TLS-EAP with Yubikey module

David Mitton david at mitton.com
Thu May 24 14:40:28 CEST 2018


I developed the RSA SecurID EAP implementation for several years, and Windows provides interesting “challenges” for EAP modules that want to interact with the user, particularly in the WiFi space.
It was hard to get it to work as well as we did.
I’m not surprised that others would not be successful.

Dave.

From: Michael Ströder
Sent: Thursday, May 24, 2018 8:01 AM
To: FreeRadius users mailing list; Alan DeKok
Subject: Re: TLS-EAP with Yubikey module

Alan DeKok wrote:
> On May 23, 2018, at 4:52 PM, Michael Ströder <michael at stroeder.com> wrote:
>> I'd like to read the experience of others here with using OTP for
>> protecting Wifi access.
> 
> It's terrible.  Largely because the clients are terrible.

So this exactly matches the result of my tests.

> I've been recommending (and installing) EAP-TLS instead.  It's simpler, and works everywhere.

In a project I have implemented a small web component which issues
short-time OpenSSH certs (not X.509) for SSH logins with 2FA.

Something similar could also be used for issuing short-time
EAP-TLS client certs if the client is temporarily connected to an
enrollment network. Success depends on how easy it is to get the client
key and cert installed on various platforms.

Ciao, Michael.



