Suppress MFA for a period of time
Problem this snippet solves: This code snippet can be used if you want to suppress MFA for a period of time. This solution uses an encrypted persistent cookie, that will be set at a successful MFA l...
Published Jul 16, 2019
Version 1.0
wbrowne
Mar 29, 2021
Altostratus
Niels, thank you for your response.
I have put my entire iRule here. I just entered the HTTP_RESPONSE originally because that is what I am having problems with. I am not sure what you mean by saying I removed the conditional 'set cookie'. I have the check if { [ACCESS::session data get session.custom.suppressmfa.setauthtable] == 1 }. I also have the line in there that sets it to 0 (ACCESS::session data set session.custom.suppressmfa.setauthtable 0) after the first response. Really the only thing that I have added is that I am creating a table called tab_amia [IP::client_addr], adding a value "Authed", and adding that to the cookie check in the ACCESS_POLICY_AGENT_EVENT. All this seems to be working except for the actual cookie creation.
when RULE_INIT {
    # To see debug logs set to 1, turn off with 0. Logs can be viewed in /var/log/apm
    # or in the TMUI under System -> Logs -> Local Traffic
    set static::AMIADEV_Cookie_debug 1
    # passphrase: the cookie encryption passphrase
    # cookie:     the cookie name
    # value:      the encrypted value stored in the cookie
    # seconds:    seconds after which the persistent cookie (and the client IP table entry) expires
    array set static::suppress_mfa {
        passphrase "pw for decryption"
        cookie "AMIA_MFA"
        value "amia"
        seconds "300"
    }
}
when ACCESS_SESSION_STARTED {
    # store hash from cookie in APM variable
    if { [HTTP::cookie exists $static::suppress_mfa(cookie)] } {
        log local0. "amia cookie exists for [IP::client_addr]"
        set hash [HTTP::cookie decrypt $static::suppress_mfa(cookie) $static::suppress_mfa(passphrase)]
        if { $static::AMIADEV_Cookie_debug } { log local0. "cookie decrypted $hash" }
        ACCESS::session data set session.custom.suppressmfa.hash $hash
    } else {
        # no cookie presented: drop any stale table entry for this client IP
        table delete tab_amia:[IP::client_addr]
        if { $static::AMIADEV_Cookie_debug } { log local0. "no cookie found" }
        if { $static::AMIADEV_Cookie_debug } { log local0. "cookie name expected $static::suppress_mfa(cookie)" }
    }
}
when ACCESS_POLICY_AGENT_EVENT {
    # check if hash from cookie matches the encrypted value and the client IP is recorded as Authed
    switch [ACCESS::policy agent_id] {
        "checkauthed" {
            set checked [table lookup tab_amia:[IP::client_addr]]
            if { [ACCESS::session data get session.custom.suppressmfa.hash] equals $static::suppress_mfa(value) and $checked contains "Authed" } {
                ACCESS::session data set session.custom.suppressmfa.skip 1
            }
        }
    }
}
when HTTP_RESPONSE {
    # if the table should be set then take a record of the client IP and set the encrypted cookie
    if { [ACCESS::session data get session.custom.suppressmfa.setauthtable] == 1 } {
        table set tab_amia:[IP::client_addr] Authed $static::suppress_mfa(seconds)
        set taba [table lookup tab_amia:[IP::client_addr]]
        if { $static::AMIADEV_Cookie_debug } { log local0. "$taba" }
        HTTP::cookie insert name $static::suppress_mfa(cookie) value $static::suppress_mfa(value) path "/"
        HTTP::cookie expires $static::suppress_mfa(cookie) $static::suppress_mfa(seconds) relative
        HTTP::cookie secure $static::suppress_mfa(cookie) enable
        HTTP::cookie httponly $static::suppress_mfa(cookie) enable
        HTTP::cookie encrypt $static::suppress_mfa(cookie) $static::suppress_mfa(passphrase)
        HTTP::header "Cache-Control" "max-age=$static::suppress_mfa(seconds)"
        HTTP::close
        # only set the table entry and cookie once per session
        ACCESS::session data set session.custom.suppressmfa.setauthtable 0
    }
}