We've found it easier to integrate a 2FA solution into OpenVPN and local login separately. If you go with a solution that works with PAM, setting it up with OpenVPN Access Server (the commercial product) and local login (FreeIPA-backed) is pretty straightforward. The only thing it won't protect is the FreeIPA web UI, but if you put that behind a VPN or IP whitelist it should be less of an issue.
Ben

On Wed, May 27, 2015 at 10:53 AM, Bendl, Kurt <kurt.be...@nrel.gov> wrote:
> Hi,
>
> I want to know if I can configure FreeIPA's native OTP solution to require
> an account to use OTP when authenticating from a specific app (OpenVPN or
> StrongSwan) but not require 2FA when logging into a system/server or the
> IPA app.
>
> My (not completely baked) thought is to provision the VPN solution by
> setting up a role or group in IPA that I'd add accounts into. The VPN would
> allow users of that group to auth, using userid and password+OTP to
> successfully.
>
> I've been reading through docs on the freeipa and red hat sites, e.g.,
> https://www.freeipa.org/page/V4/OTP/Detail and
> http://www.freeipa.org/page/V4/OTP#Enabling_OTP_and_RADIUS, to determine
> if or how that might be doable.
>
> From what I read, an alternate approach from FreeIPA's built-in OTP might
> be to set up a stand-alone OTP solution and use radius and/or a PAM module
> to handle the VPN auth.
>
> I've DL'd the source, but there's so much there it'll take me some time to
> figure out what's happening.
>
> Any pointers on what approach I should take or where to find some notes
> and examples on how this might be accomplished would be greatly appreciated.
>
> Thanks,
> Kurt
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

--
Benjamen Keroack
*Infrastructure/DevOps Engineer*
benja...@dollarshaveclub.com
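The design Kurt sketches (a VPN that accepts "password+OTP" in a single field, enforced only for members of a designated group, while other services take the password alone) is what a PAM or RADIUS back end behind the VPN would have to implement. The following is an added example written for this thread; it is not code from FreeIPA, OpenVPN or either poster. It assumes TOTP tokens (RFC 6238, SHA-1, 6 digits, 30-second step) and the layout FreeIPA's OTP uses, where the token code is appended directly after the password. The user directory, the group name `vpn-otp`, the service name `openvpn` and the PBKDF2 password hashes are all constructed so the example runs offline; in a real deployment the password and OTP checks would be delegated to IPA/SSSD rather than reimplemented. The token secret is the RFC 6238 test key so the expected codes are documented values.

```python
import hashlib
import hmac
import struct
import time

DIGITS = 6          # OTP length; the trailing DIGITS characters of the credential are the code
STEP = 30           # TOTP time step in seconds
OTP_GROUP = "vpn-otp"   # assumed group name: members must present password+OTP on the VPN
OTP_SERVICES = {"openvpn"}  # assumed service name(s) on which OTP is enforced

# Constructed password hashing so the example runs offline (not how IPA stores passwords).
_SALT = b"constructed-salt"

def _pbkdf2(password, salt=_SALT):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# RFC 6238 test key, so the OTP values below are the published test vectors.
TOTP_SECRET = b"12345678901234567890"

# Constructed sample directory: alice is in the OTP group, bob is not.
USERS = {
    "alice": {"pw_hash": _pbkdf2("correct horse"), "groups": {OTP_GROUP}, "otp_key": TOTP_SECRET},
    "bob":   {"pw_hash": _pbkdf2("hunter2"),       "groups": set(),       "otp_key": None},
}

def hotp(key, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))

def totp(key, now, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the Unix epoch."""
    return hotp(key, int(now) // step, digits)

def verify_totp(key, candidate, now, window=1):
    """Accept the current step plus `window` steps either side to absorb clock drift.
    Every comparison is constant-time so a wrong code cannot be distinguished by timing."""
    counter = int(now) // STEP
    return any(hmac.compare_digest(hotp(key, counter + d), candidate)
               for d in range(-window, window + 1))

def authenticate(username, credential, service, now=None):
    """Return True when `credential` is valid for `username` on `service`.

    On an OTP-enforced service, members of OTP_GROUP must send the password
    immediately followed by the OTP in one string. Everyone else, and every
    other service, is checked on the password alone."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        return False
    needs_otp = service in OTP_SERVICES and OTP_GROUP in user["groups"]
    if needs_otp:
        # A group member without an enrolled token cannot satisfy the policy.
        if user["otp_key"] is None:
            return False
        if len(credential) <= DIGITS or not credential[-DIGITS:].isdigit():
            return False
        password, otp = credential[:-DIGITS], credential[-DIGITS:]
        if not verify_totp(user["otp_key"], otp, now):
            return False
    else:
        password = credential
    return hmac.compare_digest(_pbkdf2(password), user["pw_hash"])

if __name__ == "__main__":
    t = 59  # RFC 6238 test time: counter 1, code 287082
    print("alice on VPN with password+OTP:", authenticate("alice", "correct horse" + totp(TOTP_SECRET, t), "openvpn", t))
    print("alice on VPN with password only:", authenticate("alice", "correct horse", "openvpn", t))
    print("alice on ssh with password only:", authenticate("alice", "correct horse", "sshd", t))
    print("bob on VPN with password only:", authenticate("bob", "hunter2", "openvpn", t))
```

Splitting on a fixed trailing digit count is what makes the single-field layout workable with VPN clients that only offer one password prompt; the password itself may contain digits, so the split must be by OTP length rather than by searching for digits. Whether OTP is required is decided per user and per service from group membership, which is exactly the policy the thread is asking for and the reason a separate PAM/RADIUS layer can express it even when the directory's own OTP flag is global.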