[Freeipa-users] OTP vs VPN

Bendl, Kurt Kurt.Bendl at nrel.gov
Thu May 28 14:53:58 UTC 2015


"There is no way to define per-service target 2FA yet in FreeIPA."


Oh, man... there you go using the "yet" word!   ;-)
Thanks to you and Ben for the ideas. I'll hack around to see what makes
sense. 

Thanks,
  Kurt



On 5/27/15, 12:33 PM, "Alexander Bokovoy" <abokovoy at redhat.com> wrote:

>On Wed, 27 May 2015, Bendl, Kurt wrote:
>>Hi,
>>
>>I want to know if I can configure FreeIPA's native OTP solution to
>>require an account to use OTP when authenticating from a specific app
>>(OpenVPN or StrongSwan) but not require 2FA when logging into a
>>system/server or the IPA app.
>>
>>My (not completely baked) thought is to provision the VPN solution by
>>setting up a role or group in IPA that I'd add accounts into. The VPN
>>would allow users of that group to authenticate successfully using
>>userid and password+OTP.
>>
>>I've been reading through docs on the freeipa and red hat sites, e.g.,
>>https://www.freeipa.org/page/V4/OTP/Detail and
>>http://www.freeipa.org/page/V4/OTP#Enabling_OTP_and_RADIUS, to
>>determine if or how that might be doable.
>>
>>From what I read, an alternate approach from FreeIPA's built-in OTP
>>might be to set up a stand-alone OTP solution and use radius and/or a
>>PAM module to handle the VPN auth.
>>
>>I've DL'd the source, but there's so much there it'll take me some time
>>to figure out what's happening.
>>
>>Any pointers on what approach I should take or where to find some notes
>>and examples on how this might be accomplished would be greatly
>>appreciated.
>There is no way to define per-service target 2FA yet in FreeIPA.
>
>Setting up OpenVPN against IPA is easy. Use HBAC rules to confine who
>can access there.
>
>As for forcing 2FA for such access, my only suggestion right now is to
>have separate user accounts for this purpose. Let's say, they would be
>prefixed with vpn- (vpn-userfoo, for example), and then tokens can be
>assigned to them.
>-- 
>/ Alexander Bokovoy
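The approach Alexander describes above, written out with the ipa CLI: a dedicated vpn- account per person, forced to OTP and given a TOTP token, collected in a group that an HBAC rule confines to the VPN host and the OpenVPN PAM service. This is an added example, not code from the thread or from the FreeIPA project; the host name vpn.example.com, the group vpn-users, the rule vpn-access, the HBAC/PAM service name "openvpn" and the plugin path in the comment are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): provision OTP-only vpn- accounts and
# an HBAC rule that limits them to the OpenVPN host, via the ipa CLI.
# Assumed names: vpn.example.com, vpn-users, vpn-access, PAM service "openvpn".
set -eu

VPN_HOST="${VPN_HOST:-vpn.example.com}"
VPN_GROUP="${VPN_GROUP:-vpn-users}"
VPN_RULE="${VPN_RULE:-vpn-access}"
VPN_PAMSVC="${VPN_PAMSVC:-openvpn}"   # must equal the PAM service name OpenVPN uses

# One-time setup: group, HBAC service, and a rule that only matches
# (vpn-users) x (the VPN host) x (the openvpn PAM service).
setup_vpn_hbac() {
    ipa group-add "$VPN_GROUP" --desc="Accounts allowed to use the VPN"
    ipa hbacsvc-show "$VPN_PAMSVC" >/dev/null 2>&1 \
        || ipa hbacsvc-add "$VPN_PAMSVC" --desc="OpenVPN PAM service"
    ipa hbacrule-add "$VPN_RULE" --desc="VPN access, OTP-only accounts"
    ipa hbacrule-add-user "$VPN_RULE" --groups="$VPN_GROUP"
    ipa hbacrule-add-host "$VPN_RULE" --hosts="$VPN_HOST"
    ipa hbacrule-add-service "$VPN_RULE" --hbacsvcs="$VPN_PAMSVC"
}

# Per person: create vpn-<login>, require OTP on it (this applies to every
# authentication by that account, which is why it is a separate account),
# issue a TOTP token, and add it to the VPN group. Prints the new login.
provision_vpn_user() {
    base="$1"; first="$2"; last="$3"
    login="vpn-$base"
    ipa user-add "$login" --first="$first" --last="$last"
    ipa user-mod "$login" --user-auth-type=otp
    ipa otptoken-add --owner="$login" --type=totp --desc="VPN token for $base"
    ipa group-add-member "$VPN_GROUP" --users="$login"
    echo "$login"
}

# Ask IPA whether a given login would pass the rule on the VPN host.
check_vpn_access() {
    ipa hbactest --user="$1" --host="$VPN_HOST" --service="$VPN_PAMSVC"
}

# PAM stanza for the OpenVPN host. SSSD enforces the HBAC rule in the
# "account" phase, keyed on this file's name. The path is a parameter so the
# file can be reviewed before it is dropped into /etc/pam.d/.
# In server.conf (path is distro-dependent, an assumption here):
#   plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
write_openvpn_pam() {
    cat > "${1:-/etc/pam.d/$VPN_PAMSVC}" <<EOF
# Users enter password+OTP in the password field; pam_sss hands it to IPA.
auth     required   pam_sss.so
account  required   pam_sss.so
EOF
}
```

Run setup_vpn_hbac once as an IPA admin, then provision_vpn_user for each person and confirm with check_vpn_access; hbactest should report the vpn- login as matched and the person's ordinary login as not matched, since only the group members are in the rule.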




