For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

THi's avatar
THi
Icon for Nimbostratus rankNimbostratus
Jun 24, 2015
You were referring to Jason's article from 2011 I believe. It is partially obsolete as OTP is now available as a macro in the VPE. There is an enhanced article with more features, if you haven't seen it, here is the link: https://devcentral.f5.com/s/articles/you-down-with-otp Unfortunately only the first part is available yet.. APM sends out whatever you define in the HTTP Auth AAA server used in the macro. The OTP variable which is sent out to SMS gateway is defined in the SMS gateway AAA server configuration in the hidden parameters. The macro stores it into session.otp.assigned.val. Jason used session.logon.last.password and needed a variable assignment, as initially in the past the OTP generation was done with an iRule. I would send out OTP directly from the session.otp.assigned.val, and read what the user types in into a different variable (session.logon.last.password) to really keep them separate. Using same variable for both works, but still in my paranoid security thinking I would not prefill the OTP variable which I would read in from the user. I would keep these variables separate. Just to avoid of comparing prefilled correct value with same correct value if some kind of error occurred..