*** nowen (~nowen@adsl-176-210-205.asm.bellsouth.net) has joined #wikid | 13:19 | |
*** gvidals_ (18f9cf04@gateway/web/freenode/ip.24.249.207.4) has joined #wikid | 17:27 | |
gvidals_ | owen is it possible to have linux server that is ONLY on a private IP use two factor auth? | 17:28 |
nowen | gvidals_: not sure I follow. is the server the wikid server or the target server? | 17:29 |
gvidals_ | the problem is that the domain for the wikid server is a public IP 207158010011 | 17:29 |
nowen | ok - you can nat the WiKID server | 17:29 |
nowen | that's fine | 17:30 |
nowen | as long as the traffic gets to the WiKID server | 17:30 |
gvidals_ | so the wikid server has both a public and private IP and has a domain of 207158010011 and the ubuntu server is only on a private IP. | 17:30 |
nowen | the ubuntu server is your ssh target? | 17:31 |
gvidals_ | so in pam_radius_auth.conf i changed the server from 207.158.158.11 to 10.84.168.11 | 17:31 |
gvidals_ | i thought this should work without having to do nat? | 17:31 |
nowen | the wikid server doesn't need to have the external ip - if you have a firewall doing nat. | 17:32 |
gvidals_ | yes ubuntu server is ssh target | 17:32 |
nowen | or it can have the external ip | 17:32 |
gvidals_ | :q | 17:32 |
nowen | I was thinking you wanted to nat it.. but you don't have to | 17:34 |
nowen | is this for *another* customer?? ;) | 17:34 |
gvidals_ | this is for the first customer. | 17:37 |
nowen | ok ;) | 17:37 |
gvidals_ | does the wikid domain 207158010011 have any bearing on the ssh target being on a private IP? | 17:38 |
nowen | no - it is just about the tokens | 17:39 |
gvidals_ | ok. | 17:39 |
nowen | only the WiKID server needs to talk to the ssh target box | 17:39 |
gvidals_ | maybe i have to restart pam services or something for the changes in pam_radius_auth to take effect? i don't know how to restart it... | 17:39 |
nowen | no need to restart | 17:40 |
nowen | what is the error you're getting? | 17:40 |
nowen | you might look in /var/log/secure on the target | 17:40 |
gvidals_ | The NAS IP supplied does not match the NAS table | 17:42 |
gvidals_ | that is the entry in the wikid log. | 17:42 |
nowen | is the network client IP correct? | 17:42 |
gvidals_ | so the ubuntu ssh target had two IPs - a public and private one - i disabled the public IP and changed pam_radius_auth.conf to include the private IP for the wikid server. | 17:44 |
nowen | ok - is the private ip what is used on the WiKID server Network clients tab? | 17:44 |
gvidals_ | so it seems that the wikid server is expecting the IP from the ubuntu target to be a public IP. | 17:45 |
nowen | just delete the old network client and create a new one with the private ip and restart | 17:45 |
nowen | radius will not accept packets from unknown ips | 17:45 |
gvidals_ | ok i see what you mean. instead of deleting, i modified the network client and now it works :-) | 17:51 |
gvidals_ | thanks again. | 17:51 |
nowen | ok cool! | 17:51 |
gvidals_ | i have two more opportunities for wikid servers. hopefully one will come through soon. | 17:51 |
gvidals_ | and i plan on downloading the NFR one you said you would give me soon. | 17:51 |
nowen | please do! | 17:52 |
gvidals_ | we'll be able to get more business once the rankings for "hipaa compliant hosting" go up. | 17:52 |
gvidals_ | currently we made it to position #10 in google and so we are on the home page. | 17:53 |
nowen | excellent | 17:53 |
gvidals_ | we're targeting being in the top #1-3 spot so we have more work to do. | 17:53 |
nowen | anything I can do? | 17:53 |
gvidals_ | yes, if you can put a link on your website to www.vmracks.com (instead of esx-hosting.vm-racks.com) | 17:54 |
gvidals_ | we recently got rid of the esx-hosting.vm-racks.com for the shorter www.vmracks.com | 17:54 |
nowen | ok | 17:55 |
gvidals_ | i would like to do another press release like we did last time. if you are up for it, let me know and i can write one. | 17:55 |
nowen | website updated | 17:56 |
nowen | sure | 17:56 |
gvidals_ | that was fast. thanks | 18:01 |
nowen | np | 18:02 |
*** gvidals_ has quit (Ping timeout: 265 seconds) | 18:35 | |
*** jhill_ (ada1a201@gateway/web/freenode/ip.173.161.162.1) has joined #wikid | 19:22 | |
jhill_ | Hello, I'm testing out WiKID integrating with NPS and am having trouble NPS to look at AD user accounts before passing the request off to WiKID | 19:24 |
nowen | hold on one minute - on the phone | 19:24 |
jhill_ | will do | 19:24 |
nowen | ok - thanks | 19:31 |
nowen | all the sudden real busy ;) | 19:31 |
jhill_ | I understand :) | 19:31 |
nowen | are you following the how to? | 19:32 |
jhill_ | I did | 19:32 |
nowen | damn phone again | 19:33 |
jhill_ | :) | 19:33 |
jhill_ | I have to step out for a minute, but here's my issue in a nutshell... | 20:04 |
jhill_ | Trying to connect a firewall / VPN to NPS+WiKID. The firewall is set up as a RADIUS client on NPS, with a shared secret. The firewall has a RADIUS server configured pointing to NPS, with that same shared secret. The WiKID server is configured in NPS as a RADIUS server, with a separate shared secret. I've configured a Connection Request Policy to forward authentication to WiKID. At this point, I can test the auth and am successful, | 20:04 |
nowen | ok | 20:04 |
jhill_ | mbers of the AD domain. | 20:04 |
nowen | sorry :( | 20:05 |
nowen | ok - bio-break and I'll be right back | 20:08 |
nowen | jhill_: let me know when you're back | 20:11 |
jhill_ | OK, I'm back | 20:27 |
nowen | ok | 20:27 |
nowen | so, tell me where it is failing? the user doesn't have to be in the right group? | 20:28 |
jhill_ | Right, I created a WiKID-only user and can auth successfully | 20:29 |
nowen | ok, so the settings in nps aren't quite right somehow. the permissions aren't getting checked | 20:29 |
jhill_ | Yep, that seems right | 20:30 |
nowen | on your network policy, what is set for the conditions? | 20:31 |
jhill_ | I think that's where the problem is... I can't seem to figure out the connection between the Connection Request Policy (where WiKID's configured) and the Network Policy. | 20:32 |
nowen | yeah, there's not much on the doc. | 20:33 |
nowen | i have notes for IAS, the nps predecessor | 20:34 |
nowen | Connection Request Policies > Edit Profile > 'Advanced' Tab > Add 'Remote-RADIUS-to-Windows-User-Mapping' = true | 20:34 |
jhill_ | I read that too, but couldn't find the equivalent in 2008 | 20:34 |
nowen | is there something for settings? | 20:37 |
nowen | you should be able to add Remote-RADIUS-to-Windows-User-Mapping | 20:37 |
nowen | all I have is a screen grab | 20:38 |
nowen | but it looks like policy >> condition >> settings? | 20:38 |
jhill_ | Let me take a look | 20:38 |
jhill_ | Here http://technet.microsoft.com/en-us/library/cc771347.aspx it says that it should be in the Connection Request Policy | 20:43 |
nowen | hmm. yes. | 20:50 |
nowen | I'll try to start up our nps vm | 20:50 |
jhill_ | OK, I've got to head out for a bit again. I'll leave the window open, if you see it, let me know. Otherwise, I'll circle back around when I figure it out. :) | 20:51 |
nowen | ok, please do. I would like to add it to the docs | 20:52 |
nowen | jhill_: check out http://aaronwalrath.wordpress.com/2010/06/22/install-windows-2008-r2-nps-for-radius-authentication-for-cisco-router-logins/ | 20:53 |
jhill_ | I get that option in the Network Policies, but not the connection request policy | 20:55 |
nowen | do you have conditions set for the connection request policy? | 21:01 |
jhill_ | Yeah, just the IP of the firewall | 21:02 |
nowen | like that the client ipv4 address be your firewall? | 21:02 |
jhill_ | yep | 21:02 |
nowen | http://technet.microsoft.com/en-us/library/cc753603.aspx | 21:03 |
nowen | it's not clear how the settings are entered tho | 21:06 |
*** nowen has parted #wikid (None) | 23:25 |