Forum Discussion
Capture Device ID(ASM Fingerprint) within an access policy under APM module.
Hi Team,
I need your assistance in achieving below requirement.
Currently the requirement is to utilize ASM generated device ID/ fingerprint within an access policy to achieve Multi-Factor Authentication after usual AD authentication & AD Query components are executed successfully.
I'm able to log different ASM components, including the fingerprint, by using an iRule as below:
when ASM_REQUEST_DONE {
    log local0. "DEBUG: ASM_REQUEST"
    # Collect the ASM-side attributes of the request that just completed policy enforcement.
    set fp [ASM::fingerprint]
    set ip [ASM::client_ip]
    set sig [ASM::signature]
    set st [ASM::status]
    set si [ASM::support_id]
    log local0. "Obtained client Fingerprint, IP Address, Signature List, Request Status & Support ID are respectively $fp, $ip, $sig, $st and $si"
}
However needing assistance currently to find a way by which this fingerprint can be passed to the access policy for further verification & if it's for a new user/ device, it needs to be stored under AD further.
Can anyone suggest how the Device ID (fingerprint) that is captured as part of a user log-in can be passed/captured with the APM access policy & passed through the access policy further? I was looking at the iRule event in an access policy, but its events are specific & probably can't be used for this requirement. Also, is there a way to create a temporary session variable to store this Device ID (fingerprint) for each session? If possible, can anyone give an example of how to fetch the fingerprint & store it in a custom cookie or session variable? Many thanks in advance.
- Imran_Abid
Hi Sarthak,
You can pass the ASM Device ID as part of HTTP Header to APM.
So basically, it will be a three-step process:
1) Insert ASM Device ID to HTTP Header.
Inside your existing ASM iRule, add this code:
when ASM_REQUEST_DONE {
    # Capture the ASM fingerprint once policy enforcement for this request is done.
    set device_id [ASM::fingerprint]
    set ip [IP::client_addr]
    log local0. "Device ID: $device_id, IP: $ip"
}
when HTTP_REQUEST_SEND {
    # HTTP_REQUEST_SEND runs in the serverside context, so the HTTP:: command
    # has to be forced into the clientside context.
    clientside {
        # Guard against ASM_REQUEST_DONE not having fired for this request.
        if { [info exists device_id] } {
            HTTP::header insert "device_id" $device_id
        }
    }
}
2) Extract Device ID from HTTP Header and set it as a custom variable in APM.
Create a new iRule and call it in your APM policy:
when CLIENT_ACCEPTED {
    # Allow this iRule's events to fire for requests handled by APM.
    ACCESS::restrict_irule_events disable
}
when ACCESS_SESSION_STARTED {
    # Pull the device_id header inserted by the ASM iRule into the new APM session.
    set device_id [HTTP::header value "device_id"]
    log local0. "http request to [HTTP::uri] with device_id: $device_id"
    # APM has no built-in device_id variable, so define a custom one for this session.
    ACCESS::session data set "session.custom.device_id" $device_id
}
3) Now you can use this new APM session variable in your access policy: [ACCESS::session data get "session.custom.device_id"]
I hope it helps.
Regards
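As an added example that is not part of the original thread, here is how the session variable from step 3 could drive the MFA decision: an iRule Event agent placed after AD Auth and AD Query compares the captured fingerprint against fingerprints previously stored in AD, and the policy branches to MFA when there is no match. The agent ID "check_device", the AD attribute "knownDeviceIds" (fetched by AD Query) and the " | " separator APM uses for multi-valued attributes are assumptions.

```tcl
# Added example (not from the original thread). Assumes an iRule Event agent
# with ID "check_device" in the access policy, placed after AD Query, and that
# AD Query fetches a hypothetical multi-valued attribute "knownDeviceIds".
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] ne "check_device" } { return }

    set device_id [ACCESS::session data get "session.custom.device_id"]
    # AD Query exposes fetched attributes as session.ad.last.attr.<name>;
    # multiple values are assumed to arrive joined with " | ".
    set known [ACCESS::session data get "session.ad.last.attr.knownDeviceIds"]
    set user [ACCESS::session data get "session.logon.last.username"]

    if { $device_id eq "" } {
        # No fingerprint reached APM: treat the device as unknown so the
        # policy branches to MFA instead of silently skipping it.
        ACCESS::session data set "session.custom.device_known" 0
        log local0. "No device_id in session [ACCESS::session sid] for $user; forcing MFA"
        return
    }

    set match 0
    foreach id [split $known "|"] {
        if { [string trim $id] eq $device_id } {
            set match 1
            break
        }
    }
    ACCESS::session data set "session.custom.device_known" $match
    log local0. "device_id $device_id known=$match for user $user"
}
```

The branch rule on the iRule Event agent would then be expr { [mcget {session.custom.device_known}] == 1 }, with the fallthrough branch leading to the MFA step.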