generic x99 DES parity question

Greg Woods woods at ucar.edu
Wed Nov 16 20:47:02 CET 2005


I am still trying to get the rlm_x99_token to work. I am now testing
with a SecureNet Key token (a "generic" in the x99passwd file). This
token I know how to manually program, so I can guarantee that I know the
DES key and have entered it properly in the x99passwd file.

The user interface is this: I enter my username and the pseudo-password
"challenge" into the VPN client's authentication dialog box.  A new box
is presented containing the 8-digit challenge. I enter this challenge
into the token and enter the response into the Password field of the
dialog box. This is properly transmitted back to freeradius, but
freeradius denies access each time. I think I'm pretty close, but I
can't figure out what I'm doing wrong. 

I have used the "crcalc" program that comes with the rlm_x99_token
module to verify that the calculated response to the challenge, which
requires entering the DES key as stored in the x99passwd file, matches
the one generated by the token and the one in the freeradius debug
output, so I can rule out typing the response incorrectly. The
freeradius logs do show that the correct response is presented, but
access is still denied. 

Here is the x99.conf file (with comments stripped):

x99_token {
        pwdfile = /etc/x99passwd
        syncdir = /etc/x99sync.d
        challenge_prompt = "Challenge: %s\n Response: "
        challenge_length = 8
        challenge_delay = 180
        softfail = 5
        hardfail = 0
        allow_sync = yes
        fast_sync = yes
        allow_async = yes
        challenge_req = "challenge"
        resync_req = "resync"
        ewindow_size = 5
        ewindow2_size = 5
        ewindow2_delay = 60
}

Here are the logs produced by the x99 module code. I am wondering if the
"incorrect parity" message is why this isn't working (I've tried a
number of randomly-generated keys and they all get the parity
complaint). "crcalc" also complains about the parity but nevertheless
calculates the correct response. Or is there something in my config file
that I'm missing?

Module: Instantiated x99_token (x99_token) 
  modcall[authorize]: module "x99_token" returns noop for request 0
rlm_x99_token: pw_present: found password attributes 2, 2
rlm_x99_token: Sending Access-Challenge.
  modcall[authorize]: module "x99_token" returns handled for request 1
rlm_x99_token: autz: Found response to access challenge
  modcall[authorize]: module "x99_token" returns ok for request 2
  rad_check_password:  Found Auth-Type x99_token
auth: type "x99_token"
rlm_x99_token: pw_present: found password attributes 2, 2
rlm_x99_token: x99_mac: DES key has incorrect parity
rlm_x99_token: auth: unable to calculate async response for [woods], to challenge DISABLED
  modcall[authenticate]: module "x99_token" returns fail for request 2
Login incorrect (rlm_x99_token): [woods/cf229d55] (from client vpn-spare port 1051 cli 128.117.8.131)
  modcall[authorize]: module "x99_token" returns noop for request 3
rlm_x99_token: pw_present: found password attributes 2, 2
rlm_x99_token: Sending Access-Challenge.
  modcall[authorize]: module "x99_token" returns handled for request 4
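
The "incorrect parity" message in the log above refers to the DES convention that each of the 8 key bytes carries odd parity, with the low bit of the byte as the parity bit; those bits take no part in the cipher itself. As an added example (not part of the original post and not rlm_x99_token code), this C program counts the bytes of a hex key that fail that check and sets the parity bits without touching the 56 key bits. The function names and the sample key are made up for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* 1 if the byte has an odd number of set bits, which is what DES expects. */
static int odd_bits(unsigned char b)
{
    b ^= b >> 4;
    b ^= b >> 2;
    b ^= b >> 1;
    return b & 1;
}

/* Parse exactly 16 hex digits into an 8-byte key; 0 on success, -1 on error. */
int des_key_from_hex(const char *hex, unsigned char key[8])
{
    unsigned int v;
    if (strlen(hex) != 16)
        return -1;
    for (int i = 0; i < 8; i++) {
        if (!isxdigit((unsigned char)hex[2 * i]) ||
            !isxdigit((unsigned char)hex[2 * i + 1]))
            return -1;
        sscanf(hex + 2 * i, "%2x", &v);
        key[i] = (unsigned char)v;
    }
    return 0;
}

/* Number of key bytes with wrong (even) parity; 0 means the key passes. */
int des_key_bad_parity_bytes(const unsigned char key[8])
{
    int bad = 0;
    for (int i = 0; i < 8; i++)
        bad += !odd_bits(key[i]);
    return bad;
}

/* Flip only the low (parity) bit where needed; the 7 key bits stay as is. */
void des_key_fix_parity(unsigned char key[8])
{
    for (int i = 0; i < 8; i++)
        key[i] ^= (unsigned char)!odd_bits(key[i]);
}

int main(void)
{
    unsigned char key[8];
    if (des_key_from_hex("0022446688aaccee", key)) /* constructed sample key */
        return 1;
    printf("bad parity bytes: %d\n", des_key_bad_parity_bytes(key));
    des_key_fix_parity(key);
    for (int i = 0; i < 8; i++)
        printf("%02x", key[i]);
    printf("\n");
    return 0;
}
```

A key made of 8 random bytes passes this check only once in 256 tries, since each byte independently has a one-in-two chance of odd parity.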



