How to terminate a second APM session using the same MFA account with OTP
Hi,
We have an access policy in place where users log in in two steps, first with a radius username and an OTP generated by a hardware token, and second with their AD account. Our security team wants us to ensure that only one session can exist for which the hardware token was used; if it is used a second time then the already existing session has to be terminated.
I have used the post https://devcentral.f5.com/s/articles/big-ip-apm-max-sessions-per-user-enable-users-to-terminate-a-specified-session as a starting point.
The problem I'm running into is that the username logged for the session is the second one, but the session has to be identified by the first one. I haven't been able to come up with a way to achieve this.
I assigned a variable in the policy after the first authentication step:
otp_username = expr { "[mcget {session.logon.last.username}]" }. Logging shows that this is working.
In the next step I try to create a custom uuid with this new variable, but this is not possible; the uuid is always formed as [policy name].[session.logon.last.username]
This is what I have come up with so far:
when ACCESS_POLICY_COMPLETED {
    # Only enforce the single-session rule for policies landing on /uri1
    if { [ACCESS::session data get "session.server.landinguri"] starts_with "/uri1" } {
        # Username from the first (RADIUS/OTP) step, stored by the policy in otp_username
        set radius_username [ACCESS::session data get otp_username]
        log local0. "[PROFILE::access name].$radius_username"
        # Look up any existing session IDs under the uuid built from the OTP username
        set apm_cookie_list [ACCESS::uuid getsid "[PROFILE::access name].$radius_username"]
        for {set i 0} {$i < [llength $apm_cookie_list]} {incr i} {
            log local0. "Session => [lindex $apm_cookie_list $i]"
        }
        log local0. "Length of cookie list is now [llength $apm_cookie_list]"
        if { [llength $apm_cookie_list] >= 1 } {
            # Terminate the first existing session found for this uuid
            set _sessionid [ACCESS::session data get -sid [lindex $apm_cookie_list 0] session.user.sessionid]
            log local0. "Found session $_sessionid"
            ACCESS::session remove -sid $_sessionid
            log local0. "[PROFILE::access name].$radius_username => session number $_sessionid terminated"
        }
    }
}
Does anyone have an idea how to get this to work?
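An alternative that does not depend on the uuid at all, written here as an added example rather than code from the post above: keep a small iRule table keyed by the OTP username, so the previous session ID for that hardware token can be looked up directly and removed. It assumes the first-step username is readable as the session variable otp_username (as in the post), that the table subtable name apm_otp and the 28800 s lifetime are free choices, and that the iRule is attached to the same virtual server as the access profile.

```tcl
# Added example: allow only one APM session per OTP (hardware-token) user.
# Assumes the policy stores the first-step username in otp_username.
when ACCESS_POLICY_COMPLETED {
    # Only enforce on the /uri1 landing URI, as in the original rule
    if { ![string match "/uri1*" [ACCESS::session data get "session.server.landinguri"]] } {
        return
    }
    set radius_username [ACCESS::session data get otp_username]
    if { $radius_username eq "" } {
        log local0. "No OTP username in session; nothing to enforce"
        return
    }
    set this_sid [ACCESS::session sid]
    # Key on the OTP identity, not the AD account used in the second step
    set key "[PROFILE::access name]:$radius_username"
    # Session ID recorded by the previous login with this token, if any
    set old_sid [table lookup -subtable apm_otp $key]
    if { $old_sid ne "" && $old_sid ne $this_sid } {
        if { [ACCESS::session exists -state_allow $old_sid] } {
            log local0. "$radius_username: terminating earlier session $old_sid"
            ACCESS::session remove -sid $old_sid
        }
    }
    # Record the current session; the 28800 s timeout/lifetime is an assumed
    # value that should match the profile's maximum session timeout so
    # entries for expired sessions age out of the table on their own
    table set -subtable apm_otp $key $this_sid 28800 28800
}
```

Because the table only holds the most recent session ID per OTP username, a second login with the same token terminates exactly the earlier session and leaves sessions of other users untouched.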