Hi all, I do acknowledge that this topic has been discussed in various threads, but I am struggling to get it working and to understand the concepts. My use cases are to use OTP 2FA with for example Google Authenticator as additional security measure for 1. access to the freeipa server itself for selected users (typically admins) 2. access to selected linux servers enrolled in FreeIPA . All users with any access to these ,should always use OTP on these servers. No requirement for OTP for access to other servers. 3. access to applications using LDAP integrations to FreeIPA The first use case works right out of the box. I have managed to configure individual users for OTP in the User Auth settings, assign tokens and get it working using Google Authenticated. I am struggling with the second use case for server access. Instead of diving into all the detailed configs and logs and to understand why it is not working I would rather start with how it is supposed to work at the high level, to ensure I have gotten the basics correct first. Is the use case supported at all? How should I configure the selected users FreeIPA ? How should I configure the selected hosts in FreeIPA ? How should I configure on the selected hosts, i.e with respect to SSSD, PAM etc. regards, Ole