Andrey Dudin writes:

> I am trying to use OTP auth in FreeIPA but have some problems.

OTP (with RADIUS) works for me.

> I have user *test:*
> [root@ipa-centos]# ipa user-show test

Did you enable --user-auth-type=otp with "ipa config-mod"?  I have:

[root@freeipa1 log]# ipa config-show --raw
  ipauserauthtype: otp
  ipauserauthtype: password
  ipauserauthtype: radius

Look at the mouse-over-docs in Webui -> IPA-Server -> Configuration ->
User Authentication Types for more info.

Otherwise, you need to enable --user-auth-type=otp for your user.  I
have for RADIUS both password and radius for my OTP user:

[root@freeipa1 log]# ipa user-show jochen --raw
  ipauserauthtype: password
  ipauserauthtype: radius

If you need both password and otp, use both --user-auth-type=password
and --user-auth-type=otp for "ipa user-mod" or "ipa config-mod".

When I do a "su - jochen", I get asked for "First Factor" and "Second
Factor", since sssd knows I use RADIUS for OTP.  That might be easier to
first test that you can authenticate with OTP.

> Server with FreeIpa:
> [root@ipa-centos]# ipa host-show
>   Authentication Indicators: otp

Is there a simple way to check on the command line, whether or not an
authentication indicator was set when authenticating?  I can't remember
anything from reading the docs - I expected some option for klist.


This space is intentionally left blank.