*** proprietarysucks has parted #wikid (None) | 02:08 | |
*** remix_auei (~remix_tj@2002:59a3:90c8::1) has joined #wikid | 05:15 | |
*** remix_tj has quit (Ping timeout: 272 seconds) | 05:16 | |
*** manonst has quit (*.net *.split) | 08:19 | |
*** cmatthews_ has quit (*.net *.split) | 08:19 | |
*** manonst (406a83fe@gateway/web/freenode/ip.64.106.131.254) has joined #wikid | 08:36 | |
*** cmatthews_ (d8ed3803@gateway/web/freenode/ip.216.237.56.3) has joined #wikid | 08:36 | |
*** remix_auei has quit (Quit: http://quassel-irc.org - Chat comfortably. Anywhere.) | 09:05 | |
*** remix_tj (~remix_tj@ip6.server.remixtj.net) has joined #wikid | 09:05 | |
*** nowen (~nowen@adsl-176-210-205.asm.bellsouth.net) has joined #wikid | 13:39 | |
*** nowen has quit (Quit: Leaving.) | 15:25 | |
*** nowen (~nowen@adsl-176-210-205.asm.bellsouth.net) has joined #wikid | 15:32 | |
cmatthews_ | Nick, so we have been at this for about 5 days straight now.. Maybe we're getting closer but ... | 16:00 |
nowen | are you getting stuck on the cisco > ias or ias > wikid? | 16:01 |
cmatthews_ | Anyhow .. Where we are at now is the checkpoint firewall is sending some sort of request to our NPS server and in theory that is forwarding a request to wikid but how can we tell if the request is hitting the wikid server. We are never seeing any users on wikid, is there a request log we can see? | 16:01 |
nowen | yes, | 16:02 |
cmatthews_ | Authentication times out on our VPN software atm.. We think maybe something about what params are being passed is not right. | 16:02 |
nowen | also, if the last request is for the OTP, you know that the radius request is not getting there | 16:02 |
cmatthews_ | I didn't see anything past "yes" about where the logs are. | 16:03 |
nowen | on Logs/Configure Loggers and set com.wikidsystems to debug and add com.wikidsystems.radius.log.DBSvrLogImpl and set it to debug as well. | 16:03 |
nowen | oh - I hit enter too soon | 16:03 |
nowen | the logs are on the WiKIDAdmin | 16:04 |
nowen | link on the top right | 16:04 |
cmatthews_ | oh I see | 16:04 |
nowen | set the log level at debug | 16:05 |
nowen | and hit filter | 16:05 |
cmatthews_ | Also just so this stops sticking out in my head, the tokens are global? not user specific right? | 16:07 |
cmatthews_ | otp are global I mean. | 16:07 |
nowen | not sure I understand | 16:07 |
cmatthews_ | well I use the request application without providing any form of user | 16:07 |
cmatthews_ | the otp request doesn't relate to user, or it appears it doesn't? | 16:08 |
nowen | once the token is registered, it is specific to that user | 16:08 |
nowen | if your token is not registered, the OTPs will not be validated | 16:08 |
cmatthews_ | hmmm | 16:09 |
cmatthews_ | man the amount of disconnects that don't seem to fit is always growing.. hehe | 16:09 |
cmatthews_ | So ... I run the wikid token client | 16:09 |
cmatthews_ | I put in the pass phrase | 16:10 |
cmatthews_ | I put in a pin number | 16:10 |
cmatthews_ | I get a otp? | 16:10 |
cmatthews_ | how is this related to user from that point? | 16:10 |
nowen | when you created the domain and double-entered the PIN, you got a registration code back from the server | 16:11 |
nowen | did you associate the code with a user on the server? | 16:11 |
cmatthews_ | Interesting I wondered what that code was for. | 16:11 |
nowen | ;) | 16:11 |
nowen | if you delete your domain on the token and recreate, you will see the registration code show up on the Manual Validate users page. | 16:11 |
cmatthews_ | trying now ty | 16:12 |
nowen | we also have scripts on the server to allow users to register themselves after logging in w/their AD creds | 16:12 |
cmatthews_ | you think user is just my domain user name or should I prefix or anything, like DOMAIN\Username | 16:14 |
nowen | just my domain user is my guess | 16:14 |
cmatthews_ | And the domain configuration in wikid, is that just arbitrary or should the wikid domain equal my AD domain name? | 16:14 |
cmatthews_ | I set it to mydomain.wikid right now. | 16:15 |
nowen | arbitrary - or really, just specific to wikid | 16:15 |
cmatthews_ | Not seeing anything that looks like NPS talking to wikid in the wikid logs.. My firewall says in its logs it is talking to NPS ... Seems my current disconnect is figuring out why nps and wikid don't appear to be talking. | 16:20 |
nowen | is the NPS a network client on WiKID? | 16:21 |
cmatthews_ | lol... no just the firewall.. I am seeing how that is dumb now. | 16:21 |
nowen | ;) | 16:21 |
nowen | and you need to run 'wikidctl restart' after you add it - it opens the fw and caches the radius info | 16:22 |
cmatthews_ | is return attribute important to NPS? | 16:23 |
nowen | NO | 16:23 |
nowen | I mean, no | 16:23 |
nowen | caps lock ;) | 16:24 |
nowen | if you're not using them already, then no | 16:24 |
cmatthews_ | I don't mind, yell at me as much as you like so long as I can get this frustration behind me and pay you for your product. | 16:24 |
cmatthews_ | hehe | 16:24 |
nowen | ;) | 16:24 |
nowen | just keep asking questions, more than happy to save you time and frustration | 16:31 |
cmatthews_ | Okay got the NPS server added as a client got my users registered with the same name from the domain. My nps condition is set to forward basically all requests at all times to wikid. Not seeing the request hit wikid. | 16:38 |
cmatthews_ | in the logs | 16:38 |
nowen | and you ran 'wikidctl restart'? | 16:38 |
cmatthews_ | yeah.. oh wait | 16:38 |
cmatthews_ | forgot to do that step to add com.wikidsystems.radius.log.DBSvrLogImpl | 16:38 |
cmatthews_ | sec | 16:38 |
cmatthews_ | WOW | 16:40 |
cmatthews_ | worked | 16:40 |
cmatthews_ | logged and worked | 16:40 |
cmatthews_ | WOOHOO! | 16:40 |
cmatthews_ | hehe | 16:40 |
nowen | been known to happen ;-) | 16:40 |
cmatthews_ | Interesting ... when I added the radius log entry I notice that the log stated that is when the system started listening on port 1812... | 16:50 |
nowen | is that not the default for nps? | 16:50 |
cmatthews_ | at least that log message was generated at the moment I added the log entry. | 16:50 |
cmatthews_ | that is all correct I just mean wikid seemed to start listening at the time I added the log entry | 16:50 |
cmatthews_ | my coworker had tried 1-2 minutes before I added the log entry and he was unable | 16:51 |
cmatthews_ | then when we added the log entry you suggested a listening message appeared | 16:51 |
cmatthews_ | and success after that | 16:51 |
nowen | hmm | 16:51 |
cmatthews_ | maybe just us.. but I thought I should share | 16:51 |
nowen | have you enabled any other protocols? besides radius and wauth? | 16:52 |
cmatthews_ | nope | 16:52 |
cmatthews_ | 2010-11-17 08:38:09.473 INFO com.wikidsystems.radius.log.DBSvrLogImpl RADIUS Receiver Started: listening on port 1812 | 16:53 |
cmatthews_ | that message right when I added it as you suggested. | 16:53 |
nowen | hm | 16:53 |
nowen | it might be that there is a delay in radius starting that coincided with your log entry | 16:56 |
cmatthews_ | So any ideas on this one... | 17:01 |
cmatthews_ | Me and a coworker both are users on the wikid server. | 17:01 |
nowen | and he's still not authenticating? | 17:01 |
cmatthews_ | We both see on the wikid server when we try to connect VPN that wikid says good | 17:01 |
cmatthews_ | but only I am able to connect | 17:01 |
cmatthews_ | he times out | 17:01 |
nowen | what do the WiKIDAdmin logs say? | 17:01 |
cmatthews_ | we were using different version of the VPN software | 17:01 |
nowen | brb - phone call | 17:02 |
cmatthews_ | but then we tried both from mine | 17:02 |
cmatthews_ | kk | 17:02 |
nowen | ok - back - srry | 17:24 |
nowen | ok - 2 vpn clients, but only one works? | 17:24 |
cmatthews_ | 3 now and 1 worked | 17:28 |
cmatthews_ | but we figured it out | 17:28 |
nowen | what was it? | 17:28 |
nowen | nps? | 17:28 |
cmatthews_ | old AD setting | 17:28 |
cmatthews_ | "Allow dialup access" | 17:28 |
cmatthews_ | I been here 7 years it was enabled for me in our AD | 17:28 |
cmatthews_ | the other two have only been here a couple years and it was set differently. | 17:28 |
cmatthews_ | changed it and it worked | 17:28 |
cmatthews_ | but | 17:28 |
nowen | haha | 17:28 |
cmatthews_ | we would much rather control with an AD group | 17:28 |
nowen | can't you? | 17:29 |
cmatthews_ | because this "dial in" tab in AD goes away post upgrade | 17:29 |
cmatthews_ | of our AD | 17:29 |
nowen | Connection Request Policies > Edit Profile > 'Advanced' Tab > Add 'Remote-RADIUS-to-Windows-User-Mapping' = true | 17:29 |
nowen | there is a way to set it up via groups. I'm sure | 17:30 |
cmatthews_ | we'll look into that I remember adding that option in the setup | 17:30 |
*** proprietarysucks (~nathanr@static-96-247-50-178.lsanca.fios.verizon.net) has joined #wikid | 17:30 | |
proprietarysucks | any of you guys in los angeles? | 17:31 |
cmatthews_ | yeah I am in orange county | 17:34 |
nowen | cmatthews_: I would think something on the Conditions tab on NPS Network Policy | 17:45 |
cmatthews_ | Looking now | 17:45 |
cmatthews_ | Also we will have about 15-20 users max.. is that the up to 25 seat license we should look to purchase? | 17:46 |
nowen | or 2 ten packs | 17:46 |
cmatthews_ | And if I have iPhone and windows application for getting tokens but the same user id does that count as 2 or 1? | 17:47 |
nowen | 1 | 17:47 |
nowen | unique usernames per domain | 17:47 |
cmatthews_ | nice | 17:47 |
cmatthews_ | Nick, do you know of any programs besides VNC, like pcAnywhere, that support the two factor auth concepts as part of the application? | 18:49 |
nowen | on windows? | 18:49 |
cmatthews_ | yea | 18:49 |
nowen | Citrix | 18:49 |
cmatthews_ | Well what I mean is we have a helpdesk | 18:50 |
cmatthews_ | they dial into restaurants to support them | 18:50 |
cmatthews_ | using our VPN client they can only be in 1 at a time | 18:50 |
cmatthews_ | this limitation concerns them... heh | 18:50 |
nowen | so, they have to login to the central vpn, then connect to a restaurant? they want to connect to more than one restaurant at a time? | 18:51 |
cmatthews_ | Every restaurant has a VPN that is what they will be connecting to. | 18:52 |
cmatthews_ | The VPN at the store level will be setup to radius | 18:52 |
cmatthews_ | validate | 18:52 |
cmatthews_ | We thought about a VM that they connect to then go from there to all the stores but | 18:53 |
cmatthews_ | that has audit holes in it from my understanding | 18:53 |
cmatthews_ | since the site they connect to from there won't be logged as two factor connection | 18:53 |
nowen | on linux, there is NoMachine | 18:54 |
nowen | the free version is freenx | 18:54 |
nowen | there is a windows client | 18:54 |
nowen | you run your vnc through the nx server | 18:54 |
cmatthews_ | got ya | 18:55 |
nowen | pretty cool tho | 18:59 |
nowen | it's faster than plain vnc | 19:04 |
nowen | encrypted through ssh and uses pam for authentication. so pam_radius | 19:04 |
nowen | I wonder if IAS could take a windows login and convert it to a radius one | 19:10 |
cmatthews_ | Yeah I get this all working then they start with the ... How do we connect with multiple instances of remote tools to different machines at the same time. | 19:13 |
nowen | haha | 19:13 |
cmatthews_ | Requirements post implementation are my favorite... | 19:14 |
nowen | of course, if they have a lot of instances up at once the likelihood of a mistake is higher | 19:14 |
cmatthews_ | yeah I tried to argue that I don't think our PCI auditor will like you guys being in 4 systems at once unmonitored. | 19:14 |
nowen | well, this is really not 2FA, you just need to find a service that will do it that supports radius in some form | 19:14 |
cmatthews_ | But I'll let them take it up with him after I figure out around it... No .. get this .. This was the best part of the conversation. | 19:15 |
cmatthews_ | Can you script the process from our ticket software so that the helpdesk agent doesn't enter his pin and doesn't need to put the password in the VPN application to establish connections. | 19:15 |
cmatthews_ | that made me laugh. | 19:15 |
nowen | lol | 19:16 |
cmatthews_ | I said I can but I thought that would sorta... u know.. defeat the purpose... Some weird logic was trying to be applied and I said just talk to our auditor. | 19:16 |
nowen | that's really missing the point | 19:17 |
cmatthews_ | haha I know. | 19:17 |
proprietarysucks | please add check for $JAVAHOME in set up script | 22:27 |
proprietarysucks | currently if it's not set it just screws up, trying to copy files around to places that don't exist | 22:28 |
proprietarysucks | [[ $JAVAHOME ]] || { echo JAVAHOME not set; exit 123; } | 22:28 |
nowen | ok | 22:28 |
proprietarysucks | -> /opt/WiKID/sbin/wikidserver_config.sh | 22:28 |
proprietarysucks | also please add yum install iptables here: http://www.wikidsystems.com/support/wikid-support-center/installation-how-tos/how-to-install-the-wikid-community-edition-3.x | 22:28 |
proprietarysucks | as iptables is required | 22:28 |
proprietarysucks | thank you guys =] | 22:29 |
nowen | np | 22:29 |
nowen | thanks for the feedback | 22:29 |
proprietarysucks | I'm going to rewrite this thing for you | 22:44 |
nowen | ;-) | 22:44 |
*** nowen has quit (Quit: Leaving.) | 23:04 | |
proprietarysucks | what is this appliance variable that is set but never used | 23:08 |
proprietarysucks | I've rewritten this thing to always work and not need all this weirdness about checking config files and seeing if it ran before and all this other stuff | 23:10 |
proprietarysucks | all the functionality of the original, plus being able to run over and over, can be written as here: http://pastebin.com/zKhC6ky5 | 23:11 |
proprietarysucks | that doesn't include commented out lines from the original, and it doesn't include logic around setting the unused variable appliance | 23:12 |
proprietarysucks | probably you'd want a little echo success statement at the end there | 23:13 |
proprietarysucks | on this page: http://www.wikidsystems.com/support/wikid-support-center/installation-how-tos/how-to-install-the-wikid-community-edition-3.x this line is wrong or outdated: service postgresql initdb | 23:20 |
proprietarysucks | or incomplete | 23:20 |
proprietarysucks | in centos for example, it's just as you would expect: service postgresql start | 23:21 |
proprietarysucks | that initializes the database and starts the service | 23:21 |