Friday, 2010-11-19

01:14 <proprietarysucks> hi guys, any thoughts on the stuff I posted last night?
01:15 <proprietarysucks> I've installed the community version twice now, following the docs, and ended up at a 404 page both times. I'm trying to figure out what mistakes I've made, or possibly the documentation.
01:15 <proprietarysucks> also any thoughts about the script I wrote?
13:13 *** nowen (~nowen@adsl-176-210-205.asm.bellsouth.net) has joined #wikid
15:59 *** cmatthews (d8ed3803@gateway/web/freenode/ip.216.237.56.3) has joined #wikid
16:28 *** Luiz_ (c8ac968b@gateway/web/freenode/ip.200.172.150.139) has joined #wikid
16:29 <cmatthews> Nick, just sent over the PO.
16:30 <Luiz_> Who can help me with wikid and fortigate?
16:30 <nowen> ok, cool. we may be able to get started today.  it's a bit busy for a Friday.
16:32 *** Luiz_ has quit (Client Quit)
16:33 <nowen> hmm. sorry Luiz
16:34 <cmatthews> those firewalls support radius... but he left before we were able to respond.. heh
16:38 <nowen> and we have a doc on it ;)
16:53 <cmatthews> will you need to log in to the wikid server also when doing this?
16:54 <nowen> hopefully not
16:54 <nowen> you have it working through IAS now, right?  I suggest we point freenx to IAS
16:55 <cmatthews> yep
16:55 <nowen> so, you will need to add the freenx box as a client to IAS
16:55 <cmatthews> will do
16:57 <cmatthews> Just a standard radius client, right?
16:57 <nowen> yeah, should be
17:07 <cmatthews> Nick, when possible just please confirm you can log in.
17:07 <cmatthews> 22 should be open for you.
17:08 <nowen> I'm in
17:09 <nowen> I assume that 1812 UDP is open b/t this box and ias?
17:09 <cmatthews> yeah should be fine
17:11 <cmatthews> hmm I'll double check...
17:13 <cmatthews> yeah, internally we don't have that stuff locked
17:13 <cmatthews> surprised me that nps wouldn't allow telnet but I suppose that is normal.
17:32 <cmatthews> After you receive payment, do we need to revise certificates or something on the wikid server?
17:32 <nowen> no, you're good to go.
18:03 *** cmatthews has quit (Quit: Page closed)
18:05 *** cmatthews (d8ed3803@gateway/web/freenode/ip.216.237.56.3) has joined #wikid
18:20 <nowen> cmatthews: have you got the nx client?
18:21 <cmatthews> not yet
18:21 <cmatthews> I'll go grab it
18:21 <nowen> can you try to ssh into the freenx server with a WiKID otp?
18:21 <nowen> that's a better 1st test
18:24 <cmatthews> use my domain username?
18:25 <nowen> if that is how it is registered in WiKID, then yes
18:25 <cmatthews> access denied
18:25 <cmatthews> I can check the IAS log..
18:25 <cmatthews> see if it got hit, sec.
18:26 <nowen> don't think it id
18:26 <nowen> dud
18:26 <nowen> did !
18:27 <cmatthews> yeah doesn't look like it
18:41 <nowen> ok - try again
19:08 <cmatthews> dtill denied
19:08 <cmatthews> still
19:09 <nowen> hmm. check IAS again. this got a bit furter
19:09 <nowen> boy I cannot type today
19:10 <cmatthews> yes, I see the attempt
19:10 <nowen> does it get all the way to wikid?
19:12 *** cmatthews2 (d8ed3803@gateway/web/freenode/ip.216.237.56.3) has joined #wikid
19:13 <cmatthews2> I see the username prefixed by my domain in the nps log..
19:13 <cmatthews2> wondering if that is part of the trouble
19:13 <cmatthews2> checking wikid log now.. and sorry for delays
19:14 <cmatthews2> hmm doesn't look like IAS hit wikid
19:15 <nowen> np on the delays. I understand
19:16 <cmatthews2> checking nps conditions ... I think it's set to just time based atm
19:18 <cmatthews2> yeah all hits should forward
19:18 <cmatthews2> i'm going to just try again
19:20 <nowen> hmm
19:21 <nowen> "Received disconnect from 172.17.12.106: 13: Unable to authenticate"
19:21 <nowen> that's not the ias ip
19:22 <cmatthews2> nope
19:22 <cmatthews2> that's my local machine
19:23 <nowen> try again
19:26 <cmatthews2> nope
19:27 <nowen> did you try with the domain + user or just user?
19:27 <cmatthews2> both
19:28 <cmatthews2> weird thing is not seeing NPS hit wikid in wikid logs
19:28 <nowen> pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 9411552
19:28 <cmatthews2> sec
19:29 <cmatthews2> HAH
19:29 <cmatthews2> sec I think my acct is locked
19:29 <nowen> heh
19:29 <cmatthews2> why it's not being forwarded
19:36 <cmatthews2> unlocked and tried again
19:36 <cmatthews2> still nothing in wikid logs
19:37 <nowen> and this is the same ias that works with the VPN?  the only difference is that the radius client is different?  Is the network policy the same?
19:38 <cmatthews2> yeah let me see about testing once with the firewall to ensure we are still up..
19:44 <cmatthews2> my firewall IT guy is telling me it may be his fault that nps isn't talking to wikid and he's checking.
19:44 <nowen> ok
19:45 <cmatthews2> it isn't hitting from the firewall at all right now.
19:54 <cmatthews2> we're restarting the IAS server
19:54 <nowen> ok
19:58 <nowen> hmm
19:58 <nowen> still no go
19:58 <nowen> anything on WiKID?
19:59 <cmatthews2> that seems to be the problem... nothing is going to wikid from nps.
20:05 <nowen> is the last thing you see in the WiKID logs the request for the OTP?
20:05 <nowen> is the vpn not working either?
20:14 <cmatthews2> yes last wikid entry is OTP request
20:14 <cmatthews2> and
20:14 <cmatthews2> no matter the source of the NPS request, NPS is not passing to wikid.
20:15 <cmatthews2> one thing different
20:15 <cmatthews2> sec
20:15 *** cmatthews2 has quit (Quit: Page closed)
20:15 <cmatthews> yesterday when our firewall was hitting nps the nps log entries looked like this
20:15 <cmatthews> 0x3C4576656E743E3C54696D657374616D7020646174615F747970653D2234223E31312F31372F323031302030383A35363A32382E3133333C2F54696D657374616D703E3C436F6D70757465722D4E616D6520646174615F747970653D2231223E45504C2D4E50532D30313C2F436F6D70757465722D4E616D653E3C4576656E742D536F7572636520646174615F747970653D2231223E4941533C2F4576656E742D536F757263653E3C4E41532D506F727420646174615F747970653D2230223E313134313139323333393C2F4E41532D506F72743E3C4672616
20:16 <cmatthews> today they look like this
20:16 <cmatthews> <Event><Timestamp data_type="4">11/19/2010 12:14:03.515</Timestamp><Computer-Name data_type="1">EPL-NPS-01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">matthc01</User-Name><NAS-IP-Address data_type="3">127.0.0.1</NAS-IP-Address><NAS-Identifier data_type="1">sshd</NAS-Identifier><NAS-Port data_type="0">8243</NAS-Port><NAS-Port-Type data_type="0">5</NAS-Port-Type><Service-Type data_type="0">8</S
20:16 <cmatthews> one thing I'm not quite getting
20:17 <cmatthews> is why or how the nps server is knowing that the request is related at all to epl-dev-07
20:17 <cmatthews> my local machine name
20:17 <cmatthews> when I'm originating the request through putty on the freenx system
20:18 <nowen> hmm
20:18 <cmatthews> I emailed you the full handshake that nps is performing
20:19 <cmatthews> I see two rows in the nps log every time I hit it from the freenx system
20:19 <cmatthews> but nothing on the wikid server
20:21 <cmatthews> even when I try to log in to the freenx ssh with root it isn't letting me now
20:21 <cmatthews> is that related
20:21 <nowen> no - I have made a change to the /etc/pam.d/sshd file
20:22 <nowen> I changed it back though.
20:23 <nowen> try logging in one more time, I upped the logging to debug for ssh
20:25 <cmatthews> yeah I did........
20:25 <cmatthews> so weird
20:25 <cmatthews> that nps isn't hitting wikid
20:27 <nowen> run 'iptables -L -n' on wikid and look for the NPS ip address
20:28 <cmatthews> nope
20:28 <cmatthews> not there
20:28 <nowen> hmm
20:28 <cmatthews> wait
20:28 <cmatthews> it is
20:28 <nowen> ok
20:29 <cmatthews> ACCEPT     tcp  --  172.17.15.132        0.0.0.0/0           state NEW tcp dpt:49
20:29 <nowen> just wanted to make sure the wikid firewall wasn't blocking
20:30 <cmatthews> sorry about this, I'm pretty sure someone has done something on my end that changed something and they just don't know it.
20:30 <nowen> np
20:30 <cmatthews> my staff is all out for food atm.
20:30 <cmatthews> I think what we should do since you believe the config should be working is..
20:31 <cmatthews> let me get our firewall testing that had success yesterday back to operations
20:31 <cmatthews> operational
20:31 <nowen> ok
20:31 <cmatthews> then try this on my own
20:31 <cmatthews> and then let you know if it is still not working.
20:31 <nowen> that works.
20:31 <cmatthews> in theory though
20:31 <cmatthews> I should be able to just ssh to the centos server and connect with an otp and my acct
20:32 <nowen> hold on - I want to test one more thing
20:34 <nowen> ok - try one more time
20:34 <cmatthews> k
20:36 <nowen> ok, yeah. I think you'll need to figure out the NPS > WiKID bit
20:36 <nowen> the other thing to test is nps without wikid - can you log in to ssh with your AD creds
20:37 <nowen> If you can log in with your AD creds and the VPN is still working, I would look at the policy
20:37 <cmatthews> trying that
20:37 <nowen> if you can't log in to the VPN, look at the network
20:40 <cmatthews> yeah I can log in to our main FW fine without anything wikid related.
20:41 <cmatthews> can't log in to the SSH system with or without domain creds.
20:41 <cmatthews> and with or without domain prefix
20:41 <nowen> did you remove the NPS policy?
20:41 <cmatthews> No I'll try that
20:42 <nowen> try that, I'm assuming that will then just auth with AD creds, but I'm not 100% on that
20:46 <cmatthews> No either way the system doesn't take the credentials...
20:46 <cmatthews> with or without the policy...
20:46 <nowen> is that shared secret we shared correct?
20:47 <cmatthews> I'll retype it in the client config just in case
20:52 <cmatthews> just did wikidctl restart to see if / when the radius listener restarts
20:52 <nowen> you can also run 'netstat -anp | grep 1812'
20:53 <cmatthews> so far returning nothing
20:53 <nowen> it might take awhile
20:53 <cmatthews> the joy of daemons as I understand it..
20:56 <cmatthews> not yet...
20:58 <nowen> hmm. do you also have ldap on?
21:01 <nowen> still nothing?
21:01 <cmatthews> yeah it eventually started
21:02 <cmatthews> and I tried again
21:02 <cmatthews> and nps never asked wikid anything
21:02 <cmatthews> I'll let you know when I think I'm ready to go again with something functional.
21:02 <nowen> ok
21:02 <cmatthews> thanks
23:15 *** nowen has quit (Quit: Leaving.)

Generated by irclog2html.py 2.11.0 by Marius Gedminas - find it at mg.pov.lt!