For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Posterus_85681's avatar
Posterus_85681
Icon for Nimbostratus rankNimbostratus
Sep 29, 2015

clientless-mode, session-cookie and policy re-evaluation

Hi Everyone,   I am trying to use the inbuilt OTP functions within APM, so that they can be consumed by other systems that want to use OTP.   I have managed to use clientless-mode and have a sy...
BIG-IP Access Policy Manager (APM)
security
Stanislas_Piro2's avatar
Stanislas_Piro2
Icon for Cumulonimbus rankCumulonimbus
Oct 06, 2015

So, does it work???

APM session cannot be re-evaluated... if you want to store OTP password, you can create a table value in the generate branch and read it in the verify branch:

when ACCESS_POLICY_AGENT_EVENT {
    switch -glob [string tolower [HTTP::header "User-Agent"]] {
    "otpgenerate" { table add -subtable "OTP" [ACCESS::session data get "session.logon.last.username"] [ACCESS::session data get "session.otp.assigned.val"] indef 60 }
    "otpverify" { ACCESS::session data set "session.otp.assigned.val" [table lookup -subtable "OTP" [ACCESS::session data get "session.logon.last.username"]] }
    }
}

you must add irule event boxes in the VPE to raise this irule with IDs otpgenerate or otpverify.