x99 Token Module Problems

David Mitchell mitchell at ucar.edu
Tue Jan 10 19:59:59 CET 2006


Greetings,

I'm working on using FreeRadius to authenticate to our Cisco devices 
using CryptoCards. I've run into a couple of snags which I don't think 
can be fixed easily via configuration but will require code changes. 
Before I start doing anything code-wise, I wanted to see if anybody knew 
of a workaround.

1) Our tokens display the response in so-called 'phone number' 
formatting. FreeRadius knows about 4 different CryptoCard formattings 
according to x99passwd.sample: d7, d8, h7 and h8. Where a response would 
be formatted as '12345678' in d8 and '1235678' in d7, our tokens display 
'123-5678'. I was thinking I would either add a new CC encoding setting 
or modify the module to ignore dashes. But if there is another way I'd 
love to hear it.

2) The X99 module, if it is performing a resync, generates a State 
attribute which the authenticating device is expected to return 
unadulterated in the response packet. However, the value includes NULL 
values in the middle of it. Our Cisco devices (both IOS and CatalystOS) 
appear to be using strcpy() or something similar to copy the State 
attribute and only return the value up to the embedded NULL as a result. 
Code already exists in the module to generate an ASCII state value, and 
I was planning on changing the module so that the ASCII value was always 
used. My reading of the relevant RFC tells me that this is in fact a 
Cisco bug, but I have not had good luck in the past convincing Cisco 
that my interpretation of RFCs is more correct than theirs.

If you know of a way to work around these without hacking on the code, 
I'd appreciate knowing about it. Or if you have an opinion about how to 
best fix the above issues in the code, I'd be interested in that as 
well. Thanks in advance,

-David Mitchell
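
The truncation described in point 2, as an added example that is not part of the original message and is not FreeRADIUS or Cisco code: a State value with embedded zero bytes is cut short by a device that copies it as a C string (the behaviour the message suspects), while a hex-encoded ASCII State survives the same copy and decodes back intact. All function names and the sample State bytes are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample State value with embedded zero bytes (not from the page). */
static const unsigned char SAMPLE_STATE[8] = {0x4f, 0xa1, 0x00, 0x37, 0x00, 0x00, 0x9c, 0x12};

/* Hypothetical NAS: treats State as a C string, so the echo stops at the first zero byte. */
size_t echo_as_cstring(const unsigned char *state, size_t len, unsigned char *out) {
    const unsigned char *nul = memchr(state, 0, len);
    size_t n = nul ? (size_t)(nul - state) : len;
    memcpy(out, state, n);
    return n;
}

/* Server side: encode the binary state as lowercase hex so it contains no zero bytes. */
size_t state_to_ascii(const unsigned char *state, size_t len, char *out) {
    static const char digits[] = "0123456789abcdef";
    for (size_t i = 0; i < len; i++) {
        out[2 * i] = digits[state[i] >> 4];
        out[2 * i + 1] = digits[state[i] & 0x0f];
    }
    return 2 * len;
}

static int nibble(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}
/* Server side: decode the echoed State; returns byte count, or -1 if it is malformed. */
long ascii_to_state(const char *hex, size_t hexlen, unsigned char *out) {
    if (hexlen % 2) return -1;
    for (size_t i = 0; i < hexlen; i += 2) {
        int hi = nibble(hex[i]), lo = nibble(hex[i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i / 2] = (unsigned char)(hi << 4 | lo);
    }
    return (long)(hexlen / 2);
}

int main(void) {
    unsigned char echoed[16], decoded[8];
    char ascii[16];
    size_t raw = echo_as_cstring(SAMPLE_STATE, sizeof SAMPLE_STATE, echoed);
    size_t alen = state_to_ascii(SAMPLE_STATE, sizeof SAMPLE_STATE, ascii);
    size_t back = echo_as_cstring((const unsigned char *)ascii, alen, echoed);
    long dlen = ascii_to_state((const char *)echoed, back, decoded);
    printf("binary: %zu/8 bytes echoed; ASCII: %zu/%zu echoed, %ld bytes decoded\n", raw, back, alen, dlen);
    return 0;
}
```

The decoder rejects odd lengths and non-hex characters, so a State that was altered or truncated in transit fails closed instead of being compared as a short value.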


