[Freeipa-users] OTP vs VPN

Benjamen Keroack benjamen at dollarshaveclub.com
Wed May 27 18:21:11 UTC 2015


We've found it easier to integrate a 2FA solution into OpenVPN and local
login separately. If you go with a solution that works with PAM, setting it
up with OpenVPN Access Server (the commercial product) and local login
(FreeIPA-backed) is pretty straightforward. The only thing it won't protect
is the FreeIPA web UI, but if you put that behind a VPN or IP whitelist it
should be less of an issue.

Ben

On Wed, May 27, 2015 at 10:53 AM, Bendl, Kurt <Kurt.Bendl at nrel.gov> wrote:

> Hi,
>
> I want to know if I can configure FreeIPA's native OTP solution to require
> an account to use OTP when authenticating from a specific app (OpenVPN or
> StrongSwan) but not require 2FA when logging into a system/server or the
> IPA app.
>
> My (not completely baked) thought is to provision the VPN solution by
> setting up a role or group in IPA that I'd add accounts into. The VPN would
> allow users of that group to auth successfully, using userid and
> password+OTP.
>
> I've been reading through docs on the freeipa and red hat sites, e.g.,
> https://www.freeipa.org/page/V4/OTP/Detail and
> http://www.freeipa.org/page/V4/OTP#Enabling_OTP_and_RADIUS, to determine
> if or how that might be doable.
>
> From what I read, an alternate approach from FreeIPA's built-in OTP might
> be to set up a stand-alone OTP solution and use RADIUS and/or a PAM module
> to handle the VPN auth.
>
> I've DL'd the source, but there's so much there it'll take me some time to
> figure out what's happening.
>
> Any pointers on what approach I should take or where to find some notes
> and examples on how this might be accomplished would be greatly appreciated.
>
> Thanks,
>   Kurt
>



-- 
Benjamen Keroack
*Infrastructure/DevOps Engineer*
benjamen at dollarshaveclub.com
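The policy Kurt describes and Ben's PAM-based split can be modelled in a few lines: OTP is enforced only when the calling service is one of the VPN front ends and the user is a member of a dedicated group, while every other service accepts the password alone. The following is an added example, not code from this thread, from FreeIPA or from OpenVPN Access Server. It assumes the FreeIPA convention of appending the token code to the password ("password+OTP"), a constructed in-memory user directory standing in for the IPA group lookup, hypothetical service names `openvpn`/`strongswan`/`sshd`, and the RFC 4226 test secret `12345678901234567890` as a token seed. The TOTP code itself is the standard RFC 6238 construction.

```python
import hashlib
import hmac
import struct
import time

# Constructed user directory standing in for the IPA user/group lookup.
# Passwords are stored as PBKDF2-SHA256 (salt, hash); totp_seed is the raw
# shared secret the user's token was provisioned with (None = no token).
def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

USERS = {
    "kurt": {"salt": b"salt-kurt", "hash": _pbkdf2("correct horse", b"salt-kurt"),
             "groups": {"ipausers", "vpn-otp"},
             "totp_seed": b"12345678901234567890"},   # RFC 4226 test secret
    "alice": {"salt": b"salt-alice", "hash": _pbkdf2("battery staple", b"salt-alice"),
              "groups": {"ipausers"}, "totp_seed": None},
}

# Hypothetical PAM service names that must enforce OTP for members of OTP_GROUP.
OTP_SERVICES = {"openvpn", "strongswan"}
OTP_GROUP = "vpn-otp"
DIGITS = 6
STEP = 30          # TOTP time step in seconds


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and +-window steps to tolerate clock skew.
    Every candidate is compared (no early exit) with a constant-time compare."""
    ok = False
    for i in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at + i * STEP), code):
            ok = True
    return ok


def split_credential(credential: str, digits: int = DIGITS):
    """'password+OTP' form: the last `digits` characters are the token code."""
    if len(credential) <= digits or not credential[-digits:].isdigit():
        return None
    return credential[:-digits], credential[-digits:]


def otp_required(user: dict, service: str) -> bool:
    """Policy from the thread: OTP only for VPN services, only for the VPN group."""
    return service in OTP_SERVICES and OTP_GROUP in user["groups"]


def check_password(user: dict, password: str) -> bool:
    return hmac.compare_digest(_pbkdf2(password, user["salt"]), user["hash"])


def authenticate(username: str, service: str, credential: str, at: int = None) -> bool:
    at = int(time.time()) if at is None else at
    user = USERS.get(username)
    if user is None:
        # Spend the same PBKDF2 cost for unknown users so timing does not leak usernames.
        _pbkdf2(credential, b"dummy-salt")
        return False
    if not otp_required(user, service):
        return check_password(user, credential)      # sshd, login, IPA UI: password only
    parts = split_credential(credential)
    if parts is None or user["totp_seed"] is None:
        return False   # OTP required but none supplied, or no token enrolled: fail closed
    password, code = parts
    return check_password(user, password) and verify_totp(user["totp_seed"], code, at)


if __name__ == "__main__":
    t = 59   # RFC 6238 test time: SHA-1 code for this step is 287082
    print(authenticate("kurt", "openvpn", "correct horse287082", t))   # True
    print(authenticate("kurt", "openvpn", "correct horse", t))         # False: OTP missing
    print(authenticate("kurt", "sshd", "correct horse", t))            # True: not a VPN service
    print(authenticate("alice", "openvpn", "battery staple", t))       # True: not in vpn-otp
```

In a real deployment the `USERS` lookup is the PAM/RADIUS backend's call into FreeIPA (or the stand-alone OTP server Kurt mentions), and the `otp_required` decision is the part that has to live on the VPN side, since the same password is valid everywhere else. Note that a user in the VPN group without an enrolled token is rejected on the VPN rather than silently falling back to password-only.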