You might find authentication indicators [1][2] useful in the use case you are describing.

[1]: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#auth-indicators
[2]: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#enforcing-a-specific-authentication-indicator-when-obtaining-a-ticket-from-the-kdc

On Fri, Jul 3, 2020 at 10:04 PM Max Muller via FreeIPA-users <[email protected]> wrote:

> Thanks for the reply.
>
> I carefully read the documentation and realized that this function is for
> other tasks.
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/otp#migrating-proprietary-otp
>
> And now I have another problem. I have an L2TP/IPSec server on my Mikrotik
> router. I want to use LDAP credentials (login + pass from FreeIPA) + FreeIPA
> OTP to authenticate on my L2TP/IPSec server (on the Mikrotik router). I deployed
> FreeRADIUS and it connects to LDAP (FreeIPA), finds the user+pass and permits
> login to the VPN.
> But Mikrotik's RADIUS client uses only MS-CHAPv2 and I must add an NT hash for
> each LDAP user. And with the NT hash I cannot use FreeIPA OTP (the NT hash is
> statically generated from the password only).
>
> Is there a way to use FreeIPA LDAP with OTP + FreeRADIUS to authenticate on
> a VPN server which uses MS-CHAPv2?
> So I want to use LDAP credentials for local login to the system and LDAP
> credentials + FreeIPA OTP for login to the VPN.
>
> I really want to use FreeIPA OTP, because FreeIPA provides a personal area
> for each user. A user can change their own password, add OTP by themselves, etc.
>
> I hope that I can be understood. :-)
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
