Article Number | 000030035 |
Applies To | RSA Product Set: SecurID RSA Product/Service Type: Authentication Manager RSA Version/Condition: 8.1 SP1 Platform (Other): Cisco ASA ver. 9.3.1, 9.3(1) |
Issue | When attempting to authenticate with risk-based authentication (RBA) on a Cisco ASA appliance, the successful authentication response from the RBA web tier is sent to an invalid URL on the ASA. It goes to /%20webvpn%20/index.html when it should go to /+webvpn+/index.html, so the ASA authentication fails.
The RSA integration script no longer preserves plus signs (+, percent-encoded as %2B) in the return URL, but instead turns them into spaces (%20).
It could be that the web tier is the component interpreting this incorrectly. The cause has not been confirmed; the problem has only been seen with RBA and Cisco ASA 9.3.1 through the Web Tier. |
Cause | Cisco ASA uses plus signs in its login URL (that is, /+webvpn+/index.html).
The am_integration.js script for RSA Authentication Manager 8.1 SP1 mistakenly interprets the + signs as spaces and then redirects to /%20webvpn%20/index.html (that is, "/ webvpn /index.html") instead of /+webvpn+/index.html. |
Resolution | No resolution or bug fix yet; use the workaround below. |
Workaround | The original downloaded integration script creates a hidden input, origActionURL, whose value comes from a call to toAbsolutePath(logonForm.action), which resolves your site's Cisco ASA URL:
    // add new input containing the original action URL
    var origActionURL = document.createElement('input');
    origActionURL.setAttribute('type', 'hidden');
    origActionURL.setAttribute('name', 'ORIG_ACTION_URL');
    origActionURL.setAttribute('value', toAbsolutePath(logonForm.action));
    logonForm.appendChild(origActionURL);
You will want to hardcode the origActionURL value with the return URL for your Cisco VPN host, replacing each + character with its percent-encoded form %2B.
This only appears to affect this variable (the return URL), where the web tier replaces the + signs with %20 instead of %2B. The referringURL value is not affected.
    // add new input containing the original action URL
    var origActionURL = document.createElement('input');
    origActionURL.setAttribute('type', 'hidden');
    origActionURL.setAttribute('name', 'ORIG_ACTION_URL');
    origActionURL.setAttribute('value', 'https://<Cisco_ASA>.<Domain>.com/%2Bwebvpn%2B/index.html');
    logonForm.appendChild(origActionURL);
That is, the path that currently arrives as /%20webvpn%20/index.html is hardcoded as /%2Bwebvpn%2B/index.html.
Note: Do not hardcode a literal plus sign (+), and do not use a lower-case b (%2b) for the %2B encoding. |
Notes | The typical downloaded am_integration.js script contains a section that creates the redirect back to the RBA agent after authentication:
    function toAbsolutePath(url) {
        if (url.search('://') != -1) {
            return url;
        }
        if (url.indexOf('/') == 0) {
            var loc = location.href + "/";
            return loc.replace(/(.*?:\/\/[^\/]*?)\/.*/, '$1' + url);
        }
        return location.href.replace(/(.*\/).*/, '$1' + url);
    }
The generated redirect page can also be inspected in your browser (view the page source); it looks like this:
    <html>
    <head>
    <script>
    <!--
    function getActionURL() {
        var protocol = 'https';
        var shortHostname = '192';
        var domainName = '168.60.99';
        var port = 444;
        var path = '/ webvpn /index.html';
        return protocol + '://' + shortHostname + '.' + domainName + ':' + port + path;
    }
    function submitLogonForm() {
        document.getElementById('logon_form').action = getActionURL();
        document.getElementById('logon_form').submit();
    }
    //-->
    </script>
    </head>
    <body onLoad='submitLogonForm()'>
    <form name='logon_form' id='logon_form' method='post' action='https%3A%2F%2F149.63.60.99%3A444%2F+webvpn +%2Findex.html'>
    <input type='hidden' name='username' value='jguillette'/>
    <input type='hidden' name='next' value=''/>
    <input type='hidden' name='tgroup' value=''/>
    <input type='hidden' name='password' value='01jh7ka0f3x3ggaa'/>
    <input type='hidden' name='tgcookieset' value=''/>
    </form>
    </body>
    </html>
Due to a bug somewhere in the redirect creation, the + in the Cisco ASA URL is interpreted as a blank space: the generated path comes out as '/ webvpn /index.html', and in the form action the slashes and colon are percent-encoded while the + is left as a literal + rather than %2B. |
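The following is an added example, not code from RSA's am_integration.js or from the Cisco ASA. It illustrates both the Workaround and the Notes above: in application/x-www-form-urlencoded data (the encoding of a POSTed form field such as ORIG_ACTION_URL) a literal + is decoded as a space before percent-decoding, which is exactly the symptom described, so a + that must survive the round trip has to be sent as %2B. The block carries the page's toAbsolutePath() logic (with the page URL passed in so it runs outside a browser), a decoder that applies the standard form-field rule, and a replacement for the hardcoded value that derives the ORIG_ACTION_URL from the logon form and escapes every + as uppercase %2B. The hostname asa.example.com, the relative form action and the plain-object stand-in for the DOM form are assumptions for the demo.

```javascript
// Added example: why a literal "+" in ORIG_ACTION_URL comes back as a space,
// and a non-hardcoded way to build the value. Not part of am_integration.js.
// Assumed for the demo: hostname asa.example.com, a relative form action,
// and a plain {action: ...} object in place of the DOM logon form.

// toAbsolutePath as found in the downloaded integration script, with the
// current page URL (location.href in the browser) passed as a parameter.
function toAbsolutePath(url, pageHref) {
  if (url.search('://') != -1) {
    return url;
  }
  if (url.indexOf('/') == 0) {
    var loc = pageHref + '/';
    return loc.replace(/(.*?:\/\/[^\/]*?)\/.*/, '$1' + url);
  }
  return pageHref.replace(/(.*\/).*/, '$1' + url);
}

// What a server does with one application/x-www-form-urlencoded field:
// "+" becomes a space first, then %XX sequences are decoded. This alone
// turns /+webvpn+/index.html into "/ webvpn /index.html" (the same thing
// the web tier re-encodes as /%20webvpn%20/index.html).
function decodeFormField(value) {
  return decodeURIComponent(value.replace(/\+/g, ' '));
}

// Escape each "+" as uppercase %2B so decodeFormField() returns a literal "+".
function protectPlus(url) {
  return url.replace(/\+/g, '%2B');
}

// Value for the ORIG_ACTION_URL hidden input, derived from the logon form
// rather than hardcoded per site.
function origActionUrlValue(logonForm, pageHref) {
  return protectPlus(toAbsolutePath(logonForm.action, pageHref));
}

// Mirrors the attributes the script sets on the hidden input; returned as an
// object here because there is no document.createElement outside a browser.
function buildOrigActionInput(logonForm, pageHref) {
  return {
    type: 'hidden',
    name: 'ORIG_ACTION_URL',
    value: origActionUrlValue(logonForm, pageHref)
  };
}

// Demo with constructed inputs (assumed ASA host and relative action).
var page = 'https://asa.example.com/+webvpn+/index.html';
var form = { action: '/+webvpn+/index.html' };
var unprotected = toAbsolutePath(form.action, page);
var protectedValue = origActionUrlValue(form, page);
console.log('unprotected:', unprotected, '->', decodeFormField(unprotected));
console.log('protected:  ', protectedValue, '->', decodeFormField(protectedValue));
```

Running the block prints the unprotected value decoding to "https://asa.example.com/ webvpn /index.html" and the protected value decoding back to "https://asa.example.com/+webvpn+/index.html". If you prefer the derived value over the hardcoded one in the Workaround, the only change to the script is replacing the toAbsolutePath(logonForm.action) argument with the protectPlus(...) wrapper shown here; the hidden input's name and type stay the same.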