[Freeipa-users] OTP vs VPN

Alexander Bokovoy abokovoy at redhat.com
Wed May 27 18:33:25 UTC 2015


On Wed, 27 May 2015, Bendl, Kurt wrote:
>Hi,
>
>I want to know if I can configure FreeIPA's native OTP solution to
>require an account to use OTP when authenticating from a specific app
>(OpenVPN or StrongSwan) but not require 2FA when logging into a
>system/server or the IPA app.
>
>My (not completely baked) thought is to provision the VPN solution by
>setting up a role or group in IPA that I'd add accounts into. The VPN
>would allow users of that group to auth successfully, using userid
>and password+OTP.
>
>I've been reading through docs on the freeipa and red hat sites, e.g.,
>https://www.freeipa.org/page/V4/OTP/Detail and
>http://www.freeipa.org/page/V4/OTP#Enabling_OTP_and_RADIUS, to
>determine if or how that might be doable.
>
>From what I read, an alternate approach from FreeIPA's built-in OTP
>might be to set up a stand-alone OTP solution and use radius and/or a
>PAM module to handle the VPN auth.
>
>I've DL'd the source, but there's so much there it'll take me some time
>to figure out what's happening.
>
>Any pointers on what approach I should take or where to find some notes
>and examples on how this might be accomplished would be greatly
>appreciated.
There is no way to define per-service target 2FA yet in FreeIPA.

Setting up OpenVPN against IPA is easy. Use HBAC rules to confine who
can access there.

As for forcing 2FA for such access, my only suggestion right now is to
have separate user accounts for this purpose. Let's say, they would be
prefixed with vpn- (vpn-userfoo, for example), and then tokens can be
assigned to them.
-- 
/ Alexander Bokovoy
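The two pieces of the reply above (an HBAC rule confining VPN logins to one group, and separate vpn- accounts that carry the tokens) written out as ipa CLI calls. This is an added example, not Alexander's or the FreeIPA project's own code; the group name vpn-users, rule name vpn_access, HBAC service name openvpn and the gateway hostname are assumptions, and the commands must be run on an enrolled IPA client holding an admin Kerberos ticket (kinit admin).

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed names: group
# vpn-users, HBAC rule vpn_access, HBAC/PAM service openvpn. Requires an
# enrolled IPA client and an admin ticket; the functions are not invoked
# at top level so the file can be sourced and the pieces run as needed.

# Map a regular login to its separate 2FA-only twin, following the
# "vpn-" prefix convention suggested in the reply (idempotent).
vpn_name() {
    case "$1" in
        vpn-*) printf '%s\n' "$1" ;;
        *)     printf 'vpn-%s\n' "$1" ;;
    esac
}

# One-time setup: an HBAC service plus a rule that lets only members of
# vpn-users log in to the gateway host through that service. The HBAC
# service name must equal the PAM service name the gateway uses for
# OpenVPN/StrongSwan, otherwise SSSD evaluates a different rule set.
setup_vpn_hbac() {
    gateway="$1"                       # e.g. vpn1.example.com (assumed)
    ipa hbacsvc-add openvpn --desc="OpenVPN PAM service" || true
    ipa group-add vpn-users --desc="Accounts allowed to use the VPN" || true
    ipa hbacrule-add vpn_access --desc="VPN access for vpn-users only"
    ipa hbacrule-add-user vpn_access --groups=vpn-users
    ipa hbacrule-add-host vpn_access --hosts="$gateway"
    ipa hbacrule-add-service vpn_access --hbacsvcs=openvpn
}

# Per user: create the vpn- account, restrict it to OTP authentication,
# attach a TOTP token and add it to the HBAC group. The regular account
# is left alone, so server and IPA web UI logins stay password-only.
provision_vpn_user() {
    login="$1"; first="$2"; last="$3"
    acct=$(vpn_name "$login")
    ipa user-add "$acct" --first="$first" --last="$last" --random
    # Allowing only "otp" means a bare password is rejected for this account.
    ipa user-mod "$acct" --user-auth-type=otp
    ipa otptoken-add --type=totp --owner="$acct" --desc="VPN token for $login"
    ipa group-add-member vpn-users --users="$acct"
}

# Verify the HBAC outcome from the IPA side without touching the gateway.
check_vpn_access() {
    ipa hbactest --user="$(vpn_name "$1")" --host="$2" --service=openvpn
}
```

Two points worth keeping in mind: HBAC only decides who may log in where, it does not itself demand a second factor, so the 2FA requirement comes entirely from the vpn- account being OTP-only; and because the rule admits only vpn-users, a user cannot sidestep the token by offering their ordinary password-only account to the VPN. Run check_vpn_access for both the vpn- account and the plain login to confirm the first is allowed and the second denied.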