F5 APM HTTP-Auth

Question

Hello Everyone,&nbsp;
I am using SMSGlobal to send the OTP to users. I am facing a strange issue I can see in the reports in current session that its been picking up the right mobile number from AD and assigning different OTP every time but the issue is when multiple user are trying to access the SSL VPN then randomly one out of these multiple users keep receiving the same OTP repeatedly and other users doesn't receive any.&nbsp;
For instance user A for the first time tries to login to ssl vpn, he receives the OTP. Now when user B tries to login to ssl vpn, user A receives the same OTP again and later when user C tries to access ssl VPN, user A receives the same OTP again on his mobile. where as user C and B doesn't receive any OTP on there mobiles.&nbsp;
But if I go and check the sessions under reports on F5 APM I can see there appropriate phones numbers and different new OTP is assigned to all three users.&nbsp;
This the form action http://www.smsglobal.com/http-api.php&nbsp;
Hidden Parameters- action=sendsms&amp;user=xxxxx&amp;password=xxxxx&amp;&amp;api=1&amp;to="%{session.user.otp.mobile}"&amp;text="%{session.user.otp.pwd}"&nbsp;
LTM Model- BIG-IP 2000
Version- 11.4.1&nbsp;
Any help will be highly appreciated.&nbsp;
Thanks, LD&nbsp;

jonas_karlsson2 · Answer

Hello, I have exactly the same problem in BigIP v12.1.1HF1. Using the built in OTP generate and verify. Different SMS gateway (Telia) in the HTTP Auth. The same old OTP reappears on the first users phone when the second or third user tries to sign in. When adding logging and looking at the ´session.otp.assigned.val´ the OTP Generate is generating a new value and pairing this to the new user session. It looks like the HTTP Auth module is not picking up the new session variable and resends an old cache..&nbsp;
Form Method GET
Form Action http://A.B.C.D/aps/APSmsg
Hidden Form Parameters/Valuesid=XXXXXX&amp;passwd=YYYYYYY&amp;recipients=%{session.ad.last.attr.otherMobile}&amp;flash=yes&amp;msg=%{session.otp.assigned.val}&amp;null&nbsp;
Any Idea how to get the HTTP Auth module to update or clear itself and pick the new session variable? &nbsp;
//Jonas&nbsp;

jonas_karlsson2 · Answer

The solution was to type the values in the box "Hidden Form Parameters" of HTTP server on separate lines and with a space instead of the equal sign.&nbsp;
id XXXXXX&nbsp;
passwd YYYYYYY&nbsp;
recipients %{session.ad.last.attr.otherMobile}&nbsp;
flash yes&nbsp;
msg %{session.otp.assigned.val}&nbsp;

//Only one Carrige Retur above, the forum will not show it correctly//&nbsp;

Forum Discussion

F5 APM HTTP-Auth

2 Replies

Recent Discussions

F5 terminal - help to run commands - disk space full

vulnerabilities-CVE-2020-16150 & CVE-2013-0169

google autenticator broken barcode

Error while running ansible

ASM instance creation

Related Content

HTTP auth - Calling external API with parameters

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator

F5 BIG-IP Access Policy Manager (APM) Machine Tunnels for Windows

HTTP Auth fails

Migrating F5 BIG-IP APM From Legacy NAC Service to Compliance Retrieval Service