[RADIATOR] DigiPass Static PIN Reset for Go-7?

Linuxchuck linuxchuck at n-force.com
Wed Apr 27 08:25:55 CDT 2011


On 04/05/2011 03:44 PM, Heikki Vatiainen wrote:
> On 04/04/2011 07:44 PM, Linuxchuck wrote:
> 
>> Time for a DigiPass token question.  I have a box of 125 brand-new
>> DigiPass Go-7 tokens that I have imported into our production
>> Radiator server, and they work just fine.  My question is:  Is the
>> static password change procedure as outlined in the documentation
>> applicable to Go-7 tokens?  The doc states "Go-1 and Go-3 tokens
>> (among others) also support the ability to change your PIN.".  Would
>> the Go-7 be one of those that are "among others"?
> 
> We do not have any Go-7 cards here, but we expect consistent behaviour
> with other tokens. However, support of PINs is dependent on that option
> being enabled in the card's import record (i.e. by Vasco), and the PIN
> options that might be configured there.
> 
> You should check the import records for these tokens.
> 
>> If so, I seem to have run into a snag trying the process.  The trace
>> 4 log shows an error of "DEBUG: Radius::AuthSQLDIGIPASS REJECT:
>> Digipass Authentication failed: Response Too Long" when I attempt a
>> PIN reset based on the documentation.
> 
> Please let us and the list know if you get PIN change to work.
> 
> Thanks!
> 
No success on PIN changes with this series of token.  I have 2 different EXPORT.DPX files I can choose from: one without PINs, and one with pre-defined PINs.  Regardless of which of the two files I import into our system, I get the same result as listed above when attempting to use the PIN change procedure.  It's a shame; we have 125 of these tokens, and I'd love to be able to use them, but our policies require that the PINs must be reset when the tokens are re-issued.  I suppose I can mark the tokens for single-issue only, and ensure they aren't re-issued after.


If there is a way to decode the options in the DPX files to determine which entry defines the ability to change PINs, I'll check my files to see if it exists.

Fortunately, we primarily use eToken NG-OTP 64k, eToken PASS, and a couple of software-based OTP tokens on mobile phones.  Those are all plenty flexible for our needs.  That reminds me of another question, but I'll start another post for it.

Thanks!

