WebUI first login without token

Hey, I have PrivacyIDEA connected to my LDAP server and acting as a RADIUS server for my FortiGate VPN.
I currently have two policies inside PrivacyIDEA related to the issue.
One is in authentication scope - otppin = userstore (so users need to use AD password instead of PINs)
And the other one is in webui scope - login_mode = PrivacyIDEA (that way users have to use a token whenever they login to the self service portal)

What I’m trying to achieve is that users will never be able to sign into the VPN without a token, and this scenario happens now with the current policies.
But when users try to sign into the self service without a token, they can't.
What I found out is that there's another authentication action you can use called passthru = userstore, and while it lets users sign into the self service for the first time, it also lets users sign into the VPN without a token.

I want to make it so users can never log into the VPN without a token while permitting them to use the self service portal for the first time to enroll a token for themselves.

I haven’t found a native way to do it in the UI.
Any ideas?

You described it in your prose text:

You want users to require a 2nd factor if logging in to the VPN.

But if the user logs in to the self service, you want them to be able to log in with the userstore password (passthru) if they have no token.

Note that policies support conditions, and that these conditions can also be the client IP.

Take a look at the audit log to see how auth requests from the VPN and logins to the UI differ.

You might be also interested in this:
https://privacyidea.readthedocs.io/en/latest/configuration/system_config.html#override-authorization-client
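As an added illustration (not privacyIDEA's own code), the following Python models how a client-IP condition on the passthru policy separates the two paths: the RADIUS host 198.51.100.5 and the browser address 192.0.2.33 are constructed, and the comma-separated, `!`-excluding `client` syntax is assumed to follow privacyIDEA's policy client field.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    scope: str
    action: dict
    # Comma-separated IPs/subnets; a "!" prefix excludes an entry.
    # Empty means the policy applies to every client (assumed format).
    client: str = ""


def client_matches(client_field: str, ip: str) -> bool:
    """True if `ip` hits an allowed entry (or none are listed) and misses
    every "!"-excluded entry."""
    if not client_field.strip():
        return True
    addr = ipaddress.ip_address(ip)
    allowed, excluded = [], []
    for raw in client_field.split(","):
        raw = raw.strip()
        if not raw:
            continue
        bucket = excluded if raw.startswith("!") else allowed
        bucket.append(ipaddress.ip_network(raw.lstrip("!"), strict=False))
    if any(addr in net for net in excluded):
        return False
    return not allowed or any(addr in net for net in allowed)


def effective_actions(policies, scope: str, ip: str) -> dict:
    """Merge the actions of all policies in `scope` whose client condition
    matches the requesting IP."""
    merged = {}
    for p in policies:
        if p.scope == scope and client_matches(p.client, ip):
            merged.update(p.action)
    return merged


POLICIES = [
    Policy("pin_is_ad_password", "authentication", {"otppin": "userstore"}),
    # passthru for everyone EXCEPT requests coming from the RADIUS/VPN host
    Policy("webui_passthru", "authentication", {"passthru": "userstore"},
           client="!198.51.100.5"),
    Policy("webui_needs_token", "webui", {"login_mode": "privacyIDEA"}),
]


def passthru_allowed(ip: str) -> bool:
    return effective_actions(POLICIES, "authentication", ip).get("passthru") == "userstore"
```

With this layout a token-less user can still reach the self service from a browser, while the same userstore-only login is refused when the request arrives via the RADIUS host.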