Google Authenticator Token Verification iRule For APM

Problem this snippet solves:

This iRule adds token authentication capabilities for Google Authenticator to APM.

The implementation is described in George Watkins' article: Two Factor Authentication With Google Authenticator And APM

The iRule should be applied to an access policy-enabled virtual server. In order to provide two-factor authentication, a AAA server must be defined to verify user credentials. The users' Google Authenticator secrets can be mapped to individual users using a data group, an LDAP schema attribute, or an Active Directory attribute. The storage method can be defined in the beginning section of the iRule. Here is a list of all the configurable options:

  • lockout_attempts - number of attempts a user is allowed to make prior to being locked out temporarily
  • lockout_period - duration of lockout period
  • ga_code_form_field - name of HTML form field used in the APM logon page; this field is defined in the "Logon Page" access policy object
  • ga_key_storage - key storage method for users' Google Authenticator shared keys, valid options include: datagroup, ldap, or ad
  • ga_key_ldap_attr - name of LDAP schema attribute containing users' key
  • ga_key_ad_attr - name of Active Directory schema attribute containing users' key
  • ga_key_dg - data group containing user := key mappings
Comments on this Snippet
Comment made 13-Jul-2015 by Rosieodonell 368
Been using this code for a while now, and one of the things I noticed is that some of the times on people's devices are off by a few seconds, which can mess with the token on their end. Is it possible to modify this code so that it checks what they enter, fails it, and then runs the code again, but this time runs the code with "time-30 seconds", so that it basically approves the token that is valid right now and the token that was valid before?
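
The previous-step tolerance asked about in the comment above, combined with the lockout_attempts and lockout_period options from the description, modelled in Python as an added example; it is not the iRule's code and not part of any comment. The `Verifier` class, its `past_steps` parameter, the lockout semantics and the replay guard are assumptions of this example.

```python
import base64, hashlib, hmac, struct

STEP = 30  # seconds per time step (RFC 6238 default, used by Google Authenticator)

def totp(key_b32, unix_time, digits=6):
    """RFC 6238 HMAC-SHA1 code for the time step containing unix_time."""
    key = base64.b32decode(key_b32.replace(" ", "").upper())
    counter = struct.pack(">Q", int(unix_time) // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Model of the checks; lockout semantics and replay guard are assumptions."""
    def __init__(self, keys, lockout_attempts=3, lockout_period=30, past_steps=1):
        self.keys = keys  # user -> base32 key, standing in for the ga_key_dg data group
        self.lockout_attempts = lockout_attempts
        self.lockout_period = lockout_period  # seconds
        self.past_steps = past_steps  # earlier time steps still accepted
        self.failures = {}   # user -> timestamps of recent failed attempts
        self.last_step = {}  # user -> newest time step already accepted

    def verify(self, user, code, now):
        recent = [t for t in self.failures.get(user, []) if now - t < self.lockout_period]
        self.failures[user] = recent
        if len(recent) >= self.lockout_attempts:
            return "locked"  # even a correct code is refused during lockout
        key = self.keys.get(user)
        current = int(now) // STEP
        for step in range(current, current - self.past_steps - 1, -1):
            if key is None or step <= self.last_step.get(user, -1):
                break  # unknown user, or this step's code was already used
            expected = totp(key, step * STEP).encode()
            if hmac.compare_digest(expected, code.encode()):
                self.last_step[user] = step
                self.failures[user] = []
                return "ok"
        recent.append(now)
        return "failed"

if __name__ == "__main__":
    KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # constructed: RFC 6238 test key, base32
    v = Verifier({"alice": KEY})
    late = totp(KEY, 1111111109)  # code from the step just before "now"
    print(v.verify("alice", late, 1111111111))  # previous step accepted
    print(v.verify("alice", late, 1111111112))  # same code again is refused
```

Each extra accepted step lengthens the time a captured code stays usable, so the tolerance is kept to one step here and paired with the lockout counter and the used-step check.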
Comment made 22-Apr-2017 by Sebastien6 57

Tried it and it always returns the error message: "Rule evaluation failed with error: missing close-brace". I looked at the iRule and all close-braces seem to be in place.

Anyone had this error before? Do you know how to fix it?

Comment made 27-Aug-2018 by roracz 3

I know this post is over a year old, but to anyone who encounters the "missing close-brace" problem (like me): look at your Expressions in Branch Rules in VPE. The iRule is OK; you are probably missing a close-brace in one of the expressions, e.g.: expr { [mcget {session.custom.ga_result} ] == 1 }