Thursday, 2011-01-20

12:10 *** _markh_ (~chatzilla@wish-hq3.gotadsl.co.uk) has joined #wikid
12:18 *** zaeem (3d059f5a@gateway/web/freenode/ip.61.5.159.90) has joined #wikid
12:18 <zaeem> hi
12:19 <zaeem> Does wikid support juniper and cisco routers for ssh/telnet logins?
12:25 <zaeem> hello
12:25 <zaeem> anyone around
12:29 *** zaeem has quit (Ping timeout: 265 seconds)
12:32 *** zaeem (3d059f5a@gateway/web/freenode/ip.61.5.159.90) has joined #wikid
12:32 <zaeem> anyone around?
13:18 *** zaeem has quit (Quit: Page closed)
15:19 *** _markh_ has quit (Quit: ChatZilla 0.9.86 [Firefox 3.6.13/20101203075014])
15:19 *** _markh_ (~chatzilla@wish-hq3.gotadsl.co.uk) has joined #wikid
16:01 *** nowen (~nowen@adsl-176-210-205.asm.bellsouth.net) has joined #wikid
16:02 <nowen> hey _markh_
16:15 <_markh_> hi nick
16:15 <nowen> how's it going? sorry for the continued confusion!
16:16 <_markh_> np. We're doing well
16:16 <_markh_> Have a problem with one of our Network Clients
16:16 <nowen> ok
16:17 <_markh_> basically, whenever it tries to authenticate it gets access denied...
16:17 <nowen> radius
16:17 <nowen> ?
16:17 <_markh_> Yep. All the other services work fine
16:17 <nowen> is there any info in the WiKIDAdmin logs?
16:18 <nowen> did its ip address change or anything like that?
16:18 <_markh_> nope. But here's what's in radius.log...
16:18 <_markh_> NASip is '109.200.13.2'
16:18 <_markh_> PAP Request
16:18 <_markh_> passcode is �^H^J�6^^k^L+�
16:19 <_markh_> Passcode is not a number.
16:19 <_markh_> Check PAP bombed with AccessRejectException: Access Denied
16:19 <nowen> hmm. the encoding is bad. check the shared secrets
16:20 <_markh_> And when we start wikid, we get an exception (sorry for the inline pasting)
16:20 <_markh_> java.net.SocketException: Broken pipe
16:20 <_markh_>         at java.net.SocketOutputStream.socketWrite0(Native Method)
16:20 <_markh_>         at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:92)
16:20 <_markh_>         at java.net.SocketOutputStream.write(SocketOutputStream.java:136)
16:20 <_markh_>         at com.sun.net.ssl.internal.ssl.OutputRecord.writeBuffer(OutputRecord.java:283)
16:20 <_markh_>         at com.sun.net.ssl.internal.ssl.OutputRecord.write(OutputRecord.java:272)
16:20 <_markh_>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:666)
16:20 <_markh_>         at com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:584)
16:20 <_markh_>         at com.sun.net.ssl.internal.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:698)
16:20 <_markh_>         at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:624)
16:20 <_markh_>         at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:160)
16:20 <_markh_>         at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
16:20 <_markh_>         at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
16:20 <_markh_>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
16:20 <_markh_>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
16:20 <_markh_>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1057)
16:20 <_markh_>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1041)
16:20 <_markh_>         at com.wikidsystems.client.wClient.init(wClient.java:211)
16:20 <_markh_>         at com.wikidsystems.client.wClient.<init>(wClient.java:149)
16:20 <_markh_>         at com.wikidsystems.radius.access.WikidAccess4.set(WikidAccess4.java:68)
16:20 <_markh_>         at com.wikidsystems.radius.access.MakeAccess.createAccessImpl(MakeAccess.java:112)
16:20 <_markh_>         at com.theorem.radserver3.RADIUSServer.setAccessImplFactory(RADIUSServer.java:1468)
16:20 <_markh_>         at com.wikidsystems.radius.authserver.AuthServer.configure(AuthServer.java:362)
16:20 <_markh_>         at com.wikidsystems.radius.authserver.AuthServer.go(AuthServer.java:156)
16:20 <_markh_>         at com.wikidsystems.radius.authserver.AuthServer.main(AuthServer.java:98)
16:20 <_markh_> brb
16:29 <nowen> me too - be back in a bit
16:29 <nowen> in the meantime, check your certs:
16:29 <nowen> http://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-do-i-know-if-my-certificate-is-valid/?searchterm=keytool
16:53 <_markh_> nick, secrets are good. IntCA is good, but keytool shows the localhost cert as follows:
16:53 <_markh_> keytool error: java.io.IOException: PKCS12 key store mac invalid - wrong password or corrupted file.
16:53 <_markh_> it is the same passphrase as the CA right?
16:53 <nowen> not necessarily
16:53 <_markh_> oh
16:54 <nowen> you can go ahead and create a new localhost cert - are you only using radius?
16:54 <_markh_> nope, we use wAuth in one place
16:54 <nowen> arg - phone call
16:54 <nowen> check that cert too
16:54 <_markh_> :)
16:55 <nowen> if you recreate the localhost cert, restart wikid
17:04 <_markh_> recreated the localhost cert. still failing. anyhow, wouldn't that affect ALL network clients rather than just this one?
17:05 <nowen> might depend on when it was created, not sure
17:09 <_markh_> Anyhow, I don't seem to get the exception on startup but this one (Linux) client still fails...
17:10 <_markh_> There must be a clue in that it suddenly stopped working. To my knowledge neither the box nor wikid was changed
17:11 <_markh_> there _was_ a network topology change recently, but I don't see how that would make any difference (no IP changes).
17:29 <nowen> did you check the shared secrets?
17:33 <_markh_> OK. Working now. The secrets were incorrect. I have NO idea how they became different. the file dates are consistent with the last change we made months ago.
17:33 <_markh_> So, we need to investigate what happened. Thx for your help
17:34 <nowen> hehe
17:34 <_markh_> btw
17:34 <nowen> it's always the simple stuff. unless it's not
17:34 <_markh_> If you recall we wanted to use Android/iPhone clients with our own DOMAIN DNS
17:35 <_markh_> any news on that front?
17:35 <nowen> yeah, we're working on that as part of the next release. it will be a big update and require new token clients
17:35 <_markh_> because we still want to, but can't really delegate the DNS to you
17:35 <nowen> I am looking for a beta in the next 30 days
17:35 <_markh_> without holding you to anything - when is that likely?
17:36 <_markh_> beaten to it
17:36 <_markh_> thx
17:36 <nowen> I'm hopeful 30 days
17:36 <_markh_> If you want a tester...
17:36 <nowen> yes I do!
17:36 <nowen> you're on the list
17:37 <_markh_> Thx
17:37 <_markh_> Gotta go now. Bye
17:37 <nowen> later!
17:39 *** _markh_ has quit (Quit: ChatZilla 0.9.86 [Firefox 3.6.13/20101203075014])
17:52 *** JP (cf683602@gateway/web/freenode/ip.207.104.54.2) has joined #wikid
17:55 <JP> hello, I'm having issues with the example.jsp file. I get "The wClient connection to the server was NOT successfully established". I changed lines 42 (Server code) and 48 (passphrase) as mentioned in the install doc. Restarted the service, and still get that error.
17:56 <nowen> hmm
17:56 <nowen> and your passphrase is the localhost passphrase?
17:56 <JP> i believe so
17:56 <nowen> is this an iso install or rpm?
17:57 <JP> iso
17:57 <nowen> what's the error in the WiKIDAdmin logs?
17:58 <JP> checking...
17:58 <JP> ERROR: java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
17:59 <nowen> try running this on the command line: keytool -list -v -keystore /opt/WiKID/private/localhost.p12 -storetype pkcs12 -storepass yourpassphrase
18:03 <JP> got the same error plus a bunch of other text, trying to figure out how to copy and paste it here
18:03 <nowen> ahh - use http://pastebin.com
18:04 <nowen> paste there, then put the url here
18:04 <nowen> can you run 'locate java.security'
18:05 <JP> ya i get...
18:05 <nowen> and then 'diff firstfile secondfile'? it should return nothing
18:05 <JP> test
18:06 <JP> it didn't accept what i typed, let me try again
18:06 <JP> /opt/WiKID/conf/templates/java.security
18:06 <JP> and...
18:07 <JP> /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0/jre/lib/security/java.security
18:08 <nowen> ok, run 'diff /opt/WiKID/conf/templates/java.security /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0/jre/lib/security/java.security'
18:08 <nowen> it should return nothing
18:10 <JP> a bunch of text scrolled by, no way to scroll up.. sorry linux noob here
18:10 <nowen> np
18:10 <nowen> run 'cp /opt/WiKID/conf/templates/java.security /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0/jre/lib/security/java.security'
18:10 <JP> k...
18:11 <nowen> this could be a bug in our iso
18:11 <JP> do i overwrite?
18:11 <nowen> yes
18:12 <JP> ok done
18:12 <nowen> ok, 'wikidctl restart'
18:13 <nowen> hmm. I wonder if you will need to create a new localhost cert?
18:13 <JP> how would i know if I do?
18:13 <nowen> let's just do it, I say
18:14 <JP> from the web ui?
18:14 <nowen> yeah
18:14 <JP> ok
18:15 <JP> doing it now
18:17 <JP> ok created localhost cert
18:17 <nowen> ok
18:18 <nowen> if you used the same passphrase, you should be able to just browse to the example.jsp
18:18 <JP> shoot i didn't use the same, do i just edit line 48 again in the example.jsp file on the server?
18:21 <JP> ok we're good now
18:21 <JP> thanks for your helpo
18:21 <nowen> ok. I'll have to see what's going on in the iso
18:21 <JP> *help
18:21 <nowen> thanks for the report!
18:21 <JP> yw
18:22 <nowen> feel free to hang here for questions, can make it faster
18:23 <JP> we're looking at using this for about 350 users in our company, what are the main differences between the enterprise and community version?
18:23 <nowen> wireless tokens and radius support
18:23 <nowen> and support support
18:23 <JP> lol
18:23 <JP> ok
18:24 <JP> so no radius in community?
18:24 <nowen> although between irc and the forums, support is pretty good
18:24 <nowen> no
18:24 <nowen> we use a 3rd party plugin
18:24 <nowen> so no gpl option
18:25 <nowen> brb
18:25 <JP> ok. We're looking to replace ActiveIdentity with a lower cost option so I am working to get a Proof of concept using wikid setup
18:26 <JP> any links to help with setting this up with a cisco ASA SSL VPN solution?
18:27 <nowen> maybe
18:28 <nowen> is AD in the middle?
18:28 <nowen> http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-configure-a-cisco-vpn-concentrator-for-two-factor-authentication-from-wikid/?searchterm=cisco
18:28 <nowen> that's more for just a vpn concentrator
18:29 <nowen> I don't know how close it is to the ASA
18:30 <nowen> how expensive is the ActiveIdentity?
18:30 <nowen> did you see our pricing?
18:32 <JP> I can't see exactly how much we are paying, but let's just say we are looking to aff 150 tokens with Active ID for a total of 350 and I can basically replace Active ID with wikid for all 350 users for about half the cost of 150 active ID users.
18:32 <JP> *add not aff
18:33 <JP> the recurring costs are about the same
18:34 <nowen> that's like a math problem or something, but seems to work ;)
18:34 <nowen> so the difference is in the upfront charge for hardware tokens?
18:34 <JP> yes
18:34 <JP> it's about $100 per token
18:35 <nowen> ok - we appreciate pricing feedback. we don't bend like Oracle to get a deal b/c who has the time?, but we will adjust pricing for all
18:36 <JP> that's good. I work for Save Mart / Lucky / FoodMaxx in CA
18:36 <nowen> ok - so PCI?
18:36 <JP> oh ya!
18:37 <JP> do the soft tokens need network connectivity to the server to generate the OTP?
18:38 <nowen> yes, they encrypt the PIN and send it to the server
18:38 <JP> ok
18:39 <nowen> what will the tokens run on? wireless devices? laptops?
18:39 <JP> so how would that work if the user is remote and needs to authenticate via vpn?
18:39 <JP> they would be off the network
18:39 <nowen> typically, the WiKID server has an external ip address (nat'd)
18:40 <JP> ahhh, that's right, that was mentioned in those setup videos
18:40 <JP> we would be using all of the above, wireless phones, laptops, PCs
18:40 <nowen> and fyi, each user can have more than one token
18:41 <JP> i saw that, that is nice
18:41 <JP> user based license only
18:42 <nowen> yes, so a seat equals a user in a domain, not tokens in a domain
18:42 <JP> any issues using NAT if I place the wikid server in my dmz?
18:42 <nowen> no
18:42 <nowen> use the external ip as the domain identifier
18:42 <JP> is there a listing of which ports I need to open up on my FW?
18:43 <JP> ok
18:43 <nowen> just 80 for the tokens
18:43 <nowen> the WiKIDAdmin uses 443, but you probably don't want that outside
18:43 <JP> no we wouldn't need that
18:49 <JP> does it use http over port 80? I'm thinking my auditor may have an issue with that
18:50 <nowen> hehe, we use asymmetric encryption, so no need for ssl.
18:50 <nowen> plus we have *lots* of PCI customers
18:52 <JP> ok, but auditors don't typically accept that it is used with other customers as a "pass" lol. Good to know though. Can you link me more info on the asymmetric encryption setup?
18:52 <nowen> http://www.wikidsystems.com/learn-more/technology/overview
18:52 <JP> ty
18:53 <nowen> I have talked to auditors in the past, but it's been awhile. I think word has spread
18:53 <JP> ok cool
18:54 <JP> well thanks for all the info... gotta run to a meeting.
18:54 <nowen> you can think of WiKID like certificates. Except there is no "infrastructure" to the PK. Just flat public key pairs. The difference is that the PIN is encrypted and sent to the server. so, unlike certs, you cannot brute force attack the pin
18:55 <nowen> since most qsas accept certs...
18:55 <nowen> ok - see you later!
18:55 <JP> ok c ya
19:10 *** JP has quit (Quit: Page closed)
23:07 *** nowen has parted #wikid (None)

Generated by irclog2html.py 2.11.0 by Marius Gedminas - find it at mg.pov.lt!