Forum Discussion
Can the access policy variable session.logon.last.password be passed to a per-request policy subroutine?
Can the access policy variable session.logon.last.password be passed to a per-request policy subroutine?
Version 13.1.0
I am attempting to pass the username and password from the Access Policy to the Per-Request-Policy subroutine for use after URL branching, without adding another logon prompt.
Similar to this thread but without the OTP logon prompt. https://devcentral.f5.com/questions/is-accessing-session-variables-from-per-request-subroutine-possible-58789 The mentioned thread solution works. It creates a logon prompt for the OTP as the password. This is still a prompt for a user to enter a "password" although it is an OTP. I can successfully pass the user name but not the originating session.logon.last.password from the access-policy.
After the user logs on the site, I want to enable Radius MFA Push for specific URL paths. The user is already logged on the access policy. I don't feel they need another logon prompt during the per-request policy.
I have tried many methods without success (per-request policy; subroutine, subroutine macro, access policy; decrypt password). Either I haven't found the right combination or it doesn't work this way. Am I missing something?
mcget -secure {session.logon.last.password} https://devcentral.f5.com/questions/how-can-i-see-a-password-session-variable-47462
mcget {session.logon.last.password}
subsession.logon.last.password
I am also trying other avenues such as using iRule LX to submit the request to the MFA API. I was just hoping radius would be an easier route.
- James_Hu_141729Historic F5 Account
This use case was addressed in the upcoming 15.0 release.
- Stanislas_Piro2Cumulonimbus
Why do you want to execute auth in subroutine and get it in per session policy???
As I already answered in previous thread, check password the more close to the logon page you can!!!
The problem with your request is with password expiration...
If you want an OTP auth, the password may be not valid when you hit the subroutine condition!!!
I recommend to authenticate in per session policy, but with only fallback branch —> the user can have entered a wrong password,
then check if the authentication result variable is 1 in subroutine, then prompt for another password if first auth failed.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com