Forum Discussion

Altostratus

Mar 23, 2021

How to terminate a second APM session using the same MFA account with OTP

Hi, We have an access policy in place where users log in in two steps, first with a radius username and an OTP generated by a hardware token, and second with their AD account. Our security team wa...

BIG-IP Access Policy Manager (APM)

iRules

security

Nikoolayy1

MVP

Mar 23, 2021

This is real complex and I may not be able to help but after the first authentication and saving the seesion variable otp_username and after the second authentication has passed did you try to change/rewrite session.logon.last.username with the value of variable otp_username with a variable assign agent? In a way to make session.logon.last.username after the second authentication to be the same like in the first authentication so the UUID to match what you want.

if this breaks something you can also try to use the ACCESS_POLICY_AGENT_EVENT not ACCESS_POLICY_COMPLETED and placing this event right after you saved otp_username. The ACCESS_POLICY_COMPLETED is when the policy is done so it has session.logon.last.username set to the second authentication, so this seem the issue from what you have written.

https://clouddocs.f5.com/api/irules/ACCESS_POLICY_AGENT_EVENT.html

This are my all ideas, if someone knows something else please share it.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)