Tuesday, 2011-03-08

00:50 *** makobug (~csec14_2@128.8.135.198) has joined #wikid
02:11 *** makobug has parted #wikid (None)
06:33 *** m0rg4n (4ce2a73e@gateway/web/freenode/ip.76.226.167.62) has joined #wikid
06:33 *** m0rg4n has quit (Client Quit)
14:31 *** nowen (~nowen@adsl-66-184-38.asm.bellsouth.net) has joined #wikid
15:19 *** Bart_ (d57e804a@gateway/web/freenode/ip.213.126.128.74) has joined #wikid
15:36 *** WI_User (a5bd4f32@gateway/web/freenode/ip.165.189.79.50) has joined #wikid
15:37 <WI_User> New install using RADIUS and ASA - can anyone help?
15:37 <nowen> sure
15:37 <nowen> at least on the WiKID side ;)
15:38 <nowen> did you restart wikid after creating the network client for the ASA?
15:38 <nowen> also, there is a known issue where radius takes forever to start
15:39 <WI_User> Cool.  Configured the server via ISO and VM and that's all good.  RADIUS is enabled and the server is validating users and users can get passcodes, but when I test auth there is nothing in the logs.  I have a trace as this server is in a DMZ and it shows the ASA making a connection to the server on UDP 1812 but the server logs nothing
15:40 <nowen> sounds like the fw is blocking - did you restart WiKID with 'wikidctl restart'?
15:40 <WI_User> Yep.
15:41 <nowen> on the WiKID server, run 'netstat -anp | grep 1812' and see if there is a listener
15:42 <WI_User> Returns "udp 0 0 :::1812 :::*"
15:43 <nowen> ok
15:44 <nowen> run 'iptables -L -n' and make sure that the fw has a port open for the IP of the ASA
15:49 <WI_User> Looks good:
15:49 <WI_User> Chain INPUT (policy ACCEPT)
                target     prot opt source               destination
                ACCEPT     tcp  --  127.0.0.1            0.0.0.0/0           state NEW tcp dpt:49
                ACCEPT     tcp  --  127.0.0.1            0.0.0.0/0           state NEW tcp dpt:8388
                ACCEPT     udp  --  127.0.0.1            0.0.0.0/0           state NEW udp dpt:1813
                ACCEPT     tcp  --  127.0.0.1            0.0.0.0/0           state NEW tcp dpt:1813
                ACCEPT
15:50 <nowen> hmm, no, it shouldn't be the localhost, it should be the cisco ASA
15:51 <WI_User> Sorry, there was more
15:51 <WI_User> ACCEPT     udp  --  10.123.1.8           0.0.0.0/0           state NEW udp dpt:1812
                ACCEPT     tcp  --  10.123.1.8           0.0.0.0/0           state NEW tcp dpt:1812
15:51 <WI_User> I think I see the issue
15:52 <nowen> what?  wrong IP?
15:52 <WI_User> The ASA network client will be using PAT to access the server in the DMZ so the network client will be 62.200
15:53 <WI_User> I changed the network client but the firewall tables did not update
15:53 <WI_User> If I create a new client will the tables update?
15:55 <nowen> sorry - you still have to restart - the radius client caches the info
15:55 <nowen> but once you restart, you should be good
15:57 <WI_User> Checking...
15:59 <nowen> ok - brb, coffee time
16:01 <WI_User> Built outbound UDP connection 211331626 for dmz:10.123.62.15/1812 (10.123.62.15/1812) to inside:10.123.xxx.8/1025 (10.123.62.200/47518)
16:01 <WI_User> Still no activity on the WiKID server.  Just the issuing of the passcode
16:03 <nowen> try running 'service iptables stop' and then test.  we'll know if it is the firewall
16:16 <WI_User> Sorry, I was away.  Testing now
16:16 <nowen> k
16:17 <WI_User> That worked
16:17 <nowen> hmm
16:17 <nowen> is this an RPM install?
16:17 <WI_User> Access granted for klivese, domain code: 165189075015 client: /10.123.62.200
16:18 <WI_User> This is the 30 day trial ISO build on a VM
16:21 <nowen> hmm
16:22 <nowen> is /10.123.62.200 the asa?
16:23 <WI_User> 10.123.62.200 is the PAT address any client will be assigned when communicating from the inside trusted network to the DMZ.
16:24 <WI_User> It's the network client address I have in the WiKID server.
16:24 <nowen> pat address?
16:25 <WI_User> Port Address Translation.  Like NAT, Network Address Translation.
16:26 <WI_User> It assigns and maps 10.123.1.x addresses to 10.123.62.200 when talking to the DMZ network 10.123.62.x
16:27 <nowen> hmm. the network client for WiKID is supposed to be the ASA
16:28 <WI_User> It is, as far as the WiKID server knows.
16:28 <nowen> but it is supposed to be static, otherwise the fw won't let it in.
16:29 <nowen> is it static?
16:30 <WI_User> The network client will always use 62.200 when communicating with the WiKID server so in that way it's static
16:30 <nowen> ok - sorry, a bit slow today and too many windows open ;)
16:30 <WI_User> Is there an IPS/IDS running on the WiKID server?
16:30 <nowen> no, just the fw
16:31 <WI_User> K
16:31 <WI_User> Hmm
16:31 <nowen> but if that is the network client IP, then the fw should open a port for it
16:31 <nowen> hmm, ACCEPT     udp  --  10.123.1.8           0.0.0.0/0           state NEW udp dpt:1812
                   ACCEPT     tcp  --  10.123.1.8           0.0.0.0/0           state NEW tcp dpt:1812
16:31 <WI_User> It did.
16:31 <WI_User> ACCEPT     tcp  --  10.123.62.200        0.0.0.0/0           state NEW tcp dpt:49
                ACCEPT     tcp  --  10.123.62.200        0.0.0.0/0           state NEW tcp dpt:8388
                ACCEPT     udp  --  10.123.62.200        0.0.0.0/0           state NEW udp dpt:1813
                ACCEPT     tcp  --  10.123.62.200        0.0.0.0/0           state NEW tcp dpt:1813
                ACCEPT     udp  --  10.123.62.200        0.0.0.0/0           state NEW udp dpt:1812
                ACCEPT     tcp
16:32 <nowen> hmm
16:32 <WI_User> I know, strange
16:32 <nowen> ok - so did you restart iptables?  if so, try again
16:33 <WI_User> Not yet, I will.  Is there a way to review the iptables log to see why it's blocking UDP 1812 traffic?
16:34 <nowen> you can run 'tail -f /var/log/secure'
16:35 <WI_User> K.  The test failed.  No logs, just the issuing of the passcode "Issued passcode to device 2184324507355248423"
16:35 <WI_User> I will check the firewall logs
16:38 <WI_User> There are no logs for the last hour and a half ???
16:38 <WI_User> Last line: Mar  8 08:57:41 wikid runuser: pam_unix(runuser-l:session): session closed for user postgres
16:39 <WI_User> Going to restart the server
16:39 <nowen> what does 'date' return?
16:41 <WI_User> It's an hour behind
16:41 <nowen> did you set the time-zone?
16:42 <WI_User> Yep. CST -S Chicago
16:42 <WI_User> err, -6
16:44 <nowen> you can use date to also set the time
16:45 <nowen> 'date 03081146' or whatever time it is there
16:50 <WI_User> hmm.  After a restart I cannot access the web admin console
16:50 <nowen> 'netstat -anp | grep 443'
16:50 <WI_User> I reran the wikidctl setup and verified all settings
16:50 <nowen> is there an error?
16:51 <WI_User> Nothing
16:51 <WI_User> Netstat returns nothing
16:53 *** bigbash has parted #wikid ("Leaving")
16:56 <nowen> have a look in /opt/WiKID/tomcat/logs/catalina.out
16:56 <WI_User> k
16:57 <WI_User> Tail shows:
                Mar 8, 2011 9:39:19 AM org.apache.coyote.http11.Http11BaseProtocol destroy
                INFO: Stopping Coyote HTTP/1.1 on http-80
                Mar 8, 2011 9:39:19 AM org.apache.coyote.http11.Http11BaseProtocol destroy
                INFO: Stopping Coyote HTTP/1.1 on http-443
16:58 <nowen> hmm
16:58 <nowen> try running wikidctl start again
17:02 <WI_User> That started successfully but a test auth afterwards failed
17:03 <WI_User> Nothing in the secure log
17:04 <WI_User> Is there a way to set the firewall logging to debugging?
17:11 <nowen> maybe this: http://www.cyberciti.biz/tips/force-iptables-to-log-messages-to-a-different-log-file.html ?
17:17 <WI_User> K.  You have your note pad open?
17:19 <WI_User> I edited the DMZ ACL to allow the WiKID server to access any time server via UDP 123 and once the server's time was updated I tested again...  It works!
17:19 <nowen> hehe
17:20 <nowen> so, it was the date?
17:20 <WI_User> Seems to be.  I don't know of any reason that would affect iptables or RADIUS
17:21 <WI_User> Have a good one and thanks for your assistance
17:21 <nowen> np
17:21 <nowen> here to help
17:21 *** WI_User has quit (Quit: Page closed)
18:02 *** klaze (4227a4c2@gateway/web/freenode/ip.66.39.164.194) has joined #wikid
18:03 <klaze> hello
18:11 <nowen> hi
18:21 <nowen> klaze: let me know if you have any questions about wikid
18:21 *** klaze has quit (Quit: Page closed)
18:24 <nowen> ls
21:57 *** nowen has quit (Quit: Leaving.)
22:05 *** klaze (4227a4c2@gateway/web/freenode/ip.66.39.164.194) has joined #wikid
22:05 <klaze> hello
22:40 <klaze> I'll check back later
22:51 *** klaze has quit (Quit: Page closed)

Generated by irclog2html.py 2.11.0 by Marius Gedminas - find it at mg.pov.lt!