Forum Discussion
APM with OTP to identify 'trusted client'
Hello,
I have been asked to figure out if we can use APM for the following scenario. If someone wants to log in to our systems (secured by APM), don't just use username and password. Use an OTP solution, but not for every login/session. The idea is to set a cookie after successful authentication (username-password + OTP). The expiration on the cookie would be several weeks (exact number still under discussion). As long as the cookie is there and valid, the client would send it along, and the APM would thus identify the browser as 'trusted' and be satisfied with only username-password authentication. If no cookie is present in the request (cookie expired or no cookie present), the OTP authentication would be required.
I know that APM can work with OTP, but I have no idea how to implement what I just described. Knowing the power of iRules, I suppose something like that can be conceived, but my limited iRule skills are failing me on this.
Any help, directives, hints, tips, ... are welcome.
Thanks in advance, Yves
3 Replies
- Arnaud_Lemaire
Employee
Yes, you should be able to do that.
- You need to create two irule_event agents in your VPE.
- The first one, before the logon page, triggers an event in the iRule that looks for your cookie. If the cookie is present and valid, you branch to a logon page with just simple auth. To play with cookies in an iRule, have a look here: https://devcentral.f5.com/wiki/iRules.HTTP__cookie.ashx
- If the cookie is not valid or not present, you branch to the full OTP process.
- The way you create your branch could be by setting an APM session variable in the iRule and checking the value in an empty box just after the irule_event agent. To set or read APM variables from an iRule, have a look here: https://devcentral.f5.com/wiki/iRules.ACCESS__session.ashx
- The second irule_event in the VPE should happen after the successful full authentication process; in this iRule you craft your cookie.
- Now the good question is what do I put in my cookie. I would say anything proper to the session with some variance, so you could try to hash username + APM session ID with the md5 iRule command: https://devcentral.f5.com/wiki/iRules.md5.ashx
- Once you have your hash, you put it in an iRule table (https://devcentral.f5.com/wiki/iRules.table.ashx) with a lifetime, and you compare in the first irule_event agent the cookie sent by the user with the table content to find a match.
Good luck!
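The two-agent flow described above, modelled in Python as an added example (not F5 code and not an iRule): a dict stands in for the iRule table with a lifetime, another dict stands in for the APM session variables, and the `session.custom.*` names, the `apm_sid` key and the two-week lifetime are assumptions. It also adds one check the reply leaves implicit: the cookie only waives OTP for the account it was issued to.

```python
import hashlib
import time

# Constructed stand-in for the iRule table: cookie value -> (username, expiry time)
TRUSTED_BROWSERS = {}
TRUST_LIFETIME = 14 * 24 * 3600  # assumed two weeks; the thread leaves the number open


def issue_trust_cookie(session, now=None):
    """Second irule_event agent, after username/password + OTP succeeded.
    Derives the cookie value as the reply suggests (md5 of username + APM
    session id; a random token from `secrets` would serve equally well) and
    stores it in the table with a lifetime."""
    now = time.time() if now is None else now
    username = session["session.logon.last.username"]
    value = hashlib.md5((username + session["apm_sid"]).encode()).hexdigest()
    TRUSTED_BROWSERS[value] = (username, now + TRUST_LIFETIME)
    return value


def check_trust_cookie(session, cookie, now=None):
    """First irule_event agent, before the logon page: look the cookie up in
    the table and record the result in a session variable the VPE branches on.
    Returns the branch name: "simple_auth" or "full_otp"."""
    now = time.time() if now is None else now
    entry = TRUSTED_BROWSERS.get(cookie) if cookie else None
    if entry is None or now >= entry[1]:
        TRUSTED_BROWSERS.pop(cookie, None)   # an expired entry is treated as absent
        session["session.custom.trusted"] = "0"
        return "full_otp"
    session["session.custom.trusted"] = "1"
    session["session.custom.trusted_user"] = entry[0]
    return "simple_auth"


def simple_logon_ok(session):
    """After the simple logon page: the entered username must be the account
    the cookie was issued to, otherwise a trusted cookie from one account
    would waive OTP for any other."""
    return (session.get("session.custom.trusted") == "1"
            and session.get("session.logon.last.username")
            == session.get("session.custom.trusted_user"))
```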
- yves_werniers_1
Nimbostratus
Arnaud,
Thanks for the reply. I will give that a try.
Yves
- Simon_Waters_13
Cirrostratus
Some 3rd-party services do this sort of thing.
Duo, for example, has a "remember my browser" feature, and typically these can be integrated cleanly using either supplied code or as a RADIUS server (although I think Duo uses an additional machine, which is not elegant).
Having just been down a similar route, I think a third-party service might have been quicker, simpler and easier to maintain, although sometimes it is desirable not to rely on third-party services.