Self-Hosted Cloudflareaccess unable to get it working

I am trying to setup Cloudflareaccess to an application. The domain is hosted on cloudflare (DNS wize). I get the access page from cloudflare, but the user who is listed under Cloudflare teams does not get an OTP in their email.

Am I missing something ? Currently it’s just a DNS entry which does nothing so you can have a look at https://testapp.itsec.works

Hi @itsecworks,

Can you double check that the policy is in place to allow that specific email and ideally post a screenshot of your access policy (you can blank out the email).

If you’re trying it with a corporate email address, can you test it with a public provider address (like Gmail, for example) allowed, to rule out an issue with the receiving mail?

Hi @itsecworks,

Can you double check that the policy is in place to allow that specific email and ideally post a screenshot of your access policy (you can blank out the email).

If you’re trying it with a corporate/custom email address, can you test it with a public provider address (like Gmail, for example) allowed, to rule out an issue with the receiving mail?

@domjh It’s actually a very open policy. But all help is welcome: attached is a screenshot.

The rule looks OK. Have you tried it with different email addresses using different providers?

@domjh let me try. I havent yet. (the policy was more complicated but I needed to work first).

Question: do you need WARP/1.1.1.1 installed and a root CA and VPN ? that kinda makes it useless for my usecase.

Just to use Access with One Time Pin? No, that should just work as it is.

Well it doesnt :frowning:

@domjh The teams enrollment for WARP did work. I got an OTP. But plain OTP does not work

:thinking: something must be configured wrong, but I can’t spot what. It works fine on my test site.

Can you share some of you settings and where you did them (if you want). It doesn’t seem too hard. I actually did the same thing on DUO and it worked in one go.

Can you take out the ‘require’ part and see if it works?

Well that is weird… I am still asked for an OTP… and not getting one.

Selecting OTP is done under Authentication → Identity Providers rather than using Require in rules.

I created a new test application with a policy to allow everyone and the identity provider set to OTP and it works OK for me.

That is still set to the default built-in OTP provider of CF. But it’s not required. However I am not getting any. So what am I missing ?

Let’s make sure we are following the same steps to test this. Can you create a new application following the same steps as me that I just checked worked?

  1. On dash.teams.cloudflare.com, go to Access → Applications
  2. Click ‘Add an application’
  3. Select ‘self-hosted’
  4. Create an application that looks like this:
  5. Click ‘next’
  6. Under Add Policies, make sure the action is ‘Allow’
  7. Create a rule to allow everyone:
  8. Click ‘next’
  9. Click ‘Add application’
  10. Navigate to the new test page and try a few emails to check they receive the OTP.

This is exactly what I tried and what worked for me.

Exactly what I did… but I only have 1 user. The owner of the account. That is what I am using to login to the teams app. That user is also listed under Users. Is that also what you do? Or a second user account ?

I got it working… Now to find a better OTP provider… that is not too expensive @domjh

What was wrong and how did you manage to get it working in the end?