Excluding MFA for a user

[eeldivad]

Is it possible to exclude MFA for a user? I tried this ACL but it seems the MFA takes priority with the same route.

"Acls": {
    "Policies": {
        "*": {
            "Mfa": ["10.100.1.0/24"]
        },
        "testuser": {
            "Allow":[ "10.100.1.0/24"]
        }
    }
}

[eeldivad]

I need to setup a special service account user that runs in the background so it can't do MFA to access the same network

[NHAS]

Hi @eeldivad

The * policy is a special policy that applies to all users and groups. You are correct that MFA directives take priority over public routes, just as a safety precaution. I'd much prefer people make a network that is took locked down than too open.

You will need to do the following:

"Acls": {
    "Policies": {
        "group:everyone": {
              "MFA":[ "10.100.1.0/24"]
        }, 
        "testuser": {
            "Allow":[ "10.100.1.0/24"]
        }
    }
}

And thus have every other user as part of the everyone group. Unfortunately there is no way to say "these are the only routes this user has" in an ACL block.