I am trying to setup Cloudflareaccess to an application. The domain is hosted on Cloudflare (DNS wize). I get the access page from Cloudflare, but the user who is listed under Cloudflare teams does not get an OTP in their email.
Am I missing something ? Currently it’s just a DNS entry which does nothing so you can have a look at https://testapp.itsec.works
Hi @itsecworks,
Can you double check that the policy is in place to allow that specific email and ideally post a screenshot of your access policy (you can blank out the email).
If you’re trying it with a corporate email address, can you test it with a public provider address (like Gmail, for example) allowed, to rule out an issue with the receiving mail?
Hi @itsecworks,
Can you double check that the policy is in place to allow that specific email and ideally post a screenshot of your access policy (you can blank out the email).
If you’re trying it with a corporate/custom email address, can you test it with a public provider address (like Gmail, for example) allowed, to rule out an issue with the receiving mail?
@domjh It’s actually a very open policy. But all help is welcome: attached is a screenshot.
The rule looks OK. Have you tried it with different email addresses using different providers?
@domjh let me try. I havent yet. (the policy was more complicated but I needed to work first).
Question: do you need WARP/1.1.1.1 installed and a root CA and VPN ? that kinda makes it useless for my usecase.
Just to use Access with One Time Pin? No, that should just work as it is.
Well it doesnt 
@domjh The teams enrollment for WARP did work. I got an OTP. But plain OTP does not work
something must be configured wrong, but I can’t spot what. It works fine on my test site.
Can you share some of you settings and where you did them (if you want). It doesn’t seem too hard. I actually did the same thing on DUO and it worked in one go.
Can you take out the ‘require’ part and see if it works?
Well that is weird… I am still asked for an OTP… and not getting one.
Selecting OTP is done under Authentication → Identity Providers rather than using Require in rules.
I created a new test application with a policy to allow everyone and the identity provider set to OTP and it works OK for me.
That is still set to the default built-in OTP provider of CF. But it’s not required. However I am not getting any. So what am I missing ?
Let’s make sure we are following the same steps to test this. Can you create a new application following the same steps as me that I just checked worked?
This is exactly what I tried and what worked for me.
Exactly what I did… but I only have 1 user. The owner of the account. That is what I am using to login to the teams app. That user is also listed under Users. Is that also what you do? Or a second user account ?
I got it working… Now to find a better OTP provider… that is not too expensive @domjh
What was wrong and how did you manage to get it working in the end?
