Hi,
The required software is used for many years by many people. For example various universities provide it with their eduroam program to enable their students and employees to use EAP-TTLS. Just do a quick google for "SecureW2" and even the first two pages list plenty of known universities.
Who have all stopped doing this because SecureW2 is throwing cease-and-dedists against them for using the GPL version of the SecureW2 client. Beware. Greetings, Stefan Winter
But if you still don't want to use it: Why not using EAP-TLS? It's not tunneled but supported by nearly everything, even Windows XP. And if you want it to be very secure you could require users to enter the private key password every time they use it and additionally store the key/cert on a smartcard (yubikey neo).
What other options are there? My feeling the second best option is to use client certificates. But would I still be able to use openldap in the background? What about revocation lists? How do I take care of them?
You can add your own OID to your client certificates as Certificate Policies (https://www.openssl.org/docs/apps/x509v3_config.html#Certificate-Policies) and those can be used by RADIUS / LDAP. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66