Forum Discussion

Jon_Ole_Nome_46's avatar
Jon_Ole_Nome_46
Icon for Nimbostratus rankNimbostratus
Jan 14, 2011

2-factor code via SMS iRule

We have a need for 2-factor auth on some of our external services, and are looking at alternatives to the current SecurID setup. Would it be possible to have an iiRule to generate a random code, send out via SMS provider, and wait for the user to receive the code on his mobile phone, enter as part of the APM login and compare the codes for accept/deny. Thanks for any feedback!

 

 

Jon Ole

 

6 Replies

  • Hi Jon,

     

     

    There isn't any native support for triggering an SMS from LTM. However, this might make an interesting feature request for APM. What kind of API or protocol do you imagine wanting to use to trigger an SMS?

     

     

    Aaron
  • We are currently using Clickatell for SMS distribution, and the SMS is sent by sending a http request to the provider that includes our login/password and phone number and message (code), I believe many mobile operators support this type of functionallity.
  • You could potentially do that now using HTTP::retry:

     

     

    http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=105

     

     

    I am not sure how easy it would be to combine the logic from Deb's article with APM, but it might be possible. If you give it a try and get stuck try replying back here to get help. It would also make an interesting request for enhancement. You could make the request officially by opening a case with F5 Support.

     

     

    Aaron
  • Thank you, Aaron! The HTTP::retry looks very promising. The wiki for HTTP::retry (http://devcentral.f5.com/wiki/default.aspx/iRules/HTTP__retry.html) had exactly the example I have been looking for. If that works as advertised we only need a random number generator within the irule to complete the job.

    Btw. we have opened an RFE with F5, and were told that they were working on getting this functionality into future versions of the APM. For a short-term solution we were asked to use the forums at DevCentral, and they were right :-)

     

     

     

    Here is a short description of how Checkpoint has integrated the same thing into their Connectra product: http://updates.checkpoint.com/files...katell.pdf

     

  • Hi Jon,

     

     

    Actually Per Boe an F5 FSE and Jason Rahm from DC, just posted a solution on using APM to implement an SMS based one time password solution:

     

     

    One Time Passwords via an SMS Gateway with BIG-IP Access Policy Manager

     

    http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1086432/One-Time-Passwords-via-an-SMS-Gateway-with-BIG-IP-Access-Policy-Manager.aspx

     

     

    Aaron
  • Hi Aaron,

     

     

    have you found the solution yet. I am stuck in similar issue, I need to send the OTP code to SMS server matching the below string.

     

    http://smsserver:8011/POST?Source=F5&Dest=4563726393&Text=[pin1]&Submit+Query

     

    Any ideas .. pls...

     

     

    I have used similar solution as OTP but cant use API ..."https://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1086432/One-Time-Passwords-via-an-SMS-Gateway-with-BIG-IP-Access-Policy-Manager.aspx "

     

    thanks AJ