*** nowen (~nowen@adsl-176-210-205.asm.bellsouth.net) has joined #wikid | 14:05 | |
*** jon___ (0cba3d04@gateway/web/freenode/ip.12.186.61.4) has joined #wikid | 16:00 | |
jon___ | hi | 16:00 |
nowen | hi | 16:00 |
jon___ | I'm looking for a two factor authentication | 16:01 |
jon___ | is it possible to schedule a demo? | 16:01 |
jon___ | for my team | 16:01 |
nowen | tell me a bit about what you are trying to secure? | 16:01 |
jon___ | just the vpn | 16:01 |
nowen | ok | 16:01 |
jon___ | we have ssl vpn | 16:02 |
jon___ | juniper | 16:02 |
nowen | ok, both systems talk radius, so integration is not an issue | 16:02 |
jon___ | yeah | 16:03 |
nowen | have you played with the token client? | 16:03 |
jon___ | yes with different vendor | 16:04 |
nowen | ? | 16:04 |
jon___ | yes | 16:04 |
jon___ | how can I schedule for a demo? | 16:04 |
jon___ | like webex/gotomeeting demo | 16:04 |
nowen | I can schedule something - but right now it might be the week of 1/4 | 16:05 |
jon___ | that is fine | 16:05 |
nowen | ok | 16:05 |
nowen | I got your email as well | 16:05 |
jon___ | my email is joe.tran@beryl.net | 16:05 |
jon___ | yeah, I just requested it from the website | 16:05 |
nowen | feel free to download the server if you'd like as well | 16:06 |
jon___ | WiKID is a US based company? | 16:06 |
nowen | yes | 16:06 |
nowen | Atlanta, Ga | 16:06 |
jon___ | ok | 16:06 |
nowen | how many users do you have? | 16:07 |
jon___ | little over 300 | 16:07 |
nowen | cool. Using tokens already or is this a new thing? | 16:07 |
jon___ | So how does the server integrate into vpn? | 16:07 |
jon___ | through win 2008 NPS? | 16:08 |
nowen | you can set it up that way | 16:08 |
jon___ | we don't have tokens now | 16:08 |
jon___ | but it's nice to have hardware/software token | 16:08 |
nowen | does the Juniper talk to NPS now? | 16:08 |
jon___ | juniper with ldap | 16:08 |
jon___ | to AD | 16:08 |
nowen | ok - so, you will have to switch to radius from ldap, because ldap has no proxying capability | 16:09 |
nowen | have you seen our how-to on NPS? | 16:09 |
jon___ | yes, I have read it on the website | 16:09 |
nowen | and the Juniper how to for radius? | 16:09 |
jon___ | not yet | 16:09 |
nowen | http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-use-wikid-strong-authentication-with-juniper-uac-appliance/?searchterm=juniper | 16:10 |
nowen | so, the Juniper will talk Radius to NPS, then NPS will proxy the auth request to WiKID after verifying the user | 16:10 |
jon___ | the user will be prompted to enter the PIN with generate/verify from the WiKID system? | 16:11 |
nowen | the user will start the WiKID token and enter their PIN. The PIN is encrypted and sent to the WiKID server. If the PIN is correct, the account active & the encryption valid, the OTP is generated on your WiKID server, encrypted and returned to the user | 16:12 |
nowen | then the user logs in with username & otp | 16:12 |
jon___ | hardware and software token both available? | 16:13 |
jon___ | otp is AD password? | 16:13 |
nowen | just software - windows, mac, linux, android, j2me, iphone, etc | 16:13 |
nowen | no, the AD password is no longer needed | 16:13 |
nowen | NPS checks the user for permissions etc. | 16:13 |
jon___ | is there a way we can configure it so the user is required to put in their PIN and AD pass? | 16:14 |
nowen | that is a question for Juniper. I would recommend against it. it is considered a "good thing" to not use your LAN password outside the LAN | 16:14 |
jon___ | ok | 16:15 |
jon___ | what's the pricing look like for our environment? | 16:16 |
nowen | http://www.wikidsystems.com/learn-more/financial - $24/user per year | 16:16 |
nowen | there is also a 30% discount if you pre-pay for 3 years | 16:16 |
nowen | but - we have no hardware tokens - is that an issue? | 16:17 |
jon___ | well | 16:18 |
jon___ | If the user remotely uses the soft token on this machine | 16:19 |
jon___ | does it still generate a legit PIN code? | 16:19 |
nowen | you mean - can the user move the token to a different machine? | 16:19 |
jon___ | yes | 16:20 |
nowen | we have what we call "locked tokens" that hash data from the computer during the token registration process. | 16:21 |
nowen | that data is sent to the WiKID server and must be sent with each OTP request | 16:21 |
nowen | also, you should be able to do mutual https authentication. | 16:22 |
nowen | that will thwart MiTM attacks | 16:22 |
jon___ | and what if the user remotely | 16:22 |
jon___ | it'll sync through https? | 16:22 |
jon___ | we have a few users who office remotely | 16:23 |
nowen | no - the token will validate the SSL cert for the users - and will give a warning if the cert has changed. | 16:23 |
jon___ | does the soft token on a remote machine require a sync to the server to keep up with the PIN changes? Or is it just a one-time setup and it's good? | 16:24 |
nowen | just a one-time setup | 16:24 |
jon___ | k | 16:24 |
nowen | we have scripts on the server that allow users to register their tokens based on their AD creds | 16:25 |
jon___ | We have users that randomly connect to our vpn from their home machines | 16:26 |
jon___ | in this case they can't have a token on their pc | 16:27 |
jon___ | is there a way we can generate some pin through the web | 16:27 |
jon___ | based on their AD credentials? | 16:27 |
nowen | well, we always need to store the keys on the local machine - they are the second factor | 16:27 |
nowen | we have an html5 token | 16:28 |
jon___ | how does it work? | 16:28 |
jon___ | they have to copy the file/key to run on their local machine? | 16:28 |
nowen | http://www.wikidsystems.com/downloads/html5-token/ | 16:28 |
nowen | it's automatic, but FF & chrome only | 16:29 |
nowen | they could also use a wireless token | 16:29 |
jon___ | Can you explain the wireless token? | 16:30 |
nowen | it's just a software token that runs on a phone. Android, iphone, blackberry | 16:31 |
nowen | etc | 16:31 |
nowen | what kind of phone do you have? | 16:31 |
jon___ | office phone or mobile? | 16:33 |
jon___ | mobile I have an iPhone | 16:33 |
nowen | mobile | 16:33 |
nowen | ok - go to the market and search for WiKID | 16:33 |
jon___ | appstore you mean? | 16:33 |
nowen | yeah | 16:34 |
nowen | ;) | 16:34 |
jon___ | Does the trial WiKID server require a serial to install? | 16:37 |
nowen | no | 16:37 |
jon___ | You just select trial option when you configure it? | 16:37 |
jon___ | and it'll expire in 30 days? | 16:37 |
nowen | no selection needed, just follow the standard directions | 16:38 |
nowen | we track usage via the certificate you request during the install | 16:38 |
jon___ | what happens after 30? | 16:40 |
jon___ | we can't use the product anymore? | 16:40 |
nowen | by license, but in truth, we haven't set up the 30 cert processor yet | 16:41 |
nowen | ;) | 16:41 |
jon___ | well, i'm curious because i'm planning to do the trial | 16:42 |
nowen | please do! | 16:42 |
jon___ | wanting to know if the software no longer functions after 30 | 16:42 |
jon___ | or if it still works after 30 | 16:42 |
jon___ | we just need to buy the licence to be legal | 16:42 |
nowen | yeah, it works fine. In fact, if you want to go into production with the same box that is fine | 16:42 |
jon___ | ok | 16:42 |
jon___ | does it require anything as far as the licence? | 16:43 |
nowen | yeah - we tend to focus more on adding new features than worrying about stealing | 16:43 |
nowen | just the cert | 16:43 |
jon___ | ok | 16:43 |
jon___ | how big is the vmware image? | 16:44 |
nowen | 629 meg | 16:44 |
nowen | if you're using esx, grab the iso instead | 16:45 |
nowen | then create your own vmware image and boot the iso. the vmware image was created with the free vmware server | 16:46 |
jon___ | is there any firewall/vpn that WiKID does not support? | 16:48 |
nowen | not in the Enterprise space. Where I define enterprise as supporting radius | 16:48 |
nowen | radius is a great standard for authentication | 16:49 |
jon___ | I agree | 16:50 |
jon___ | Can I use the token installed on my iPhone to authenticate my remote laptop? | 16:50 |
nowen | yes | 16:50 |
jon___ | how does it work? | 16:51 |
nowen | you get the OTP on your iPhone and on your laptop, you enter your username and the OTP into your juniper page | 16:51 |
jon___ | when I generate the OTP does it require AD credentials? | 16:53 |
nowen | nbo | 16:53 |
nowen | no | 16:53 |
jon___ | well, I've asked enough questions | 16:53 |
nowen | NPS will validate that the user is active in AD, has the right permissions, etc | 16:53 |
jon___ | I would love to have a demo for my team | 16:53 |
nowen | then it will proxy the username and OTP to WiKID for the final auth | 16:54 |
nowen | ok | 16:54 |
jon___ | when you can schedule one, please send invite to joe.tran@beryl.net | 16:54 |
jon___ | i will forward to my team | 16:54 |
nowen | ok will do | 16:54 |
jon___ | we just became a pci compliance ship | 16:54 |
jon___ | shop | 16:54 |
nowen | ahh | 16:54 |
nowen | yes, then two-factor auth is required | 16:54 |
jon___ | so this project will need to get done the next 3 months | 16:54 |
nowen | ok - that's the audit? | 16:55 |
jon___ | well | 16:55 |
jon___ | the audit will be in January i think | 16:55 |
nowen | sometimes, we have PCI people that have auditors coming in the next week | 16:55 |
jon___ | we dont have the audit yet | 16:55 |
jon___ | oh | 16:55 |
jon___ | WiKID require auditor too? | 16:56 |
nowen | no - we just get a lot of PCI business | 16:56 |
jon___ | oh ok | 16:56 |
jon___ | yeah | 16:56 |
jon___ | it sure creates a lot of business out of the pci thing | 16:56 |
jon___ | which is cool | 16:56 |
jon___ | what's your name? | 16:56 |
nowen | I tend to think that a lot of merchants are way more secure than they would be | 16:56 |
nowen | Nick Owen | 16:57 |
jon___ | Thanks Nick | 16:57 |
jon___ | appreciate your time | 16:57 |
nowen | np. have a great holiday | 16:57 |
jon___ | do you have an email? | 16:57 |
nowen | yeah, nowen@wikidsystems.com | 16:59 |
nowen | just sent you an email | 17:01 |
nowen | ok - running out to do some last minute xmas shopping. jon___ do you want the link for the iso? | 18:59 |
*** nowen has quit (Quit: Leaving.) | 19:05 | |
*** nowen (~nowen@adsl-176-210-205.asm.bellsouth.net) has joined #wikid | 22:30 | |
*** nowen has parted #wikid (None) | 22:44 |