I’ve gotten various aspects of this working…
And if I had a large enterprise WLAN community to cater for, this might be worthwhile, but I dunno?
The cred provider can run locally without a server/client setup, so I MIGHT look at that!
The problem, in my honest opinion, is the sync… between AD and RADIUS. If I’m going to do that, I may as well either just run a Linux LDAP server or move to Azure where it’s officially supported, etc.
Don’t get me wrong here, guys… the team at MULTIOTP have done a fantastic job, especially with their scripts, binaries, Docker images, OVAs, etc. So good! But I feel I’m trying to implement better security by opening more security holes, etc.?
I can hear all you sysadmins yelling at me, saying “dude, just use Duo!” And don’t get me wrong… I LOVE Cisco. CCNA was one of my proudest moments. But it’s expensive, yeah?
Not to mention all the add-ons, I believe, like securing end users and the RDS gateway and terminal/app servers, etc.
I just don’t think we are there yet….
Which is hard because Microsoft is forcing this on some of us/you. That’s right, they are literally picking at “random” clients to test forced OAuth on, hence the recent PrintNightmare, which is a whole extra shit show on its own.
Don’t submit me a printer ticket… seriously….
I’m digressing as usual but that’s OK because it’s MY blog!
It might honestly be easier to just get hardware keys and incorporate that software into our SOE for now? I have some for my PCs/laptops, etc., and it works great…
TrueCrypt asks for the passphrase first… once the bootloader is unlocked, the Windows login asks for creds (user/pass), but if my YubiKey Nano isn’t plugged in you simply can’t log in! I’ll do more research, but like I said… on-prem AD and MFA is still JUST not there yet, sorry 🙁