Re: [Freeipa-users] OTP vs VPN
"There is no way to define per-service target 2FA yet in FreeIPA."

Oh, man... there you go using the "yet" word! ;-)

Thanks to you and Ben for the ideas. I'll hack around to see what makes sense.

Thanks,
Kurt

On 5/27/15, 12:33 PM, "Alexander Bokovoy" wrote:

>On Wed, 27 May 2015, Bendl, Kurt wrote:
>>Hi,
>>
>>I want to know if I can configure FreeIPA's native OTP solution to
>>require an account to use OTP when authenticating from a specific app
>>(OpenVPN or StrongSwan) but not require 2FA when logging into a
>>system/server or the IPA app.
>>
>>My (not completely baked) thought is to provision the VPN solution by
>>setting up a role or group in IPA that I'd add accounts into. The VPN
>>would allow users of that group to auth, using userid and password+OTP
>>to successfully.
>>
>>I've been reading through docs on the freeipa and red hat sites, e.g.,
>>https://www.freeipa.org/page/V4/OTP/Detail and
>>http://www.freeipa.org/page/V4/OTP#Enabling_OTP_and_RADIUS, to
>>determine if or how that might be doable.
>>
>>From what I read, an alternate approach from FreeIPA's built-in OTP
>>might be to set up a stand-alone OTP solution and use radius and/or a
>>PAM module to handle the VPN auth.
>>
>>I've DL'd the source, but there's so much there it'll take me some time
>>to figure out what's happening.
>>
>>Any pointers on what approach I should take or where to find some notes
>>and examples on how this might be accomplished would be greatly
>>appreciated.
>There is no way to define per-service target 2FA yet in FreeIPA.
>
>Setting up OpenVPN against IPA is easy. Use HBAC rules to confine who
>can access there.
>
>As for forcing 2FA for such access, my only suggestion right now is to
>have separate user accounts for this purpose. Let's say, they would be
>prefixed with vpn- (vpn-userfoo, for example), and then tokens can be
>assigned to them.
>--
>/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] OTP vs VPN
On Wed, 27 May 2015, Bendl, Kurt wrote:
>Hi,
>
>I want to know if I can configure FreeIPA's native OTP solution to
>require an account to use OTP when authenticating from a specific app
>(OpenVPN or StrongSwan) but not require 2FA when logging into a
>system/server or the IPA app.
>
>My (not completely baked) thought is to provision the VPN solution by
>setting up a role or group in IPA that I'd add accounts into. The VPN
>would allow users of that group to auth, using userid and password+OTP
>to successfully.
>
>I've been reading through docs on the freeipa and red hat sites, e.g.,
>https://www.freeipa.org/page/V4/OTP/Detail and
>http://www.freeipa.org/page/V4/OTP#Enabling_OTP_and_RADIUS, to
>determine if or how that might be doable.
>
>From what I read, an alternate approach from FreeIPA's built-in OTP
>might be to set up a stand-alone OTP solution and use radius and/or a
>PAM module to handle the VPN auth.
>
>I've DL'd the source, but there's so much there it'll take me some time
>to figure out what's happening.
>
>Any pointers on what approach I should take or where to find some notes
>and examples on how this might be accomplished would be greatly
>appreciated.
There is no way to define per-service target 2FA yet in FreeIPA.

Setting up OpenVPN against IPA is easy. Use HBAC rules to confine who
can access there.

As for forcing 2FA for such access, my only suggestion right now is to
have separate user accounts for this purpose. Let's say, they would be
prefixed with vpn- (vpn-userfoo, for example), and then tokens can be
assigned to them.
--
/ Alexander Bokovoy
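The HBAC-plus-dedicated-account approach from the reply above, as an added example script (not from the thread or the FreeIPA project) built from standard ipa CLI commands. The gateway host name, group name, HBAC service name and rule name are assumptions; it needs an admin Kerberos ticket, and unless APPLY=1 is set it only prints the commands it would run.

```shell
#!/bin/sh
# Added example: confine VPN logins with an HBAC rule and give each
# dedicated vpn- account an OTP token. Names below are assumptions.
# Prerequisite when applying: kinit admin (or an equivalent admin ticket).
set -eu

IPA_CMD="${IPA_CMD:-ipa}"
VPN_HOST="${VPN_HOST:-vpn.example.test}"   # assumed OpenVPN gateway, enrolled as an IPA client
VPN_GROUP="${VPN_GROUP:-vpn-users}"        # assumed group holding the vpn- accounts
VPN_HBACSVC="${VPN_HBACSVC:-openvpn}"      # assumed PAM service name the gateway authenticates with
VPN_RULE="${VPN_RULE:-vpn_access}"         # assumed HBAC rule name

# Dry-run by default: print the ipa command instead of executing it.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$IPA_CMD" "$@"; else printf 'ipa %s\n' "$*"; fi
}

# Dedicated VPN login for an ordinary user: userfoo -> vpn-userfoo.
vpn_login() { printf 'vpn-%s' "$1"; }

# One-time policy: only members of $VPN_GROUP may use the $VPN_HBACSVC
# service on $VPN_HOST. The default allow_all rule still grants everyone
# access everywhere; disable it (ipa hbacrule-disable allow_all) only once
# the rules your other hosts rely on exist.
setup_vpn_hbac() {
    run hbacsvc-add "$VPN_HBACSVC" --desc="OpenVPN gateway logins"
    run group-add "$VPN_GROUP" --desc="Dedicated OTP-protected vpn- accounts"
    run hbacrule-add "$VPN_RULE" --desc="VPN access for vpn- accounts only"
    run hbacrule-add-user "$VPN_RULE" --groups="$VPN_GROUP"
    run hbacrule-add-host "$VPN_RULE" --hosts="$VPN_HOST"
    run hbacrule-add-service "$VPN_RULE" --hbacsvcs="$VPN_HBACSVC"
}

# Per user: create the vpn- twin with OTP as its only allowed auth type,
# enroll a TOTP token for it, and check that the rule grants it access.
add_vpn_user() {
    login=$(vpn_login "$1")
    run user-add "$login" --first="$2" --last="$3" --user-auth-type=otp
    run group-add-member "$VPN_GROUP" --users="$login"
    run otptoken-add --type=totp --owner="$login" --desc="VPN token for $1"
    run hbactest --user="$login" --host="$VPN_HOST" --service="$VPN_HBACSVC"
}

if [ "${1:-}" = "setup" ]; then setup_vpn_hbac; fi
if [ "${1:-}" = "adduser" ]; then add_vpn_user "$2" "$3" "$4"; fi
```

The ordinary account keeps password-only authentication for server and IPA logins, while the vpn- account can authenticate only with password+OTP; the hbactest call confirms the rule matches before anyone depends on it.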
Re: [Freeipa-users] OTP vs VPN
We've found it easier to integrate a 2FA solution into OpenVPN and local login separately. If you go with a solution that works with PAM, setting it up with OpenVPN Access Server (the commercial product) and local login (FreeIPA-backed) is pretty straightforward. The only thing it won't protect is the FreeIPA web UI, but if you put that behind a VPN or IP whitelist it should be less of an issue.

Ben

On Wed, May 27, 2015 at 10:53 AM, Bendl, Kurt wrote:

> Hi,
>
> I want to know if I can configure FreeIPA's native OTP solution to require
> an account to use OTP when authenticating from a specific app (OpenVPN or
> StrongSwan) but not require 2FA when logging into a system/server or the
> IPA app.
>
> My (not completely baked) thought is to provision the VPN solution by
> setting up a role or group in IPA that I'd add accounts into. The VPN would
> allow users of that group to auth, using userid and password+OTP to
> successfully.
>
> I've been reading through docs on the freeipa and red hat sites, e.g.,
> https://www.freeipa.org/page/V4/OTP/Detail and
> http://www.freeipa.org/page/V4/OTP#Enabling_OTP_and_RADIUS, to determine
> if or how that might be doable.
>
> From what I read, an alternate approach from FreeIPA's built-in OTP might
> be to set up a stand-alone OTP solution and use radius and/or a PAM module
> to handle the VPN auth.
>
> I've DL'd the source, but there's so much there it'll take me some time to
> figure out what's happening.
>
> Any pointers on what approach I should take or where to find some notes
> and examples on how this might be accomplished would be greatly appreciated.
>
> Thanks,
> Kurt

--
Benjamen Keroack
*Infrastructure/DevOps Engineer*
benja...@dollarshaveclub.com
[Freeipa-users] OTP vs VPN
Hi,

I want to know if I can configure FreeIPA's native OTP solution to require an account to use OTP when authenticating from a specific app (OpenVPN or StrongSwan) but not require 2FA when logging into a system/server or the IPA app.

My (not completely baked) thought is to provision the VPN solution by setting up a role or group in IPA that I'd add accounts into. The VPN would allow users of that group to auth, using userid and password+OTP to successfully.

I've been reading through docs on the freeipa and red hat sites, e.g., https://www.freeipa.org/page/V4/OTP/Detail and http://www.freeipa.org/page/V4/OTP#Enabling_OTP_and_RADIUS, to determine if or how that might be doable.

From what I read, an alternate approach from FreeIPA's built-in OTP might be to set up a stand-alone OTP solution and use radius and/or a PAM module to handle the VPN auth.

I've DL'd the source, but there's so much there it'll take me some time to figure out what's happening.

Any pointers on what approach I should take or where to find some notes and examples on how this might be accomplished would be greatly appreciated.

Thanks,
Kurt