Before you start this task, configure an access profile.
Create an access policy like this when you need to generate and send a one-time password over email.
Note: Look at the macro, AD query auth OTP by email and resources, to determine whether to use it to configure an access policy similar to this one.
1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
2. In the Access Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen.
3. Add actions to authenticate the user and find an email address and a mobile phone number.
a) Click the (+) icon anywhere in your access profile to add a new action item.
A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
b) On the Authentication tab, select AD Auth and click Add Item. A popup properties screen displays.
c) From the Server list, select a server and click Save. The properties screen closes.
d) On the Successful branch after the previous action, click the (+) icon.
An Add Item screen opens, listing predefined actions that are grouped on tabs such as General Purpose, Authentication, and so on.
e) On the Authentication tab, select AD Query and click Add Item.
An AD Query is only one way to find the email address for a user. If users normally log on to your system with an email address as their username, you can get the email address using a Logon Page action.
A popup properties screen displays.
f) From the Server list, select a server.
g) Click Add new entry.
An empty entry displays under Required Attributes (optional).
h) Type mobile into the Required Attributes (optional) field.
After the query, the session.ad.last.attr.mobile variable holds the value.
i) Click Add new entry.
An empty entry displays under Required Attributes (optional).
j) Type mail into the Required Attributes (optional) field.
After the query, the session.ad.last.attr.mail variable holds the value.
k) Click Save.
The properties screen closes.
4. Generate a one-time password.
a) On the Successful branch after the previous action, click the (+) icon.
An Add Item screen opens, listing predefined actions that are grouped on tabs such as General Purpose, Authentication, and so on.
b) On the Authentication tab, select OTP Generate and click Add Item.
c) Click Save.
The properties screen closes and the visual policy editor displays.
5. Send the OTP to the user through the Email agent.
a) On the Successful branch after the previous action, click the (+) icon.
An Add Item screen opens, listing predefined actions that are grouped on tabs such as General Purpose, Authentication, and so on.
b) On the General Purpose tab, select Email and click Add Item.
c) From the SMTP Configuration list, select a configuration.
The configuration specifies an external SMTP server to send the email.
d) In the From field, type an email address on the system.
e) In the To field, type an email address, a session variable, or a session variable and a string. For example, type %{session.ad.last.attr.mobile}@providerservice.com, where providerservice.com is supplied by a mobile phone provider.
f) Type a subject in the Subject field.
g) In the Message field, type the one-time password and anything else the user should know. For example:
One Time Passcode: %{session.otp.assigned.val} Expires after use or in %{session.otp.assigned.ttl} seconds
h) Click Save.
The properties screen closes and the visual policy editor displays.
6. Add a Logon Page action that requests the one-time password only.
a) On the Successful branch after the previous action, click the (+) icon.
An Add Item screen opens, listing predefined actions that are grouped on tabs such as General Purpose, Authentication, and so on.
b) On the Logon tab, select Logon Page and click the Add Item button. The Logon Page Agent properties screen opens.
c) From the Logon Page Agent area, on line 1 select none from the Type column to remove the user name input field from the logon page; do not change line 2 (password).
d) From the Customization area in Logon Page Input Field # 2, type a prompt for the field. For example, type One-Time Passcode.
e) Click Save.
The properties screen closes and the visual policy editor displays.
7. Verify the one-time password.
a) On the Successful branch after the previous action, click the (+) icon.
An Add Item screen opens, listing predefined actions that are grouped on tabs such as General Purpose, Authentication, and so on.
b) On the Authentication tab, select OTP Verify and click Add Item.
c) Click Save.
The properties screen closes and the visual policy editor displays.
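The following is an added illustration, not code from the BIG-IP APM product or this guide: it models what steps 4, 5 and 7 do with a plain Python dictionary standing in for the APM session. The session variable names (session.ad.last.attr.mobile, session.otp.assigned.val, session.otp.assigned.ttl) and the %{...} substitution syntax are taken from the procedure; the 6-digit random code, the 300-second default TTL, the single-use bookkeeping keys and the sample attribute values are assumptions made for the example and are not APM's own algorithm. It also shows the check a practitioner would want on the To field: if the mobile attribute came back empty from the AD Query, the template expands to a bare "@providerservice.com" and the OTP should not be sent.

```python
import re
import secrets
import time

# Constructed stand-in for the APM session after the AD Query action.
# The attribute values are made up for this example.
def make_session():
    return {
        "session.ad.last.attr.mail": "alice@example.com",
        "session.ad.last.attr.mobile": "5551234567",
    }

# Matches the %{session.name} references used in the Email agent fields.
VAR = re.compile(r"%\{([A-Za-z0-9_.]+)\}")

def expand(template, session):
    """Replace each %{name} with session[name]; unknown names expand to ''."""
    return VAR.sub(lambda m: session.get(m.group(1), ""), template)

def otp_generate(session, ttl=300, digits=6):
    """Model of OTP Generate: store a random numeric code and its TTL.
    Code length, TTL and the bookkeeping keys are assumptions."""
    code = "".join(secrets.choice("0123456789") for _ in range(digits))
    session["session.otp.assigned.val"] = code
    session["session.otp.assigned.ttl"] = str(ttl)
    session["_otp_issued_at"] = time.time()   # hypothetical key, not an APM variable
    session["_otp_used"] = False              # hypothetical key, not an APM variable
    return code

def otp_verify(session, submitted, now=None):
    """Model of OTP Verify: accept only an unused, unexpired, exact match,
    and consume the code on success so it cannot be replayed."""
    now = time.time() if now is None else now
    code = session.get("session.otp.assigned.val")
    if not code or session.get("_otp_used"):
        return False
    if now - session["_otp_issued_at"] > int(session["session.otp.assigned.ttl"]):
        return False
    # Constant-time comparison avoids leaking how many digits matched.
    if not secrets.compare_digest(code, submitted):
        return False
    session["_otp_used"] = True
    return True

def compose_email(session):
    """Render the To and Message fields from step 5 against the session."""
    to = expand("%{session.ad.last.attr.mobile}@providerservice.com", session)
    body = expand(
        "One Time Passcode: %{session.otp.assigned.val} "
        "Expires after use or in %{session.otp.assigned.ttl} seconds",
        session,
    )
    if to.startswith("@"):
        # Empty mobile attribute: refuse rather than mail a bare domain.
        raise ValueError("session.ad.last.attr.mobile is empty; not sending OTP")
    return to, body

if __name__ == "__main__":
    s = make_session()
    code = otp_generate(s, ttl=60)
    print(compose_email(s))
    print("verify:", otp_verify(s, code), "replay:", otp_verify(s, code))
```

Run directly, it prints the rendered To address and message, then a successful verification followed by a rejected replay of the same code.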
8. (Optional) Add any other branches and actions that you need to complete the access policy.
9. Change the Successful rule branch from Deny to Allow and click the Save button.
10. At the top of the window, click the Apply Access Policy link to apply and activate your changes to this access policy.
11. Click the Close button to close the visual policy editor.
You have an access policy that provides a user with a one-time time-based password over SMTP. To apply this access policy to network traffic, add the access profile to a virtual server.
163 BIG-IP® Access Policy Manager®: Authentication and Single Sign-On
Note: To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.
Verifying log settings for the access profile
Confirm that the correct log settings are selected for the access profile to ensure that events are logged as you intend.
Note: Log settings are configured in the Access Policy Event Logs area of the product. They enable and disable logging for access system and URL request filtering events. Log settings also specify log publishers that send log messages to specified destinations.
1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
2. Click the name of the access profile that you want to edit. The properties screen opens.
3. On the menu bar, click Logs.
The access profile log settings display.
4. Move log settings between the Available and Selected lists.
You can assign up to three log settings that enable access system logging to an access profile. You can assign additional log settings to an access profile provided that they enable logging for URL request logging only.
Note: Logging is disabled when the Selected list is empty.
5. Click Update.
An access profile is in effect when it is assigned to a virtual server.