Forum Discussion

Jon_Ole_Nome_46
Jan 14, 2011

2-factor code via SMS iRule

We have a need for 2-factor auth on some of our external services, and are looking at alternatives to the current SecurID setup. Would it be possible to have an iRule to generate a random code, send it out via an SMS provider, wait for the user to receive the code on his mobile phone and enter it as part of the APM login, and compare the codes for accept/deny? Thanks for any feedback!

Jon Ole

  • hoolio
    Hi Jon,

    There isn't any native support for triggering an SMS from LTM. However, this might make an interesting feature request for APM. What kind of API or protocol do you imagine wanting to use to trigger an SMS?

    Aaron
  • We are currently using Clickatell for SMS distribution, and the SMS is sent by sending an HTTP request to the provider that includes our login/password, phone number and message (code). I believe many mobile operators support this type of functionality.
  • hoolio
    You could potentially do that now using HTTP::retry:

    http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=105

    I am not sure how easy it would be to combine the logic from Deb's article with APM, but it might be possible. If you give it a try and get stuck, try replying back here to get help. It would also make an interesting request for enhancement. You could make the request officially by opening a case with F5 Support.

    Aaron
  • Thank you, Aaron! The HTTP::retry looks very promising. The wiki for HTTP::retry (http://devcentral.f5.com/wiki/default.aspx/iRules/HTTP__retry.html) had exactly the example I have been looking for. If that works as advertised we only need a random number generator within the iRule to complete the job.

    Btw. we have opened an RFE with F5, and were told that they were working on getting this functionality into future versions of the APM. For a short-term solution we were asked to use the forums at DevCentral, and they were right :-)

    Here is a short description of how Checkpoint has integrated the same thing into their Connectra product: http://updates.checkpoint.com/files...katell.pdf
  • hoolio
    Hi Jon,

    Actually, Per Boe, an F5 FSE, and Jason Rahm from DC just posted a solution on using APM to implement an SMS-based one-time password solution:

    One Time Passwords via an SMS Gateway with BIG-IP Access Policy Manager

    http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1086432/One-Time-Passwords-via-an-SMS-Gateway-with-BIG-IP-Access-Policy-Manager.aspx

    Aaron
  • Hi Aaron,

    Have you found the solution yet? I am stuck on a similar issue; I need to send the OTP code to an SMS server matching the string below.

    http://smsserver:8011/POST?Source=F5&Dest=4563726393&Text=[pin1]&Submit+Query

    Any ideas... pls...

    I have used a similar solution as OTP but can't use API ... "https://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1086432/One-Time-Passwords-via-an-SMS-Gateway-with-BIG-IP-Access-Policy-Manager.aspx"

    Thanks, AJ
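
Added example, not from any post in this thread and not F5 or iRule code: a Python sketch of the flow the thread asks for (generate a code, build the gateway request, compare on login). The `OtpStore` class, the 300-second lifetime and the three-guess limit are assumptions; the URL layout is copied from the last post.

```python
import hmac
import secrets
import time
from urllib.parse import urlencode

OTP_TTL = 300      # assumed code lifetime in seconds
MAX_ATTEMPTS = 3   # assumed number of guesses allowed per issued code


def new_otp(digits=6):
    """Numeric code drawn from the OS CSPRNG, zero-padded to a fixed width."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


def sms_url(base, dest, code):
    """Gateway request in the layout quoted in the last post, values URL-encoded."""
    query = urlencode({"Source": "F5", "Dest": dest, "Text": code})
    return f"{base}?{query}&Submit+Query"


class OtpStore:
    """Pending codes per login session: single use, expiring, guess-limited."""

    def __init__(self, clock=time.monotonic):
        self._pending = {}   # session id -> [code, expiry time, attempts used]
        self._clock = clock

    def issue(self, session_id):
        code = new_otp()
        self._pending[session_id] = [code, self._clock() + OTP_TTL, 0]
        return code

    def verify(self, session_id, submitted):
        entry = self._pending.get(session_id)
        if entry is None:
            return False
        code, expires, attempts = entry
        if self._clock() > expires or attempts >= MAX_ATTEMPTS:
            del self._pending[session_id]    # expired or guessed out
            return False
        entry[2] += 1
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[session_id]    # a code is accepted only once
            return True
        return False
```

The URL in the last post is plain `http`, so the code and phone number cross the network in clear text and are likely to appear in the gateway's request logs; an HTTPS endpoint, where the SMS provider offers one, avoids the first of these.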