Suppress MFA for a period of time
Problem this snippet solves: This code snippet can be used if you want to suppress MFA for a period of time. This solution uses an encrypted persistent cookie that will be set at a successful MFA l...
Published Jul 16, 2019
Version 1.0
Slayer001
Jul 26, 2019
Cirrus
Got it to work, thanks for your help Niels.
Also added a timestamp in the cookie to avoid tampering with the expiration time of the cookie.
This is what I have for the checkcookie event now:
when ACCESS_POLICY_AGENT_EVENT {
    # check if hash from cookie matches current session hash (username and user-agent)
    switch [ACCESS::policy agent_id] {
        "checkcookie" {
            set username [ACCESS::session data get session.logon.last.username]
            set UA [ACCESS::session data get session.user.agent]
            set hash [b64encode [md5 "c:$username:$UA"]]
            set currenttime [clock seconds]
            # value layout: <hash> followed by a 10-digit epoch start time
            set cookievalue [ACCESS::session data get session.custom.suppressmfa.hash]
            set starttime [string range $cookievalue end-9 end]
            # an empty start time means no suppress-MFA value was set; do nothing
            if { $starttime ne "" } {
                # suppression window ends suppress_mfa(seconds) after the start time
                set endtime [expr {$starttime + $static::suppress_mfa(seconds)}]
                #log local0. "endtime: $endtime"
                if { $currenttime <= $endtime } {
                    # skip MFA only if the stored hash matches this session's hash
                    if { $hash equals [string range $cookievalue 0 end-10] } {
                        ACCESS::session data set session.custom.suppressmfa.skip 1
                    }
                }
            }
        }
    }
}