*** nowen (~nowen@adsl-176-210-205.asm.bellsouth.net) has joined #wikid | 13:57 | |
*** cmatthews_ (d8ed3803@gateway/web/freenode/ip.216.237.56.3) has joined #wikid | 15:15 | |
cmatthews_ | Nick, trying to apply the information here http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-configure-ias-to-support-two-factor-authentication/?searchterm=ias to a win2008 NPS server... You think I can run questions by you as I'm trying to configure this? | 15:16 |
cmatthews_ | The configuration process seems quite different. | 15:16 |
nowen | hold on. I have one for nps | 15:18 |
cmatthews_ | nice | 15:18 |
nowen | http://www.networkworld.com/news/2010/050710-two-factor-authentication-through-windows-server.html | 15:19 |
nowen | I need to put it on the site | 15:19 |
cmatthews_ | Should still work with the checkpoint clients, nps, radius, wikid.. etc.. I mean using win2008 nps.. | 15:20 |
cmatthews_ | That was somehow a question hope you get my meaning.... | 15:20 |
nowen | yes, because it should all be radius | 15:20 |
cmatthews_ | The ip address of your remote access server (RAS, VPN, etc) and create a shared secret. You will enter the same shared secret on the WiKID server. | 15:23 |
cmatthews_ | Is this the wikid server? | 15:24 |
nowen | is this on nps? | 15:24 |
cmatthews_ | Yeah first step in the client radius setup. | 15:25 |
nowen | it should go: vpn ---> nps/ad --> wikid | 15:25 |
nowen | so the vpn gets the ip of nps, the wikid server gets the ip of the nps too | 15:25 |
nowen | i need to upload mine. it has pictures ;) | 15:26 |
cmatthews_ | So in NPS the radius client configuration IP address, that is the wikid servers IP, it seems. | 15:26 |
nowen | hmm | 15:27 |
nowen | I think the vpn is the client and wikid is the server | 15:27 |
nowen | "Next we add a new RADIUS Client - The SSH Gateway in this case." | 15:27 |
nowen | so that would be the vpn or whatever service | 15:27 |
nowen | "Add a new Radius Server - The WiKID Strong Authentication Server" | 15:28 |
cmatthews_ | We have 400 VPN's, would that mean we would need 400 defined radius clients? | 15:28 |
nowen | ugh. yes. | 15:28 |
cmatthews_ | ouchie... but whatever works. | 15:28 |
cmatthews_ | I'll start with 1... shall we... ahahah | 15:29 |
nowen | you know, someone is working on a script to mass add network clients to WiKID | 15:29 |
nowen | but it sounds like you need to add them to NPS | 15:29 |
cmatthews_ | yeah.. nps has an import/export I'll check it out after I get 1 working. | 15:29 |
nowen | nice | 15:39 |
cmatthews_ | Start by installing PAM Radius. ... This needed? Seems redundant. | 15:49 |
nowen | no - that tutorial is specifically for ssh. for vpns that is not needed | 15:50 |
cmatthews_ | figured | 15:55 |
*** drhex (~Admin@76.70.9.182) has joined #wikid | 16:04 | |
drhex | anyone here? | 16:05 |
nowen | yep | 16:05 |
drhex | hi Nick | 16:05 |
nowen | hmm? | 16:06 |
*** MRicketts (d8ed3803@gateway/web/freenode/ip.216.237.56.3) has joined #wikid | 16:06 | |
MRicketts | Nick, I'm setting up the "Network Client" for Check Point and I'm at the point where it is telling you to go to the Network Client Tab. This appears to be for older versions of Check Point. Is this now a User? | 16:08 |
MRicketts | BTW, I'm working with CMatthews on this. | 16:08 |
nowen | upi | 16:08 |
nowen | erp | 16:08 |
nowen | you're on the WiKIDAdmin ? | 16:09 |
MRicketts | In the Check Point interface. | 16:09 |
MRicketts | I created the Radius server and Radius auth service | 16:09 |
MRicketts | Do you offer a paid implementation service? | 16:10 |
nowen | MRicketts: not too often, but we have we don't do checkpoint | 16:11 |
nowen | so, we can't be too hands on. we prefer to help you work through it | 16:12 |
MRicketts | That's fine. Thanks. | 16:12 |
nowen | MRicketts: ok - so you are adding WiKID to the checkpoint? I thought that the checkpoint was going to talk to NPS? or is this just a test? | 16:12 |
MRicketts | That is correct. | 16:13 |
nowen | ok, so on the checkpoint what are the options to add a 3rd party radius server? | 16:14 |
MRicketts | All the steps in the link provided on your site were good up until "Next we add a specific network client for the Checkpoint firewall/vpn:" In the newer versions of Check Point, there is no Network Client tab. I'm wondering if this should be a user? | 16:16 |
nowen | aah - not that is on the WiKID server | 16:16 |
nowen | the checkpoint (or nps eventually) will be a network client on wiki | 16:17 |
nowen | d | 16:17 |
MRicketts | AH. I saw that part in the step above, but failed to relate that I shouldn't switch back to Check Point. My bad. Thanks. | 16:17 |
nowen | it's a bit nebulous | 16:18 |
MRicketts | And for clarity, I need a rule in the firewall that allows the client to talk to the NPS, correct? | 16:19 |
nowen | which client? | 16:19 |
MRicketts | Firewall client | 16:19 |
nowen | the VPN client? | 16:19 |
MRicketts | Yes | 16:20 |
MRicketts | VPN client | 16:20 |
nowen | no, the VPN client will still just talk to the vpn server/firewall. The only thing the nps is doing is authentication | 16:20 |
nowen | so, the username and OTP will come to the checkpoint and the checkpoint will proxy them to NPS, which will proxy them to WiKID | 16:21 |
nowen | those machines need to be able to talk radius over UDP 1812, but not the vpn client | 16:21 |
*** drhex has parted #wikid (None) | 16:48 | |
cmatthews_ | The checkpoint endpoint connect VPN client application... Do I set it up to perform authentication differently in order to process the token? | 16:53 |
cmatthews_ | SecurID - Software Token | 16:53 |
cmatthews_ | is an authentication method choice... | 16:53 |
nowen | no, that's proprietary to rsa | 16:53 |
nowen | all you want is radius | 16:54 |
nowen | however, the WiKID token does need to talk to the WiKID server over port 80 | 16:54 |
nowen | the WiKID ip address can be NAT'd | 16:54 |
cmatthews_ | What I'm at a loss for at the moment is how to configure the client application to accept the token. | 16:54 |
cmatthews_ | It has 6 authentication methods available right now | 16:55 |
cmatthews_ | but none of them are radius | 16:55 |
cmatthews_ | CAPI, P12, Pinpad, KeyFOb, Software Token, and Challenge Response. | 16:55 |
cmatthews_ | The method we currently use is Username and password... | 16:55 |
cmatthews_ | no token.. | 16:55 |
nowen | is this on the vpn client or on the checkpoint? | 16:56 |
cmatthews_ | the client application | 16:56 |
nowen | you will probably still use username and password | 16:56 |
cmatthews_ | got ya | 16:56 |
nowen | but instead of a static password, use the OTP | 16:56 |
cmatthews_ | The token | 16:57 |
cmatthews_ | ? | 16:57 |
nowen | the One-time passcode | 16:57 |
cmatthews_ | interesting... | 16:57 |
cmatthews_ | ok | 16:57 |
cmatthews_ | the pieces of this seem to fit together so loosely I will be amazed if it works ... really seems like I am missing something.. heh | 16:58 |
nowen | hehe | 16:58 |
nowen | no, it just works. | 16:58 |
cmatthews_ | I mean "works" based on what I have configured so far. | 16:58 |
nowen | well, it is a lot of moving pieces. | 16:58 |
nowen | and many of those pieces are both 'servers' and 'clients' ;) | 16:59 |
nowen | the NPS is a server to checkpoint and a client to WiKID. | 16:59 |
*** drhex (~Admin@76.70.9.182) has joined #wikid | 17:24 | |
cmatthews_ | Nick... I'm at a loss to explain what I don't know. What I mean is users use our VPN client application to connect to our corporate firewall. From there they go to other places they have access. | 17:35 |
nowen | maybe it would help to step through it. | 17:36 |
nowen | the user wants to login to the vpn | 17:36 |
nowen | they start their WiKID token and get an otp | 17:36 |
cmatthews_ | Yes that is all working. | 17:37 |
nowen | they enter the username and otp into the vpn client | 17:37 |
cmatthews_ | ok. | 17:37 |
cmatthews_ | that is where the failures begin. | 17:37 |
nowen | the checkpoint sees that the user is in a group that uses radius | 17:37 |
nowen | and proxies the auth request to the radius server (nps or wikid) | 17:37 |
nowen | if the otp and username are correct, the radius server responds with an ack to the checkpoint | 17:38 |
nowen | the checkpoint grants them access | 17:38 |
nowen | their session and perms are still managed by the checkpoint | 17:39 |
cmatthews_ | Okay I think I get it... something is missing in AD configuration that I didn't do. | 17:39 |
cmatthews_ | Association between NPS and an AD group. | 17:39 |
cmatthews_ | Also.... | 17:40 |
cmatthews_ | if the password becomes the OTP then how do I quantify that as 2 factor when we'll no longer use a password but instead just the OTP. | 17:40 |
nowen | the two factors are knowledge of the PIN and possession of (the private key embedded in) the token | 17:41 |
cmatthews_ | ok | 17:41 |
nowen | we've got lots of pci customers ;) | 17:41 |
cmatthews_ | yeah... | 17:41 |
nowen | the nps part is done in the Policy | 17:41 |
cmatthews_ | okay back to trying to figure out how the heck I get a AD user doing this. | 17:42 |
cmatthews_ | I mean I'm not sure what is making a login through the VPN software trigger a validation rule against the wikid server through NPS.. that seems to be my current blockade. | 17:42 |
nowen | you need to create a Network Policy | 17:42 |
cmatthews_ | I'll go review the implementation materials again and come back when I have a question that makes sense... hehe | 17:43 |
nowen | and look for the Conditions tab | 17:43 |
*** drhex has parted #wikid (None) | 17:57 | |
MRicketts | We're whiteboarding this with a few IT staff trying to wrap our heads around what we are changing/missing/maybe misunderstanding | 17:58 |
nowen | what is happening now? | 17:58 |
MRicketts | So right now everyone who connects to stores through our VPN does so through a central firewall here at our corporate office. | 17:58 |
nowen | ok | 17:58 |
MRicketts | Should we be thinking that users need to be added to all the 400 VPN's and then we start connecting directly to the store level checkpoints rather than our centralized one? | 17:59 |
MRicketts | and the store level checkpoints use the Firewall ---> NPS --> AD --> NPS server --> wikid --> | 18:00 |
nowen | Oh, I don't think so. | 18:00 |
MRicketts | yeah we can keep centralized right? | 18:00 |
nowen | I think so - that's more of a question for #checkpoint if there is such a thing | 18:00 |
nowen | can you just have the centralized server talk to NPS? | 18:02 |
MRicketts | *discussing | 18:03 |
MRicketts | okay we'll just mess with some configuration for a bit and see what we get working... seems to be a bit of a loss .. like we are just missing something bigger... | 18:08 |
MRicketts | back with more questions in a few... | 18:08 |
nowen | try this: | 18:08 |
nowen | can you set up the checkpoint to talk radius to NPS without WiKID? that is, auth users through radius using their AD creds? | 18:09 |
MRicketts | yes. and right now we are currently using checkpoint ---> LDAP interface. | 18:14 |
MRicketts | but yes checkpoint does support radius or LDAP | 18:15 |
MRicketts | without putting wikid in for the sake of confusion | 18:15 |
nowen | right - so does a switch to radius work? | 18:15 |
nowen | w/o wikid | 18:15 |
MRicketts | it should but this is where we are getting lost. | 18:18 |
MRicketts | we're not sure how the VPN client software connecting to our centralized firewall is .... | 18:18 |
MRicketts | x y z... we're lost here. | 18:18 |
nowen | do the requests to the centralized fw come in ldap? | 18:19 |
nowen | are the vpn clients connecting to the central server and then getting access to the 400 remote sites? | 18:20 |
MRicketts | yes | 18:20 |
nowen | ok | 18:20 |
MRicketts | and yes central FW using LDAP to talk to AD | 18:20 |
nowen | and did you test checkpoint > wikid directly yet? | 18:21 |
MRicketts | no | 18:21 |
MRicketts | not aware of how to get there | 18:22 |
nowen | can you point me to an online manual for your checkpoint? | 18:22 |
MRicketts | looking | 18:23 |
nowen | what are your support options from checkpoint? | 18:23 |
MRicketts | We have full support with CP. Try this link to the Getting Started Guide. | 18:27 |
MRicketts | http://dl3.checkpoint.com/paid/c5/CheckPoint_R60A_GettingStarted.pdf?HashKey=1289852803_8c862f46c1babfd308774545754955ec&xtn=.pdf | 18:27 |
nowen | anything better than that? | 18:30 |
nowen | that's only got Radius in it once ;) | 18:30 |
nowen | is there an administrators guide? | 18:31 |
cmatthews_ | he's being pulled another direction for a minute... We'll look and try to post something with more depth in a moment. | 18:33 |
*** cmatthews has quit (Quit: Page closed) | 18:36 | |
MRicketts | I think I may have what we are looking for. | 18:48 |
MRicketts | http://dl3.checkpoint.com/paid/c4/CheckPoint_R65_SecurePlatform_SecurePlatformPro_AdminGuide.pdf?HashKey=1289854070_adb0a86761d9e065e1d1cbd4581c85ff&xtn=.pdf | 18:48 |
nowen | Authentication Servers | 18:53 |
nowen | This page lists the configured RADIUS Authentication Servers and Authentication | 18:53 |
nowen | Server Groups. It also allows you to add a new RADIUS server and a new | 18:53 |
nowen | Authentication Server Group, or delete them. | 18:53 |
nowen | that sounds like where you are supposed to add a radius server | 18:53 |
*** manonst (406a83fe@gateway/web/freenode/ip.64.106.131.254) has joined #wikid | 19:08 | |
*** nowen has quit (Quit: Leaving.) | 22:59 | |
*** MRicketts has quit (Quit: Page closed) | 23:25 |