailing list; Alan DeKok > Subject: Re: TLS-EAP with Yubikey module > > Alan DeKok wrote: >> On May 23, 2018, at 4:52 PM, Michael Ströder <michael@stroeder.com> wrote: >>> I'd like to read the experience of others here with using OTP for >>> protecting Wifi access. >> >> It's terrible. Largely because the clients are terrible. > > So this exactly matches the result of my tests. > >> I've been recommending (and installing) EAP-TLS instead. It's simpler, and works everywhere. > > In a project I have implemented a small web component which issues > short-time OpenSSH certs (not X.509) for SSH logins with 2FA. > > Something similar like this could also be used for issuing short-time > EAP-TLS client certs if the client is temporarily connected to an > enrollment network. Success depends on how easy it is to get the client > key and cert installed on various platforms. > > Ciao, Michael. > > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html