Before you start this task, configure an access profile and configure a form action that uses an external SMS to send the one-time password.
Create an access policy like this when you need to generate and send a one-time password as a text message and you do not want to send it using email.
Note: The macro, AD auth query OTP by HTTP and resources, is available from the visual policy editor and might be useful to configure an access policy similar to this one.
- On the Main tab, click . The Access Profiles List screen opens.
- In the Access Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen.
- Add actions to authenticate the user and find a mobile phone number.
- Click the (+) icon anywhere in your access profile to add a new action item. An popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
- From the Authentication tab, select AD Auth and click Add Item. A pop-up properties screen displays.
- From the Server list, select a server and click Save. The properties screen closes.
- On the Successful branch after the previous action, click the (+) icon. An Add Item screen opens, listing predefined actions that are grouped on tabs such as General Purpose, Authentication, and so on.
- On the Authentication tab, select AD Query and click Add Item. A pop-up properties screen displays.
- From the Server list, select a server.
- Click Add new entry. An empty entry displays under Required Attributes (optional).
- Type mobile into the Required Attributes (optional) field
- Click Save. The properties screen closes.
- Generate a one-time password.
- On the Successful branch after the previous action, click the (+) icon. An Add Item screen opens, listing predefined actions that are grouped on tabs such as General Purpose, Authentication, and so on.
- From the Authentication tab, select OTP Generate and click Add Item.
- Click Save. The properties screen closes and the visual policy editor is displayed.
- Make the OTP secure.
- On the Successful branch after the previous action, click the (+) icon. An Add Item screen opens, listing predefined actions that are grouped on tabs such as General Purpose, Authentication, and so on.
- From the Assignment tab, select Variable Assign and click Add Item. A properties screen opens.
- Click Add new entry. An Empty entry displays.
- Click the change link in the new entry. A popup screen opens.
- From the Unsecure list, select Secure.
- In the Custom Variable text box, type session.user.otp.pwd.
- In the Custom Expression text box, type expr { [mcget {session.user.otp.pw}]}.
- Click Finished. The popup screen closes.
- Send the OTP through the HTTP Auth agent.
- On the Successful branch after the previous action, click the (+) icon. An Add Item screen opens, listing predefined actions that are grouped on tabs such as General Purpose, Authentication, and so on.
- From the Authentication tab, select HTTP Auth and click Add Item.
- From the AAA server list, select the HTTP form-based server that you configured previously.
- Click Save. The properties screen closes and the visual policy editor is displayed.
- Add a Logon Page action that requests only the one-time password.
- On the Successful branch after the previous action, click the (+) icon. An Add Item screen opens, listing predefined actions that are grouped on tabs such as General Purpose, Authentication, and so on.
- From the Logon Page tab, select Logon Page and click Add Item. A pop-up properties screen displays.
- From the Logon Page Agent area, on line 1 select password from the Type column and change the post and session variable names. The variable name password is acceptable.
- From the Customization area in Logon Page Input Field # 1, type a prompt for the field. For example, type One-Time Passcode.
- Click Save. The properties screen closes and the visual policy editor is displayed.
- Verify the one-time password.
- On the Successful branch after the previous action, click the (+) icon. An Add Item screen opens, listing predefined actions that are grouped on tabs such as General Purpose, Authentication, and so on.
- From the Authentication tab, select OTP Verify and click Add Item.
- Click Save. The properties screen closes and the visual policy editor is displayed.
- Optional: Add any other branches and actions that you need to complete the access policy.
- Change the Successful rule branch from Deny to Allow and click the Save button.
- At the top of the window, click the Apply Access Policy link to apply and activate your changes to this access policy.
- Click the Close button to close the visual policy editor.
You have an access policy that uses HTTP authentication to provide a user with a one-time time-based password over SMS.
To put the access policy into effect, you must attach it to a virtual server.