Re-enabling the Cisco VPN client PIN prompt

If you use a recent Cisco VPN Client with the RSA SecurID integration, you only have to enter your PIN instead of the full passcode. At some point one of the VPN concentrators I connect to changed its configuration, and my PIN prompt changed back to a Password prompt.[1]

I did some digging into how the RSA integration works and discovered that the magic begins with stauto32.dll, the RSA SecurID Software Token API, which allows third-party vendors to retrieve passcodes from a software token.

There are also two very important entries you can set in your PCF file which affect the VPN Client's integration with the SecurID soft token:

  • SDIUseHardwareToken – lets a connection entry avoid using the RSA soft token.
    0 = Yes, use RSA SoftID (default)
    1 = No, ignore any RSA SoftID software installed on the PC.
  • RadiusSDI – tells the VPN Client to assume RADIUS SDI is being used for extended authentication (XAuth).
    0 = No (default)
    1 = Yes

My .pcf file was missing the RadiusSDI parameter. Once I added it I was able to toggle the Cisco VPN Client between the PIN and Password prompts by setting RadiusSDI to 1 or 0 in my .pcf file.

So if you only want to be prompted for your PIN with a Cisco VPN Client, make sure that in your .pcf file you have:

RadiusSDI=1
SDIUseHardwareToken=0
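If you manage more than one profile, the two settings above are easy to check and enforce with a small script. The following is an added example, not code from the original post or from Cisco: it treats a .pcf as an INI-style file with a [main] section (which is how the VPN Client writes them), and the sample profile embedded in it is constructed, with a made-up host and group name, to reproduce the missing-RadiusSDI case described above.

```python
"""Audit and enforce the SecurID prompt settings in Cisco VPN Client .pcf files.

Added example, not from the original post or from Cisco. Assumption: a .pcf
profile is an INI-style file whose settings live in a [main] section, and the
two keys below control the PIN-versus-Password prompt as described above.
"""
import configparser
import io
from pathlib import Path

# Per the post: prompt for the PIN only, using the RSA soft token.
PIN_PROMPT_SETTINGS = {"RadiusSDI": "1", "SDIUseHardwareToken": "0"}

# Constructed sample profile (host and group are made up). RadiusSDI is
# absent, which is exactly the case the post describes.
SAMPLE_PCF = """[main]
Description=constructed sample, not a real connection entry
Host=vpn.example.com
AuthType=1
GroupName=example-group
SDIUseHardwareToken=0
"""


def _parser() -> configparser.ConfigParser:
    # strict=False tolerates duplicate keys; interpolation=None keeps any
    # literal '%' in values; optionxform=str preserves the key case the
    # VPN Client writes, so the file round-trips unchanged.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str
    return cp


def audit_pcf(text: str) -> dict:
    """Return {key: current value or None} for the SecurID-related keys."""
    cp = _parser()
    cp.read_string(text)
    main = cp["main"] if cp.has_section("main") else {}
    return {key: main.get(key) for key in PIN_PROMPT_SETTINGS}


def fix_pcf(text: str):
    """Return (rewritten profile text, list of keys that were changed)."""
    cp = _parser()
    cp.read_string(text)
    if not cp.has_section("main"):
        cp.add_section("main")
    changed = []
    for key, wanted in PIN_PROMPT_SETTINGS.items():
        if cp["main"].get(key) != wanted:
            cp["main"][key] = wanted
            changed.append(key)
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)  # Key=Value, as the client writes it
    return out.getvalue(), changed


def fix_profiles_dir(profiles_dir, dry_run=True):
    """Audit every .pcf under profiles_dir; rewrite them unless dry_run.

    Typical location on Windows: %ProgramFiles%\\Cisco Systems\\VPN Client\\Profiles
    """
    report = {}
    for pcf in Path(profiles_dir).glob("*.pcf"):
        new_text, changed = fix_pcf(pcf.read_text())
        report[pcf.name] = changed
        if changed and not dry_run:
            pcf.write_text(new_text)
    return report


if __name__ == "__main__":
    print("before:", audit_pcf(SAMPLE_PCF))
    fixed, changed = fix_pcf(SAMPLE_PCF)
    print("changed:", changed)
    print("after:", audit_pcf(fixed))
```

Run it against a copy of your Profiles directory first with dry_run=True; the report tells you which profiles would change before anything is written. Keep in mind that a .pcf also carries the connection entry's group credentials, so treat copies of it like any other secret.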

Files

  • vpnclient.ini (varies based on client) – %ProgramFiles%\Cisco Systems\VPN Client\
  • .pcf profile file (varies based on client) – %ProgramFiles%\Cisco Systems\VPN Client\Profiles

Resources

  [1] Actually I found an old email with the new .pcf file and a warning that if I didn't start using it my VPN client would stop working, but I assumed I'd installed the new profile everywhere.

A CLEAR case of fraud?

I originally wasn't thrilled with the registered traveler program Clear, but as they worked out the kinks (and my free-month Clear referrals grew) I began to enjoy the convenience of having someone else carry all my crap to the x-ray machines for me.

And then on Monday night at 8PM PST I received an email from Clear Customer Service.

Subject: Clear to Cease Operations

At 11:00 p.m. PST today, Clear will cease operations. Clear's parent company, Verified Identity Pass, Inc. has been unable to negotiate an agreement with its senior creditor to continue operations.

After today, Clear lanes will be unavailable.

Three hours' notice that a company is closing? Forget the fact that I had free service through October 2011 (which Nick suggested may be part of the problem); four days earlier Clear was pushing the card as a Father's Day gift, with a $30 Brooks Brothers gift certificate in return.

On their website Clear claims they aren't currently issuing refunds.

Will I receive a refund for membership in Clear?

At the present time, because of its financial condition, Verified Identity Pass, Inc. cannot issue refunds.

I wonder if those Brooks Brothers gift certificates will ever arrive?  Based on their email marketing you would never have suspected anything was awry.

Clear - Email Marketing

Over at GigaOM, Om agrees that things are a bit shady.

At least my shaky eyes ensured I didn't contribute any iris data to be sold off.

Pushing RSA SecurID Tokens to a BlackBerry

I had to resort to this after upgrading to the leaked beta of BlackBerry OS 4.5 on my Curve, because the email-import method no longer worked. It's a perfectly legitimate method of importing a SecurID token onto your handheld, and now I actually prefer it because it is significantly less problematic than emailing the seed file to yourself. For more information see the RSA BlackBerry Soft Token page.

What you need

  • RSA SecurID Token for BlackBerry Utilities (bb302_utils.zip)
  • SecurID Soft Token for BlackBerry – the app itself, if not installed (bb302.zip)
  • Your soft token seed file (.SDTID file)
  • BES 4.1.3 or newer
  • BB OS 4.2.2 or newer. IMPORTANT: OS 4.3 is not supported, upgrade to 4.5, preferably one of the latest leaked releases.
  • Java Runtime Environment 1.4 or newer

If your BES's MDS Connection Service port (default 8080) is reachable from your workstation, you do not need to run this on the BES itself. Mine is not, so I pushed my soft token out from the BES.

Preparing your BlackBerry

Install the SecurID 3.0 software. You can install it from your desktop, from an internal server or using the OTA links from RSA. Install version 3.0.2 Standard OTA from http://rsa.com/bb302

Launch it, accept the EULA and open Settings. Make sure that Listen for Token is set to Yes. When the security prompt appears, choose Yes to allow the application to run as a server.

Pushing out the Soft Token with PushToken

  1. Download and unzip the utilities (bb302_utils.zip, listed above). The commands below show the directory name from the 3.0.0 utilities; adjust it to match whatever you unzipped.
  2. Make sure your .SDTID file is on the same disk
  3. Open a command prompt (Start > Run > cmd)
  4. From the command prompt:
    java -classpath <path_to_utils>\PushToken.jar PushToken -e<email address or PIN> -h<BES address> <path to .sdtid file>
    Note that each option's value is attached directly to the switch, with no space. In my case I ran:
    java -classpath bb300_utils\PushToken.jar PushToken -ecorey@mydomain.com -hlocalhost x-rimdevice-xxxxxxxx.sdtid
  5. If the .sdtid file was valid and you gave the SecurID application permission to run as a server on your BB, you should see a prompt on your handheld about receiving a token.
  6. You may be prompted for a password; if so, enter the password you were given with the token.
  7. If you entered the correct password you will receive notification of the token being imported. You can rename the token by choosing Manage Tokens from the menu.
  8. That's it. When you open the application you'll be prompted for your passphrase and PIN, and then be shown the generated tokencode. One nice change between versions 2.x and 3.x of the SecurID application is that the digits are much larger and split into two groups. Think 14 point font instead of 10.

PushToken Command Line Options

java -classpath PushToken.jar PushToken [options] file

Options:
  -e<address>   E-mail address or device PIN of the BlackBerry
  -h<host>      Address of the BES host (default: localhost)
  -p<port>      Port on which the BES is listening (default: 8080)

The value follows each switch directly, with no space in between.

Examples:
java -classpath PushToken.jar PushToken -h123.45.67.89 -p8765 -ejsmith@company.com token.sdtid
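The push procedure above has one property worth enforcing by script rather than by hand: the .sdtid file is the token's seed, i.e. the credential itself, and it should not outlive a successful push. The following wrapper is an added example, not code from the original post or from RSA. It only builds the PushToken command line documented above (-e, -h and -p with the value attached to the switch) and assumes that PushToken exits with status 0 on success, which the page does not document; the jar path, recipient and seed file name in the demo are made up, and the demo runs against a fake PushToken so it works without Java or a BES.

```python
"""Push an RSA SecurID seed file to a BlackBerry via PushToken.jar, then
remove the seed file only once the push has succeeded.

Added example, not code from the original post or from RSA. Assumptions:
PushToken exits 0 on success (its real exit codes are not documented on the
page), and the caller supplies the jar path, seed path, recipient and BES
host/port. The demo below uses constructed inputs and a fake runner.
"""
import os
import subprocess
import tempfile
from pathlib import Path


def build_push_command(jar, seed, recipient, host="localhost", port=8080):
    """Return argv for PushToken. Each option carries its value with no space."""
    if not recipient or any(ch.isspace() for ch in recipient):
        raise ValueError("recipient must be an e-mail address or device PIN")
    if not host or any(ch.isspace() for ch in host):
        raise ValueError("host must be a hostname or IP address")
    port = int(port)
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return ["java", "-classpath", str(jar), "PushToken",
            "-e" + recipient, "-h" + host, "-p%d" % port, str(seed)]


def check_seed_file(seed):
    """Refuse to push anything that does not look like a .sdtid seed file."""
    path = Path(seed)
    if path.suffix.lower() != ".sdtid":
        raise ValueError("expected a .sdtid file, got %s" % path.name)
    if not path.is_file():
        raise FileNotFoundError(str(path))
    return path


def shred(path):
    """Overwrite the seed file with zeros and unlink it.

    Best effort only: journaling filesystems, SSD wear levelling and backups
    can keep copies, so a seed that was ever e-mailed around should be
    treated as exposed regardless of what happens here.
    """
    path = Path(path)
    size = path.stat().st_size
    with open(path, "r+b") as fh:
        fh.write(b"\0" * size)
        fh.flush()
        os.fsync(fh.fileno())
    path.unlink()


def push_token(jar, seed, recipient, host="localhost", port=8080,
               run=subprocess.run, delete_seed=True):
    """Validate, push, and shred the seed only after PushToken reports success.

    `run` is injectable so the flow can be exercised without Java or a BES.
    """
    path = check_seed_file(seed)
    argv = build_push_command(jar, path, recipient, host, port)
    result = run(argv, check=False)
    if result.returncode != 0:
        raise RuntimeError("PushToken exited %d; seed file kept for retry"
                           % result.returncode)
    if delete_seed:
        shred(path)
    return argv


class _FakeResult:
    def __init__(self, returncode):
        self.returncode = returncode


def demo(returncode=0):
    """Dry run against a constructed seed file and a fake PushToken.

    Returns (argv handed to PushToken, whether the seed file still exists).
    """
    with tempfile.TemporaryDirectory() as tmp:
        seed = Path(tmp) / "x-rimdevice-constructed.sdtid"
        seed.write_bytes(b"<constructed placeholder, not a real seed>")
        calls = []

        def fake_run(argv, check=False):
            calls.append(argv)
            return _FakeResult(returncode)

        try:
            push_token("bb302_utils/PushToken.jar", seed, "corey@mydomain.com",
                       run=fake_run)
        except RuntimeError:
            pass
        return calls[0], seed.exists()


if __name__ == "__main__":
    print(demo())
```

For a real push, call push_token with the path to PushToken.jar, your .sdtid file, the address or PIN of the handheld and the BES host, leaving run at its default so subprocess actually executes Java. If the push fails the seed stays on disk for a retry; once it succeeds the file is zeroed and removed, which is the part the manual procedure tends to forget.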

Archived Versions

Older versions of the RSA Soft Token for BlackBerry app and server utilities.

UPDATED Jan 29, 2009: Links to token app and utilities changed from version 3.0.0 to version 3.0.1.

UPDATED Mar 06, 2009: Links to token app and utilities changed from version 3.0.1 to version 3.0.2, added Archived Versions, OTA installation links.

CLEARly Disappointed

Since I had plenty of time (>1 hour) before my flight to Vegas this afternoon I decided to try out my new CLEAR card. There were probably 30 people in the normal security line, no one in the premier lane and two people in the CLEAR lane.

Here's how it went down:

  1. Wait while the CLEAR attendant deals with an angry customer in front of me who has a broken card.
    Time: 3 minutes
  2. Listen while the angry customer curses and whines about how she should have used her Northwest Platinum status. She loudly says "Northwest Platinum" 11 times during her rant in case anyone within 20 feet has any doubt that she's a really obnoxious bitch.
    Time: 2 minutes
  3. Present my ID, boarding pass and CLEAR card to the attendant, who looks at them and hands them back to me, and then tells me how she just watched 21 and it was great, and hey, am I going to gamble?
    Time: 2 minutes
  4. Insert my CLEAR pass into one of only two kiosks, scan my fingerprint.
    Time: 30 seconds
  5. The attendant asks for my boarding pass and ID back and hands them to a screener. The screener asks me if I'm going to Vegas to gamble.
    Time: 45 seconds
  6. The second CLEAR attendant (leaving only one attendant for two kiosks) walks me to a table to load my carry-on items into a bin. She picks them up and walks me over to the security lines.
    Time: 1 minute
  7. We both stand there awkwardly while she looks for someone who looks like they've had a lifetime of abuse and torment.
    Time: 2 minutes
  8. She steps in front of a doleful looking fellow and informs him that a Registered Traveler will be stepping in front of him.
    Time: 30 seconds
  9. I apologize to him, explain how this was just an experiment. We talk about CLEAR, it comes up I'm flying to Vegas, the passenger behind him asks me if I'm going to gamble.
    Time: 1 minute
  10. At this point it's the normal wait where I go through the metal detector and wait for my bags. Another TSA attendant starts talking to me, asks me where I'm flying to, asks if I've seen the movie 21 and suggests I gamble like the math geniuses and then give him a couple thousand dollars.

Total time: About 12 minutes, 45 seconds. Questioned three times about gambling, twice about seeing 21.

Verdict

Total waste as long as I have status. Typically it's less than 10 minutes from the moment I enter the airport until I arrive at my gate. And while the CLEAR attendant who chatted me up was friendly, I really didn't want to talk. While I'm traveling and between destinations I don't want pleasantries, I want pure cold efficiency. In other words, I'm happy to talk while I wait, but I don't want to wait while I talk.

Two kiosks is also not enough, nor is two attendants. Also if you're going to have a dedicated line it should include a dedicated metal detector so I don't have to apologize for cutting in front of someone – Steve was also uncomfortable with this as I suspect most everyone would be (except the charming lady with Northwest Platinum status).

And the next person to ask me if I'm going to Vegas to gamble is going to get kicked in the knee.


© 2007-2010, Corey Gilmore | Posts RSS Feed | Comments RSS Feed | Contact

 

The views expressed on these pages are mine alone and not those of any past or present employer. All information presented on this site was obtained lawfully and not through disclosure under the terms of an NDA.