I want to know if I can configure FreeIPA's native OTP solution to require an 
account to use OTP when authenticating from a specific app (OpenVPN or 
StrongSwan) but not require 2FA when logging into a system/server or the IPA 

My (not completely baked) thought is to provision the VPN solution by setting 
up a role or group in IPA that I'd add accounts into. The VPN would allow users 
of that group to auth, using userid and password+OTP to successfully.

I've been reading through docs on the freeipa and red hat sites, e.g., 
https://www.freeipa.org/page/V4/OTP/Detail and 
http://www.freeipa.org/page/V4/OTP#Enabling_OTP_and_RADIUS, to determine if or 
how that might be doable.

>From what I read, an alternate approach from FreeIPA's built-in OTP might be 
>to set up a stand-alone OTP solution and use radius and/or a PAM module to 
>handle the VPN auth.

I've DL'd the source, but there's so much there it'll take me some time to 
figure out what's happening.

Any pointers on what approach I should take or where to find some notes and 
examples on how this might be accomplished would be greatly appreciated.


Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to