Forum Discussion
MichaelJordan_1
Nimbostratus
Jun 18, 2015
Trim Mobile Number
Hi
The SMS Company does not accept more than 10 characters in the HTTP request for MobileNumber. They also don't accept the "+" sign or "+90". So it should look like "5431231020". This is the...
MichaelJordan_1
Nimbostratus
Jun 24, 2015
This is weird. I started this implementation with a guide written by Jason Rahm. This guide did not mention these requirements. (https://devcentral.f5.com/articles/one-time-passwords-via-an-sms-gateway-with-big-ip-access-policy-manager)
By the way, the iRule is working right now. Thanks Timo
- THi Jun 24, 2015
Nimbostratus
Well, he may have taken it for granted. I don't think it is well mentioned anywhere in the documentation. But anyway, an iRule is a resource for the virtual server, like a server pool, and needs to be associated with it. I think I mentioned it in my first reply. I had another comment on the variable assign earlier in the thread. I think the session.logon.last.password should not be prepopulated with the OTP value. It should be entered by the user and then compared against the generated value (session.otp.assigned.val).
- MichaelJordan_1 Jun 24, 2015
Nimbostratus
Well, let me ask: do you know which variable holds the OTP value on the APM? I mean, I should replace a value with the "text" string in the URL. In the SMS request URL, there must be a "text" string which carries the value of the One Time Password. This is the requirement. If I don't replace "session.logon.last.password" with the OTP message, APM sends the user's password.
- THi Jun 24, 2015
Nimbostratus
You were referring to Jason's article from 2011, I believe. It is partially obsolete, as OTP is now available as a macro in the VPE. There is an enhanced article with more features; if you haven't seen it, here is the link: https://devcentral.f5.com/s/articles/you-down-with-otp Unfortunately only the first part is available so far. APM sends out whatever you define in the HTTP Auth AAA server used in the macro. The OTP variable which is sent out to the SMS gateway is defined in the SMS gateway AAA server configuration in the hidden parameters. The macro stores it into session.otp.assigned.val. Jason used session.logon.last.password and needed a variable assignment, as initially in the past the OTP generation was done with an iRule. I would send out the OTP directly from session.otp.assigned.val, and read what the user types in into a different variable (session.logon.last.password) to really keep them separate. Using the same variable for both works, but still, in my paranoid security thinking, I would not prefill the OTP variable which I would read in from the user. I would keep these variables separate, just to avoid comparing a prefilled correct value with the same correct value if some kind of error occurred.
- MichaelJordan_1 Jun 24, 2015
Nimbostratus
I agree with you. You are right about direct assignment. I am going to play with "iRule Event" and "Variable Assignment" objects. Thanks for everything
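
One way to do the trimming asked about at the top of this thread, as an added example that is not part of the thread and not the iRule the posters used. It goes slightly beyond the "+" and "+90" cases by also handling spaces, "0090" and a leading "0"; the agent ID `normalize_mobile` and both session variable names are assumptions to be replaced with your own.

```tcl
when ACCESS_POLICY_AGENT_EVENT {
    # Assumed: an "iRule Event" agent in the VPE whose ID is "normalize_mobile".
    if { [ACCESS::policy agent_id] ne "normalize_mobile" } { return }

    # Assumed source variable; use whichever session variable holds the number.
    set raw [ACCESS::session data get "session.ad.last.attr.mobile"]

    # Keep digits only. This removes "+", spaces and dashes, and also anything
    # that could change the structure of the SMS gateway request URL.
    regsub -all {[^0-9]} $raw "" digits

    # Accept the bare 10-digit form, or a known prefix in front of it:
    # 0090 (international dialing), 90 (country code), 0 (national trunk).
    # Anything else is rejected rather than blindly cut to the last 10 digits.
    if { [regexp {^(?:0090|90|0)?([0-9]{10})$} $digits -> msisdn] } {
        # Assumed target variable, referenced by the SMS gateway AAA server.
        ACCESS::session data set "session.custom.otp.mobile" $msisdn
    } else {
        # Fail closed: leave the target empty so the policy can take a deny branch.
        ACCESS::session data set "session.custom.otp.mobile" ""
        log local0.warning "OTP: unusable mobile number, session [ACCESS::session sid]"
    }
}
```

With this in place, "+90 543 123 10 20", "05431231020" and "5431231020" all yield "5431231020", while a number with a different country code yields an empty value that a following VPE branch can test for.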