22.3. Restricting Access to Services and Hosts Based on How Users Authenticate

The authentication mechanisms supported by IdM vary in their authentication strength. For example, authentication using a one-time password (OTP) in combination with a standard password is considered safer than authentication using a standard password only. This section shows how to limit access to services and hosts based on how the user authenticates.

For example, you can configure:

services critical to security, such as VPN, to require a strong authentication method
noncritical services, such as local logins, to allow authentication using a weaker, but more convenient authentication method

Figure 22.8. Example of Authenticating Using Different Methods

Authentication Indicators

Access to services and hosts is defined by authentication indicators:

Indicators included in a service or host entry define what authentication methods the user can use to access that service or host.
Indicators included in the user's ticket-granting ticket (TGT) show what authentication method was used to obtain the ticket.

If the indicator in the principal does not match the indicator in the TGT, the user is denied access.

22.3.1. Configuring a Host or a Service to Require a Specific Authentication Method

To configure a host or a service using:

Web UI: Configuring a Host or a Service to Require a Specific Authentication Method

Select Identity → Hosts or Identity → Services.
Click the name of the required host or service.
Under Authentication indicators, select the required authentication method.
- For example, selecting OTP ensures that only users who used a valid OTP code with their password will be allowed to access the host or service.
- If you select both OTP and RADIUS, either OTP or RADIUS will be sufficient to allow access.
Click Save at the top of the page.

Command Line: Configuring a Host or a Service to Require a Specific Authentication Method

Optional. Use the ipa host-find or ipa service-find commands to identify the host or service.
Use the ipa host-mod or the ipa service-mod command with the --auth-ind option to add the required authentication indicator. For a list of the values accepted by --auth-ind, see the output of the ipa host-mod --help or ipa service-mod --help commands.
For example, --auth-ind=otp ensures that only users who used a valid OTP code with their password will be allowed to access the host or service:
```
$ ipa host-mod server.example.com --auth-ind=otp
---------------------------------------------------------
Modified host "server.example.com"
---------------------------------------------------------
  Host name: server.example.com
  ...
  Authentication Indicators: otp
  ...
```
If you add indicators for both OTP and RADIUS, either OTP or RADIUS will be sufficient to allow access.

Where did the comment section go?

Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories

Red Hat Training