we want to configure MFA/2FA using Google Authenticator (or at least the underlying time-based one-time password (TOTP) solution).
We found several articles and guides here on DevCentral, but as some of them are quite some years old and also referenced links seems to not working anymore, I have some questions:
Is it really necessary to have the APM-module activated for this? Because based on one of the initial articles, it seems to be possible just with the LTM authentication profile? But when checking the options, I don't have the mentioned "LDAP"-type available. I see only "SSL client certificate LDAP" (and two others).
What are pros and cons of an implementation with/without APM-module?
Based on the preferred solution is there any current/up-to-date configuration guide available, how to configure this?
Ok, I got at least the APM-solution to work. And I want to share with you the combined iRule based on:
Google Authenticator Token Verification iRule For APM
Google Authenticator Verification iRule (TMOS v11.1+ optimized)
Maybe this is helpful for someone out there.
I made some testings and it looks fine so far, but maybe the experts can have a look on it as well. I tested this with version 13.0.0
But besides this, I would still be interested in the options to get this working even without APM at all. Is this still be possible via an Authentication-profile or are these features no more available in latest TMOS versions?
Special thanks here to George Watkins and Kai Wilke for the good work!!!
Many thanks for updating and optimizing the code. as I am looking at implementing such solution.
Unfortunately, there is one important missing part in all the documentation I read this far: how to automate user registration. I have over 500 users, it is not possible and not sustainable to manually add them in the local datagroup. Provisioning should be self-service.
Anyone has a solution for implementing auto-provisioning of users and passcode or, did you all use the same passcode for all users?
it's quit some months ago and I currently can't remember exactly, but I think I used the code provided from Niels above as well.
In general our logic now works as follows:
User gets APM Login-Page displayed, where normal AD-credentials need to be entered
Credentials will be checked via AAA-profile
If successful a newly created AD-attribute for the shared secret will be checked
If available, the OTP will be created via iRule and requested in parallel from the user on a second APM-page -> if both are identical access is granted
If not available, APM via iRule/iRuleLX will create a new shared secret for that user and displays the result on a second APM-page -> once the user confirms that he's activate this key on his mobile-app, APM will update the AD and saves the shared key for that user -> additionally the OTP will be created and requested from the user as mentioned above
So each user has to initialize his own OTP-app the first time he uses a MFA-protected VS. APM will manage all the users automatically via AD-Attribute.
