Any luck yet, Kevin? No luck here yet.



On Fri, Nov 9, 2018 at 10:56 PM, Kevin Vasko
<kvasko@gmail.com> wrote:
I’m following this because I’m having the same issue. Since the OpenVPN client won’t prompt twice for the second factor, I know you have to do the whole “password+otp” (without the +), but I keep getting “invalid password”.

-Kevin

> On Nov 8, 2018, at 12:51 PM, Eric Fredrickson via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>
> Hello everyone,
>
> I'm having an issue with OTP when logging into a VPN server that is a client of FreeIPA. I can log in with no issues when OTP is disabled.
>
> FreeIPA Setup:
> CentOS 7.5
> FreeIPA 4.5.4
>
> HBAC Service: openvpn
> HBAC Rule:
> [root@ipa ~]# ipa hbacrule-show openvpn_access
> Rule name: openvpn_access
> Description: VPN users HBAC rule for accessing <vpnhost> via the openvpn service.
> Enabled: TRUE
> Users: <users>
> Hosts: vpnhost.localdomain.local
> Services: openvpn
>
> User account:
> [root@ipa ~]# ipa user-show <omitted>
>  User login: <omitted>
>  First name: <omitted>
>  Last name: <omitted>
>  Home directory: /home/<omitted>
>  Login shell: /bin/bash
>  Principal name: <omitted>
>  Principal alias: <omitted>
>  Email address: <omitted>
>  UID: 1909600003
>  GID: 1909600003
>  User authentication types: otp
>  Certificate: <omitted>
>  Account disabled: False
>  Password: True
>  Member of groups: vpn_users
>  Member of HBAC rule: openvpn_access
>  Indirect Member of HBAC rule: user_ipa_access
>  Kerberos keys available: True
>
> OpenVPN server:
> /etc/pam.d/openvpn
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        required      pam_faildelay.so delay=2000000
> auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
> auth        [default=1 ignore=ignore success=ok] pam_localuser.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite    pam_succeed_if.so uid >= 1000 quiet_success
> auth        sufficient    pam_sss.so forward_pass
> auth        required      pam_deny.so
>
> account    required      pam_unix.so
> account    sufficient    pam_localuser.so
> account    sufficient    pam_succeed_if.so uid < 1000 quiet
> account    [default=bad success=ok user_unknown=ignore] pam_sss.so
> account    required      pam_permit.so
>
> password    requisite    pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_sss.so use_authtok
>
> password    required      pam_deny.so
>
> session    optional      pam_keyinit.so revoke
> session    required      pam_limits.so
> -session    optional      pam_systemd.so
> session    optional      pam_oddjob_mkhomedir.so umask=0077
> session    [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session    required      pam_unix.so
> session    optional      pam_sss.so
>
> server.conf
> plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
>
> Any help would be greatly appreciated. If there is any other information you may need, please feel free to ask. I've read multiple threads; some people have gotten it to work without posting answers, and some have not and have stated that OpenVPN does not support multiple prompts.
>
> Eric
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
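The auth section of the /etc/pam.d/openvpn quoted above is what decides which module ever sees the password that the OpenVPN auth-pam plugin hands over. The following is an added example, not code from this thread or from Linux-PAM, OpenVPN, SSSD or FreeIPA: a small Python evaluator of Linux-PAM control-flag semantics (required/requisite/sufficient/optional and the bracketed [value=action] form, including the numeric jumps the posted file uses) run over that auth section as posted. The module results are constructed inputs chosen to match each module's documented behaviour for a FreeIPA user that is not in /etc/passwd (pam_env and pam_faildelay return PAM_IGNORE, pam_succeed_if's "uid >= 1000" holds, pam_localuser denies, pam_deny returns PAM_AUTH_ERR); no real PAM call is made, and the function and scenario names are this example's own.

```python
# Added example: a Linux-PAM control-flag evaluator run over the auth section
# of the /etc/pam.d/openvpn quoted in the thread. Module results are
# constructed inputs; nothing here calls the real PAM library.
import re
from collections import namedtuple

# Linux-PAM return codes used below (values from <security/_pam_types.h>).
PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTH_ERR, PAM_IGNORE = 0, 6, 7, 25
RETVAL_NAMES = {PAM_SUCCESS: "success", PAM_PERM_DENIED: "perm_denied",
                PAM_AUTH_ERR: "auth_err", PAM_IGNORE: "ignore"}

# The keyword controls, as the [value=action] lists pam.conf(5) defines them by.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# control: return-value name -> action (ok / done / bad / die / ignore / N)
Entry = namedtuple("Entry", "control module args")
LINE_RE = re.compile(r"^\s*auth\s+(\[[^\]]+\]|\S+)\s+(\S+)\s*(.*)$")

def parse_auth_stack(text):
    """Parse the 'auth' lines of a pam.d file; other types and comments are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ctl, module, args = m.groups()
        control = (dict(tok.split("=", 1) for tok in ctl[1:-1].split())
                   if ctl.startswith("[") else KEYWORDS[ctl])
        entries.append(Entry(control, module, args))
    return entries

def run_auth_stack(entries, outcomes):
    """Walk the stack with libpam's impression/status bookkeeping for ok, done, bad,
    die, ignore and numeric jumps. Returns (final status, modules actually called)."""
    impression = None          # None = undefined, True = positive, False = negative
    status = PAM_PERM_DENIED   # libpam's initial PAM_MUST_FAIL_CODE
    called, skip = [], 0
    for entry in entries:
        if skip:               # jumped over: the module is never invoked
            skip -= 1
            continue
        retval = outcomes[entry.module]
        called.append(entry.module)
        action = entry.control.get(RETVAL_NAMES[retval], entry.control.get("default", "bad"))
        if action in ("ok", "done"):
            if impression is None or (impression and status == PAM_SUCCESS):
                if retval != PAM_IGNORE or impression is None:
                    impression, status = True, retval
            if impression and action == "done":
                break              # sufficient: a success ends the stack
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, retval
            if action == "die":
                break              # requisite: a failure ends the stack
        elif action != "ignore":
            skip = int(action)     # "N": skip the next N modules, status untouched
    return status, called

# The auth section exactly as posted in the thread.
OPENVPN_AUTH = """\
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite    pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
"""
STACK = parse_auth_stack(OPENVPN_AUTH)

# Constructed outcomes for the FreeIPA user in the thread (uid 1909600003, not in
# /etc/passwd). pam_sss is set per scenario below; pam_unix is never reached here.
IPA_USER = {"pam_env.so": PAM_IGNORE, "pam_faildelay.so": PAM_IGNORE,
            "pam_succeed_if.so": PAM_SUCCESS, "pam_localuser.so": PAM_PERM_DENIED,
            "pam_unix.so": PAM_AUTH_ERR, "pam_deny.so": PAM_AUTH_ERR}

def ipa_user_sssd_accepts():
    """SSSD accepts the single password+OTP string."""
    return run_auth_stack(STACK, {**IPA_USER, "pam_sss.so": PAM_SUCCESS})
def ipa_user_sssd_rejects():
    """SSSD rejects it: 'sufficient' drops pam_sss's own code and pam_deny decides."""
    return run_auth_stack(STACK, {**IPA_USER, "pam_sss.so": PAM_AUTH_ERR})
def local_user():
    """A user in /etc/passwd with uid >= 1000: pam_unix answers, pam_sss never runs."""
    return run_auth_stack(STACK, {**IPA_USER, "pam_localuser.so": PAM_SUCCESS,
                                  "pam_unix.so": PAM_SUCCESS, "pam_sss.so": PAM_SUCCESS})

if __name__ == "__main__":
    for label, fn in [("IPA user, SSSD accepts", ipa_user_sssd_accepts),
                      ("IPA user, SSSD rejects", ipa_user_sssd_rejects),
                      ("local user", local_user)]:
        status, called = fn()
        print(f"{label}: {RETVAL_NAMES[status]} via {' -> '.join(called)}")
```

With these outcomes the FreeIPA user is only ever authenticated by pam_sss: pam_localuser's denial jumps over pam_unix, and when SSSD rejects the combined string the "sufficient" control discards pam_sss's own return code, so the error the auth-pam plugin reports is pam_deny's. The reason for the rejection therefore has to be read on the SSSD side (/var/log/sssd/sssd_pam.log and krb5_child.log with debug_level raised) rather than from the PAM result OpenVPN sees.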