Before you start this task, configure an access profile and configure a form action that uses an external SMS to send the one-time password.
Create an access policy like this when you need to generate and send a one-time password as a text message and you do not want to send it using email.
Note: The macro, AD auth query OTP by HTTP and resources, is available from the visual policy editor and might be useful to configure an access policy similar to this one.
1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
2. In the Access Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen.
3. Add actions to authenticate the user and find a mobile phone number.
a) Click the (+) icon anywhere in your access profile to add a new action item.
A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
b) From the Authentication tab, select AD Auth and click Add Item. A pop-up properties screen displays.
c) From the Server list, select a server and click Save. The properties screen closes.
d) On the Successful branch after the previous action, click the (+) icon.
An Add Item screen opens, listing predefined actions that are grouped on tabs such as General Purpose, Authentication, and so on.
e) On the Authentication tab, select AD Query and click Add Item. A pop-up properties screen displays.
g) Click Add new entry.
An empty entry displays under Required Attributes (optional).
h) Type mobile into the Required Attributes (optional) field.
i) Click Save.
The properties screen closes.
4. Generate a one-time password.
a) On the Successful branch after the previous action, click the (+) icon.
An Add Item screen opens, listing predefined actions that are grouped on tabs such as General Purpose, Authentication, and so on.
b) From the Authentication tab, select OTP Generate and click Add Item.
c) Click Save.
The properties screen closes and the visual policy editor is displayed.
5. Make the OTP secure.
a) On the Successful branch after the previous action, click the (+) icon.
An Add Item screen opens, listing predefined actions that are grouped on tabs such as General Purpose, Authentication, and so on.
b) From the Assignment tab, select Variable Assign and click Add Item. A properties screen opens.
c) Click Add new entry. An empty entry displays.
d) Click the change link in the new entry. A popup screen opens.
e) From the Unsecure list, select Secure.
f) In the Custom Variable text box, type session.user.otp.pwd.
g) In the Custom Expression text box, type expr { [mcget {session.user.otp.pw}]}.
h) Click Finished.
The popup screen closes.
6. Send the OTP through the HTTP Auth agent.
a) On the Successful branch after the previous action, click the (+) icon.
An Add Item screen opens, listing predefined actions that are grouped on tabs such as General Purpose, Authentication, and so on.
b) From the Authentication tab, select HTTP Auth and click Add Item.
c) From the AAA server list, select the HTTP form-based server that you configured previously.
d) Click Save.
The properties screen closes and the visual policy editor is displayed.
7. Add a Logon Page action that requests only the one-time password.
a) On the Successful branch after the previous action, click the (+) icon.
An Add Item screen opens, listing predefined actions that are grouped on tabs such as General Purpose, Authentication, and so on.
b) From the Logon Page tab, select Logon Page and click Add Item. A pop-up properties screen displays.
c) From the Logon Page Agent area, on line 1 select password from the Type column and change the post and session variable names.
The variable name password is acceptable.
d) From the Customization area in Logon Page Input Field # 1, type a prompt for the field. For example, type One-Time Passcode.
165 BIG-IP® Access Policy Manager®: Authentication and Single Sign-On
e) Click Save.
The properties screen closes and the visual policy editor is displayed.
8. Verify the one-time password.
a) On the Successful branch after the previous action, click the (+) icon.
An Add Item screen opens, listing predefined actions that are grouped on tabs such as General Purpose, Authentication, and so on.
b) From the Authentication tab, select OTP Verify and click Add Item.
c) Click Save.
The properties screen closes and the visual policy editor is displayed.
9. (Optional) Add any other branches and actions that you need to complete the access policy.
10. Change the Successful rule branch from Deny to Allow and click the Save button.
11. At the top of the window, click the Apply Access Policy link to apply and activate your changes to this access policy.
12. Click the Close button to close the visual policy editor.
You now have an access policy that uses HTTP authentication to provide a user with a time-based one-time password over SMS.