Hi, I want to know if I can configure FreeIPA's native OTP solution to require an account to use OTP when authenticating from a specific app (OpenVPN or StrongSwan) but not require 2FA when logging into a system/server or the IPA app.
My (not completely baked) thought is to provision the VPN solution by setting up a role or group in IPA that I'd add accounts into. The VPN would allow users of that group to auth, using userid and password+OTP to successfully. I've been reading through docs on the freeipa and red hat sites, e.g., https://www.freeipa.org/page/V4/OTP/Detail and http://www.freeipa.org/page/V4/OTP#Enabling_OTP_and_RADIUS, to determine if or how that might be doable. >From what I read, an alternate approach from FreeIPA's built-in OTP might be >to set up a stand-alone OTP solution and use radius and/or a PAM module to >handle the VPN auth. I've DL'd the source, but there's so much there it'll take me some time to figure out what's happening. Any pointers on what approach I should take or where to find some notes and examples on how this might be accomplished would be greatly appreciated. Thanks, Kurt -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project