
2-factor code via SMS iRule

We have a need for 2-factor auth on some of our external services, and are looking at alternatives to the current SecurID setup. Would it be possible to have an iRule generate a random code, send it out via an SMS provider, wait for the user to receive the code on his mobile phone and enter it as part of the APM login, and then compare the codes for accept/deny? Thanks for any feedback!

Jon Ole
0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
Hi Jon,

There isn't any native support for triggering an SMS from LTM. However, this might make an interesting feature request for APM. What kind of API or protocol do you imagine wanting to use to trigger an SMS?

Aaron
0
We are currently using Clickatell for SMS distribution, and the SMS is sent by sending an HTTP request to the provider that includes our login/password, the phone number and the message (code). I believe many mobile operators support this type of functionality.
0
You could potentially do that now using HTTP::retry:

http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=105

I am not sure how easy it would be to combine the logic from Deb's article with APM, but it might be possible. If you give it a try and get stuck, try replying back here to get help. It would also make an interesting request for enhancement. You could make the request officially by opening a case with F5 Support.

Aaron
0
Thank you, Aaron! The HTTP::retry looks very promising. The wiki for HTTP::retry (http://devcentral.f5.com/wiki/default.aspx/iRules/HTTP__retry.html) had exactly the example I have been looking for. If that works as advertised, we only need a random number generator within the iRule to complete the job.
By the way, we have opened an RFE with F5, and were told that they were working on getting this functionality into future versions of the APM. For a short-term solution we were asked to use the forums at DevCentral, and they were right :-)

Here is a short description of how Checkpoint has integrated the same thing into their Connectra product: http://updates.checkpoint.com/files...katell.pdf
0
Hi Jon,

Actually, Per Boe, an F5 FSE, and Jason Rahm from DC just posted a solution on using APM to implement an SMS-based one-time password solution:

One Time Passwords via an SMS Gateway with BIG-IP Access Policy Manager
http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1086432/One-Time-Passwords-via-an-SMS-Gateway-with-BIG-IP-Access-Policy-Manager.aspx

Aaron
0
Hi Aaron,

Have you found the solution yet? I am stuck on a similar issue: I need to send the OTP code to an SMS server, matching the string below.
http://smsserver:8011/POST?Source=F5&Dest=4563726393&Text=[pin1]&Submit+Query
Any ideas, please?

I have used a similar solution to the OTP one but can't use the API: https://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1086432/One-Time-Passwords-via-an-SMS-Gateway-with-BIG-IP-Access-Policy-Manager.aspx
Thanks, AJ
0
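The flow asked about in this thread (generate a random code, hand it to an HTTP SMS gateway, compare what the user enters), as an added example that is not part of the thread and is not F5's or the linked article's code. It is written in Python rather than as an iRule; the parameter names Source, Dest and Text come from the URL quoted above, while the 6-digit length, 5-minute lifetime, 3-attempt limit and the in-memory `sessions` store are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

CODE_DIGITS = 6     # assumption: 6-digit code
CODE_TTL = 300      # assumption: code is valid for 5 minutes
MAX_ATTEMPTS = 3    # assumption: entries allowed before the code is discarded


def _digest(code, salt):
    return hashlib.sha256(salt + code.encode()).digest()


def issue_code(sessions, session_id, now=None):
    """Create a one-time code; only a salted hash is kept in the store."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"  # CSPRNG
    salt = secrets.token_bytes(16)
    sessions[session_id] = {"salt": salt, "hash": _digest(code, salt),
                            "expires": now + CODE_TTL, "attempts": 0}
    return code


def sms_request_url(base_url, dest, code, source="F5"):
    """Build the gateway request; urlencode escapes every parameter value."""
    return base_url + "?" + urlencode({"Source": source, "Dest": dest, "Text": code})


def verify_code(sessions, session_id, entered, now=None):
    """Accept a code once, within its lifetime and attempt budget."""
    now = time.time() if now is None else now
    rec = sessions.get(session_id)
    if rec is None:
        return False
    if now > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
        del sessions[session_id]           # expired or locked out
        return False
    rec["attempts"] += 1
    if hmac.compare_digest(_digest(entered, rec["salt"]), rec["hash"]):
        del sessions[session_id]           # single use
        return True
    return False


if __name__ == "__main__":
    store = {}
    pin = issue_code(store, "sess-1")      # constructed session id
    print(sms_request_url("http://smsserver:8011/POST", "4563726393", pin))
```

Because the code travels in the query string, it will appear in any access log along the path to the gateway, which is one reason to keep the lifetime short and the code single-use.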