Forum Discussion
Try block for One Time Passcodes via APM
I have one-time passcodes working with APM in an access policy successfully. Basically what I want to be able to accomplish is: in AD there is a phone attribute, let's say it's 800-324-5678. I want to be able to strip out the dashes and then I want to try that phone number against X number of choices like the following.
AT&T: number@txt.att.net
T-Mobile: number@tmomail.net
Verizon: number@vtext.com
Sprint: number@messaging.sprintpcs.com or number@pm.sprint.com
If one ends up being successful, do not proceed to the next carrier to try. Is this something that could be accomplished within my AP via an iRule or some other magical rainbows and unicorns configuration?
Any help is appreciated.
Thanks, techntactical
5 Replies
- Max_Q_factor
Cirrocumulus
I believe that stripping out the dashes is something you can easily accomplish using a regular expression and a variable assign.
The second part of your question seems like it needs a bit more clarification. How are you planning to "try that phone number against X number of choices", sending each of the carriers an e-mail addressed to that phone number? I would personally look into a SIP broker ENUM lookup service and an HTTP sideband iRule. I did a quick google and here is an example of a sipbroker ENUM lookup service:
http://www.sipbroker.com/sipbroker/action/webServices
- TechNTactical_1Historic F5 Account
I found the answer for the first part via a post:
    when ACCESS_POLICY_AGENT_EVENT {
        # seed the generator and build a 6-digit code
        expr srand([clock clicks])
        set otp [string range [format "%08d" [expr int(rand() * 1e9)]] 1 6]
        # pull the mail and mobile attributes from the LDAP query results
        set mail [ACCESS::session data get "session.ldap.last.attr.mail"]
        set mobile [ACCESS::session data get "session.ldap.last.attr.mobile"]
        # strip dots, spaces, dashes, parentheses and plus signs from the number
        set mobile2 [string map {"." "" " " "" "-" "" "(" "" ")" "" "+" ""} $mobile]
        # store the code, normalized number and username as session variables
        ACCESS::session data set session.user.otp.pw $otp
        ACCESS::session data set session.user.otp.mobile $mobile2
        ACCESS::session data set session.user.otp.username [ACCESS::session data get "session.logon.last.username"]
    }
The second part: basically there is an attribute in AD called phone number. The above iRule will normalize the data to provide it in the right format. Then I need something else (I'm thinking more iRule magic) to append @vtext.com and the other carriers included above in my original post.
So the user logs in and gets the APM logon page with username and password. The user enters username and password, gets auth'd against AD and then gets an OTP logon page to enter it in. At that point the F5 is utilizing the SMTP config to send an email (email to text) to the user, keying off of the phone number attribute in AD. The attribute in AD today is just a phone number, but I want them to get that OTP via text. So when APM sees the phone number it knows the first 10 digits and then proceeds to try each one of the carriers to send the text message to, as our users might have any one of the above carriers and I don't want to have to manually figure that out by asking or by putting that data in AD. If F5 could dynamically handle that via an iRule or some other method where it tried each one of the carriers above by appending those @addresses to the phone number, it would make it pretty nifty.
Thanks, TechNTactical
- Max_Q_factor
Cirrocumulus
You may also consider adding an AD attribute where the user can specify the mobile carrier, then just do a simple case statement to match the carrier to the e-mail domain and format required to send the OTP.
- TechNTactical_1Historic F5 Account
Would you happen to know what that would look like via example within the APM policy or the match statement via iRule?
- Max_Q_factor
Cirrocumulus
I think you should be able to scrape one together with the following links:
https://devcentral.f5.com/questions/apm-controlling-access-policy-from-irule
https://devcentral.f5.com/articles/irules-101-04-switch
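One way the carrier-attribute approach from the reply above could look as an iRule, as an added example that is not code from this thread or from F5. It assumes a custom AD attribute exposed as session.ldap.last.attr.carrier, an agent ID of "otp_sms" on the iRule Event agent, and the session variable names session.user.otp.target and session.user.otp.status (all hypothetical); the number is normalized with a regsub instead of the string map used earlier in the thread, and an unknown carrier fails closed rather than sending the code to every gateway.

```tcl
when ACCESS_POLICY_AGENT_EVENT {
    # Only run for the iRule Event agent with the assumed ID "otp_sms"
    if { [ACCESS::policy agent_id] ne "otp_sms" } { return }

    # 6-digit code, same construction as the snippet posted earlier in the thread
    # (Tcl's rand is not a cryptographic generator; it is kept here for parity with the thread)
    expr srand([clock clicks])
    set otp [string range [format "%08d" [expr int(rand() * 1e9)]] 1 6]

    # Normalize the AD phone attribute: keep digits only, then the last 10 so a
    # leading country code such as "1" does not break the gateway address
    set mobile [ACCESS::session data get "session.ldap.last.attr.mobile"]
    regsub -all {[^0-9]} $mobile "" digits
    set digits [string range $digits end-9 end]

    # Map the (assumed) carrier attribute to its email-to-SMS gateway domain
    set carrier [string tolower [string trim [ACCESS::session data get "session.ldap.last.attr.carrier"]]]
    switch -- $carrier {
        "att"     { set domain "txt.att.net" }
        "tmobile" { set domain "tmomail.net" }
        "verizon" { set domain "vtext.com" }
        "sprint"  { set domain "messaging.sprintpcs.com" }
        default   { set domain "" }
    }

    # Malformed number or unmapped carrier: record a failure and send nothing,
    # so the policy can branch on session.user.otp.status and deny the logon
    if { [string length $digits] != 10 || $domain eq "" } {
        ACCESS::session data set session.user.otp.status "fail"
        log local0. "OTP gateway lookup failed for [ACCESS::session data get session.logon.last.username]"
        return
    }

    # Single recipient address for the policy's Email agent to use
    ACCESS::session data set session.user.otp.pw $otp
    ACCESS::session data set session.user.otp.target "${digits}@${domain}"
    ACCESS::session data set session.user.otp.status "ok"
}
```

The access policy then branches on session.user.otp.status after the iRule Event agent and uses session.user.otp.target as the recipient in the Email agent.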