Two-Factor Authentication With Google Authenticator And APM

Introduction Two-factor authentication (TFA) has been around for many years and the concept far pre-dates computers. The application of a keyed padlock and a combination lock to secure a sing...
Published Feb 21, 2012
Version 1.0
adn
BIG-IP
BIG-IP Access Policy Manager (APM)
news
security
tech tip
Sohaib_Atta_251's avatar
Sohaib_Atta_251
May 14, 2018

Hi Leonard, Yes I was able to solve the problem after looking at the LTM logs. There were two issues in my case:

 

  1. although devices were synced with a local NTP (Active Directory) but still there as some offset of like 3 seconds so the codes were expiring. I took care of this by syncing NTP with a local router for testing and it worked fine.

     

  2. It may sound weird, the iRule related to token generation had some issue. I copied the irule from the link in above post. BAM its not working...always getting 000000 as the verification code where as it was some other 6 digit value in the google authentication app. Since it didn't match so it always directed to the fallback branch and hence a deny.

     

Found the same irule on a website from a techi and copied that and it started working (I could see the authentication codes matching and expiring in the LTM logs). Copied both the working irule from my device and the one in this post; compared them in a text editor; Everything matches. Not even a single character is different. Took it a step further. Made another irule again using the one in above post. Attached it to the VS...BAM it stopped working...000000 as code in LTM logs. reverted back to the working irule; working fine.