Has anyone ran into this issue? On 11.6HF6 If you're at a step in your access policy of prompting for a OTP and the user just refreshes the browser, it bypasses everything else in the policy and sends the user to the "allow" branch. I see this behavior when the "Prompt" for passcode page has only "fallback" branch that goes to an OTP Verify. The OTP verify has "OTP has passed" and has "OTP has failed" and "fallback". Both OTP failed and fallback point to a "failure" which results in deny...however if the user just hits refresh the access policy logs that the user followed the successful branch out of the OTP verify. If I manually at the start of a policy place a variable assign that sets session.otp.verify.last.authresult = expr { 0 } then it stops this behavior...but the issue appears to be when there isn't a value for that session variable it just passes on as success instead of 'fallback' which it seems like it should...I couldn't reproduce this on a mobile browser....but I could on chrome and IE on several different machines.

I think it may be a bug...as I said it doesn't happen on mobile devices--and in the logs I see this right before it goes on to allow the user through even though they typed nothing in. modules/Authentication/OTP/OTPVerifyAgent.cpp func: "getOTPVerifyUserInput()" line: 149 Msg: 64d04990: OTP_VERIFY Agent: getOTPVerifyUserInput(): unable to decrypt user password due to invalid ciphertext

I have a ticket in with F5. I will update here when they respond in case anyone else runs into this.

If you can please message me your ticket number with support, it would be great

It may be something specific to the steps I have. I just created a very basic new policy and wasn't able to reproduce right away. I will message you the .

I couldn't produce this on a new policy but I could reproduce on mine...if I changed my OTP login page password field from 'text' to 'password' it seemed to correct the behavior on windows pcs. The problem I guess is we have it set to text so the user can see the number they are entering...I couldn't reproduce that behavior with a new policy though and setting the password field to text...based on that log error it must be something else in the policy combined with that causing it on windows machines for me.

OTP can be bypassed by refreshing on the OTP prompt page..

14 Replies

JWhitesPro_1928
Cirrostratus
Jan 26, 2016
I think it may be a bug...as I said it doesn't happen on mobile devices--and in the logs I see this right before it goes on to allow the user through even though they typed nothing in.

modules/Authentication/OTP/OTPVerifyAgent.cpp func: "getOTPVerifyUserInput()" line: 149 Msg: 64d04990: OTP_VERIFY Agent: getOTPVerifyUserInput(): unable to decrypt user password due to invalid ciphertext
- JWhitesPro_1928
  Cirrostratus
  Jan 26, 2016
  I have a ticket in with F5. I will update here when they respond in case anyone else runs into this.
- Michael_Koyfma1
  Cirrus
  Jan 26, 2016
  If you can please message me your ticket number with support, it would be great
- JWhitesPro_1928
  Cirrostratus
  Jan 26, 2016
  It may be something specific to the steps I have. I just created a very basic new policy and wasn't able to reproduce right away. I will message you the .
JWhitesPro_1928
Cirrostratus
Jan 26, 2016

The 'failure' on the "Prompt for passcode" was purely for troubleshooting.
- Seth_Cooper
  Employee
  Jan 26, 2016
  Anything before the Prompt for Passcode?
- JWhitesPro_1928
  Cirrostratus
  Jan 26, 2016
  I will PM you my qkview and case.
- JWhitesPro_1928
  Cirrostratus
  Jan 26, 2016
  I see that. I have that set so that the http-auth form pulls the correct field for clickatell...perhaps I can rename it...either way though on the variable assign before the "Prompt for Passcode" I just added session.logon.last.password and set it to something manually there and tried it again with the same result...it's strange that it doesn't do this on mobile devices or when i change that password field type....let me run through it a few more times.
Lucas_Thompson_
Historic F5 Account
Jan 26, 2016
There is one more thing to consider here.

All of the "Auth" Policy Items expect that the password will be in an encrypted format. The Logon Page inputs can be "text" or "password". If you set it to "text", then the variable is set up to be unencrypted. If you set it to "password", then it's encrypted. The "Invalid Ciphertext" error message happens when whatever session variable that the Policy Item was trying to interrogate was NOT encrypted or was empty. If it was plaintext, the error would be produced.
Seth_Cooper
Employee
Feb 01, 2016
I believe I see the issue... in the SMS Macro you have a variable assign that sets session.logon.last.password to session.user.opt.pw so when you get to the logon page "Prompt for Password" the value is set, hitting refresh will make the logic run and since the password session var has the otp in it then you will pass. If you remove the password from that variable assign do you have the same issues?

Forum Discussion

OTP can be bypassed by refreshing on the OTP prompt page..

14 Replies

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

Port Group on F5OS network setting

Advise on setting up IRULE

F5 iRule to replace host to path

google-visualization-issues

Related Content

Bypass certificate check

F5 APM with OIDC Web Duo Prompt

Bypass WAF for X-forwarder IP in XC

MSM Bypass

Apple's New Rule & Google PlayStore Bypass -July 29th-4th Aug, 2023 - F5 SIRT-This Week in Security