TLS-EAP with Yubikey module
Alan DeKok
aland at deployingradius.com
Thu May 24 13:40:42 CEST 2018
On May 23, 2018, at 4:52 PM, Michael Ströder <michael at stroeder.com> wrote:
>
> Jeroen van Kessel wrote:
>> I am trying to set up FreeRADIUS 3.0.12 ARM (Pi3) with Yubikeys to
>> authenticate on the 802.1X TP-Link EAP245 access point.
> Despite Alan's hints about having to use EAP-TTLS with PAP in the inner
> tunnel I really wonder whether that works in real life.
OTP without challenge/response can work, in theory. But most end-user systems will cache the password and use that forever.
There's EAP-GTC, which is *supposed* to do challenge-response. But I think no one has implemented it properly inside of TTLS or PEAP.
i.e. PEAP does allow for EAP-GTC inside of the tunnel, but I don't think Windows will prompt the user for anything.
> My own attempts (based on my Æ-DIR with OATH-LDAP and yubikey) were
> rather unpleasant because my Wifi client UI does not prompt again for
> new OTP or other client UIs might prompt too often.
Yup.
> I'd like to read the experience of others here with using OTP for
> protecting Wifi access.
It's terrible. Largely because the clients are terrible.
I've been recommending (and installing) EAP-TLS instead. It's simpler, and works everywhere.
Alan DeKok.