The following is an example pam_radius_acl.conf file:
upm:*
telnet:
:john
*:sally
login:david
In this example, all users accessing the service upm or telnet must authenticate via Defender. Users john and sally must authenticate via Defender for every service. User david must authenticate via Defender for the login service only. Any servicename:username combination not listed in the file does not require users to authenticate via Defender.
At this time, it is not possible to define an exclusion for an account in the conf file. The available option is to manually specify in the conf file all the usernames that require 2FA.
Enhancement Request 772013 for PAM Defender has been submitted to Development for consideration in a future release of Defender.
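The matching rules from the example file and the workaround of listing every user that requires 2FA can be checked before a file is deployed. The following is an added example, not code from Defender or pam_radius; it assumes, based on the example file above, that an empty field or * matches any service or any user, and the function names and the account names alice, bob and svc_backup are constructed for illustration.

```python
# Added illustration; not code from Defender or pam_radius.
# Assumption (taken from the example file above): an empty field or "*"
# matches any service or any user.

SAMPLE_ACL = """\
upm:*
telnet:
:john
*:sally
login:david
"""  # the example pam_radius_acl.conf from this page


def parse_acl(text):
    """Return (service, user) rules; '' and '*' become None (wildcard)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue  # skip blank or malformed lines
        service, user = (f.strip() for f in line.split(":", 1))
        rules.append((None if service in ("", "*") else service,
                      None if user in ("", "*") else user))
    return rules


def requires_defender(rules, service, user):
    """True if any rule matches this service/user pair."""
    return any(s in (None, service) and u in (None, user) for s, u in rules)


def acl_for_all_except(usernames, exempt, service="*"):
    """Workaround for the missing exclusion syntax: list every user that
    requires 2FA and leave the exempt accounts out of the file."""
    keep = sorted(set(usernames) - set(exempt))
    return "".join(f"{service}:{u}\n" for u in keep)


if __name__ == "__main__":
    rules = parse_acl(SAMPLE_ACL)
    for svc, usr in [("telnet", "bob"), ("sshd", "john"), ("sshd", "david")]:
        print(svc, usr, requires_defender(rules, svc, usr))
    # Constructed account names: exempt "svc_backup" on every service.
    print(acl_for_all_except(["alice", "bob", "svc_backup"], ["svc_backup"]))
```

Because unlisted servicename:username combinations do not require Defender, an account created after the file was generated is not covered until the file is regenerated with that account included.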