MFA on specific authentications only

Hi all,

Been playing with the software for a few days and I am impressed by how broad the features are.

However, I have encountered a problem when planning the setup for our environment. Our plan is to enforce the VPN login with MFA, which should be rather easy to set up, but after being authenticated with the proper password+MFA it would not require the OTP anymore in the internal networks behind the firewall inside the VPN network.

So, the internal systems (Linux and Windows machines) would take username+userstore password without the PIN, even if the user has a token assigned. It would be even better to verify that the user really does have a token assigned, but still allow the user to authenticate with the userstore password. We currently rely on the SQL userstore and resolver only, no AD or LDAP.

Has anyone worked out this kind of setup before? I have tried to create various policies with the client address being the VPN subnet, but for example the otppin:userstore action requires the same user to not have a token and thus fails to work. Is there a policy action like “skip-OTP” that I have just not discovered?

Hi,
I am not sure if I understood your idea correctly, but have you tried “passOnNoToken”?
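To make the client-scoped policies discussed in this thread concrete, here is an added Python example; it is not code from the privacyIDEA project or from either poster. It builds the JSON bodies for privacyIDEA's `POST /policy/<name>` API for two authentication policies, one scoped to the VPN gateway's address and one to the VPN client pool, and checks which policy a given requesting address would hit. The pool 10.8.0.0/24 and the gateway address 192.0.2.10 are made up for the example, and the client-field matching is a simplified reading of privacyIDEA's comma-separated IP/subnet syntax. Keep in mind that passthru and passOnNoToken, as the privacyIDEA documentation describes them, only act for users who have no token assigned.

```python
"""Client-scoped privacyIDEA authentication policies (added example).

Assumptions, not taken from the thread: the VPN client pool is 10.8.0.0/24 and
the VPN gateway sends its RADIUS/API requests from 192.0.2.10. Both addresses
are constructed for this example.
"""
import ipaddress
import json

VPN_POOL = "10.8.0.0/24"      # constructed
VPN_GATEWAY = "192.0.2.10"    # constructed

# Each entry is the body of a POST /policy/<name> request to privacyIDEA.
# "action" uses the comma-separated "key=value" / "flag" syntax of the policy UI.
POLICIES = {
    "vpn-gateway-mfa": {
        "scope": "authentication",
        "client": VPN_GATEWAY,          # only requests coming from the VPN gateway
        "action": "otppin=userstore",   # userstore password as PIN, OTP still required
        "active": True,
    },
    "vpn-internal-no-otp": {
        "scope": "authentication",
        "client": VPN_POOL,             # hosts that are reached through the tunnel
        # passthru: users WITHOUT a token are checked against the userstore.
        # passOnNoToken: users WITHOUT a token are accepted without a check.
        # Neither action changes anything for a user who has a token assigned.
        "action": "passthru",
        "active": True,
    },
}


def client_matches(client_field, ip):
    """Simplified reading of the policy 'client' field: a comma-separated list
    of IP addresses or CIDR subnets; the policy applies if `ip` is in any."""
    addr = ipaddress.ip_address(ip)
    for raw in client_field.split(","):
        item = raw.strip()
        if not item:
            continue
        # A bare address becomes a /32 (or /128) network.
        if addr in ipaddress.ip_network(item, strict=False):
            return True
    return False


def matching_policies(ip, policies=POLICIES):
    """Names of active authentication policies whose client field covers `ip`."""
    return sorted(
        name
        for name, pol in policies.items()
        if pol["active"]
        and pol["scope"] == "authentication"
        and client_matches(pol["client"], ip)
    )


def policy_requests(policies=POLICIES):
    """(method, path, json_body) tuples to send to privacyIDEA with an admin token."""
    return [
        ("POST", f"/policy/{name}", json.dumps(body))
        for name, body in policies.items()
    ]


if __name__ == "__main__":
    for ip in (VPN_GATEWAY, "10.8.0.23", "203.0.113.9"):
        hit = matching_policies(ip)
        print(f"{ip:>14} -> {hit if hit else 'no client-scoped policy'}")
    for method, path, body in policy_requests():
        print(method, path, body)
```

Run it as a script to see which policy a request from the gateway, from a tunnel client, and from an unrelated address would fall under; the request tuples are what you would send to the privacyIDEA API with an authenticated admin session.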