For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Posterus_85681's avatar
Posterus_85681
Icon for Nimbostratus rankNimbostratus
Sep 29, 2015

clientless-mode, session-cookie and policy re-evaluation

Hi Everyone,   I am trying to use the inbuilt OTP functions within APM, so that they can be consumed by other systems that want to use OTP.   I have managed to use clientless-mode and have a sy...
BIG-IP Access Policy Manager (APM)
security
Posterus_85681's avatar
Posterus_85681
Icon for Nimbostratus rankNimbostratus
Oct 06, 2015

It does work. Because the APM policy can not be re-evaluated thats why we connect back with MRH cookie and then compare the OTP code to verify from the ext system via header variable and compare this to the session.otp.assigned.val value that was generated (this is done in the http request section)

 

Stanislas_Piro2's avatar
Stanislas_Piro2
Icon for Cumulonimbus rankCumulonimbus
Oct 07, 2015
When I look in your configuration, everything is allowed... there is no reject if the OTP code is wrong or the client does not provide a OTP code. If the first request contains generate, the APM allow the connection... if in the following requests, there is no generate or verify, the irule allow connection. the decision to allow or not the connection is not made by APM but by the client which receive the OTP status.