Forum Discussion
Posterus_85681
Oct 06, 2015 (Nimbostratus)
It does work. Because the APM policy cannot be re-evaluated, we connect back with the MRH cookie and then compare the OTP code to verify from the ext system via header variable and compare this to the session.otp.assigned.val value that was generated (this is done in the HTTP request section).
- Stanislas_Piro2, Oct 07, 2015 (Cumulonimbus)
  When I look in your configuration, everything is allowed... there is no reject if the OTP code is wrong or the client does not provide an OTP code. If the first request contains generate, the APM allows the connection... if in the following requests there is no generate or verify, the iRule allows the connection. The decision to allow or not allow the connection is not made by APM but by the client, which receives the OTP status.
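
The point raised in the reply above, as an added example that is not part of the thread or of either poster's configuration: a small Python model of the per-request decision, with the allow-everything behaviour the reply describes beside a fail-closed version. The header names `X-OTP-Action` and `X-OTP-Code` and the `otp_verified` session flag are assumptions; only `session.otp.assigned.val` comes from the thread.

```python
import hmac

ASSIGNED = "session.otp.assigned.val"   # session variable named in the thread
ACTION_HDR = "X-OTP-Action"             # hypothetical header: "generate" or "verify"
CODE_HDR = "X-OTP-Code"                 # hypothetical header carrying the OTP


def _matches(supplied, expected):
    """Constant-time comparison; an empty or missing expected value never matches."""
    if not expected:
        return False
    return hmac.compare_digest(supplied.encode(), expected.encode())


def permissive(headers, session):
    """Behaviour described in the reply: a status is reported, nothing is rejected."""
    if headers.get(ACTION_HDR) == "verify":
        ok = _matches(headers.get(CODE_HDR, ""), session.get(ASSIGNED))
        return ("allow", "otp-ok" if ok else "otp-bad")  # client is trusted to act on it
    return ("allow", None)  # generate, or no OTP header at all


def enforcing(headers, session):
    """Fail closed: the proxy keeps the verification state and decides itself."""
    action = headers.get(ACTION_HDR)
    if action == "generate":
        session.pop("otp_verified", None)   # a new code invalidates earlier success
        return ("allow", "otp-sent")        # only the generate step passes unverified
    if action == "verify":
        if _matches(headers.get(CODE_HDR, ""), session.get(ASSIGNED)):
            session["otp_verified"] = True
            return ("allow", "otp-ok")
        return ("reject", "otp-bad")
    if session.get("otp_verified"):
        return ("allow", None)
    return ("reject", "otp-required")       # no generate/verify and no verified state


def demo():
    """Constructed requests run through both models."""
    session = {ASSIGNED: "493027"}          # constructed sample OTP
    wrong = {ACTION_HDR: "verify", CODE_HDR: "000000"}
    return {
        "permissive_no_otp": permissive({}, session),
        "permissive_wrong": permissive(wrong, session),
        "enforcing_no_otp": enforcing({}, session),
        "enforcing_wrong": enforcing(wrong, session),
    }
```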