Cisco Systems ASA 5510, ASA 5512-X, ASA 5515-X, ASA 5520, ASA 5525-X, ASA 5540, ASA 5545-X, ASA 5550, ASA 5555-X, ASA 5580, ASA 5585-X, ASA 5505 Gathering HTTP Form Data

72-17

Cisco ASA 5500 Series Configuration Guide using ASDM

Chapter72 Configuring Clientless SSL VPN

Configuring Application Helper

Figure72-3 SSO Authentication Using HTTP Forms

While you would expect to configure form parameters that let the ASA include POST data such as the

username and password, you initially might not be aware of additional hidden parameters that the web

server requires. Some authentication applications expect hidden data which is neither visible to nor

entered by the user. You can, however, discover hidden parameters the authenticating web server expects

by making a direct authentication request to the web server from your browser without the ASA in the

middle acting as a proxy. Analyzing the web server response using an HTTP header analyzer reveals

hidden parameters in a format similar to the following:

Some hidden parameters are mandatory and some are optional. If the web server requires data for a

hidden parameter, it rejects any authentication POST request that omits that data. Because a header

analyzer does not tell you if a hidden parameter is mandatory or not, we recommend that you include all

hidden parameters until you determine which are mandatory.

Gathering HTTP Form Data

This section presents the steps for discovering and gathering necessary HTTP Form data. If you do not

know what parameters the authenticating web server requires, you can gather parameter data by

analyzing an authentication exchange using the following steps:

Prerequisites

These steps require a browser and an HTTP header analyzer.

Detailed Steps

Step1 Start your browser and HTTP header analyzer, and connect directly to the web server login page without

going through the ASA.

Step2 After the web server login page has loaded in your browser, examine the login sequence to determine if

a cookie is being set during the exchange. If the web server has loaded a cookie with the login page,

configure this login page URL as the start-URL.

Step3 Enter the username and password to log in to the web server, and press Enter. This action generates the

authentication POST request that you examine using the HTTP header analyzer.

An example POST request—with host HTTP header and body—follows:

148147

Web VPN

server

1

4

5

3

2Auth Web

server

Other protected

web server

Tunnel

Cisco Systems Gathering HTTP Form Data

Models: ASA 5510 ASA 5512-X ASA 5515-X ASA 5520 ASA 5525-X ASA 5540 ASA 5545-X ASA 5550 ASA 5555-X ASA 5580 ASA 5585-X ASA 5505

1

4

5

5

3