[Freeipa-users] OTP vs VPN

Bendl, Kurt Kurt.Bendl at nrel.gov
Wed May 27 17:53:24 UTC 2015


Hi,

I want to know if I can configure FreeIPA's native OTP solution to require an account to use OTP when authenticating from a specific app (OpenVPN or StrongSwan) but not require 2FA when logging into a system/server or the IPA app.

My (not completely baked) thought is to provision the VPN solution by setting up a role or group in IPA that I'd add accounts into. The VPN would allow users of that group to auth, using userid and password+OTP to successfully.

I've been reading through docs on the freeipa and red hat sites, e.g., https://www.freeipa.org/page/V4/OTP/Detail and http://www.freeipa.org/page/V4/OTP#Enabling_OTP_and_RADIUS, to determine if or how that might be doable.

From what I read, an alternate approach from FreeIPA's built-in OTP might be to set up a stand-alone OTP solution and use radius and/or a PAM module to handle the VPN auth.

I've DL'd the source, but there's so much there it'll take me some time to figure out what's happening.

Any pointers on what approach I should take or where to find some notes and examples on how this might be accomplished would be greatly appreciated.

Thanks,
  Kurt




