I want to know if I can configure FreeIPA's native OTP solution to require an
account to use OTP when authenticating from a specific app (OpenVPN or
StrongSwan) but not require 2FA when logging into a system/server or the IPA
My (not completely baked) thought is to provision the VPN solution by setting
up a role or group in IPA that I'd add accounts into. The VPN would allow users
of that group to auth, using userid and password+OTP to successfully.
I've been reading through docs on the freeipa and red hat sites, e.g.,
http://www.freeipa.org/page/V4/OTP#Enabling_OTP_and_RADIUS, to determine if or
how that might be doable.
>From what I read, an alternate approach from FreeIPA's built-in OTP might be
>to set up a stand-alone OTP solution and use radius and/or a PAM module to
>handle the VPN auth.
I've DL'd the source, but there's so much there it'll take me some time to
figure out what's happening.
Any pointers on what approach I should take or where to find some notes and
examples on how this might be accomplished would be greatly appreciated.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project