diff --git a/inventory/group_vars/bastion b/inventory/group_vars/bastion
index 2bb1bd0e9d..3c3bff99fd 100644
--- a/inventory/group_vars/bastion
+++ b/inventory/group_vars/bastion
@@ -18,11 +18,10 @@ custom_rules: [
 '-A INPUT -s 192.168.100/24 -j REJECT --reject-with icmp-host-prohibited',
 '-A INPUT -s 10.0.0.0/8 -p udp -m udp --dport 123 -j ACCEPT',
 ]
-#
+
+primary_auth_source: ipa
+
 # allow a bunch of sysadmin groups here so they can access internal stuff
-
-fas_client_groups: sysadmin-analysis,sysadmin-ask,sysadmin-atomic,sysadmin-web,sysadmin-main,sysadmin-cvs,sysadmin-noc,sysadmin-releng,sysadmin-dba,sysadmin-hosted,sysadmin-tools,sysadmin-spin,sysadmin-cloud,fi-apprentice,sysadmin-badges,sysadmin-troubleshoot,sysadmin-qa,sysadmin-centos,sysadmin-ppc,sysadmin-koschei,sysadmin-secondary,sysadmin-fedimg,sysadmin-veteran,sysadmin-mbs,pungi-devel,sysadmin-upstreamfirst,sysadmin-releasemonitoring,sysadmin-gnome,sysadmin-copr,sysadmin-coreos,sysadmin-osbs,sysadmin-odcs,sysadmin-kernel
-
 ipa_host_group: bastion
 ipa_host_group_desc: Bastion hosts
diff --git a/playbooks/groups/bastion.yml b/playbooks/groups/bastion.yml
index 76b96d2160..cbe08af583 100644
--- a/playbooks/groups/bastion.yml
+++ b/playbooks/groups/bastion.yml
@@ -15,8 +15,7 @@
 - rkhunter
 - nagios_client
 - hosts
- - { role: ipa/client, when: env == "staging" }
- - { role: fas_client, when: env != "staging" }
+ - ipa/client
 - sudo
 - collectd/base
 - openvpn/server
@@ -27,7 +26,6 @@
 - import_tasks: "{{ tasks_path }}/yumrepos.yml"
 tasks:
- - import_tasks: "{{ tasks_path }}/2fa_client.yml"
 - import_tasks: "{{ tasks_path }}/motd.yml"
 handlers:
diff --git a/playbooks/groups/bastion_stg.yml b/playbooks/groups/bastion_stg.yml
index 6ff1ceb90b..231f1dbaab 100644
--- a/playbooks/groups/bastion_stg.yml
+++ b/playbooks/groups/bastion_stg.yml
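Review bot: In inventory/group_vars/bastion, dropping `fas_client_groups` removes the only visible allow-list of groups permitted on the bastion, and nothing on the new side shows what restricts logins once `primary_auth_source: ipa` takes over. Presumably an IPA access rule bound to `ipa_host_group: bastion` carries the equivalent restriction, but that is not visible in this diff and should be confirmed so that access to the jump hosts is neither widened nor lost. The kept comment `# allow a bunch of sysadmin groups here so they can access internal stuff` now sits directly above `ipa_host_group` and describes a list that no longer exists. I would replace it with something like `# login access is granted in IPA through the bastion host group`, adjusted to wherever the rule actually lives.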
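Review bot: In playbooks/groups/bastion.yml, making `- ipa/client` unconditional in the roles hunk, combined with the removal of the `2fa_client.yml` import in the next hunk, drops what by its name appears to be the host-side second-factor setup on production bastions, so the `sudo` role that follows relies entirely on IPA for that control. Nothing in the diff shows that the IPA side requires an OTP for the groups reaching these hosts; that should be confirmed before rollout and, if true, recorded with a comment above the role such as `# second factor is enforced by IPA; 2fa_client.yml is no longer needed`. The same pair of changes is made in playbooks/groups/bastion_stg.yml, where the role change is presumably a no-op because `env == "staging"` already selected `ipa/client`. The role list starts and ends outside the hunk.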
@@ -15,8 +15,7 @@
 - rkhunter
 - nagios_client
 - hosts
- - { role: ipa/client, when: env == "staging" }
- - { role: fas_client, when: env != "staging" }
+ - ipa/client
 - sudo
 #- collectd/base
 #- { role: openvpn/server, when: not inventory_hostname.startswith('bastion-comm01') or inventory_hostname.startswith('bastion13') }
@@ -28,7 +27,6 @@
 - import_tasks: "{{ tasks_path }}/yumrepos.yml"
 tasks:
- - import_tasks: "{{ tasks_path }}/2fa_client.yml"
 - import_tasks: "{{ tasks_path }}/motd.yml"
 handlers: