Hey, I have PrivacyIDEA connected to my LDAP server and acting as a RADIUS server for my FortiGate VPN.
I currently have two policies inside PrivacyIDEA related to the issue.
One is in the authentication scope: otppin = userstore (so users need to use their AD password instead of PINs).
The other is in the webui scope: login_mode = PrivacyIDEA (that way users have to use a token whenever they log in to the self-service portal).
What I’m trying to achieve is that users will never be able to sign in to the VPN without a token, and this scenario happens now with the current policies.
But when users try to sign in to the self-service portal without a token, they can’t.
What I found out is that there’s another authentication action you can use called passthru = userstore; while it lets users sign in to the self-service portal for the first time, it also lets users sign in to the VPN without a token.
I want to make it so users can never log in to the VPN without a token while permitting them to use the self-service portal for the first time to enroll a token for themselves.
I haven’t found a native way to do it in the UI.
Any ideas?
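As an added example (not part of the post above and not privacyIDEA's own code), the script below writes down the three policies the post describes and shows one way to keep passthru away from the RADIUS path: privacyIDEA policies carry a client attribute that limits a policy to requests arriving from listed addresses or subnets, so a passthru policy restricted to the subnet the users' browsers come from never matches a /validate/check sent by the RADIUS server. The addresses RADIUS_SERVER and USER_LAN are constructed placeholders, the small client_matches() evaluator only models the plain IP/CIDR-list form of that attribute, and push_policies() assumes the documented REST endpoints POST /auth (admin JWT in result.value.token) and POST /policy/<name> with the scope, action and client parameters.

```python
"""Policy sketch: VPN (RADIUS) must always need a token, the self-service
web UI may fall back to the userstore password for users without a token.

Added example, not privacyIDEA's own code. Assumptions:
  - privacyIDEA REST API: POST /auth for an admin JWT, POST /policy/<name>
    to create or update a policy with scope, action and client parameters;
  - the client attribute restricts a policy to the listed IPs/subnets;
  - placeholder addresses below; replace them for the real deployment.
"""
import ipaddress
import json
import urllib.parse
import urllib.request

# --- constructed placeholders (adjust to the real deployment) ---
RADIUS_SERVER = "10.0.0.5"       # RADIUS plugin sends /validate/check from here
USER_LAN = "192.168.10.0/24"     # users' browsers reach the self-service UI from here

# The three policies from the post. Only the passthru policy is scoped by
# client, so it never matches a request coming from the RADIUS server.
POLICIES = {
    "pin_is_ad_password": {"scope": "authentication", "action": "otppin=userstore", "client": ""},
    "webui_needs_token": {"scope": "webui", "action": "login_mode=privacyIDEA", "client": ""},
    "webui_first_login": {"scope": "authentication", "action": "passthru=userstore", "client": USER_LAN},
}


def client_matches(client_field: str, client_ip: str) -> bool:
    """Model the client attribute: an empty field matches everybody, otherwise the
    request IP must fall inside one of the comma-separated IPs/subnets.
    (privacyIDEA's real syntax also knows exclusions; not modelled here.)"""
    if not client_field.strip():
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(entry.strip(), strict=False)
               for entry in client_field.split(",") if entry.strip())


def actions_for(scope: str, client_ip: str, policies=POLICIES) -> set:
    """Actions of all policies in `scope` whose client restriction admits client_ip."""
    return {p["action"] for p in policies.values()
            if p["scope"] == scope and client_matches(p["client"], client_ip)}


def passthru_allowed(client_ip: str, policies=POLICIES) -> bool:
    """True if a password-only login (passthru) would be granted for this origin."""
    return "passthru=userstore" in actions_for("authentication", client_ip, policies)


def _post(base_url: str, path: str, data: dict, token: str = None) -> dict:
    """Form-encoded POST against the privacyIDEA API; returns the parsed JSON."""
    body = urllib.parse.urlencode(data).encode()
    req = urllib.request.Request(base_url.rstrip("/") + path, data=body, method="POST")
    if token:
        req.add_header("Authorization", token)  # privacyIDEA takes the raw JWT here
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def push_policies(base_url: str, admin_user: str, admin_pass: str, policies=POLICIES) -> list:
    """Create/update the policies via the REST API; returns the names that were accepted.
    Network call, so only invoked explicitly (see __main__)."""
    auth = _post(base_url, "/auth", {"username": admin_user, "password": admin_pass})
    token = auth["result"]["value"]["token"]
    accepted = []
    for name, p in policies.items():
        params = {"scope": p["scope"], "action": p["action"]}
        if p["client"]:
            params["client"] = p["client"]
        result = _post(base_url, "/policy/" + name, params, token)
        if result.get("result", {}).get("status"):
            accepted.append(name)
    return accepted


if __name__ == "__main__":
    for origin in (RADIUS_SERVER, "192.168.10.23"):
        print(origin, "-> passthru allowed:", passthru_allowed(origin))
    # push_policies("https://pi.example.internal", "admin", "secret")  # apply for real
```

Two things to check before relying on this: the address privacyIDEA sees for a browser login is the reverse proxy's if one sits in front, so the proxy's X-Forwarded-For must be trusted (privacyIDEA's Override Authorization Client setting) or every user appears to come from the proxy; and the RADIUS server's address must not lie inside the subnet given to the passthru policy, otherwise the VPN path inherits the fallback again.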