*** nowen (~nowen@adsl-176-210-205.asm.bellsouth.net) has joined #wikid | 13:13 | |
*** Sanjar (ca4194fc@gateway/web/freenode/ip.202.65.148.252) has joined #wikid | 13:54 | |
Sanjar | hi... i am looking at wikid as an alternate to RSA two factor authentication | 13:54 |
Sanjar | can someone help me out in this | 13:55 |
nowen | ok - that would be us | 13:55 |
nowen | sure | 13:55 |
nowen | do you use RSA now? | 13:55 |
Sanjar | ok nowen | 13:55 |
Sanjar | nope we are doing poc for RSA | 13:55 |
nowen | hardware tokens or software tokens? | 13:56 |
Sanjar | we tried with both | 13:56 |
Sanjar | let me put across my requirement | 13:56 |
nowen | ok | 13:56 |
Sanjar | We are looking for two factor authentication for VMWare virtual desktops, VMWare VCenter server, ADS, Oracle, Firewall, Storage etc. Appreciate if we can have a comparison sheet of RSA and Verisign two factor authentication. | 13:56 |
nowen | what authentication protocol do you use? | 13:57 |
Sanjar | for ads and vmware virtual desktop it's ldap | 13:58 |
Sanjar | for rest we haven't tested | 13:58 |
nowen | do ADS and virtual desktop also support radius? | 13:58 |
Sanjar | ok let me give u an intro of ourselves | 13:59 |
Sanjar | we are an MSP | 13:59 |
Sanjar | and this is for one of our customer | 13:59 |
nowen | ok | 14:00 |
Sanjar | customer would like to go with LDAP | 14:00 |
Sanjar | if radius is required we can talk to our customer | 14:00 |
nowen | ok, well, we support LDAP, Radius, TACACS+ and have an api too | 14:00 |
Sanjar | grt | 14:00 |
nowen | I do think that Radius is a better protocol than ldap for authentication | 14:01 |
Sanjar | we would prefer to go with commercial version of wikid if we are through with the testing with the customer setup | 14:01 |
nowen | we're very interested in the MSP space and there is a lot we can do with our API | 14:01 |
Sanjar | can you plz help us out with a comparison with RSA and how we can pitch in wikid | 14:02 |
nowen | yes, I can | 14:02 |
Sanjar | cost is certainly one big factor which we are clearly aware of | 14:02 |
Sanjar | we need the features and support comparison | 14:02 |
nowen | yes, but also our API will make life a lot easier | 14:02 |
Sanjar | ok | 14:02 |
nowen | and each user can have more than one token | 14:02 |
nowen | for the price of one | 14:02 |
Sanjar | can i have the comparision sheet at sanja.a@ctrls.in | 14:03 |
Sanjar | i would appreciate | 14:03 |
Sanjar | sorry its sanjar.a@ctrls.in | 14:03 |
nowen | I'll send you what we have, which is not necessarily targeting RSA | 14:03 |
Sanjar | ok will do | 14:03 |
nowen | but it does the job :) | 14:03 |
Sanjar | plz send n i wl confirm u rite away | 14:04 |
Sanjar | ok one more thing u hv got only the soft tokens rite | 14:04 |
nowen | correct - only software tokens | 14:04 |
Sanjar | ok we are fine with this .. | 14:04 |
nowen | how did you hear about us? | 14:04 |
Sanjar | 14:05 | |
nowen | ok | 14:05 |
Sanjar | r u sending the docs now | 14:05 |
nowen | yes | 14:05 |
nowen | on their way | 14:06 |
Sanjar | ok | 14:07 |
nowen | my one suggestion is that you try to get all the apps using the same standard protocol | 14:08 |
nowen | Does the customer use AD? | 14:08 |
Sanjar | yes | 14:08 |
Sanjar | ok nowen is your chat service available 24/7 | 14:10 |
nowen | the benefit of using Radius is that you can send the auth requests through AD using their radius plugin. if they have the right AD rights, the creds are proxied to the WIKID server | 14:10 |
Sanjar | ok | 14:10 |
nowen | no, usually only east coast hours. 24x7 support is available for extra | 14:11 |
Sanjar | but i need to setup radius auth for all the components | 14:11 |
nowen | ideally | 14:11 |
nowen | or run them through something that supports radius, like ISA or apache or a ssl-vpn | 14:12 |
Sanjar | yeah got it ... ok so even the vmware vcenter and virtual desktop should talk to radius first | 14:12 |
Sanjar | how u suggest us to kick off setting up the demo for our customer | 14:13 |
nowen | yeah - it actually makes life a lot easier in the long urn | 14:13 |
nowen | run | 14:13 |
nowen | download the server! we really encourage testing | 14:13 |
nowen | it's quite easy to setup. I can walk you through it on irc | 14:13 |
Sanjar | ok not now... can we have this sometime tomorrow | 14:15 |
nowen | sure | 14:15 |
Sanjar | let us first convince the customer to have poc on wikid | 14:15 |
nowen | with guidance, setting up the server should only take about 20-30 minutes | 14:15 |
Sanjar | grt | 14:15 |
Sanjar | will u b available 2moro | 14:15 |
nowen | yes | 14:15 |
Sanjar | fine then i will catch u up tomorrow | 14:16 |
nowen | grt | 14:16 |
Sanjar | thanx a lot ... gud day | 14:16 |
nowen | you too! | 14:16 |
*** Sanjar has quit (Quit: Page closed) | 14:16 | |
*** vpn2factor (97b70024@gateway/web/freenode/ip.151.183.0.36) has joined #wikid | 14:55 | |
vpn2factor | I was wondering how auth works if I set up a Cisco VPN device using Radius. How does the authentication take place for the user? | 14:57 |
nowen | hi | 14:57 |
nowen | there are a couple of options | 14:58 |
nowen | auth can pass through AD using radius or the cisco can talk directly to WiKID | 14:58 |
nowen | the user logs in with their username and the OTP in both cases | 14:58 |
nowen | does that answer your question? | 14:59 |
vpn2factor | I want to understand enough so that I feel confident that we are still able to do 2 factor. I am thinking... | 14:59 |
vpn2factor | I guess I want to make sure that the OTP is indeed a private thing for the user. I haven't quite gotten the hang of it. | 15:00 |
nowen | ahh | 15:00 |
nowen | ok. so the two factors are knowledge of the PIN and possession of the private key embedded in the token | 15:01 |
nowen | you can think of WiKID as compared to certificates. | 15:01 |
nowen | but, there is no infrastructure, they are just flat keys.. | 15:01 |
nowen | the difference is that the private key is used to encrypt the PIN, which is then sent to the server for validation | 15:02 |
nowen | so, unlike certs, WiKID cannot be brute-forced attacked like certs | 15:02 |
vpn2factor | That is of course what I want to get away from, that and the platform dependency of smartcards | 15:03 |
nowen | interesting. I think that one-time passcodes are great because the UI piece has been done for everything - there are username and password boxes for all apps | 15:04 |
nowen | then, all you need to do is choose applications that support the right protocol | 15:04 |
nowen | such as radius | 15:05 |
vpn2factor | What troubles me here is that the only service I have available is a crappy Cisco box (using Radius). Don't I need to host more myself? | 15:06 |
nowen | not sure I follow - you will host the WiKID server | 15:06 |
vpn2factor | That's where I got confused I guess, I realize I will have to have a WIKID server (or rather 2 for redundancy). But do I need to expose that on the Internet. Sorry if I sound stupid, but I just started reading about WIKID... | 15:07 |
vpn2factor | ? after Internet of course. | 15:08 |
nowen | no problem! that's why I'm here ;) | 15:08 |
nowen | The server typically goes in the dmz, with one port facing out for token requests and one internal for network traffic to the cisco | 15:09 |
vpn2factor | OK, now I see. This is what I lack in the docs I looked at. I couldn't quite put it together. | 15:10 |
nowen | it's a very different architecture - the token talks to the server | 15:10 |
nowen | it allows us to do some different stuff though | 15:10 |
nowen | each user can have more than one token and each token can work with multiple wikid servers/wikid domains | 15:11 |
vpn2factor | How do you limit who may talk to a wikid server? | 15:11 |
nowen | there's a two-step process for validation. we have a bunch of ways to do it, but the simple version is: | 15:12 |
nowen | the token communicates with the server and the user is prompted to double enter their PIN | 15:13 |
nowen | the PIN is sent to the server and the server responds with a registration code | 15:13 |
nowen | that reg code has to get back to the WiKID server in a trusted way for the account to be validated | 15:13 |
nowen | the admin can validate or we have scripts that allow the users to self-validate based on existing trusted creds from AD | 15:14 |
vpn2factor | I am kind of scared of the DMZ placed servers that are supposed to be the basis of authentication to the whole network. Do you get this past PCI/DSS auditors? | 15:15 |
nowen | yes, constantly. You can put a server in the dmz that then routes the token info to WIKID. We do this with apache | 15:16 |
vpn2factor | Ahh, so the server in DMZ is not the WIKID server itself | 15:17 |
nowen | correct. the tokens use port 80 to /wikid/ so a simple redirect rule works fine | 15:17 |
nowen | brb - got to get some coffee ;) | 15:20 |
vpn2factor | Once again I feel a bit lost as to how to get the token info all the way in and still not exposing too much. You get some coffee. I will too | 15:20 |
nowen | for our demo server/www server, we have a rule that routes the wikid token requests to a different port on the server (since www uses 80, obviously) | 15:26 |
nowen | RewriteRule ^/wikid/(.*) https://localhost:8443/wikid/$1 [P] | 15:26 |
nowen | you could have an apache server in the dmz to rewrite requests that come in to a server anywhere | 15:28 |
vpn2factor | By design, does that service that is provided for the tokens give access to actually change anything in the WIKID server? | 15:30 |
vpn2factor | I would of course want a no to such a question, but based on facts ;-) | 15:30 |
nowen | no, it only receives PINs and responds with OTPs | 15:31 |
nowen | the WiKIDAdmin web ui service runs on 443 | 15:31 |
vpn2factor | That is what I thought. | 15:32 |
vpn2factor | I am thinking of how to further strengthen my case for using WIKID, since I feel it would suit our purposes. | 15:32 |
nowen | so you use certs and smartcards now? | 15:33 |
vpn2factor | Yes, and I want to get away from it to avoid the hassle and also since it's a pain to support multiple platforms. | 15:34 |
vpn2factor | More coming real soon... | 15:36 |
nowen | ok | 15:36 |
nowen | I assume you saw our pricing online? | 15:36 |
vpn2factor | Pricing doesn't hurt that much, no. and yes, I've seen it. By the way, what happens when the maintenance contract runs out? | 15:37 |
nowen | it's an annual subscription, so it never runs out until you stop it ;) | 15:37 |
nowen | we also have a three year option. pre-pay for 3 years and get a 30% discount | 15:38 |
vpn2factor | I like the 3 year (both discount and not having to care for 3 years is great). I was rather wondering what happens after 3 years and a day, should one forget to renew. Keep in mind here that I am a consultant helping a customer (and not the one owning the IP for that matter) and I might not be around three years from now... | 15:40 |
nowen | currently nothing exceptionally bad happens. we are working on a better system to track subscriptions that will have reminders, etc. but after 3years they will be in violation of the license if they haven't renewed | 15:41 |
vpn2factor | I do believe in reminders but was a bit scared about service dying when support runs out. | 15:42 |
vpn2factor | You should of course make sure that customers renew if they still use the application, but hurting them is of course not optimal | 15:43 |
nowen | agreed | 15:43 |
vpn2factor | If you don't get paid, then company and application will eventually die. Not good for existing customers... | 15:44 |
nowen | true, but there sadly are always free-riders | 15:45 |
vpn2factor | Is there nothing that upsets auditors when it comes to the fact that you have a web service that does after all talk to the back end authentication service? I WANT to get a good grip of this... | 15:46 |
nowen | I've talked to QSAs in the past about WiKID and nothing has been said about that. We have a lot of PCI customers | 15:47 |
vpn2factor | Perhaps I'm the most paranoid of all then... I guess that is better than the other way round. | 15:49 |
nowen | well, there's pci compliance, and then there is security ;) | 15:50 |
nowen | the good ones look at it as a floor, others think it is a ceiling | 15:50 |
vpn2factor | Yes, indeed. They sure don't require everything I want to lock down on my servers. It's more a question of getting paid for what I feel as reasonable security (which is pretty tight) | 15:51 |
vpn2factor | OK, I guess I should request the download link and start testing | 15:53 |
nowen | please do! | 15:53 |
vpn2factor | Thanks for your help! | 15:53 |
nowen | np | 15:53 |
*** vpn2factor has quit (Quit: Page closed) | 15:54 | |
*** nowen has quit (Quit: Leaving.) | 16:19 | |
*** nowen (~nowen@adsl-176-210-205.asm.bellsouth.net) has joined #wikid | 18:02 | |
*** microtosh (~nathan@adsl-75-47-249-111.dsl.lsan03.sbcglobal.net) has joined #wikid | 18:15 | |
nowen | howdy microtosh | 18:15 |
microtosh | hey nowen | 18:15 |
nowen | ahh, Hi Nathan :) | 18:16 |
microtosh | heh | 18:17 |
microtosh | hi Nick | 18:17 |
microtosh | :-) | 18:17 |
nowen | how goes the install? | 18:17 |
microtosh | haven't attempted yet, just got into the office | 18:17 |
microtosh | I'm installing the ISO on VMware, what's the distro it's packaged with? | 18:17 |
nowen | centos 5 | 18:17 |
microtosh | ok | 18:18 |
microtosh | 32bit? | 18:18 |
nowen | yes | 18:18 |
microtosh | hey did i read somewhere right that wikid is also a tacacs+ server? | 18:20 |
nowen | we have support for tacacs+. It is a bit kludgey, IMO, but others have said they love it | 18:21 |
microtosh | does the system really require 2 NICs? | 18:23 |
nowen | it's recommended. You most likely do not want your radius internal traffic on the same network as the external token traffic, but up to you | 18:24 |
microtosh | ok | 18:24 |
microtosh | just making sure | 18:24 |
microtosh | lol awesome, as we just got an email from the client to hold on the project... | 18:27 |
nowen | darn | 18:27 |
nowen | is this for pci compliance? | 18:27 |
microtosh | yes | 18:27 |
nowen | well, they will need two-factor. are they looking at something else? | 18:28 |
microtosh | it's cool, we want to become a pci compliant service provider anyway | 18:28 |
microtosh | no, unrelated to the infrastructure. something to do with their cart | 18:28 |
nowen | hmm | 18:29 |
nowen | ok | 18:29 |
*** ciscorichy (423cb4f2@gateway/web/freenode/ip.66.60.180.242) has joined #wikid | 20:59 | |
ciscorichy | Hi | 20:59 |
nowen | hi ciscorichy | 20:59 |
nowen | what's up? | 21:00 |
ciscorichy | I am looking for a two factor authentication for a client and came across Wikid. What is the renewal cost per year for this and how is it implemented? Is it server based, virtual appliance based or what? | 21:01 |
nowen | server or vm-based. lots of people deploy it virtually | 21:01 |
nowen | typically they put it in their dmz | 21:01 |
nowen | pricing is per-user http://www.wikidsystems.com/learn-more/financial | 21:02 |
nowen | how did you find us? | 21:02 |
ciscorichy | Great. I have about 100 users for a client and they are using Citrix. Will it work for that? | 21:02 |
nowen | it should as long as the Citrix product you're using supports radius | 21:02 |
ciscorichy | Ok I see the price for 100 seats as $24 per year. Is that correct? | 21:04 |
nowen | correct. it includes everything but 24x7 support. that would be 18% extra | 21:04 |
ciscorichy | Ok Great. Do you have both hard and soft tokens? | 21:05 |
nowen | no, just software tokens | 21:05 |
ciscorichy | Are they distributed as SMS or if not how does a user get the token? | 21:05 |
nowen | there is a software package for each platform, delivery mech varies. iphone == app store, blackberry could be dl/ or push etc | 21:07 |
nowen | we also have PC tokens | 21:07 |
nowen | web start, full installers, .jar, .exe etc, etc | 21:07 |
nowen | html5 token too ;) | 21:07 |
nowen | once the token is installed, it is registered with the server and then associated in a secure way with the user | 21:08 |
ciscorichy | Is Windows 2003 or 2008 Server required? | 21:08 |
nowen | we have a number of ways to automate and simplify the process | 21:08 |
nowen | no, the best way to install is to create a linux vm image and install our appliance ISO. no os needed | 21:09 |
ciscorichy | will the appliance work as a virtual appliance on VMware ESX? | 21:09 |
nowen | you need to use the ISO. our vmware image was created with the VMWare Server product, so it's better just to boot the iso | 21:10 |
ciscorichy | Does it include the radius component? | 21:10 |
nowen | yes | 21:11 |
nowen | the Enterprise version includes Radius | 21:11 |
ciscorichy | Ok so for VMware, I just create a linux VM and then boot it with the iso and that is all that is needed to install the product. Is that correct? | 21:12 |
nowen | yes. RHEL5, we use Centos5. Then, http://www.wikidsystems.com/support/wikid-support-center/manual/how-to-install-the-wikid-strong-authentication-server/referencemanual-all-pages | 21:13 |
ciscorichy | What is the price for 100 users for the enterprise version? | 21:13 |
nowen | $2400 per user per year | 21:13 |
nowen | also, we have a 3 year pre-payment option for a 30% discount | 21:13 |
ciscorichy | $24 or $2400? | 21:14 |
nowen | 24! ha | 21:14 |
nowen | i wish | 21:14 |
nowen | wishful typo'ing | 21:14 |
ciscorichy | Awesome. I need to relay this to our client. This is exactly what we are looking for. | 21:14 |
nowen | excellent. well, install is easy. just come back here and we'll walk through it | 21:15 |
ciscorichy | Thank you for your time today. you are awesome. | 21:15 |
nowen | np. | 21:15 |
nowen | feel free to download the server | 21:16 |
nowen | how did you find us? | 21:16 |
nowen | our hits are off the hook today. I'm wondering what's going on | 21:16 |
ciscorichy | Google search | 21:16 |
nowen | they must like us today | 21:16 |
*** ciscorichy has quit (Quit: Page closed) | 21:46 | |
*** nowen has parted #wikid (None) | 22:57 | |