TLS-EAP with Yubikey module
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Thu May 24 07:50:02 CEST 2018
> On May 24, 2018, at 2:52 AM, Michael Ströder <michael at stroeder.com> wrote:
>
> Jeroen van Kessel wrote:
>> I am trying to setup FreeRADIUS 3.0.12 ARM (Pi3) with Yubikeys to
>> authenticate on the 802.1X TP-Link EAP245 access point.
> Despite Alan's hints about having to use EAP-TTLS with PAP in inner
> tunnel I really wonder whether that works in real life.
>
> My own attempts (based on my Æ-DIR with OATH-LDAP and yubikey) were
> rather unpleasant because my Wifi client UI does not prompt again for
> new OTP or other client UIs might prompt too often.
Yeah and MSCHAPv2 (which could prompt for retries) isn't going to work because
yubikey requires the plaintext, so you're left with EAP-TTLS and PAP.
You could probably get something working with wpa_supplicant, maybe with macOS
which is pretty good at re-prompting for passwords on auth failure.
I think there's also options in the Microsoft supplicant to *not* store the
password, which would probably be your best bet on that platform.
If I were designing this as a service for a customer, i'd make heavy use of
session-resumption to avoid prompting repeatedly for the token, so they'd
only need to use it maybe once a week or once a month.
There is value in multi-factor authentication for bootstrapping, but the pain
of entering an OTP every single time you need to get on the wireless network
would be too much even if you did get this working reliably.
Generally the trend in application security is to apply security policies
using a reverse proxy of some kind, right before the application.
That way you get the same level of security if the user is connecting in from
the office as if they're coming in via a VPN.
In that scenario you'd check the OTP at the reverse proxy (something like NGINX),
which is much better supported.
-Arran
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 874 bytes
Desc: Message signed with OpenPGP
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20180524/e69af32b/attachment.sig>
More information about the Freeradius-Users
mailing list