Alan DeKok wrote:
On May 23, 2018, at 4:52 PM, Michael Ströder <michael@stroeder.com> wrote:
I'd like to read the experience of others here with using OTP for protecting Wifi access.
It's terrible. Largely because the clients are terrible.
So this exactly matches the result of my tests.
I've been recommending (and installing) EAP-TLS instead. It's simpler, and works everywhere.
In a project I have implemented a small web component which issues short-time OpenSSH certs (not X.509) for SSH logins with 2FA. Something similar like this could also be used for issuing short-time EAP-TLS client certs if the client is temporarily connected to an enrollment network. Success depends on how easy it is to get the client key and cert installed on various platforms. Ciao, Michael.