*** ldralves (~support@201.29.199.180) has joined #wikid | 01:13 | |
*** husaragi (456ab9e0@gateway/web/freenode/ip.69.106.185.224) has joined #wikid | 01:31 | |
husaragi | anyone home? | 01:31 |
ldralves | ye | 01:33 |
ldralves | yes | 01:33 |
husaragi | coolies. quick question | 01:34 |
husaragi | i want to OpenVPN through my pfSense firewall and authenticate against my AD server inside...can i do that with wikid? | 01:34 |
husaragi | i know i can get the openvpn part all set up no prob | 01:35 |
husaragi | but i want my AD users to be authenticated to the internal AD server so they can have access without having to put in their AD username and password after authenticating to wikid | 01:35 |
husaragi | ill be honest. i havent read a word of documentation yet | 01:36 |
ldralves | i think that it's possible in paid version, because you will need radius module | 01:39 |
husaragi | ahh ok so i cant do radius with the free one? | 01:40 |
husaragi | looks like radius is available in the community version also, but with the enterprise one you get the built in java radius server | 01:42 |
husaragi | i am guessing i can set this up and get it to work even with the community edition. | 01:42 |
husaragi | thanks | 01:42 |
*** ldralves has parted #wikid ("Ex-Chat") | 01:47 | |
*** husaragi has quit (Quit: Page closed) | 02:19 | |
*** husaragi (45ec8930@gateway/web/freenode/ip.69.236.137.48) has joined #wikid | 02:55 | |
*** husaragi has quit (Quit: Page closed) | 03:10 | |
*** manonst (4a697126@gateway/web/freenode/ip.74.105.113.38) has joined #wikid | 05:24 | |
*** manonst has quit (Quit: Page closed) | 05:30 | |
*** husaragi (0cbdd50a@gateway/web/freenode/ip.12.189.213.10) has joined #wikid | 15:13 | |
husaragi | hey guys | 16:10 |
husaragi | i am trying to install from a USB key i made using the pendrivelinux installer | 16:10 |
husaragi | when it gets to the part where it wants the image file...it says it cant find it on the disk | 16:11 |
husaragi | what folder should i be looking in for the image file at that point? | 16:11 |
*** nowen (~nowen@adsl-176-210-205.asm.bellsouth.net) has joined #wikid | 16:26 | |
husaragi | morning nowen | 16:27 |
husaragi | are my questions visible to you right now? or was the buffer cleared when you logged in | 16:28 |
nowen | morning | 16:28 |
nowen | buffer cleared, I'm afraid | 16:28 |
husaragi | np. here it is again | 16:28 |
husaragi | i made a USB installer from the pendrivelinux USB stick creator | 16:28 |
husaragi | the installer starts but when it gets to the part where it wants the CD images....it says it cant find them on any of the disks in the system | 16:29 |
husaragi | what folder should i be looking in for the image file? | 16:29 |
nowen | is this a usb installer for the server? | 16:29 |
husaragi | I downloaded the .iso CentOS installer and created a USB stick installer from it | 16:30 |
husaragi | so it should basically be just the contents of that CDROM installer but on a USB key | 16:30 |
nowen | ok | 16:30 |
husaragi | the device in the system is /SDA1 but if i point at just that location the installer says it cant find any images on that disk | 16:31 |
husaragi | 15 min meeting. back in a few | 16:32 |
husaragi | back | 16:47 |
husaragi | got anything for me? can i point that installer at a specific folder? | 16:47 |
husaragi | all i have to do is tell it local CD rom and it finds everything correctly if i am actually using a cdrom | 16:47 |
husaragi | im curious why it is unable to find the images on the HD | 16:47 |
nowen | ok - why aren't you doing that? | 16:47 |
nowen | why are you using a usb? | 16:48 |
husaragi | there is NO CDROM available on the server where i am doing the production install | 16:48 |
nowen | ok | 16:48 |
husaragi | i think it might work if i just give it the correct folder | 16:49 |
husaragi | but i dont know which folder it is wanting to look in | 16:49 |
husaragi | or more specifically which image file it wants | 16:49 |
husaragi | if you can just tell me that i can point it at the right file and see if it works | 16:49 |
husaragi | if it doesnt work i will open the box and temporarily connect a CDROM. | 16:49 |
nowen | i'm not really sure. I assume boot.iso | 16:50 |
husaragi | oh...are you not a WiKID team member? i thought i was talking to a dev lol | 16:51 |
nowen | I am a team member, but I don't know the answer to that | 16:51 |
nowen | I'm sorry - I meant mages/diskboot.img | 17:24 |
nowen | this might help: http://wiki.centos.org/HowTos/InstallFromUSBkey | 17:25 |
*** mwpeterson (~mwpeterso@99-14-173-232.lightspeed.ftwotx.sbcglobal.net) has joined #wikid | 20:08 | |
mwpeterson | is there a "bulk add" tool for loading and configuring a passel of network clients? | 20:09 |
nowen | not at this time | 20:09 |
mwpeterson | patches welcome, I assume :) | 20:09 |
nowen | indeed! | 20:09 |
mwpeterson | from looking at the schema, it appears it could be done with postgresql updates | 20:11 |
nowen | certainly | 20:11 |
nowen | what | 20:11 |
nowen | is your fav language? | 20:11 |
mwpeterson | any guidance on that laying around in /opt/WiKID some place? | 20:11 |
mwpeterson | perl. what else is there? | 20:11 |
nowen | hehe | 20:11 |
nowen | these all radius? | 20:13 |
mwpeterson | yep. | 20:13 |
mwpeterson | we have the main bastion server that is the chokepoint, but we configure the rest of our servers to allow wikid in case the LDAP server rolls its white belly to the sky | 20:14 |
mwpeterson | being able to sudo with a token has saved my bacon a couple of times | 20:15 |
nowen | should be pretty basic for radius. just a sql insert | 20:15 |
nowen | or two | 20:15 |
mwpeterson | main data goes in full_network_client | 20:17 |
mwpeterson | and the host_nc_map needs updating | 20:17 |
nowen | yeah | 20:17 |
mwpeterson | anything else? | 20:18 |
mwpeterson | other than a wikid restart | 20:18 |
nowen | I'm double checking | 20:19 |
mwpeterson | rockstar! | 20:19 |
nowen | well- I'm double checking with the rockstar ;) | 20:19 |
mwpeterson | ah. you're just the API. | 20:20 |
nowen | haha | 20:20 |
nowen | if that | 20:20 |
nowen | also, too lazy to check the code myself | 20:20 |
mwpeterson | ideally, I can get this into something puppet can drive, and then new servers "just work" | 20:20 |
nowen | ooh,. that's cool | 20:21 |
mwpeterson | <aside>I highly recommend puppet if you have more than two servers to manage</aside> | 20:22 |
nowen | nc_return_attrib for any radius attributes.. | 20:24 |
nowen | i want to play with puppet at some point | 20:24 |
nowen | just no time | 20:24 |
mwpeterson | 0 rows in that now, and I don't see that changing in the future. | 20:25 |
mwpeterson | but good to know. | 20:25 |
nowen | The insert should technically go into network_client. The triggers in the DB will auto update full_network_client. Probably won't matter but that's how WiKIDAdmin does it. | 20:27 |
husaragi | you guys know of anyone who has tried to run this under FreeBSD? | 20:27 |
nowen | mmm, it's come up from time to time, but I don't know for sure | 20:28 |
mwpeterson | network_client... | 20:28 |
husaragi | is there a tarball available? | 20:28 |
husaragi | that could be compiled on freebsd? | 20:28 |
nowen | husaragi: wikid uses java and tomcat | 20:29 |
mwpeterson | ah. forgot to look at views. | 20:29 |
husaragi | oh its all java? | 20:29 |
husaragi | cool | 20:29 |
husaragi | so it should run under anything then | 20:29 |
husaragi | that supports those packages | 20:29 |
nowen | should, yes | 20:29 |
husaragi | and bsd does so | 20:29 |
nowen | husaragi: documentation accepted! | 20:29 |
husaragi | hahaha! i didnt say i was gonna *try* it....but i might at some point | 20:30 |
husaragi | i run most of my network monitors and security stuff on BSD | 20:30 |
husaragi | so i wanted to see if i could get this running too | 20:30 |
husaragi | oh btw that diskboot.img or bootdisk.img was not the correct file. the installer bailed out on me when i tried to tell it that was the image file | 20:33 |
mwpeterson | doing networking and security on BSD and not using OpenBSD? | 20:33 |
mwpeterson | for shame. | 20:34 |
husaragi | well the pfsense firewall was built on freebsd but my zabbix and nessus boxes also my snort reporters are all openbsd | 20:34 |
husaragi | just going to connect a USB cdrom and see if it will install from that | 20:35 |
husaragi | the usb key is not working for whatever reason. the file structure looks identical to the file structure on the install CD but no dice when you actually run the installer from the usb key | 20:36 |
nowen | mwpeterson: http://pastebin.com/H6f0KyMS | 20:40 |
mwpeterson | so insert/update/delete through the network_client view so delete can be a flag, rather than an action | 20:52 |
nowen | basically | 20:52 |
mwpeterson | and maintain the host_nc_map | 20:53 |
mwpeterson | since I don't see that being touched by that view. | 20:53 |
nowen | yes | 20:53 |
mwpeterson | that y'all used views was probably the key detail I was missing. | 20:53 |
*** mwpeterson has parted #wikid (None) | 21:37 | |
*** mwpeterson (~mwpeterso@99-14-173-232.lightspeed.ftwotx.sbcglobal.net) has joined #wikid | 21:52 | |
mwpeterson | do the token clients need 443 access, or just 80 | 21:52 |
SEJeff_work | mwpeterson, I believe they do diffie hellman key exchange over 80 | 21:58 |
SEJeff_work | No point to encrypt twice | 21:58 |
nowen | mwpeterson: just 80 | 21:58 |
mwpeterson | good. that might make my LB config simpler. | 22:04 |
husaragi | so is there updated readme on the CD or something? im reading the install instructions you have posted online... | 22:10 |
husaragi | says i just need to install from the .iso and configure networking | 22:10 |
husaragi | by running wikidctl setup | 22:10 |
husaragi | but when i try to run wikidctl its not found | 22:10 |
nowen | it's in /opt/WiKID/bin | 22:10 |
husaragi | there nothing in opt whatsoever | 22:11 |
nowen | there are a couple of scripts | 22:11 |
husaragi | cd /opt | 22:11 |
husaragi | ls -a | 22:11 |
nowen | then it didn't install | 22:11 |
husaragi | . | 22:11 |
husaragi | .. | 22:11 |
husaragi | wonderful | 22:11 |
husaragi | brb | 22:11 |
husaragi | so i put the .iso burned CD into the machine and boot. run the installer and it completes.... | 22:13 |
husaragi | but theres nothing in /opt.... | 22:14 |
husaragi | what did i do wrong? | 22:14 |
nowen | if you do an 'rpm -qa | grep wikid' | 22:14 |
nowen | does it show anything? | 22:14 |
husaragi | server is in the other room. no IP kvm. back in a min | 22:15 |
nowen | no ssh? | 22:15 |
husaragi | returns blank | 22:16 |
husaragi | oh i didnt even think to try ssh. i didnt tell it to specifically start that service but maybe its default in that installer | 22:17 |
nowen | how big is your iso? | 22:17 |
nowen | did you check the md5 sum? | 22:17 |
husaragi | 675mb | 22:17 |
husaragi | no i did not check the hash | 22:18 |
husaragi | i trusted your download server was not compromised. my bad i guess | 22:18 |
nowen | I don't think it is | 22:18 |
* SEJeff_work watches with popcorn | 22:18 | |
nowen | i show the iso as 661M | 22:18 |
husaragi | well thats probably right. im looking at a byte count | 22:19 |
husaragi | 675,000 | 22:19 |
SEJeff_work | du -h perhaps | 22:19 |
husaragi | it reads as 660mb | 22:19 |
nowen | did you type 'install' at the install screen? | 22:20 |
husaragi | unless i typo'd it as instal or something | 22:20 |
husaragi | i did it without typing anything once too | 22:20 |
husaragi | thinking it may default to 'install' | 22:21 |
nowen | it doesn't because someone once complained about that | 22:22 |
husaragi | going to check the hash. if its good i will try the install on a different box. if its bad i will redownload | 22:22 |
nowen | eaaa3a969ec5b76a049f030fb529e5ec | 22:22 |
husaragi | thanks | 22:22 |
husaragi | match. i will re-run the install and verify that i type 'install' correctly | 22:22 |
husaragi | it IS possible i fatfingered it | 22:22 |
nowen | seems odd | 22:23 |
husaragi | afk | 22:23 |
husaragi | i suspect it was due to attempting the install from the USB stick i created from the .iso | 22:29 |
husaragi | something is a little off with that, so it doesn't seem to work right. like when it could not find the image file it needed for install | 22:30 |
nowen | hmm | 22:30 |
husaragi | i booted from the CD and the installation is proceeding differently this time | 22:30 |
husaragi | just FYI when i created the USB stick from the .iso | 22:31 |
husaragi | i originally tried to tell the USB stick creator program that it was a CentOS .iso image | 22:31 |
nowen | it mostly is | 22:31 |
husaragi | but the USB stick maker did not recognize your .iso as CentOS | 22:31 |
husaragi | so i had to tell it to "use some other distro" | 22:31 |
husaragi | i suspect it was not able to do it correctly | 22:31 |
husaragi | and subsequently my installation attempt failed | 22:32 |
*** CMatthews (d8ed3803@gateway/web/freenode/ip.216.237.56.3) has joined #wikid | 22:39 | |
husaragi | yeah there were definitely issues with the USB thing. it was trying to load ks-install.sh from CDROM: still. even though i had created the USB key | 22:39 |
CMatthews | So... I'm completely new to the wikid product / two factor auth concepts and have a couple questions about how it will work for my environment. Okay to ask here, right place to inquire? | 22:40 |
nowen | please do | 22:40 |
CMatthews | First of all this is required for us for PCI DSS compliance... I'm sure thats not the first time you heard that... | 22:41 |
CMatthews | We are a restaurant chain. | 22:41 |
nowen | haha, no | 22:41 |
CMatthews | We have checkpoint firewalls at all of our sites. | 22:41 |
nowen | ok | 22:42 |
CMatthews | We are primarily a microsoft shop.. but I don't care what types of servers I run. | 22:42 |
CMatthews | So say I download the VM or ISO and get it operational. | 22:42 |
CMatthews | Radius server up and running. | 22:42 |
nowen | yeah - are you using vm esx? if so, I recommend getting the iso | 22:42 |
CMatthews | yeah ESX 4.x | 22:43 |
CMatthews | kk will do ISO route | 22:43 |
nowen | we just build the vmware with the free server version. | 22:43 |
nowen | do your checkpoints talk radius to AD or ldap now? | 22:43 |
CMatthews | AD now. | 22:43 |
CMatthews | So how will I limit user connectivity to our restaurant networks without two factor auth.. We have an internal helpdesk and a small IT staff. | 22:44 |
CMatthews | We use pcanywhere, vnc, direct unc connections, etc etc... | 22:44 |
CMatthews | all of this I want to lock without the two factor. | 22:44 |
nowen | ok - so the checkpoints all talk back to AD? centrally? | 22:44 |
CMatthews | Yes | 22:44 |
nowen | does it all go through the vpns? | 22:45 |
nowen | I mean, you can lock your vpn down with 2FA and then let all the other stuff go on top of that | 22:46 |
CMatthews | one second I'm catching up another IT guy with this conversation so I can ensure I'm providing the right details. | 22:47 |
nowen | ok - just note that i have to go soon, I have a commitment | 22:49 |
nowen | at a bar with a friend ;) | 22:49 |
CMatthews | yes through the VPN | 22:50 |
nowen | ok, so the best way to set this up, IMO, is to have the checkpoints talk radius to the AD radius plugin IAS (now nps) | 22:50 |
CMatthews | ok | 22:50 |
nowen | IAS will proxy the users to the WIKID server | 22:50 |
nowen | ias is a free add on | 22:51 |
nowen | http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-configure-ias-to-support-two-factor-authentication/?searchterm=ias | 22:51 |
CMatthews | yeah ty | 22:51 |
nowen | the big benefit is that a user can be controlled in AD alone. | 22:51 |
nowen | just remove them from the group and no more access | 22:51 |
nowen | also, you can set it to only proxy certain people, so testing is easy | 22:51 |
CMatthews | good nice | 22:52 |
husaragi | nowen, can i have AD users and locally authenticated users on the same wikid box? | 22:52 |
nowen | yes | 22:52 |
nowen | but | 22:52 |
husaragi | i have a staff at this location with AD accounts. but staff in china i want to VPN in but they dont have AD accounts | 22:52 |
nowen | that should work. one network client is the IAS server, the other is your VPN | 22:53 |
nowen | you might have to have two domains | 22:53 |
husaragi | thats fine. | 22:53 |
husaragi | thanks | 22:53 |
nowen | CMatthews: see the install doc sections here: http://www.wikidsystems.com/support/wikid-support-center | 22:53 |
CMatthews | Okay so what is it that the user is entering the second factor id code into that grants them access to a client, is this through the wikid server webpage? | 22:54 |
nowen | some are short and pictureless some are long and picture full | 22:54 |
nowen | the users get a software token. the two-factors are possession of the (private key embedded in the) software token and knowledge of the PIN | 22:54 |
nowen | the software tokens get an OTP from the WiKID server | 22:55 |
husaragi | I have confirmed that it was the USB creator that fubar'd the installer | 22:55 |
CMatthews | okay like the iphone or blackberry client will give the code, where do the users put the code in order to get auth? | 22:55 |
CMatthews | and | 22:55 |
CMatthews | And the licensing, we have about 20ish users who will be able to access the 400ish clients, so this is the 25 user client pack / 1 seat 1 domain, licensing plan? | 22:56 |
husaragi | it failed to change all the references to CDROM: and left the installer in a broken state. just FYI | 22:56 |
nowen | into the vpn's password box | 22:56 |
nowen | husaragi: I don't see us ever creating a usb version, though it's possible if we can automate it | 22:56 |
nowen | and have time to set it up | 22:56 |
nowen | CMatthews: yes that works | 22:57 |
husaragi | oh i wasnt asking you to. just letting you know for future reference if others try to do it | 22:57 |
nowen | there is no limit to the domains | 22:57 |
nowen | husaragi: oh, i know. i was thinking that if we start getting a lot of requests, we would | 22:57 |
husaragi | if i get time I will figure out why the creator couldn't tell what distro the .iso was and fix it | 22:57 |
husaragi | if i get a good USB stick image i will send it to you | 22:57 |
nowen | that would be good | 22:57 |
nowen | you know, the problem is maintenance - what do we do for the next release | 22:58 |
nowen | you could also create a centos usb drive, boot it and then install wikid | 22:58 |
husaragi | copy the scripts i change into that new release? | 22:58 |
nowen | just download the rpms and install | 22:59 |
husaragi | my issue is that i have a lot of pizza boxes without CDROMS | 22:59 |
husaragi | the USB CDROM works fine, but its more convenient to carry a 1 inch USB stick than a usb CDROM drive | 23:00 |
nowen | oh sure | 23:00 |
SEJeff_work | It is more convenient to use scp and ssh :) | 23:00 |
husaragi | also true =) | 23:00 |
nowen | what about puppet? | 23:00 |
CMatthews | nowen, thanks for your input. I'll start down this path of destruction and come back after I | 23:00 |
CMatthews | get stuck. | 23:00 |
nowen | ok - I'm usually here eastern hours | 23:00 |
husaragi | im sort of in between that wonderful world of beginnerism and intermediary skill levels with linux | 23:01 |
husaragi | so some of this stuff i just havent discovered yet or know how to do very well | 23:01 |
nowen | husaragi: yeah - I haven't played with puppet yet, but it seems like it might be worthwhile for you to dig in to | 23:01 |
husaragi | will check it out tonight | 23:01 |
nowen | ok - I gotta check out. later people | 23:02 |
SEJeff_work | later | 23:02 |
husaragi | later man. have a shot for me ;) | 23:02 |
nowen | will do | 23:02 |
*** nowen has quit (Quit: Leaving.) | 23:02 | |
*** CMatthews has quit (Quit: Page closed) | 23:07 | |
husaragi | hrm whats the default login for a fresh wikid install from the .iso? | 23:10 |
husaragi | found it | 23:13 |
husaragi | hrm. or not | 23:15 |
husaragi | anyone know? | 23:19 |
husaragi | machine rebooted after install and i see a login prompt but i cant find anywhere that says what the default login should be | 23:19 |
*** SEJeff_work has parted #wikid ("Leaving") | 23:19 | |
*** husaragi has quit (Quit: Page closed) | 23:26 |