"There is no way to define per-service target 2FA yet in FreeIPA."

Oh, man... there you go using the "yet" word!   ;-)
Thanks to you and Ben for the ideas. I'll hack around to see what makes


On 5/27/15, 12:33 PM, "Alexander Bokovoy" <aboko...@redhat.com> wrote:

>On Wed, 27 May 2015, Bendl, Kurt wrote:
>>I want to know if I can configure FreeIPA's native OTP solution to
>>require an account to use OTP when authenticating from a specific app
>>(OpenVPN or StrongSwan) but not require 2FA when logging into a
>>system/server or the IPA app.
>>My (not completely baked) thought is to provision the VPN solution by
>>setting up a role or group in IPA that I'd add accounts into. The VPN
>>would allow users of that group to auth, using userid and password+OTP
>>to successfully.
>>I've been reading through docs on the freeipa and red hat sites, e.g.,
>>https://www.freeipa.org/page/V4/OTP/Detail and
>>http://www.freeipa.org/page/V4/OTP#Enabling_OTP_and_RADIUS, to
>>determine if or how that might be doable.
>>>From what I read, an alternate approach from FreeIPA's built-in OTP
>>>might be to set up a stand-alone OTP solution and use radius and/or a
>>>PAM module to handle the VPN auth.
>>I've DL'd the source, but there's so much there it'll take me some time
>>to figure out what's happening.
>>Any pointers on what approach I should take or where to find some notes
>>and examples on how this might be accomplished would be greatly
>There is no way to define per-service target 2FA yet in FreeIPA.
>Setting up OpenVPN against IPA is easy. Use HBAC rules to confine who
>can access there.
>As for forcing 2FA for such access, my only suggestion right now is to
>have separate user accounts for this purpose. Let's say, they would be
>prefixed with vpn- (vpn-userfoo, for example), and then tokens can be
>assigned to them.
>/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to