Forum Discussion

MichaelJordan_1
Jun 18, 2015

Trim Mobile Number

Hi

 

The SMS company does not accept more than 10 characters for MobileNumber in the HTTP request, and they also do not accept the "+" sign or "+90". So it should look like "5431231020". This is the only valid pattern.

On the other hand, in the Active Directory server the users' mobile numbers are stored with the "+" sign, like "+905431231020", and they are more than 10 characters.

When I tried to achieve this pattern with an iRule, I used the rule below.

when ACCESS_POLICY_AGENT_EVENT {
    # Fires only for an "iRule Event" agent placed in the access policy, and
    # only if this iRule is attached to the virtual server the policy runs on.
    log local0. "Start"

    # Raw value from AD, e.g. "+905431231020" or "+90 543 123 10 20"
    set mobile [ACCESS::session data get "session.ad.last.attr.mobile"]
    log local0. "Mobile is $mobile"

    # Drop blanks, then keep the run of digits starting at the first "5".
    # If nothing matches, $mobile is left unchanged.
    regexp {(5[0-9]*)} [string map {" " ""} $mobile] mobile
    log local0. "New Number is $mobile"

    ACCESS::session data set "session.logon.last.username" $mobile
}

 

But after adding the iRule, it was never executed. I don't see the log lines in /var/log/{ltm,apm}.

So I changed approach and put the assignment below in a "Variable Assign" object, and it works.

session.logon.last.username = expr { [string map -nocase {"+90" ""} [mcget {session.ad.last.attr.mobile} ]] }

But now I cannot check the OTP, because it is always true! It doesn't matter what I type. After I delete the above Variable Assign from the policy path, it comes back again.

Why can't I use my iRules (yes, there are many of them and they all work fine)? Why can't I use my Variable Assign?
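The normalisation the post is after (strip "+90", blanks and anything else until exactly the ten local digits remain, and reject anything that does not fit the gateway's one valid pattern) as an added example, not code from the original post. It is plain Tcl, runs in tclsh, and sticks to commands available in iRules (Tcl 8.4 subset); inside an iRule the input would come from [ACCESS::session data get "session.ad.last.attr.mobile"]. The assumptions are the ones the thread implies: country code 90, mobile numbers starting with 5, and the sample inputs are constructed.

```tcl
# Added example, not code from the original post or from F5.
# Plain Tcl (tclsh), iRule-compatible command set.

# Turn the mobile number as stored in AD into the ten-digit local form the
# SMS gateway expects ("5431231020"). Accepts the variants that turn up in
# directories: "+905431231020", "+90 543 123 10 20", "0090-543-123-1020",
# "0543 123 10 20", "5431231020".
# Returns "" when no valid number can be derived, so the policy can branch
# to a fallback instead of firing an SMS at a malformed address.
proc normalize_msisdn {raw} {
    # keep digits only: drops "+", blanks, dashes, dots and parentheses
    set digits [regsub -all {[^0-9]} $raw ""]

    # "00" international-access prefix (0090...) is the same as "+90..."
    if {[string range $digits 0 1] eq "00"} {
        set digits [string range $digits 2 end]
    }
    # country code for Turkey without the plus: 90 + 10 local digits
    if {[string length $digits] == 12 && [string range $digits 0 1] eq "90"} {
        set digits [string range $digits 2 end]
    }
    # national trunk prefix: 0 + 10 local digits
    if {[string length $digits] == 11 && [string index $digits 0] eq "0"} {
        set digits [string range $digits 1 end]
    }

    # the only pattern the gateway accepts: exactly ten digits, and Turkish
    # mobile numbers start with 5. Anything else is rejected, not guessed at.
    if {![regexp {^5[0-9]{9}$} $digits]} {
        return ""
    }
    return $digits
}

# Constructed test inputs (not real numbers). The second column is what the
# gateway must receive; "" means "do not send, branch to fallback".
foreach {input expected} {
    "+905431231020"     "5431231020"
    "+90 543 123 10 20" "5431231020"
    "0090-543-123-1020" "5431231020"
    "0543 123 10 20"    "5431231020"
    "5431231020"        "5431231020"
    "+902121234567"     ""
    "not a number"      ""
} {
    set got [normalize_msisdn $input]
    puts [format "%-20s -> %-12s %s" $input "\"$got\"" \
        [expr {$got eq $expected ? "ok" : "MISMATCH"}]]
}
```

The landline "+902121234567" and the free-text value come back empty on purpose: the original regexp {(5[0-9]*)} would silently pass "2121234567" through unchanged, while this version refuses anything that is not a ten-digit mobile number, which is what the gateway's single accepted pattern actually requires. In an access policy the same logic fits in a Variable Assign custom expression (replace the proc body's `$raw` with `[mcget {session.ad.last.attr.mobile}]`), or, on BIG-IP 11.4 and later, in a proc defined in a separate iRule and invoked with `call`.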

 

29 Replies

    • THi
      Well, he may have taken it for granted. I don't think it is well documented anywhere. But anyway, an iRule is a resource of the virtual server, like a server pool, and needs to be associated with it. I think I mentioned it in my first reply. I had another comment on the variable assign earlier in the thread: I think session.logon.last.password should not be prepopulated with the OTP value. It should be entered by the user and then compared against the generated value (session.otp.assigned.val).
    • MichaelJordan_1
      Well, let me ask: do you know which variable holds the OTP value on the APM? I mean, I have to replace a value with the "text" string in the URL. In the SMS request URL there must be a "text" string which carries the value of the one-time password. This is the requirement. If I don't replace "session.logon.last.password" with the OTP message, APM sends the user's password.
    • THi
      You were referring to Jason's article from 2011, I believe. It is partially obsolete, as OTP is now available as a macro in the VPE. There is an enhanced article with more features; if you haven't seen it, here is the link: https://devcentral.f5.com/s/articles/you-down-with-otp (unfortunately only the first part is available so far). APM sends out whatever you define in the HTTP Auth AAA server used in the macro. The OTP variable which is sent to the SMS gateway is defined in the SMS gateway AAA server configuration, in the hidden parameters. The macro stores it in session.otp.assigned.val. Jason used session.logon.last.password and needed a variable assignment, because initially the OTP generation was done with an iRule. I would send out the OTP directly from session.otp.assigned.val and read what the user types into a different variable (session.logon.last.password) to really keep them separate. Using the same variable for both works, but in my paranoid security thinking I would still not prefill the OTP variable that I read in from the user. I would keep these variables separate, just to avoid comparing a prefilled correct value with the same correct value if some kind of error occurred.
  • You can combine the two assignments into one:

    session.logon.last.username =
    # strip blanks, then keep the last ten digits; this drops "+90" (and "0090")
    # without running the value through expr, which would choke on non-digits
    set user [string map {" " ""} [mcget {session.ad.last.attr.mobile}]];
    return [string range $user end-9 end]

    To simplify future changes to the VPE, do not overwrite variable values: create a session.logon.last.otpmobile variable and use it in the OTP delivery method.

  • The session variable session.logon.last.XXX means:

    • logon : the variable is provisioned by a logon page
    • last : the value from the last logon page (or the previous one, if the last did not have this variable defined)
    • XXX : the value set in the logon page's "Session Variable Name" field

    By default, session.logon.last contains:

    • username (username entered by the user; the username part if the user entered DOMAIN\user and split domain is enabled)
    • logonname (the real username value entered by the user)
    • password

    You can create your own variables wherever you want (session.custom is a good place), but authentication variables are better kept in session.logon.last for organisation.