*** nowen (~nowen@adsl-66-165-228.asm.bellsouth.net) has joined #wikid | 14:49 | |
*** ken5m1th (~ken5m1th@c-24-61-209-87.hsd1.ma.comcast.net) has joined #wikid | 17:12 | |
ken5m1th | hey hey hey | 17:12 |
nowen | howdy howdy | 17:12 |
ken5m1th | how's Mr. Owen today? | 17:13 |
nowen | pretty good. looking forward to the weekend, despite being the solo parent | 17:13 |
nowen | how about you? | 17:13 |
ken5m1th | Hoping the rain stops, busy weekend ahead. not as busy as hackid was tho | 17:14 |
nowen | I wish we would get some rain | 17:14 |
nowen | hackid sounded pretty awesome | 17:14 |
ken5m1th | It was full of awesome | 17:14 |
nowen | might have to see about doing one here | 17:15 |
ken5m1th | my kids all (4 of them) want to volunteer for the next one, wherever it might be. | 17:15 |
ken5m1th | My wife even really enjoyed it | 17:16 |
ken5m1th | I have a few wikid questions | 17:16 |
nowen | ok | 17:17 |
ken5m1th | About the types of VPN devices it supports. Work with Sonicwall firewall/vpn? | 17:17 |
nowen | certainly! via RADIUS | 17:18 |
ken5m1th | I have a scenario that includes multiple entry points into the network and each has a different VPN. | 17:18 |
nowen | also, on our PC token you can do mutual https auth | 17:18 |
nowen | hmm | 17:18 |
nowen | no problem | 17:18 |
nowen | I think | 17:19 |
ken5m1th | Ok, so if it's something like an Internet facing web site we can | 17:19 |
nowen | are you using AD? | 17:19 |
ken5m1th | have the token presented to the web site as auth | 17:19 |
ken5m1th | using AD, but here is another rub. Each of these entry points has its own AD domain | 17:19 |
ken5m1th | But I think they can all talk to each other via MPLS | 17:20 |
ken5m1th | the VPN devices that is | 17:20 |
nowen | hmm. you should check into the MS radius server IAS/NPS and see if that can help | 17:20 |
nowen | if you run the auth through IAS and AD, then disabling a user in AD removes their remote access capabilities too | 17:21 |
ken5m1th | Maybe we could setup one of these that would act as a "sort of" proxy to all the other AD domains? | 17:21 |
nowen | that's what I'm wondering | 17:21 |
nowen | I would have to think that MS has seen this a good bit | 17:22 |
nowen | you might need the latest, which is NPS on 2008, though | 17:22 |
nowen | or, in the worse case, you just set up IAS on each domain server | 17:22 |
nowen | not too bad, really | 17:22 |
nowen | unless you have A LOT of domain servers | 17:23 |
ken5m1th | Network Policy Server, I see. | 17:23 |
nowen | yeah | 17:23 |
nowen | i wrote a tutorial for it | 17:23 |
nowen | http://www.networkworld.com/news/2010/050710-two-factor-authentication-through-windows-server.html?hpg1=bn | 17:24 |
nowen | for Bill Brenner :) | 17:24 |
nowen | here's what I mean by mutual https auth: http://www.wikidsystems.com/WiKIDBlog/preventing-mitm-attacks | 17:25 |
nowen | the token checks the ssl cert for the user | 17:25 |
ken5m1th | I think I am going to try and install wikid on a linux box here at the home lab | 17:29 |
nowen | go for it. the iso is centos 5, btw. | 17:30 |
ken5m1th | I played with the VM, but the only way for me to test it out well is having it live. It's an existing box, I can install the packages right? | 17:30 |
nowen | yes, rpms | 17:31 |
ken5m1th | let me see what my dist is based on | 17:31 |
ken5m1th | it's CentOS | 17:34 |
ken5m1th | should be easy | 17:34 |
nowen | yep | 17:34 |
ken5m1th | take many resources if it's just handling auth for a few users? | 17:34 |
nowen | not at all | 17:35 |
ken5m1th | Maybe OpenVPN to start | 17:35 |
nowen | it does use port 80 and 443 | 17:35 |
nowen | so if you are running apache, you will need some re-write rules | 17:35 |
nowen | http://www.wikidsystems.com/support/wikid-support-center/installation-how-tos/how-to-install-the-wikid-enterprise-rpms | 17:35 |
ken5m1th | let me see if my host runs anything on 80/443 now | 17:36 |
nowen | 80 is for the tokens and goes to /wikid/ 443 is for the WiKIDAdmin and it goes to /WiKIDAdmin | 17:36 |
ken5m1th | and both need to be externally accessible right? | 17:37 |
nowen | depends on if you want access to WiKIDAdmin outside the firewall | 17:37 |
ken5m1th | Prob not | 17:37 |
ken5m1th | just be able to auth to OpenVPN and SSH from outside | 17:38 |
nowen | yeah. so, pam_radius | 17:38 |
nowen | you'll have to compile it from source, but it's easy | 17:38 |
nowen | or I can send you the .so for centos5 | 17:39 |
ken5m1th | I'll do that. I have to go get ready for a conf call. Do I need a link for the RPMs from you or are they available right on the site? | 17:52 |
nowen | on the site | 17:53 |
nowen | don't worry about getting spam | 17:53 |
ken5m1th | ok, thanks. Have a great afternoon! | 17:53 |
nowen | if I send you spam you can out me on twitter ;) | 17:53 |
nowen | you too. later! | 17:53 |
*** ken5m1th has parted #wikid (None) | 17:53 | |
*** nowen has parted #wikid (None) | 20:39 |