"There is no way to define per-service target 2FA yet in FreeIPA."
Oh, man... there you go using the "yet" word! ;-) Thanks to you and Ben for the ideas. I'll hack around to see what makes sense.

Thanks,
Kurt

On 5/27/15, 12:33 PM, "Alexander Bokovoy" <[email protected]> wrote:

>On Wed, 27 May 2015, Bendl, Kurt wrote:
>>Hi,
>>
>>I want to know if I can configure FreeIPA's native OTP solution to
>>require an account to use OTP when authenticating from a specific app
>>(OpenVPN or StrongSwan) but not require 2FA when logging into a
>>system/server or the IPA app.
>>
>>My (not completely baked) thought is to provision the VPN solution by
>>setting up a role or group in IPA that I'd add accounts into. The VPN
>>would allow users of that group to auth, using userid and password+OTP
>>to successfully.
>>
>>I've been reading through docs on the freeipa and red hat sites, e.g.,
>>https://www.freeipa.org/page/V4/OTP/Detail and
>>http://www.freeipa.org/page/V4/OTP#Enabling_OTP_and_RADIUS, to
>>determine if or how that might be doable.
>>
>>From what I read, an alternate approach from FreeIPA's built-in OTP
>>might be to set up a stand-alone OTP solution and use radius and/or a
>>PAM module to handle the VPN auth.
>>
>>I've DL'd the source, but there's so much there it'll take me some time
>>to figure out what's happening.
>>
>>Any pointers on what approach I should take or where to find some notes
>>and examples on how this might be accomplished would be greatly
>>appreciated.
>There is no way to define per-service target 2FA yet in FreeIPA.
>
>Setting up OpenVPN against IPA is easy. Use HBAC rules to confine who
>can access there.
>
>As for forcing 2FA for such access, my only suggestion right now is to
>have separate user accounts for this purpose. Let's say, they would be
>prefixed with vpn- (vpn-userfoo, for example), and then tokens can be
>assigned to them.
>--
>/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
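The separate vpn- account plus HBAC confinement that Alexander suggests, scripted with the ipa CLI as an added example (not code from the thread or from the FreeIPA project); the account vpn-userfoo, the rule vpn_access, the host vpn.example.com and the HBAC/PAM service name openvpn are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a VPN-only account that must present
# password+OTP, confined to the VPN host by an HBAC rule. Assumed names:
# vpn-userfoo, vpn_access, vpn.example.com, openvpn. Run as an IPA admin
# with a valid Kerberos ticket.
set -eu

# Create the vpn- account and force OTP on it. With --user-auth-type=otp this
# account must authenticate with password+OTP, while the person's normal
# account (userfoo) keeps password-only logins to servers and the web UI.
vpn_account_setup() {
  user=$1; first=$2; last=$3
  ipa user-add "$user" --first="$first" --last="$last" --user-auth-type=otp
  # The TOTP token is bound to the vpn- account only; ipa prints the
  # otpauth URI the user enrolls in an authenticator app.
  ipa otptoken-add --type=totp --owner="$user" --desc="OpenVPN token"
}

# HBAC: only the listed user(s) may authenticate through the named service on
# the VPN host. SSSD compares the HBAC service with the PAM service name that
# OpenVPN's PAM plugin uses (the file under /etc/pam.d/), so they must match.
vpn_hbac_setup() {
  rule=$1; user=$2; host=$3; svc=$4
  ipa hbacsvc-add "$svc" --desc="OpenVPN via PAM/SSSD"
  ipa hbacrule-add "$rule" --desc="VPN access for OTP-only accounts"
  ipa hbacrule-add-user "$rule" --users="$user"
  ipa hbacrule-add-host "$rule" --hosts="$host"
  ipa hbacrule-add-service "$rule" --hbacsvcs="$svc"
  # HBAC only confines access once the default catch-all rule is disabled:
  #   ipa hbacrule-disable allow_all
  # That affects every IPA host, so review the other rules first.
}

# Dry-run the HBAC decision on the server without touching the VPN box.
# Returns 0 when ipa reports "Access granted: True".
vpn_hbac_check() {
  ipa hbactest --user="$1" --host="$2" --service="$3" | grep -q 'Access granted: True'
}

if [ "${1:-}" = "apply" ]; then
  vpn_account_setup vpn-userfoo Foo User
  vpn_hbac_setup vpn_access vpn-userfoo vpn.example.com openvpn
  vpn_hbac_check vpn-userfoo vpn.example.com openvpn \
    && echo "vpn-userfoo may use openvpn on vpn.example.com"
fi
```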
