On Wed, 27 May 2015, Bendl, Kurt wrote:
I want to know if I can configure FreeIPA's native OTP solution to
require an account to use OTP when authenticating from a specific app
(OpenVPN or StrongSwan) but not require 2FA when logging into a
system/server or the IPA app.
My (not completely baked) thought is to provision the VPN solution by
setting up a role or group in IPA that I'd add accounts into. The VPN
would allow users of that group to auth, using userid and password+OTP.
I've been reading through docs on the freeipa and red hat sites, e.g.,
determine if or how that might be doable.
From what I read, an alternate approach from FreeIPA's built-in OTP
might be to set up a stand-alone OTP solution and use radius and/or a
PAM module to handle the VPN auth.
I've DL'd the source, but there's so much there it'll take me some time
to figure out what's happening.
Any pointers on what approach I should take or where to find some notes
and examples on how this might be accomplished would be greatly
There is no way to define per-service target 2FA yet in FreeIPA.
Setting up OpenVPN against IPA is easy. Use HBAC rules to confine who
can access there.
As for forcing 2FA for such access, my only suggestion right now is to
have separate user accounts for this purpose. Let's say, they would be
prefixed with vpn- (vpn-userfoo, for example), and then tokens can be
assigned to them.
/ Alexander Bokovoy
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
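The workaround Alexander describes (separate vpn- accounts carrying tokens, HBAC confining which accounts may reach the VPN's PAM service) as an added example, not from the thread or the FreeIPA project. The hostname vpn.example.com, the PAM service name openvpn, the group vpn-users and the rule allow_vpn are assumptions; everything else is standard `ipa` CLI. The script is written so it can be dry-run offline.

```shell
#!/bin/sh
# Provision a VPN-only, OTP-required identity in FreeIPA (added example).
# Idea from the reply above: keep the normal account password-only and give
# the user a second account, vpn-<login>, that carries the token. HBAC then
# decides who may reach the VPN's PAM service at all.
#
# Assumed names (not from the thread): adjust via the environment.
VPN_HOST="${VPN_HOST:-vpn.example.com}"   # host enrolled in IPA running the VPN
VPN_SVC="${VPN_SVC:-openvpn}"             # PAM service name the VPN's pam_sss call presents
VPN_GROUP="${VPN_GROUP:-vpn-users}"       # group whose members may use the VPN
VPN_RULE="${VPN_RULE:-allow_vpn}"         # HBAC rule name
DRY_RUN="${DRY_RUN:-}"                    # set to 1 to print commands instead of running ipa

# run: print the command in DRY_RUN mode, otherwise execute it.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# vpn_account_name <login>: map a regular login to its VPN-only counterpart.
# Never double-prefixes, and rejects anything that is not a plausible IPA login.
vpn_account_name() {
    case "$1" in
        vpn-*)             printf '%s\n' "$1" ;;
        ''|*[!a-z0-9._-]*) return 1 ;;
        *)                 printf 'vpn-%s\n' "$1" ;;
    esac
}

# setup_vpn_hbac: one-time setup of service, group and rule.
# Caveat: FreeIPA ships an allow_all HBAC rule that is enabled by default;
# until it is disabled, no custom rule confines anything.
setup_vpn_hbac() {
    run ipa hbacsvc-add "$VPN_SVC" --desc="VPN PAM service"
    run ipa group-add "$VPN_GROUP" --desc="Accounts allowed to use the VPN"
    run ipa hbacrule-add "$VPN_RULE" --desc="VPN access for $VPN_GROUP"
    run ipa hbacrule-add-service "$VPN_RULE" --hbacsvcs="$VPN_SVC"
    run ipa hbacrule-add-host "$VPN_RULE" --hosts="$VPN_HOST"
    run ipa hbacrule-add-user "$VPN_RULE" --groups="$VPN_GROUP"
    run ipa hbacrule-disable allow_all
}

# provision_vpn_user <login> <first> <last>: create vpn-<login>, make OTP
# mandatory for it (password alone is then rejected), put it in the VPN group,
# attach a TOTP token, and check the HBAC decision for the VPN service.
provision_vpn_user() {
    login=$(vpn_account_name "$1") || return 1
    run ipa user-add "$login" --first="$2" --last="$3"
    run ipa user-mod "$login" --user-auth-type=otp
    run ipa group-add-member "$VPN_GROUP" --users="$login"
    run ipa otptoken-add --type=totp --owner="$login" --desc="VPN token for $1"
    run ipa hbactest --user="$login" --host="$VPN_HOST" --service="$VPN_SVC"
}

# Usage:  DRY_RUN=1 sh vpn-2fa.sh setup
#         DRY_RUN=1 sh vpn-2fa.sh add userfoo Foo Bar
case "${1:-}" in
    setup) setup_vpn_hbac ;;
    add)   provision_vpn_user "$2" "$3" "$4" ;;
esac
```

Two things to check on the VPN host itself: the PAM service name that OpenVPN's PAM plugin (or StrongSwan's XAuth/EAP via pam_sss) presents must match the hbacsvc you created, since HBAC matches on that name; and the user enters password and OTP concatenated in the single password field, which is how FreeIPA's OTP authentication expects them. The regular account is untouched by any of this, so SSH and the IPA web UI keep working with the password only, which is what the original question asks for.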