Forum Discussion
Dennis_Kloosterman
Altostratus
Mar 23, 2021
How to terminate a second APM session using the same MFA account with OTP
Hi, We have an access policy in place where users log in in two steps, first with a radius username and an OTP generated by a hardware token, and second with their AD account. Our security team wa...
Dennis_Kloosterman
Altostratus
Apr 22, 2021
I have decided to stick with the original idea, after finding out that it is possible to manipulate the UUID. That was the missing piece of the puzzle.
Two variables are assigned in the policy:
- After login step 1 (Radius username + OTP), custom variable otp_username is set with Custom expression expr { "[mcget {session.logon.last.username}]" }
- At the end of the policy, the UUID is set with Predefined variables -> Group Per-Session variable -> Variable UUID, Custom expression expr { "OTP.[mcget {otp_username}]"}
The end result:
when ACCESS_POLICY_COMPLETED {
    # Only sessions that came in through the OTP landing URI carry the OTP.<user> UUID.
    if { [ACCESS::session data get "session.server.landinguri"] starts_with "/otp" } {
        set radius_username [ACCESS::session data get otp_username]
        set current_sid [ACCESS::session data get session.user.sessionid]
        # Every session ID currently mapped to this user's UUID, including the one that just completed.
        set apm_cookie_list [ACCESS::uuid getsid "OTP.$radius_username"]
        foreach sid $apm_cookie_list {
            log local0. "session id $sid is mapped to uuid OTP.$radius_username during session $current_sid"
        }
        log local0. "Length of cookie list for Radius user $radius_username is now [llength $apm_cookie_list]"
        if { [llength $apm_cookie_list] >= 2 } {
            # Terminate the first listed session other than the one that just completed,
            # so the rule never removes the session it is running in.
            foreach sid $apm_cookie_list {
                if { $sid eq $current_sid } { continue }
                set session_term [ACCESS::session data get -sid $sid session.user.sessionid]
                log local0. "Selected session $session_term for Radius user $radius_username for termination"
                ACCESS::session remove -sid $sid
                log local0. "session $session_term terminated for Radius user $radius_username"
                break
            }
        }
    }
}
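A generalised version of the same approach, added here as an example and not the poster's own rule: instead of removing whichever session happens to be listed first, it reads session.user.starttime for every session mapped to the OTP.<user> UUID, sorts them, and terminates the oldest ones until the per-identity limit is met. It assumes the policy sets otp_username and the UUID exactly as described in the post; the static::max_otp_sessions tunable is a hypothetical name chosen for this example, and the empty-username guard exists because an unset otp_username would give every session the same UUID "OTP.", so each new login would terminate some other user's session.

```tcl
# Added example (not from the original post): cap concurrent APM sessions per OTP identity.
# Assumes the access policy sets otp_username after the RADIUS/OTP step and assigns the
# per-session UUID "OTP.<otp_username>" before the policy completes, as described above.
when RULE_INIT {
    # Hypothetical tunable for this example: sessions one OTP identity may hold at once.
    set static::max_otp_sessions 1
}

when ACCESS_POLICY_COMPLETED {
    # Only the OTP entry point assigns the OTP.<user> UUID; other policies are left alone.
    if { ![string match "/otp*" [ACCESS::session data get "session.server.landinguri"]] } {
        return
    }
    set otp_user    [ACCESS::session data get otp_username]
    set current_sid [ACCESS::session data get session.user.sessionid]

    # Guard: an empty username would make every session share the UUID "OTP.", and each
    # new login would then terminate an unrelated user's session.
    if { [string length $otp_user] == 0 } {
        log local0. "otp_username empty for session $current_sid; skipping session limit check"
        return
    }

    # All session IDs currently mapped to this identity, including the session just completed.
    set sids [ACCESS::uuid getsid "OTP.$otp_user"]
    if { [llength $sids] <= $static::max_otp_sessions } {
        return
    }

    # Build {starttime sid} pairs for every other session so the termination order depends
    # on session age (session.user.starttime, Unix time) rather than on how getsid lists them.
    set candidates {}
    foreach sid $sids {
        if { $sid eq $current_sid } { continue }
        set started [ACCESS::session data get -sid $sid session.user.starttime]
        if { [string length $started] == 0 } { set started 0 }
        lappend candidates [list $started $sid]
    }
    set candidates [lsort -integer -index 0 $candidates]

    # Remove the oldest sessions until the total (including the new one) fits the limit.
    set excess [expr { [llength $sids] - $static::max_otp_sessions }]
    foreach pair [lrange $candidates 0 [expr { $excess - 1 }]] {
        set old_sid [lindex $pair 1]
        log local0. "Terminating session $old_sid (started [lindex $pair 0]) for OTP user $otp_user; new session is $current_sid"
        ACCESS::session remove -sid $old_sid
    }
}
```

With static::max_otp_sessions set to 1 this behaves like the rule in the post (one login per OTP identity, the newest wins); raising it allows a small number of concurrent sessions while still evicting the oldest. The current session is never a termination candidate, so a misordered list cannot cause the rule to log the new user out.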
