Petros wrote: Time to adopt EAP-TLS. Single-factor auth is *always* shitty. Of course, then you will have users with passphraseless TLS certs, and it turns out the CRL doesn't work in hostapd's built-in RADIUS server. Also it turns out that your enterprise-ready MFC doesn't support EAP-TLS, only fucking PSKs. And the x360 in the break room only does PSK. And the iPhones can do EAP-TLS, but only if they're jailbroken *or* you deploy a puppetmaster-type provisioning server for iDevices (which isn't an option anyway because they're BYOD). IIRC the maemo phones worked, but only if you killed their in-house wifi daemon and ran wpa-supplicant by hand, which chewed through the battery. So what I do now, to my disgust, is per-MAC PSKs - which I generate for the users (so they have full entropy), and which are all stored in plaintext on each of the APs. But at least I can revoke them by commenting them out. And the clients can be dumb as bricks. Attached is a patch that enables either approach for OpenWRT as at either backfire or aa (the script didn't change between releases). PS: yes, I know about EAP-TTLS. It's exactly as shitty as not using client-side certs for HTTPS. Also the wifi alliance only requires EAP-TLS for device branding, so in theory that's way more portable (except it isn't, see above).