[Freeipa-users] OTP vs VPN
Bendl, Kurt
2015-05-27 17:53:24 UTC
Hi,

I want to know if I can configure FreeIPA's native OTP solution to require an account to use OTP when authenticating from a specific app (OpenVPN or StrongSwan) but not require 2FA when logging into a system/server or the IPA app.

My (not completely baked) thought is to provision the VPN solution by setting up a role or group in IPA that I'd add accounts into. The VPN would allow users of that group to authenticate successfully using userid and password+OTP.

I've been reading through docs on the FreeIPA and Red Hat sites, e.g., https://www.freeipa.org/page/V4/OTP/Detail and http://www.freeipa.org/page/V4/OTP#Enabling_OTP_and_RADIUS, to determine if or how that might be doable.
From what I read, an alternate approach to FreeIPA's built-in OTP might be to set up a stand-alone OTP solution and use RADIUS and/or a PAM module to handle the VPN auth.
I've DL'd the source, but there's so much there it'll take me some time to figure out what's happening.

Any pointers on what approach I should take or where to find some notes and examples on how this might be accomplished would be greatly appreciated.

Thanks,
Kurt
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Benjamen Keroack
2015-05-27 18:21:11 UTC
We've found it easier to integrate a 2FA solution into OpenVPN and local
login separately. If you go with a solution that works with PAM, setting it
up with OpenVPN Access Server (the commercial product) and local login
(FreeIPA-backed) is pretty straightforward. The only thing it won't protect
is the FreeIPA web UI, but if you put that behind a VPN or IP whitelist it
should be less of an issue.

Ben
--
Benjamen Keroack
*Infrastructure/DevOps Engineer*
***@dollarshaveclub.com
Alexander Bokovoy
2015-05-27 18:33:25 UTC
There is no way to define per-service target 2FA yet in FreeIPA.

Setting up OpenVPN against IPA is easy. Use HBAC rules to confine who
can access there.

As for forcing 2FA for such access, my only suggestion right now is to
have separate user accounts for this purpose. Let's say, they would be
prefixed with vpn- (vpn-userfoo, for example), and then tokens can be
assigned to them.
--
/ Alexander Bokovoy
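The two suggestions above (confine VPN access with an HBAC rule, and force 2FA by giving VPN users separate vpn- prefixed accounts with tokens) can be scripted with the ipa CLI. The following is an added example written for this thread, not code from the list or from the FreeIPA project. It assumes the VPN host is enrolled in IPA and authenticates through SSSD/PAM, that its PAM service name is openvpn, and that the host, group and rule names (vpn.example.com, vpn-users, vpn_access) are placeholders to replace; the IPA variable lets you set IPA=echo to preview the commands without touching a server.

```shell
#!/bin/sh
# Added example: VPN-only OTP accounts confined by an HBAC rule.
# Assumed names (replace for your deployment): vpn.example.com, openvpn,
# vpn-users, vpn_access. Set IPA=echo to dry-run and just print the commands.
set -eu

IPA="${IPA:-ipa}"
VPN_HOST="${VPN_HOST:-vpn.example.com}"   # assumed: enrolled VPN gateway host
VPN_SERVICE="${VPN_SERVICE:-openvpn}"     # assumed: PAM service name used by the VPN's PAM plugin
VPN_GROUP="${VPN_GROUP:-vpn-users}"       # assumed: group that the HBAC rule admits
VPN_RULE="${VPN_RULE:-vpn_access}"        # assumed: HBAC rule name

# 1. HBAC: only members of $VPN_GROUP may use service $VPN_SERVICE on $VPN_HOST.
#    Note that the default allow_all rule, if still enabled, admits everyone;
#    check it with 'ipa hbacrule-show allow_all' before relying on this rule.
vpn_hbac_setup() {
    $IPA group-add "$VPN_GROUP" --desc="Accounts allowed to authenticate to the VPN"
    $IPA hbacservice-add "$VPN_SERVICE" --desc="VPN PAM service"
    $IPA hbacrule-add "$VPN_RULE" --desc="VPN access restricted to OTP-only accounts"
    $IPA hbacrule-add-service "$VPN_RULE" --hbacsvcs="$VPN_SERVICE"
    $IPA hbacrule-add-host "$VPN_RULE" --hosts="$VPN_HOST"
    $IPA hbacrule-add-user "$VPN_RULE" --groups="$VPN_GROUP"
}

# 2. Separate vpn- account: its only allowed auth type is OTP, so a plain
#    password can never satisfy it, and it gets its own TOTP token. The user's
#    regular account stays password-only for server and web UI logins.
#    Usage: vpn_account_add <login-suffix> <first> <last>
vpn_account_add() {
    login="vpn-$1"
    $IPA user-add "$login" --first="$2" --last="$3" --user-auth-type=otp
    $IPA otptoken-add --type=totp --owner="$login" --desc="VPN token for $login"
    $IPA group-add-member "$VPN_GROUP" --users="$login"
}

# 3. Server-side check of the rule before testing from the VPN itself.
vpn_hbac_check() {
    $IPA hbactest --user="vpn-$1" --host="$VPN_HOST" --service="$VPN_SERVICE"
}

# Usage: IPA=echo sh vpn_otp_accounts.sh userfoo Foo User   (preview)
#        sh vpn_otp_accounts.sh userfoo Foo User             (apply)
if [ "$#" -eq 3 ]; then
    vpn_hbac_setup
    vpn_account_add "$@"
    vpn_hbac_check "$1"
fi
```

With this in place the user connects to the VPN as vpn-userfoo and enters password+OTP in the single password field, exactly as the thread describes, while logging into servers or the IPA web UI with the regular account and no token. Run the hbactest step for both the vpn- account and a regular account: the first should be allowed, the second denied.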
Bendl, Kurt
2015-05-28 14:53:58 UTC
"There is no way to define per-service target 2FA yet in FreeIPA."

Oh, man... there you go using the "yet" word! ;-)
Thanks to you and Ben for the ideas. I'll hack around to see what makes
sense.

Thanks,
Kurt