We've found it easier to integrate a 2FA solution into OpenVPN and local
login separately. If you go with a solution that works with PAM, setting it
up with OpenVPN Access Server (the commercial product) and local login
(FreeIPA-backed) is pretty straightforward. The only thing it won't protect
is the FreeIPA web UI, but if you put that behind a VPN or IP whitelist it
should be less of an issue.
On Wed, May 27, 2015 at 10:53 AM, Bendl, Kurt <kurt.be...@nrel.gov> wrote:
> I want to know if I can configure FreeIPA's native OTP solution to require
> an account to use OTP when authenticating from a specific app (OpenVPN or
> StrongSwan) but not require 2FA when logging into a system/server or the
> IPA app.
> My (not completely baked) thought is to provision the VPN solution by
> setting up a role or group in IPA that I'd add accounts into. The VPN would
> allow users of that group to auth, using userid and password+OTP to
> I've been reading through docs on the freeipa and red hat sites, e.g.,
> https://www.freeipa.org/page/V4/OTP/Detail and
> http://www.freeipa.org/page/V4/OTP#Enabling_OTP_and_RADIUS, to determine
> if or how that might be doable.
> From what I read, an alternate approach from FreeIPA's built-in OTP might
> be to set up a stand-alone OTP solution and use radius and/or a PAM module
> to handle the VPN auth.
> I've DL'd the source, but there's so much there it'll take me some time to
> figure out what's happening.
> Any pointers on what approach I should take or where to find some notes
> and examples on how this might be accomplished would be greatly appreciated.
> Manage your subscription for the Freeipa-users mailing list:
> Go to http://freeipa.org for more info on the project