on Jun 14, 2016Article Content
| Article Number | 000030035 |
| Applies To | RSA Product Set: SecurID RSA Product/Service Type: Authentication Manager RSA Version/Condition: 8.1.0 SP1 Platform: Suse Linux Platform (Other): Cisco ASA ver. 9.3.1, 9.3(1) O/S Version: Red Hat Linux 6.2 Product Name: RSA-0010810 Product Description: RSA-0010810 |
| Issue | Attempting to authenticate with RBA on an ASA appliance. The successful authentication response from the RBA webtier appears to be going to an invalid url on the ASA. it is going to /%20webvpn%20/index.html, and it should be going to /+webvpn+/index.html, so ASA authentication fails. The RSA integration script no longer correctly interprets plus signs + (ascii %2B) but instead interprets them as spaces (ascii %20) It could be the Web Tier that is interpreting this, we are not sure as we have only seen it with RBA and Cisco ASA 9.3.1 through Web Tier (only 3 customers reported this particular problem) re-direct, SSL VPN portal, adaptive security appliance |
| Cause | Cisco ASA uses plus signs in their login URL, /+webvpn+/index.html |
| Resolution | No resolution or Bug fix yet, use workaround below |
| Workaround | The original downloaded integration script has a variable origActionURL with a procedure called toAbsolutePath(logonForm.action) which interprets your sites Cisco ASA URL: // add new input containing the original action URL var origActionURL = document.createElement('input'); origActionURL.setAttribute('type', 'hidden'); origActionURL.setAttribute('name', 'ORIG_ACTION_URL'); origActionURL.setAttribute('value', toAbsolutePath(logonForm.action)); logonForm.appendChild(origActionURL); You will want to hardcode the origActionURL path with your Return URL with your Cisco VPN name, replacing the + characters with html code %2B. This only appears to affect this variable the Return URL where the webtier is replacing the + signs with %20 instead of %2B. The referringURL is ok and not affected. // add new input containing the original action URL var origActionURL = document.createElement('input'); origActionURL.setAttribute('type', 'hidden'); origActionURL.setAttribute('name', 'ORIG_ACTION_URL'); origActionURL.setAttribute('value', 'https://<Cisco_ASA>.<Domain>.com/%2Bwebvpn%2B/index.html'); logonForm.appendChild(origActionURL); Hardcode the /%20webvpn%20/index.html as /%2Bwebvpn%2B/index.html Note: Do not hardcode the plus sign + and do not use lower case b for the ASCII %2B |
| Notes | Typical dowloaded am_integratio.js script contains a sections a section that creates a redirect back to the RBA agent after authentication: function toAbsolutePath(url) { if (url.search('://') != -1) { return url; } if (url.indexOf('/') == 0) { var loc = location.href + "/"; return loc.replace(/(.*?:\/\/[^\/]*?)\/.*/, '$1' + url); } return location.href.replace(/(.*\/).*/, '$1' + url); } Which you can look at in your browser too, <html> <head> <script> <!-- function getActionURL() { var protocol = 'https'; var shortHostname = '192'; var domainName = '168.60.99'; var port = 444; var path = '/ webvpn /index.html'; return protocol + '://' + shortHostname+ '.' + domainName+':'+port+ path; } function submitLogonForm() { document.getElementById('logon_form').action=getActionURL(); document.getElementById('logon_form').submit(); } //--> </script> </head> <body onLoad='submitLogonForm()'> <form name='logon_form' id='logon_form' method='post' action='https%3A%2F%2F149.63.60.99%3A444%2F+webvpn +%2Findex.html'> <input type='hidden' name='username' value='jguillette'/> <input type='hidden' name='next' value=''/> <input type='hidden' name='tgroup' value=''/> <input type='hidden' name='password' value='01jh7ka0f3x3ggaa'/> <input type='hidden' name='tgcookieset' value=''/> </form> </body> </html> Due a a bug somewhere, the redirect creation interprests the "+" in a Cisco ASA URL as a blank space |