Cryptocards and freeradius

Greg Woods woods at ucar.edu
Tue Nov 15 23:13:01 CET 2005


If I get yelled at for asking this here, so be it; it will be just one
more stumbling block in a long research project.

What I want to do, in a nutshell, is use the rlm_x99_token module to
authenticate users with Cryptocards. But everything I've tried so far
comes down to needing to know the DES key that is programmed into the
card. 

Obviously, there can't be an easy way to get the key out of the card, or
the card would be useless. So this means you need to program the card
with a known key. My problem is that I cannot figure out a way to do
this. This isn't really a freeradius question (which is why I might get
yelled at), but it is clearly relevant to anyone who wants to use
freeradius to authenticate via Cryptocards. This list is a likely source
of people who have successfully done this. But my question is, how do I
program the cards with a known key? I tried setting the randomkey = no
parameter in the cryptocard.cfg file and restarting the cadmind but the
CAClient still seems to use an internally-generated key when
initializing. 

I am using freeradius 1.0.1 from RPM on CentOS 4 (based directly on Red
Hat Enterprise 4) and cadmin 5.1 if it matters. Also, we have the RB-1
"calculator" style tokens.

Another possibility might be to find a way to extract the key from the
very long hex string stored in the MySQL database by the cadmind server,
called the "encrypted key", but I haven't found any way to do that
either.

Is anybody using freeradius with rlm_x99_token module and Cryptocard
RB-1 tokens successfully? How do you initialize your cards and sync them
with freeradius?

For what it's worth, I have gotten basic functionality of the x99_token
module to work with our Cisco VPN 3000 concentrator, authenticating via
freeradius. I have gotten as far as having the special password "resync"
generate a display of the challenge, but without the proper keys for the
cards in the x99passwd file, I can't actually authenticate users with
them.

Thanks,
--Greg
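The reason the server must hold the card's DES key is visible from the X9.9 challenge-response itself: the RADIUS side recomputes the card's answer and compares. The Go program below is an added illustration written for this page, not code from the post, from rlm_x99_token or from Cryptocard; it uses only Go's standard-library `crypto/des`. Its X9.9 details are assumptions stated in the comments (ASCII decimal challenge zero-padded to one DES block, response = first four ciphertext bytes as eight upper-case hex digits, decimal-mode tokens mapping A-F to 0-5), and the key and challenge values are constructed sample data, not anything programmed into a real token.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// desEncryptBlock encrypts one 8-byte block with single DES, the primitive
// an X9.9 token applies to the challenge it is shown.
func desEncryptBlock(key, block []byte) ([]byte, error) {
	if len(block) != des.BlockSize {
		return nil, errors.New("block must be exactly 8 bytes")
	}
	c, err := des.NewCipher(key) // returns an error unless len(key) == 8
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, block)
	return out, nil
}

// x99Response derives the response an X9.9 challenge-response token shows
// for `challenge` when it has been programmed with `key`.
// Assumptions (illustrative, not taken from rlm_x99_token's source):
//   - the challenge is 1..8 ASCII decimal digits, zero-padded with 0x00
//     bytes to one DES block;
//   - the response is the first 4 ciphertext bytes as 8 upper-case hex
//     digits; a token in decimal-only mode maps A..F to 0..5.
func x99Response(key []byte, challenge string, decimalOnly bool) (string, error) {
	if len(challenge) == 0 || len(challenge) > des.BlockSize {
		return "", errors.New("challenge must be 1..8 characters")
	}
	for _, ch := range challenge {
		if ch < '0' || ch > '9' {
			return "", errors.New("challenge must be decimal digits")
		}
	}
	block := make([]byte, des.BlockSize) // remaining bytes stay 0x00
	copy(block, challenge)
	ct, err := desEncryptBlock(key, block)
	if err != nil {
		return "", err
	}
	resp := strings.ToUpper(hex.EncodeToString(ct[:4]))
	if decimalOnly {
		resp = strings.Map(func(r rune) rune {
			if r >= 'A' && r <= 'F' {
				return r - 'A' + '0'
			}
			return r
		}, resp)
	}
	return resp, nil
}

// verifyResponse is the server-side check: recompute the expected response
// from the stored key and compare in constant time. Without the card's key
// there is nothing to recompute, which is exactly the obstacle in the post.
func verifyResponse(key []byte, challenge, userResponse string, decimalOnly bool) bool {
	expected, err := x99Response(key, challenge, decimalOnly)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(expected), []byte(strings.ToUpper(userResponse))) == 1
}

func main() {
	// Constructed sample key and challenge; neither comes from the post.
	key, _ := hex.DecodeString("133457799BBCDFF1")
	challenge := "48271563"
	resp, err := x99Response(key, challenge, false)
	if err != nil {
		panic(err)
	}
	fmt.Printf("challenge %s -> token response %s\n", challenge, resp)
	fmt.Println("verify with the card's key:", verifyResponse(key, challenge, resp, false))
	wrongKey, _ := hex.DecodeString("0123456789ABCDEF")
	fmt.Println("verify with a different key:", verifyResponse(wrongKey, challenge, resp, false))
}
```

`desEncryptBlock` can be checked against the well-known single-DES test vector (key 133457799BBCDFF1, plaintext 0123456789ABCDEF, ciphertext 85E813540F0AB405) before trusting the rest; whether a given card uses hex or decimal display, and how it pads the challenge, has to be confirmed against the token's own documentation.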




More information about the Freeradius-Users mailing list