[Freeipa-users] Fwd: 2-Factor and services

Dmitri Pal dpal at redhat.com
Thu Feb 26 22:09:45 UTC 2015


On 02/26/2015 12:40 PM, Matt Wells wrote:
> Had an error on my options for the list and the replies failed to get
> to me. We'll see if this reply works.  :)
>
> @Dmitri - Anyone coming through this service/host (OpenVPN with pam)
> will be required to use 2-Factor.  Their normal logins at their desk
> are not required for 2-factor, it's ok if they use it but it's not
> required at all.
> This VPN service is as assumed, exposed to the internet.  We're
> wanting to protect ourselves as best we can with AAA.

If we are just talking about managing users in IdM and having tokens for 
them managed in IdM too, then the recommendation is:

- Set users to use OTP or password (set both check boxes)
- Configure VPN to use Kerberos authentication against IPA - that will 
force use of 2FA with the policy above
- Configure computers at the desk to use LDAP (you lose Kerberos SSO) - 
that would allow single factor with the policy above

What are your desktops? Linux? Mac?
Is there any AD involved?



>
>
> -------------------------------
> I've got many of users setup with 2-Factor and I'd like to enforce it
> with some services.
> For example.
> Server vpn.example.com is an openvpn servers setup to use PAM.
> Since he's tied to my 4.X IDM servers I can use 2-Factor with him.
> However I want to enforce that users from this system/service require
> 2-Factor.
> Can anyone point me in the right direction?  My Google Foo is showing
> to be poor on this one and any guidance would be appreciated.
>
> As always thanks for taking the time to read over this.
>
>
> So do you want to use 2FA for some users and 1FA for others or do you
> want to have flexibility to use 2FA for the same user on one system
> and not another?
> Do you plan to use external tokens like RSA or you plan to use native
> OTP support in IPA?
>
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
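The first step of the recommendation above ("set users to use OTP or password, both check boxes") corresponds to the multi-valued ipauserauthtype attribute on the user entry. The following audit helper is an added example, not code from the thread or from the FreeIPA project: it parses the output of `ipa user-show USER --raw` (assumed here to print one `ipauserauthtype: <value>` line per enabled type, as the FreeIPA 4.x CLI does for multi-valued attributes), reports whether a user has exactly the recommended pair enabled, and builds the `ipa user-mod` command that would set it. The sample output embedded below is constructed; the `--user-auth-type` option and the `--raw` flag are real FreeIPA CLI options.

```python
"""Audit per-user authentication types in FreeIPA against the advice in the thread.

Assumptions (this is an added example, not FreeIPA's own tooling):
  * `ipa user-show USER --raw` prints attribute lines of the form
    `  ipauserauthtype: otp`, one line per enabled type.
  * An empty set of types means the global default from `ipa config-show`
    applies, so the user is neither clearly compliant nor non-compliant here.
"""
import subprocess
from typing import Dict, List, Set

# Dmitri's recommendation: enable both so the Kerberos path (VPN) can use
# the OTP token while the LDAP path (desktops) still allows a single factor.
RECOMMENDED: Set[str] = {"otp", "password"}


def parse_auth_types(raw_output: str) -> List[str]:
    """Collect every ipauserauthtype value from `ipa user-show --raw` text."""
    types: List[str] = []
    for line in raw_output.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key.strip().lower() == "ipauserauthtype":
            types.append(value.strip().lower())
    return types


def check_user(raw_output: str) -> Dict[str, object]:
    """Summarise one user's auth types against the recommended {otp, password}."""
    types = set(parse_auth_types(raw_output))
    return {
        "types": sorted(types),
        # No per-user value: the global `ipa config-mod --user-auth-type` default wins.
        "inherits_default": not types,
        "matches_recommendation": types == RECOMMENDED,
    }


def user_mod_command(user: str, types: Set[str] = RECOMMENDED) -> List[str]:
    """argv that sets the per-user types; the option repeats once per value."""
    argv = ["ipa", "user-mod", user]
    argv += [f"--user-auth-type={t}" for t in sorted(types)]
    return argv


def fetch_raw(user: str) -> str:
    """Run the real CLI on an enrolled host (needs a Kerberos ticket); not used offline."""
    result = subprocess.run(
        ["ipa", "user-show", user, "--raw"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


# Constructed sample output, shaped like `ipa user-show alice --raw`.
SAMPLE_ALICE = """\
  dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
  uid: alice
  ipauserauthtype: otp
  ipauserauthtype: password
  nsaccountlock: FALSE
"""

# Constructed sample for a user with OTP only: LDAP desktops would break for her.
SAMPLE_BOB = """\
  dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
  uid: bob
  ipauserauthtype: otp
"""

# Constructed sample for a user with no per-user value set at all.
SAMPLE_CAROL = """\
  dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
  uid: carol
"""


if __name__ == "__main__":
    for name, raw in (("alice", SAMPLE_ALICE), ("bob", SAMPLE_BOB), ("carol", SAMPLE_CAROL)):
        report = check_user(raw)
        print(name, report)
        if not report["matches_recommendation"]:
            print("  fix with:", " ".join(user_mod_command(name)))
```

To audit real accounts, replace the constructed samples with `fetch_raw(name)` for each user returned by `ipa user-find --raw`; users that inherit the default should be checked against `ipa config-show` rather than flagged individually.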



