000030035 - Risk-Based Authentication from Cisco ASA 9.3.1 redirects to wrong URL for RSA Authentication Manager 8.1

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Jan 6, 2020
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000030035
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 SP1
Platform (Other): Cisco ASA ver. 9.3.1, 9.3(1)
IssueWhen attempting to authenticate with risk-based authentication (RBA) on a Cisco ASA appliance, the successful authentication response from the RBA webtier appears to be going to an invalid url on the ASA. It is going to /%20webvpn%20/index.html, and it should be going to /+webvpn+/index.html, so the ASA authentication fails.

The RSA integration script no longer correctly interprets plus signs (+, ASCII %2B), but instead interprets them as spaces (ASCII %20).

It could be that the web tier that is interpreting this incorrectly.  We are not sure as to cause, as we have only seen it with RBA and Cisco ASA 9.3.1 through Web Tier.
 
Cause

Cisco ASA  uses plus signs in their login URL (that is, /+webvpn+/index.html). 

The am_integration.js script for RSA Authentication Manager 8.1 SP1 mistakenly interprets the + signs as spaces and then redirects to  /%20webvpn%20/index.html or  / webvpn index.html instead of  /+webvpn+/index.html.

ResolutionNo resolution or bug fix yet, use workaround below
WorkaroundThe original downloaded integration script has a variable origActionURL with a procedure called toAbsolutePath(logonForm.action) which interprets your sites Cisco ASA URL:

// add new input containing the original action URL
var origActionURL = document.createElement('input');
origActionURL.setAttribute('type', 'hidden');
origActionURL.setAttribute('name', 'ORIG_ACTION_URL');
origActionURL.setAttribute('value', toAbsolutePath(logonForm.action));
logonForm.appendChild(origActionURL);


You will want to hardcode the origActionURL path with your Return URL with your Cisco VPN name, replacing the + characters with HTML code %2B.  

This only appears to affect this variable the Return URL where the webtier is replacing the + signs with %20 instead of %2B.  The referringURL is OK and not affected.

// add new input containing the original action URL
var origActionURL = document.createElement('input');
origActionURL.setAttribute('type', 'hidden');
oorigActionURL.setAttribute('name', 'ORIG_ACTION_URL');
oorigActionURL.setAttribute('value', 'https://<Cisco_ASA>.<Domain>.com/%2Bwebvpn%2B/index.html');
logonForm.appendChild(origActionURL);


Hardcode the /%20webvpn%20/index.html as /%2Bwebvpn%2B/index.html

Note: Do not hardcode the plus sign + and do not use lower case b for the ASCII %2B.
NotesTypical dowloaded am_integratio.js script contains a sections a section that creates a redirect back to the RBA agent after authentication:

function toAbsolutePath(url) {
if (url.search('://') != -1) {
return url;
}
if (url.indexOf('/') == 0) {
var loc = location.href + "/";
return loc.replace(/(.*?:\/\/[^\/]*?)\/.*/, '$1' + url);
}
return location.href.replace(/(.*\/).*/, '$1' + url); }

Which you can look at in your browser too, 

<html>
<head>
<script>
<!--
    function getActionURL() {
        var protocol = 'https';
        var shortHostname = '192';
        var domainName = '168.60.99';
        var port = 444;
        var path = '/ webvpn /index.html';

        return protocol + '://' + shortHostname+ '.' + domainName+':'+port+ path;
    }
function submitLogonForm() {
        document.getElementById('logon_form').action=getActionURL();
        document.getElementById('logon_form').submit();
}
//-->
</script>
</head>
<body onLoad='submitLogonForm()'>
<form name='logon_form' id='logon_form' method='post' action='https%3A%2F%2F149.63.60.99%3A444%2F+webvpn
+%2Findex.html'>
<input type='hidden' name='username' value='jguillette'/>
<input type='hidden' name='next' value=''/>
<input type='hidden' name='tgroup' value=''/>
<input type='hidden' name='password' value='01jh7ka0f3x3ggaa'/>
<input type='hidden' name='tgcookieset' value=''/>
</form>
</body>
</html>


Due a a bug somewhere, the redirect creation interprets the + in a Cisco ASA URL as a blank space

Attachments

    Outcomes