Risk-Based Authentication from Cisco ASA 9.3.1 redirects to wrong URL for RSA Authentication Manager 8.1
Originally Published: 2015-04-13
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 SP1
Platform (Other): Cisco ASA ver. 9.3.1, 9.3(1)
Issue
The RSA integration script no longer correctly interprets plus signs (+, URL-encoded as %2B), but instead interprets them as spaces (URL-encoded as %20).
It could be that the web tier is interpreting this incorrectly. We are not sure of the cause, as we have only seen it with RBA and Cisco ASA 9.3.1 through the Web Tier.
Cause
Cisco ASA uses plus signs in its login URL (that is, /+webvpn+/index.html).
The am_integration.js script for RSA Authentication Manager 8.1 SP1 mistakenly interprets the + signs as spaces and then redirects to /%20webvpn%20/index.html or / webvpn /index.html instead of /+webvpn+/index.html.
Resolution
Workaround
// add new input containing the original action URL
var origActionURL = document.createElement('input');
origActionURL.setAttribute('type', 'hidden');
origActionURL.setAttribute('name', 'ORIG_ACTION_URL');
origActionURL.setAttribute('value', toAbsolutePath(logonForm.action));
logonForm.appendChild(origActionURL);
In the code above, hardcode the origActionURL value with the Return URL for your Cisco VPN name, replacing the + characters with their URL-encoded form, %2B.
This appears to affect only this variable, the Return URL, where the web tier replaces the + signs with %20 instead of %2B. The referringURL is not affected.
// add new input containing the original action URL
var origActionURL = document.createElement('input');
origActionURL.setAttribute('type', 'hidden');
origActionURL.setAttribute('name', 'ORIG_ACTION_URL');
origActionURL.setAttribute('value', 'https://<Cisco_ASA>.<Domain>.com/%2Bwebvpn%2B/index.html');
logonForm.appendChild(origActionURL);
Hardcode the /%20webvpn%20/index.html as /%2Bwebvpn%2B/index.html.
Note: Do not hardcode the plus sign (+), and do not use a lowercase b in the %2B encoding.
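The effect of the workaround can be reproduced outside the browser. The following is an added example, not code from am_integration.js or the web tier. It assumes the faulty step behaves like an application/x-www-form-urlencoded decoder, which this article does not confirm. The host asa.example.com and all function names are hypothetical.

```javascript
// Added illustration; not part of am_integration.js or the web tier.
// Assumption: the step that mangles the URL decodes it the way
// application/x-www-form-urlencoded data is decoded, where "+" means space.
function formDecode(value) {
  return decodeURIComponent(value.replace(/\+/g, ' '));
}

// Percent-encode literal plus signs with an uppercase hex digit (%2B),
// as the workaround requires, leaving the rest of the URL untouched.
function protectPlus(url) {
  return url.replace(/\+/g, '%2B');
}

// Emit the "var path = '...'" line of a redirect page, as in the sample
// page in this article, after the return URL has been decoded once.
function simulateRedirectPage(returnUrl) {
  const decoded = formDecode(returnUrl);
  const path = decoded.replace(/^[a-z]+:\/\/[^\/]+/i, ''); // strip scheme and host
  return "var path = '" + path + "';";
}

// Extract the path from a redirect page and compare it with the path
// the ASA expects. Usable as a post-change check on the generated page.
function checkRedirectPage(html, expectedPath) {
  const match = /var\s+path\s*=\s*'([^']*)'/.exec(html);
  if (!match) {
    return { found: false, path: null, ok: false };
  }
  return { found: true, path: match[1], ok: match[1] === expectedPath };
}

// Constructed sample values; asa.example.com is a placeholder host.
const EXPECTED_PATH = '/+webvpn+/index.html';
const original = 'https://asa.example.com/+webvpn+/index.html';

// Without the workaround: the plus signs arrive as spaces.
const before = checkRedirectPage(simulateRedirectPage(original), EXPECTED_PATH);
// With the workaround: %2B survives one decode and comes out as "+".
const after = checkRedirectPage(
  simulateRedirectPage(protectPlus(original)), EXPECTED_PATH);

console.log('unprotected:', JSON.stringify(before));
console.log('with %2B   :', JSON.stringify(after));
```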
Notes
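// Resolve a form action URL against the current page location.
function toAbsolutePath(url) {
    // Already absolute (contains a scheme): return unchanged.
    if (url.search('://') != -1) {
        return url;
    }
    // Root-relative: keep the scheme and host of the current page, replace the path.
    if (url.indexOf('/') == 0) {
        var loc = location.href + "/";
        return loc.replace(/(.*?:\/\/[^\/]*?)\/.*/, '$1' + url);
    }
    // Relative: replace everything after the last slash of the current URL.
    return location.href.replace(/(.*\/).*/, '$1' + url);
}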
You can also see this in your browser:
<html>
<head>
<script>
<!--
function getActionURL() {
var protocol = 'https';
var shortHostname = '192';
var domainName = '168.60.99';
var port = 444;
var path = '/ webvpn /index.html';
return protocol + '://' + shortHostname+ '.' + domainName+':'+port+ path;
}
function submitLogonForm() {
document.getElementById('logon_form').action=getActionURL();
document.getElementById('logon_form').submit();
}
//-->
</script>
</head>
<body onLoad='submitLogonForm()'>
<form name='logon_form' id='logon_form' method='post' action='https%3A%2F%2F149.63.60.99%3A444%2F+webvpn+%2Findex.html'>
<input type='hidden' name='username' value='jguillette'/>
<input type='hidden' name='next' value=''/>
<input type='hidden' name='tgroup' value=''/>
<input type='hidden' name='password' value='01jh7ka0f3x3ggaa'/>
<input type='hidden' name='tgcookieset' value=''/>
</form>
</body>
</html>
Due to a bug somewhere, the redirect creation interprets the + in a Cisco ASA URL as a blank space.