000030035 - RBA authentication on Cisco ASA redirects to wrong URL /%20webvpn%20/index.html

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000030035
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.0 SP1
Platform: Suse Linux
Platform (Other): Cisco ASA ver. 9.3.1, 9.3(1)
O/S Version: Red Hat Linux 6.2
Product Name: RSA-0010810
Product Description: RSA-0010810
Issue
Attempting to authenticate with RBA on an ASA appliance. The successful authentication response from the RBA web tier appears to be going to an invalid URL on the ASA: it goes to /%20webvpn%20/index.html when it should go to /+webvpn+/index.html, so ASA authentication fails.
The RSA integration script no longer correctly interprets plus signs + (ASCII %2B) but instead interprets them as spaces (ASCII %20).
It could be the Web Tier that is interpreting this; we are not sure, as we have only seen it with RBA and Cisco ASA 9.3.1 through the Web Tier (only three customers have reported this particular problem).
re-direct, SSL VPN portal, adaptive security appliance
 
Cause

Cisco ASA uses plus signs in its login URL, /+webvpn+/index.html.
The am_integration.js script at SP1 mistakenly interprets the + signs as spaces and redirects to /%20webvpn%20/index.html (i.e. "/ webvpn /index.html") instead of /+webvpn+/index.html. Because the plus signs + are changed to spaces (%20), ASA authentication fails.

Resolution
No resolution or bug fix yet; use the workaround below.
Workaround
The original downloaded integration script has a variable origActionURL whose value is produced by a call to toAbsolutePath(logonForm.action), which resolves your site's Cisco ASA URL:
        // add new input containing the original action URL
        var origActionURL = document.createElement('input');
        origActionURL.setAttribute('type', 'hidden');
        origActionURL.setAttribute('name', 'ORIG_ACTION_URL');
        origActionURL.setAttribute('value', toAbsolutePath(logonForm.action));
        logonForm.appendChild(origActionURL);
Hardcode the origActionURL value to your return URL containing your Cisco VPN name, replacing the + characters with the URL-encoded form %2B. This only appears to affect this variable, the return URL, where the web tier replaces the + signs with %20 instead of %2B. The referringURL is not affected.
        // add new input containing the original action URL (hardcoded return URL)
        var origActionURL = document.createElement('input');
        origActionURL.setAttribute('type', 'hidden');
        origActionURL.setAttribute('name', 'ORIG_ACTION_URL');
        origActionURL.setAttribute('value', 'https://<Cisco_ASA>.<Domain>.com/%2Bwebvpn%2B/index.html');
        logonForm.appendChild(origActionURL);
Hardcode the /%20webvpn%20/index.html path as /%2Bwebvpn%2B/index.html
Note: Do not hardcode the plus sign + itself, and do not use a lower-case b in the encoded %2B.
Notes
A typical downloaded am_integration.js script contains a section that creates a redirect back to the RBA agent after authentication:
        // return the URL unchanged if it is already absolute; otherwise resolve it
        // against the current location (host-relative or path-relative)
        function toAbsolutePath(url) {
            if (url.search('://') != -1) {
                return url;
            }
            if (url.indexOf('/') == 0) {
                var loc = location.href + "/";
                return loc.replace(/(.*?:\/\/[^\/]*?)\/.*/, '$1' + url);
            }
            return location.href.replace(/(.*\/).*/, '$1' + url);
        }

You can also view the generated redirect page in your browser:
<html>
<head>
<script>
<!--
    function getActionURL() {
        var protocol = 'https';
        var shortHostname = '192';
        var domainName = '168.60.99';
        var port = 444;
        var path = '/ webvpn /index.html';
        return protocol + '://' + shortHostname+ '.' + domainName+':'+port+ path;
    }
function submitLogonForm() {
        document.getElementById('logon_form').action=getActionURL();
        document.getElementById('logon_form').submit();
}
//-->
</script>
</head>
<body onLoad='submitLogonForm()'>
<form name='logon_form' id='logon_form' method='post' action='https%3A%2F%2F149.63.60.99%3A444%2F+webvpn+%2Findex.html'>
<input type='hidden' name='username' value='jguillette'/>
<input type='hidden' name='next' value=''/>
<input type='hidden' name='tgroup' value=''/>
<input type='hidden' name='password' value='01jh7ka0f3x3ggaa'/>
<input type='hidden' name='tgcookieset' value=''/>
</form>
</body>
</html>

Due to a bug somewhere in the redirect creation, the "+" in the Cisco ASA URL is interpreted as a blank space.
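The following is an added example, not code from the RSA article or from am_integration.js. It models one mechanism consistent with the symptoms above (the article does not say where the decoding happens): a form-style decoder, which treats a bare '+' as a space, turns /+webvpn+/index.html into "/ webvpn /index.html", while the %2B encoding from the workaround survives that decoding. The hostname asa.example.com is a placeholder; the second sample value is the form action from the browser page shown above.

```javascript
// Added example (not from the RSA article or am_integration.js).
// Assumption: a form-style (application/x-www-form-urlencoded) decoder sits in
// the redirect path and treats a bare '+' as a space before percent-decoding.

// Form-style decoding: '+' becomes a space, then percent-escapes are decoded.
function formDecode(s) {
  return decodeURIComponent(s.replace(/\+/g, ' '));
}

// The article's workaround: encode every literal '+' as %2B so that a form
// decoder restores it as '+' instead of turning it into a space.
function escapePlusInPath(url) {
  return url.replace(/\+/g, '%2B');
}

// What the ASA would receive as the action URL after the decoding step.
function redirectTarget(actionUrl) {
  return formDecode(actionUrl);
}

// Pre-flight check for a hardcoded ORIG_ACTION_URL value, following the
// article's note: no bare '+', and no lower-case hex digit in %2B.
// Returns a list of problems; an empty list means the value is safe to use.
function checkReturnUrl(url) {
  const problems = [];
  if (url.includes('+')) problems.push("bare '+' will decode to a space; use %2B");
  if (/%2b/.test(url)) problems.push("lower-case %2b found; use upper-case %2B");
  return problems;
}

// Constructed sample: the ASA login URL with a placeholder hostname.
const ASA_URL = 'https://asa.example.com/+webvpn+/index.html';
// The form action from the article's browser sample (its '+' is left bare).
const ARTICLE_ACTION = 'https%3A%2F%2F149.63.60.99%3A444%2F+webvpn+%2Findex.html';

console.log(redirectTarget(ARTICLE_ACTION));            // https://149.63.60.99:444/ webvpn /index.html
console.log(redirectTarget(ASA_URL));                   // https://asa.example.com/ webvpn /index.html
console.log(redirectTarget(escapePlusInPath(ASA_URL))); // https://asa.example.com/+webvpn+/index.html
console.log(checkReturnUrl(ASA_URL));                   // [ "bare '+' will decode to a space; use %2B" ]
```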
