Before you start this task, configure an access profile and configure a form action that uses an external SMS to send the one-time password.
Create an access policy like this when you need to generate a one-time password and deliver it as a text message rather than by email.
Note: The macro, AD auth query OTP by HTTP and resources, is available from the visual policy editor and might be useful to configure an access policy similar to this one.
- On the Main tab, click .
The Access Profiles (Per-Session Policies) screen opens.
- In the Per-Session Policy column, click the Edit link for the access profile you want to configure.
The visual policy editor opens the access policy in a separate screen.
- Add actions to authenticate the user and look up the user's mobile phone number.
  - Click the (+) icon anywhere in your access policy to add a new action item.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  - From the Authentication tab, select AD Auth and click Add Item.
    A pop-up properties screen displays.
  - From the Server list, select a server and click Save.
    The properties screen closes.
  - On the Successful branch after the previous action, click the (+) icon.
    An Add Item screen opens, listing predefined actions that are grouped on tabs such as General Purpose, Authentication, and so on.
  - On the Authentication tab, select AD Query and click Add Item.
    A pop-up properties screen displays.
  - From the Server list, select a server.
  - Click Add new entry.
    An empty entry displays under Required Attributes (optional).
  - Type mobile into the Required Attributes (optional) field.
    The query fails (and the policy takes the fallback branch) for a user whose directory entry has no mobile attribute, so there is no number to send the OTP to.
  - Click Save.
    The properties screen closes.
- Generate a one-time password.
  - On the Successful branch after the previous action, click the (+) icon.
    An Add Item screen opens, listing predefined actions that are grouped on tabs such as General Purpose, Authentication, and so on.
  - From the Authentication tab, select OTP Generate and click Add Item.
  - Click Save.
    The properties screen closes and the policy displays.
- Copy the OTP into a secure session variable.
  OTP Generate stores the password in session.user.otp.pw. Copying it into a variable marked Secure keeps the value out of session reports and logs; the form action configured on the HTTP AAA server reads the secure variable.
  - On the Successful branch after the previous action, click the (+) icon.
    An Add Item screen opens, listing predefined actions that are grouped on tabs such as General Purpose, Authentication, and so on.
  - From the Assignment tab, select Variable Assign and click Add Item.
    A properties screen opens.
  - Click Add new entry.
    An empty entry displays.
  - Click the change link in the new entry.
    A popup screen opens.
  - From the Unsecure list, select Secure.
  - In the Custom Variable text box, type session.user.otp.pwd.
  - In the Custom Expression text box, type expr { [mcget {session.user.otp.pw}]}.
  - Click Finished.
    The popup screen closes.
- Send the OTP through the HTTP Auth agent.
  - On the Successful branch after the previous action, click the (+) icon.
    An Add Item screen opens, listing predefined actions that are grouped on tabs such as General Purpose, Authentication, and so on.
  - From the Authentication tab, select HTTP Auth and click Add Item.
  - From the AAA server list, select the HTTP form-based server that you configured previously.
  - Click Save.
    The properties screen closes and the policy displays.
- Add a Logon Page action that requests only the one-time password.
  - On the Successful branch after the previous action, click the (+) icon.
    An Add Item screen opens, listing predefined actions that are grouped on tabs such as General Purpose, Authentication, and so on.
  - From the Logon Page tab, select Logon Page and click Add Item.
    A pop-up properties screen displays.
  - In the Logon Page Agent area, on line 1, select password from the Type column, and change the post variable name and the session variable name.
    The name password is acceptable for both.
  - In the Customization area, for Logon Page Input Field # 1, type a prompt for the field.
    For example, type One-Time Passcode.
  - Click Save.
    The properties screen closes and the policy displays.
- Verify the one-time password.
  - On the Successful branch after the previous action, click the (+) icon.
    An Add Item screen opens, listing predefined actions that are grouped on tabs such as General Purpose, Authentication, and so on.
  - From the Authentication tab, select OTP Verify and click Add Item.
  - Click Save.
    The properties screen closes and the policy displays.
- Optional: Add any other branches and actions that you need to complete the policy.
- Change the ending on the Successful branch after OTP Verify from Deny to Allow, and click the Save button.
- At the top of the window, click the Apply Access Policy link to apply and activate your changes to this access policy.
- Click the Close button to close the visual policy editor.
You now have an access policy that authenticates the user against Active Directory, sends a one-time password to the user's mobile phone over SMS through an HTTP form-based AAA server, and verifies the password the user enters.
To apply this access policy to network traffic, add the access profile to a virtual server.
Note: To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.
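As an added illustration, and not BIG-IP code or part of this page, the following Python walks the same branches the policy above chains together: a constructed directory stands in for AD Auth and for the AD Query of the mobile attribute (APM stores that attribute in session.ad.last.attr.mobile), the OTP is generated from a cryptographically secure source and copied into a separate secure store the way the Variable Assign copies session.user.otp.pw into session.user.otp.pwd, the SMS body is the form POST the HTTP form-based AAA server would send, and verification includes the checks a practitioner should expect to be in force around OTP Verify: a short lifetime, an attempt limit, single use, and a constant-time comparison. The gateway field names (to, text), the six-digit length, the 300-second lifetime, the three-attempt limit and the directory entries are assumptions made for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import urlencode

# Constructed directory standing in for Active Directory. "mobile" is the
# attribute the AD Query action on the page retrieves; bob has none.
DIRECTORY = {
    "alice": {"password": "correct horse", "mobile": "+15555550100"},
    "bob": {"password": "hunter2", "mobile": ""},
}

OTP_DIGITS = 6          # assumed OTP length
OTP_TTL_SECONDS = 300   # assumed OTP lifetime
MAX_ATTEMPTS = 3        # assumed number of verify attempts per OTP


@dataclass
class Session:
    plain: dict = field(default_factory=dict)    # unsecure session variables
    secure: dict = field(default_factory=dict)   # variables marked Secure
    otp_issued_at: float = 0.0
    otp_attempts: int = 0


def ad_auth(session, username, password):
    """Stand-in for the AD Auth action."""
    user = DIRECTORY.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return False
    session.plain["session.logon.last.username"] = username
    return True


def ad_query_mobile(session):
    """Stand-in for AD Query with Required Attribute 'mobile'.
    Returns False (the fallback branch) when the user has no number."""
    user = DIRECTORY[session.plain["session.logon.last.username"]]
    mobile = user.get("mobile", "")
    if not mobile:
        return False
    session.plain["session.ad.last.attr.mobile"] = mobile
    return True


def otp_generate(session, now=None):
    """Stand-in for OTP Generate: fixed-width decimal code from a CSPRNG."""
    code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    session.plain["session.user.otp.pw"] = code
    session.otp_issued_at = time.time() if now is None else now
    session.otp_attempts = 0
    return code


def variable_assign_secure(session):
    """Equivalent of the Variable Assign on the page:
    Secure session.user.otp.pwd = expr { [mcget {session.user.otp.pw}] }
    Like the real action this copies; the unsecure variable remains set."""
    session.secure["session.user.otp.pwd"] = session.plain["session.user.otp.pw"]


def http_auth_sms_body(session):
    """Form body the HTTP form-based AAA server would POST to the SMS
    gateway. Field names 'to' and 'text' are assumed for the example."""
    return urlencode({
        "to": session.plain["session.ad.last.attr.mobile"],
        "text": "Your one-time passcode is " + session.secure["session.user.otp.pwd"],
    })


def otp_verify(session, submitted, now=None):
    """Stand-in for OTP Verify plus the guards a deployment should have:
    expiry, attempt limit, single use, constant-time comparison."""
    now = time.time() if now is None else now
    expected = session.secure.get("session.user.otp.pwd")
    if expected is None:
        return False
    if now - session.otp_issued_at > OTP_TTL_SECONDS:
        session.secure.pop("session.user.otp.pwd")
        return False
    session.otp_attempts += 1
    if session.otp_attempts > MAX_ATTEMPTS:
        session.secure.pop("session.user.otp.pwd")
        return False
    if hmac.compare_digest(expected, submitted):
        session.secure.pop("session.user.otp.pwd")   # single use
        return True
    return False


def run_policy(username, password, answer_logon_page, now=0.0):
    """Chain the actions in the order the page's policy does. The Logon Page
    is modelled by a callback that receives the SMS body and returns what
    the user types into the One-Time Passcode field."""
    s = Session()
    if not ad_auth(s, username, password):
        return "deny: AD Auth"
    if not ad_query_mobile(s):
        return "deny: no mobile"
    otp_generate(s, now)
    variable_assign_secure(s)
    submitted = answer_logon_page(http_auth_sms_body(s))
    return "allow" if otp_verify(s, submitted, now) else "deny: OTP Verify"
```

The callback in run_policy is only a stand-in for the user reading the text message; in the real policy the value arrives through the Logon Page post variable and OTP Verify compares it with the stored OTP.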