Aug 04, 2017

APM Radius SMS request without authentication

Hi,

I have a question about Radius SMS requests in combination with the APM and Safenet.

2FA is done with a logon page for AD (username and password), and after successful AD authentication the policy goes to Radius authentication.

When a user requests a token code via SMS, Safenet first expects a radius request with the username and no password (or 0 as the password). Once the radius request has been handled and the SMS is sent, it tells the APM to present a login page with one field so the user can enter his token code. But if the user types the wrong code, the APM Radius AAA agent presents the original policy logon page (which is confusing because it asks for your AD username and password).

This could be solved by presenting the user a new logon page before requesting the SMS code via radius, but this is not completely "idiot" proof. If a user types something other than nothing or a 0 in the token code field, the Radius server will see this as a wrong radius authentication request.

So is there a way to send a radius request in the APM policy to the radius server without the AAA agent expecting a response?

The policy would look something like this:

Radius request (request token sms) -> logon page -> radius authentication -> successful.

Cheers,

Kees

  • Hi,

    You can either use an iRule with a sideband connection (good luck) or deploy an iRuleLX if you are running BIG-IP 12.x.

    I would recommend sanitizing the input before sending it to the AAA Radius server. You can just deny access to the session if you find 0, blank, invalid chars or invalid encoding...
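One way to do the sanitizing the reply suggests inside the APM policy, as an added example that is not the poster's code or F5's: an iRule Event agent (assumed ID `sms_token_check`) placed between the token logon page and the RADIUS Auth agent, with a branch rule of `expr { [mcget {session.custom.sms.token_ok}] == 1 }` so that anything not a short run of ASCII digits goes to Deny before RADIUS is ever asked. The agent ID, the `session.custom.sms.token_ok` variable and the 6-to-8-digit token length are assumptions.

```tcl
# Added example, not from the thread. Assumes an iRule Event agent with ID
# "sms_token_check" between the token logon page and the RADIUS Auth agent,
# and a branch rule on that agent testing session.custom.sms.token_ok == 1.
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] ne "sms_token_check" } { return }

    # The token logon page stores what the user typed in the password field.
    set code [ACCESS::session data get "session.logon.last.password"]
    set user [ACCESS::session data get "session.logon.last.username"]
    set ok 0

    # Accept only 6 to 8 ASCII digits (assumed token length). This rejects
    # blank input, the literal "0" used to trigger the SMS, non-digit
    # characters and anything that is not plain ASCII, so the RADIUS server
    # never sees a request it would count as a failed authentication.
    if { $code ne "" && $code ne "0" && [regexp {^[0-9]{6,8}$} $code] } {
        set ok 1
    } else {
        # Clear the bad value so a later agent cannot pick it up by mistake,
        # and leave an audit trail for the denied attempt.
        ACCESS::session data set "session.logon.last.password" ""
        log local0. "SMS token input rejected for user '$user'"
    }

    # The branch rule on the agent routes 0 to Deny and 1 on to RADIUS Auth.
    ACCESS::session data set "session.custom.sms.token_ok" $ok
}
```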