"There is no way to define per-service target 2FA yet in FreeIPA."
Oh, man... there you go using the "yet" word! ;-)
Thanks to you and Ben for the ideas. I'll hack around to see what makes
On 5/27/15, 12:33 PM, "Alexander Bokovoy" <aboko...@redhat.com> wrote:
>On Wed, 27 May 2015, Bendl, Kurt wrote:
>>I want to know if I can configure FreeIPA's native OTP solution to
>>require an account to use OTP when authenticating from a specific app
>>(OpenVPN or StrongSwan) but not require 2FA when logging into a
>>system/server or the IPA app.
>>My (not completely baked) thought is to provision the VPN solution by
>>setting up a role or group in IPA that I'd add accounts into. The VPN
>>would allow users of that group to auth, using userid and password+OTP
>>I've been reading through docs on the freeipa and red hat sites, e.g.,
>>determine if or how that might be doable.
>>>From what I read, an alternate approach from FreeIPA's built-in OTP
>>>might be to set up a stand-alone OTP solution and use radius and/or a
>>>PAM module to handle the VPN auth.
>>I've DL'd the source, but there's so much there it'll take me some time
>>to figure out what's happening.
>>Any pointers on what approach I should take or where to find some notes
>>and examples on how this might be accomplished would be greatly
>There is no way to define per-service target 2FA yet in FreeIPA.
>Setting up OpenVPN against IPA is easy. Use HBAC rules to confine who
>can access there.
>As for forcing 2FA for such access, my only suggestion right now is to
>have separate user accounts for this purpose. Let's say, they would be
>prefixed with vpn- (vpn-userfoo, for example), and then tokens can be
>assigned to them.
>/ Alexander Bokovoy
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project