AppleScript to generate a SecurID token and automatically connect to a Cisco VPN

Apple obviously hates copy and paste. They didn't add it to the iPhone for years, and even when they did add it, they only briefly allowed users to paste into the VPN password field, removing it with one of the first incremental updates to OS 3.0. Luckily there's an app for that – CopyPasteFix, only for jailbroken iPhones.

And then came Snow Leopard, OS X 10.6. They included built-in IPSEC VPN, freeing users from the shackles of the horrible Cisco IPSEC client. But yet again, Apple decided that users don't need to copy and paste text into the password field.

For anyone with an OTP soft token (like an RSA SecurID), this is a pain in the ass. Half the benefit of generating a passcode on the same device you're using it on is not having to type it.

Enter AppleScript, everyone's favorite natural language that thinks it's acceptable to use apostrophes when referencing variables. I've never actually written an AppleScript longer than tell application "iTunes" to playpause, so this was new ground for me. Joe mentioned he has a similar script for the junky non-RSA soft token solution he uses, but he left the country immediately after taunting me with the prospect of getting the code.

If you're doing any moderately serious AppleScript development, I highly recommend Script Debugger from Late Night Software. It was invaluable for seeing what objects and properties were really available, and for troubleshooting errors.

What it does

  • Prompts for your SecurID PIN (you can save this in the script, I highly recommend you NOT do that)
  • Launches the SecurID application (if it's already running it will quit it first), generates a token, stores the token in a variable, and then quits the SecurID application
  • Kicks off the VPN connection process, types in the generated passcode when the window is available, and logs in.

If there's any type of a banner with terms to accept, it won't click OK there.

Download the script, view the source code and read more at the project page.

Re-enabling the Cisco VPN client PIN prompt

If you use a recent Cisco VPN Client with the RSA SecurID integration, you only have to enter your PIN instead of a passcode. At some point one of the VPN concentrators I connect to changed its configuration and my PIN prompt changed back to Password [1].

I did some digging into how the RSA integration works and discovered that the magic begins with stauto32.dll. stauto32.dll is the RSA SecurID Software Token API which allows third-party vendors to retrieve passcodes from a token.

There are also two very important entries you can modify in your PCF file which affect the VPN Client's integration with the SecurID soft token.

  • SDIUseHardwareToken – Enables a connection entry to avoid using the RSA soft token.
      0 = Yes, use RSA SoftID (default)
      1 = No, ignore RSA SoftID software installed on the PC.
  • RadiusSDI – Tells the VPN client to assume RADIUS SDI is being used for extended authentication (XAuth).
      0 = No (default)
      1 = Yes

My .pcf file was missing the RadiusSDI parameter. Once I added it I was able to toggle the Cisco VPN Client PIN/Password prompt by changing the value of RadiusSDI in my .pcf file to 1/0.

So if you only want to be prompted for your PIN with a Cisco VPN Client, make sure that in your .pcf file you have:

RadiusSDI=1
SDIUseHardwareToken=0
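As an added example (not part of the original post), here is a small Python check that reads a .pcf profile, applies the defaults listed above for keys that are missing, reports whether the client will show the PIN prompt, and rewrites the profile to the RadiusSDI=1 / SDIUseHardwareToken=0 setting. The sample profile, its host name and group name are constructed.

```python
import configparser
import io

# Constructed sample .pcf profile (Cisco VPN Client profiles are INI-style
# files with a [main] section). The RadiusSDI line is deliberately absent,
# which is exactly the situation described above.
SAMPLE_PCF = """[main]
Description=Corporate VPN (constructed sample)
Host=vpn.example.com
AuthType=1
GroupName=example-group
SDIUseHardwareToken=0
"""

def _load(pcf_text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep key case exactly as written in the file
    cp.read_string(pcf_text)
    return cp

def pin_prompt_enabled(pcf_text):
    """True if the client will prompt for the SecurID PIN (soft token used and
    RADIUS SDI assumed for XAuth); False if it falls back to a Password prompt.
    Missing keys take the documented defaults: RadiusSDI=0, SDIUseHardwareToken=0."""
    main = _load(pcf_text)["main"]
    radius_sdi = main.get("RadiusSDI", "0").strip() == "1"
    use_soft_token = main.get("SDIUseHardwareToken", "0").strip() == "0"
    return radius_sdi and use_soft_token

def enable_pin_prompt(pcf_text):
    """Return the profile text with RadiusSDI=1 and SDIUseHardwareToken=0,
    adding the keys if they are missing and overwriting them if present."""
    cp = _load(pcf_text)
    cp["main"]["RadiusSDI"] = "1"
    cp["main"]["SDIUseHardwareToken"] = "0"
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)   # emit key=value like the client
    return out.getvalue()

if __name__ == "__main__":
    print("PIN prompt before:", pin_prompt_enabled(SAMPLE_PCF))   # False
    fixed = enable_pin_prompt(SAMPLE_PCF)
    print("PIN prompt after: ", pin_prompt_enabled(fixed))        # True
    print(fixed)
```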

Files

  • vpnclient.ini (varies based on client) – %ProgramFiles%\Cisco Systems\VPN Client\
  • .pcf profile file (varies based on client) – %ProgramFiles%\Cisco Systems\VPN Client\Profiles

Resources

  1. Actually I found an old email with the new .pcf file and a warning that if I didn't start using it my VPN client would stop working, but I assumed I'd installed the new profile everywhere.

BlackBerry – Built in RSA Soft Token Generation

It pays to read the documentation – since roughly OS 4.2.2, BlackBerry OS releases have contained an embedded SecurID module. For me this only meant I'd install a different version of the application.

In the documentation there's a section named Distributing Tokens using the BES BlackBerry Manager, and it offers an alternative to pushing tokens to the BlackBerry SecurID application.

Assigning the Software Tokens

This is a quick and dirty rundown; I highly recommend you read admin.pdf from the soft token documentation. You can only assign 3 tokens per user this way.

Assigning a Software Token on BES 4.1.x

On BES 4.1.x launch the BlackBerry Manager and drill down to the user for whom you want to assign the software token.  Right click and Edit Properties, and then navigate to Properties > WLAN Configuration and open the Software Tokens section.

Click New and enter the token serial number (with leading zeros) and token password.  For the Seed browse to your .sdtid file and import it.

Assigning a Software Token on BES 5.0

Search for the user account in the BAS, click the Software Tokens tab and click Edit User.

Enter the token serial number (with leading zeros), browse for the .sdtid file and type in the token password. Click Save All to save the token to the user's profile.

Generating a Passcode or Tokencode

Software Tokens assigned this way will NOT show up in the RSA SecurID application. Read the documentation for information on deploying tokens using the PushToken utility, dynamic seed provisioning, CT-KIP and the BlackBerry Manager (this method). I have a writeup on using the PushToken utility available.

Verify that the token is on the device by browsing to Options > Security > Software Tokens. You should see a Token # entry followed by the serial number. Currently there is no way to rename these tokens, which makes things tricky if you have multiple tokens.

BlackBerry - List of Software Tokens

Once you finish typing in your Token PIN a passcode will be generated.

BlackBerry - Native SecurID Token

One very cool feature of the built-in SecurID module is that you can choose to generate a Passcode or Tokencode, and the next or next-next passcode.

BlackBerry - Generated Token Options

Unfortunately you cannot copy the generated codes to the clipboard which detracts slightly from the utility (especially when generating future codes which are likely to be emailed to someone).

Deploying tokens to the RSA SecurID iPhone Application

OK, so you've got the SecurID soft token app installed on your iPhone, but now what? Installing a token isn't as simple as it is on the BlackBerry.

One method is to use the RSA Authentication Manager to generate CT-KIP URLs which can be sent to the end-users. You can read more about this from the RSA iPhone page after downloading the documentation and device definition file.

My preference is to use the Compressed Token Format (CTF) which will compress a .sdtid soft token file into an 81-digit string.

Clarification

I don't want there to be any confusion about the intent of this post – I'm demonstrating one possible way to install a token on your device without involving an administrator. In most cases your ACE administrator will probably be willing to assist you with the installation of a token, and none of this will be necessary.

Preparing the Token

You can use the Token Converter application from RSA, or the web-based token converter on my projects page. Paste the contents of your .sdtid file into the form, supply your password if it requires one and create the CTF link.

Distributing the CTF SecurID Token

You can email links to the CTF token file or link to an HTML page containing the link. Both work, although the current version (1.0.5) of the RSA SecurID iPhone Application is overly sensitive to malformed links. Sending an HTML email from Outlook will generate a malformed link, but as Phil noted in the comments, composing a message in RTF format containing the link will work.

Malformed Links

Correct: com.rsa.securid.iphone://ctf?...
Malformed: com.rsa.securid.iphone://ctf/?...

If you are going to email the link make sure that it doesn't append the extra trailing slash after ctf. Do not use Outlook to send the email in HTML format as it always appends the extra slash – compose an RTF message instead.

You may need to change your Outlook options to retain RTF emails when sending to internet recipients. In Outlook open Options > Mail Format > Internet Format. Under "When sending Outlook Rich Text messages to Internet recipients, use this format:" change the option to "Send using Outlook Rich Text format".

Outlook - Send using RTF

Emailing the CTF Link

For iPhone users running OS 2.x you can compose a plain text message with the CTF link (com.rsa.securid.iphone://ctf?ctfData=<token>) between angle brackets.

<com.rsa.securid.iphone://ctf?ctfData=200010059123075173498074908439042057320570235870932850239850433809854092834893835>

This will only work with OS 2.x, and not with the GM release of OS 3.0.

For all users running OS 2.x and OS 3.x you can send an HTML-formatted email with a hyperlink to the CTF URL, like Click here to install Token.  As mentioned above this will NOT work with Outlook, which adds an extra forward slash that the SecurID application cannot understand.
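The link check described in the Malformed Links section and the two email forms above (plain-text angle brackets for OS 2.x, an HTML hyperlink for OS 2.x and 3.x), as an added Python example that is not part of the original post. It validates a CTF URL, rejects the extra slash after ctf, strips that slash when it can, and emits both email forms. The 81-digit ctfData value is constructed, not a real token.

```python
import re
from urllib.parse import urlsplit, parse_qs

CTF_SCHEME = "com.rsa.securid.iphone"

# Constructed 81-digit CTF payload (4 + 70 + 7 digits); a real one comes out
# of the token converter and must never be shared beyond its owner.
SAMPLE_CTF = "2000" + "1234567890" * 7 + "1234567"

def check_ctf_link(url):
    """Return (ok, reason). ok is True only for the form the SecurID iPhone app
    accepts: com.rsa.securid.iphone://ctf?ctfData=<81 digits>, with nothing
    between 'ctf' and '?'."""
    parts = urlsplit(url)
    if parts.scheme != CTF_SCHEME:
        return False, "wrong scheme: %r" % parts.scheme
    if parts.netloc != "ctf":
        return False, "expected 'ctf' directly after '://'"
    if parts.path:   # a '/' here is the slash Outlook HTML mail inserts
        return False, "extra path %r after ctf (trailing slash?)" % parts.path
    data = parse_qs(parts.query).get("ctfData", [])
    if len(data) != 1:
        return False, "ctfData parameter missing or repeated"
    if not re.fullmatch(r"\d{81}", data[0]):
        return False, "ctfData is not an 81-digit string"
    return True, "ok"

def fix_ctf_link(url):
    """Remove the slash between 'ctf' and '?' if present and return the corrected
    link; raise ValueError if the result still is not a valid CTF link."""
    fixed = url.replace("://ctf/?", "://ctf?", 1)
    ok, reason = check_ctf_link(fixed)
    if not ok:
        raise ValueError(reason)
    return fixed

def plain_text_form(url):
    """Angle-bracket form for a plain-text message to OS 2.x users."""
    return "<%s>" % fix_ctf_link(url)

def html_form(url, text="Click here to install Token"):
    """HTML hyperlink form for OS 2.x and 3.x users (send as RTF, not Outlook HTML)."""
    return '<a href="%s">%s</a>' % (fix_ctf_link(url), text)
```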

Linking to a page containing a CTF Link

The third option is to use Mobile Safari to open a web page containing a hyperlink to the CTF URL. You can put this page somewhere on your own servers, or use my RSA CTF Hyperlink Generator to dynamically build these links. Opening http://coreygilmore.com/rsa/<CTF> will automatically display an iPhone-ready hyperlink to install the token. View a sample page.

Resources

Updated 6/18/09: Added information about composing Outlook RTF emails to successfully send token installation links, brief clarification about the intent of this post.


© 2007-2012, Corey Gilmore
