Thanks for reply.

I carefully read the documentation and realized that this function is for other tasks.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/otp#migrating-proprietary-otp

And now I have another problem. I have L2TP/IPSec server on my Mikrotik router. I want use LDAP credentials (login + pass from FreeIPA) + FreeIPA OTP to authenticate on my L2TP/IPSec server (on Mikrotik router). I deploy FreeRADIUS and it connect to LDAP (FreeIPA), find user+pass and permit login in VPN.
But Mikrotik's radius client use only MS-CHAPv2 and I must add NT Hash for each LDAP-user. And with NT hash I can not use FreeIPA OTP (NT hash static generated from password only).

Is there way to use FreeIPA LDAP with OTP + FreeRADIUS for authenticate on VPN server witch use MS-CHAPv2?
So I want use LDAP credentials for local login to system and LDAP credentials + FreeIPA OTP for login to VPN.

I really want use FreeIPA OTP, because FreeIPA provides a personal area for each user. User can change own pass, add OTP by himself, etc.

I hope that I can be understood. :-)
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org