*** Withoutaname (~Withoutan@unaffiliated/withoutaname) has joined #wikid | 00:06 | |
*** Bart_ has quit (Ping timeout: 245 seconds) | 02:22 | |
*** Withoutaname has quit (Read error: Connection reset by peer) | 09:21 | |
*** AiaBart (d57e804a@gateway/web/freenode/ip.213.126.128.74) has joined #wikid | 10:58 | |
AiaBart | I was wondering if MS Chap2 was supported, because I am using it (in my ISA/IAS) setup, but authentication returns errors mentioning "Microsoft MS-Chap failed authentication" | 11:00 |
AiaBart | Seems to be supported, but that doesn't make my setup work =) | 11:07 |
*** AiaBart has quit (Quit: Page closed) | 13:50 | |
*** nowen (~nowen@adsl-66-184-38.asm.bellsouth.net) has joined #wikid | 15:36 | |
*** Aargh (d57e804a@gateway/web/freenode/ip.213.126.128.74) has joined #wikid | 16:02 | |
Aargh | Aargh =) I had WiKID working with ISA2006/IAS and WiKID and a "Test" internal domain but ... | 16:03 |
Aargh | I had created a user Bart and a token and it worked (after I figured out that usernames became case sensitive when using WiKID) | 16:04 |
Aargh | But now I created an externally reachable domain 213******** instead of 010001******* | 16:05 |
nowen | Aargh: did you change the network client to the new domain? | 16:05 |
Aargh | Yup, I used a client on my iPhone (which does work nicely) | 16:06 |
nowen | right - but on the WiKIDAdmin, did you also edit the Network Client page? | 16:06 |
Aargh | But the problem seems to be (logs) that the old user is being validated (old Bart on 010000 domain, not existent anymore) | 16:06 |
Aargh | No, I didn't | 16:07 |
Aargh | My ISA server and my IAS server are still there. Should I recreate those as well? | 16:08 |
nowen | do that and be sure to restart - the radius plugin caches the info | 16:08 |
nowen | that depends on what you want to do. | 16:08 |
Aargh | Thanks, I'll try that now. | 16:08 |
nowen | you probably should have all your traffic go through IAS | 16:09 |
nowen | that way, when a user is disabled in AD, they are locked out. | 16:09 |
Aargh | Well, I want the IAS Radius thingie to authenticate me as Bart | 16:09 |
Aargh | You mean, IAS should be my gateway?! | 16:09 |
nowen | no | 16:09 |
nowen | the credentials should go from ISA to IAS to WiKID. | 16:10 |
Aargh | Blind me hadn't seen I could/should change the domain on the "client" page | 16:10 |
nowen | so, the ISA should not be in WiKID | 16:10 |
nowen | ;) | 16:10 |
Aargh | PS: The "manual" install guides didn't mention the "case sensitivity" which I have seen. | 16:11 |
nowen | you mean there are still OSs that aren't cap sensitive ;) | 16:12 |
Aargh | Errr, alas yes ... not everyone is running an OS with sense | 16:13 |
nowen | haha | 16:13 |
Aargh | Aargh, still not working atm, stupid IAS server, something so slow there. Not patching anything through to WiKID server. | 16:17 |
nowen | so, is the last thing you see the passcode request? | 16:18 |
Aargh | Yup. And the IAS log files not being updated. | 16:18 |
Aargh | No the code being issued =) | 16:21 |
nowen | what I mean is in the WiKIDAdmin logs, if the last thing you see is the passcode being returned to the token, then you know that the request is not getting from IAS to WiKID | 16:22 |
nowen | if you see anything after that, then it should be the request from IAS | 16:22 |
Aargh | Issued passcode to device 235........ is the last code | 16:23 |
Aargh | Woohoo it's working! Blood, sweat and tears and mostly waiting after I learned that not everything was updated/active in a second in the Windows world. | 16:26 |
nowen | hehe | 16:33 |
nowen | you know, a lot of the stuff that happens during config can be a pain, but it just doesn't happen in production when you're not changing everything | 16:34 |
*** malcolm (29df2122@gateway/web/freenode/ip.41.223.33.34) has joined #wikid | 16:46 | |
malcolm | hi there | 16:46 |
nowen | Aargh: what version of iPhone OS are you running? I just had someone say they were having troubles | 16:46 |
nowen | hi malcolm | 16:46 |
malcolm | we are looking to install on sles and are having issues with the rpms | 16:47 |
malcolm | any chance we will be able to chat to someone on the phone ? | 16:47 |
nowen | malcolm: the rpms are really Redhat rpms | 16:47 |
malcolm | how would we build it on sles ? | 16:48 |
nowen | if you download the ISO, it is essentially centos | 16:48 |
nowen | I'm not really familiar with sles. | 16:49 |
nowen | but some people have gotten it running on ubuntu | 16:49 |
nowen | and other flavors | 16:49 |
malcolm | i assume the source is closed ;) | 16:49 |
malcolm | for the enterprise edition | 16:49 |
nowen | yes, but the only difference in the code is the radius plugin and the wireless encryption | 16:50 |
nowen | if you want to make changes to the scripts, etc, we will accept them | 16:50 |
nowen | but, we have to review all that stuff - it is a security app after all | 16:50 |
malcolm | i understand | 16:51 |
malcolm | We need a solution to work with our Cisco ASA5505 | 16:51 |
nowen | we're working on debian packaging now | 16:51 |
malcolm | this seems to be the best | 16:51 |
malcolm | We were using AD auth but now for PCI it is no longer 2 factor | 16:52 |
nowen | do you have to have sles? the iso comes with everything needed | 16:52 |
malcolm | I know but finding a box in production is a major hassle and we need to have it working by friday | 16:52 |
nowen | ooh | 16:53 |
nowen | do you do any virtual stuff? | 16:53 |
malcolm | only in our test environment | 16:54 |
malcolm | Can I get a copy of the enterprise source | 16:55 |
malcolm | it will probably be the easiest to compile | 16:55 |
nowen | yes, I can do that | 16:56 |
malcolm | cool - can I get a download link please | 16:56 |
nowen | send me an email to nowen at wikidsystems.com | 16:56 |
malcolm | okay | 17:01 |
malcolm | I've sent | 17:01 |
nowen | we might be able to incorporate sles into our build, not sure | 17:01 |
malcolm | great - lets hope the source will work | 17:05 |
nowen | malcolm: what else will you have running on the server? | 17:17 |
malcolm | OpenLDAP, rsyncs | 17:29 |
nowen | ok - the wikid token uses port 80 | 17:29 |
malcolm | what does that mean ? | 17:49 |
nowen | the tokens talk to the WiKID server over http | 17:49 |
malcolm | does that mean we need to allow access to the server from the web ? | 17:49 |
malcolm | Also - we seem to have it installed | 17:50 |
malcolm | on sles | 17:50 |
nowen | that was fast | 17:50 |
malcolm | what is the default username | 17:50 |
malcolm | and password | 17:50 |
nowen | any documentation is much appreciated | 17:50 |
malcolm | the WiKIDAdmin is not working | 17:50 |
malcolm | i am guessing that we may have dbase issues | 17:50 |
nowen | WiKIDAdmin/2Factor. if it is not working, it is a db issue | 17:50 |
nowen | yes | 17:50 |
malcolm | dammit | 17:51 |
malcolm | but it seems we are 90% there | 17:51 |
nowen | did the db config script run ok? | 17:51 |
malcolm | so talk to me about tokens | 17:51 |
malcolm | no we did it all manually | 17:51 |
malcolm | the db stuff | 17:51 |
malcolm | and we created symlinks etc | 17:52 |
malcolm | so basically our wikid server needs to have internet access for the tokens ? | 17:52 |
nowen | yes | 17:52 |
malcolm | does it speak to your server directly ? | 17:52 |
malcolm | or do the token clients speak to it ? | 17:52 |
malcolm | so if we needed we could lock the FW rules down. | 17:53 |
nowen | the tokens send the PIN to the server, the server responds with the OTP. all encrypted, etc http://www.wikidsystems.com/learn-more/technology/overview | 17:53 |
nowen | sure | 17:53 |
nowen | but the server needs an external ip. it can be nat'd | 17:54 |
malcolm | ok - so from Internet | 17:55 |
malcolm | Your IP -> our IP (port 80) | 17:55 |
malcolm | and our ip to your ip port 80 | 17:56 |
nowen | not quite. the token talks directly to your IP | 17:56 |
malcolm | encrypted but running over normal web port | 17:56 |
malcolm | ah ha - ok - how does it get our address ? | 17:56 |
malcolm | I can see the 12 digit domain code | 17:57 |
malcolm | but not sure how that relates to our domain > | 17:57 |
malcolm | ? | 17:57 |
malcolm | do you have a landline ? | 17:58 |
malcolm | are you at your offices - maybe it would be better to chat | 17:58 |
nowen | the 12 digit code is your IP. So, 65.192.1.1 becomes 065192001001 | 17:59 |
nowen | I have to go out for a meeting, sorry | 17:59 |
nowen | in fact, I have to go now. | 18:01 |
nowen | http://www.wikidsystems.com/support/wikid-support-center/manual/how-to-install-the-wikid-strong-authentication-server/referencemanual-all-pages | 18:02 |
nowen | oopp | 18:02 |
nowen | s | 18:02 |
nowen | malcolm: check out the commands on this page: http://www.wikidsystems.com/support/wikid-support-center/installation-how-tos/how-to-install-the-wikid-enterprise-rpms | 18:02 |
nowen | the db needs to be loaded | 18:03 |
nowen | you might just be able to run /opt/WiKID/sbin/load_db.sh | 18:03 |
nowen | once you get logged in go to that first line | 18:03 |
nowen | link and follow the manual | 18:03 |
nowen | I'll be back in about 3-4 hours | 18:04 |
*** nowen has quit (Quit: Leaving.) | 18:04 | |
malcolm | thanks | 18:14 |
*** malcolm has quit (Quit: Page closed) | 18:14 | |
*** nowen (~nowen@adsl-66-184-38.asm.bellsouth.net) has joined #wikid | 20:21 | |
*** nowen has quit (Ping timeout: 276 seconds) | 21:58 | |
*** nowen (~nowen@adsl-66-184-38.asm.bellsouth.net) has joined #wikid | 22:10 | |
*** nowen has quit (Quit: Leaving.) | 23:41 | |