TLS-EAP with Yubikey module
Jeroen K
krabbedoelie at hotmail.com
Mon Jun 18 10:56:56 CEST 2018
Inner and outer tunnel now work according to RFC specifications. The conceptual overview of Arran helped with integrating everything into a working production environment by using an alternative approach.
Great community package. Keep up the great work team!
> On 24 May 2018, at 14:40, David Mitton <david at mitton.com> wrote:
>
> I developed the RSA SecurID EAP implementation for several years, and Windows provides interesting “challenges” for EAP modules that want to interact with the user, particularly in the WiFi space.
> It was hard to get it to work as well as we did.
> I’m not surprised that others would not be successful.
>
> Dave.
>
> From: Michael Ströder
> Sent: Thursday, May 24, 2018 8:01 AM
> To: FreeRadius users mailing list; Alan DeKok
> Subject: Re: TLS-EAP with Yubikey module
>
> Alan DeKok wrote:
>> On May 23, 2018, at 4:52 PM, Michael Ströder <michael at stroeder.com> wrote:
>>> I'd like to read the experience of others here with using OTP for
>>> protecting Wifi access.
>>
>> It's terrible. Largely because the clients are terrible.
>
> So this exactly matches the result of my tests.
>
>> I've been recommending (and installing) EAP-TLS instead. It's simpler, and works everywhere.
>
> In a project I have implemented a small web component which issues
> short-time OpenSSH certs (not X.509) for SSH logins with 2FA.
>
> Something like this could also be used for issuing short-time
> EAP-TLS client certs if the client is temporarily connected to an
> enrollment network. Success depends on how easy it is to get the client
> key and cert installed on various platforms.
>
> Ciao, Michael.