Forum Discussion

Altostratus

Mar 23, 2021

How to terminate a second APM session using the same MFA account with OTP

Hi, We have an access policy in place where users log in in two steps, first with a radius username and an OTP generated by a hardware token, and second with their AD account. Our security team wa...

MVP

Mar 23, 2021

This is real complex and I may not be able to help but after the first authentication and saving the seesion variable otp_username and after the second authentication has passed did you try to change/rewrite session.logon.last.username with the value of variable otp_username with a variable assign agent? In a way to make session.logon.last.username after the second authentication to be the same like in the first authentication so the UUID to match what you want.

if this breaks something you can also try to use the ACCESS_POLICY_AGENT_EVENT not ACCESS_POLICY_COMPLETED and placing this event right after you saved otp_username. The ACCESS_POLICY_COMPLETED is when the policy is done so it has session.logon.last.username set to the second authentication, so this seem the issue from what you have written.

https://clouddocs.f5.com/api/irules/ACCESS_POLICY_AGENT_EVENT.html

This are my all ideas, if someone knows something else please share it.

Forum Discussion

How to terminate a second APM session using the same MFA account with OTP

Recent Discussions

Geo Fence in ASM through irule for URI

Client certificate Authentication - open multiple tabs

google autenticator broken barcode

Chrome V 124+ on MacOS - Virtual Server Access Issue

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Related Content

Create a DevCentral account

BIG-IP APM: Max Sessions Per User – Enable users to terminate a specified session

DevCentral to Require Multi-Factor Authentication for Account Login from September 26

Change admin account

ForgeRock with F5 Distributed Cloud (XC) Account Protection and Authentication Intelligence