*** nowen (~nowen@adsl-66-184-38.asm.bellsouth.net) has joined #wikid | 13:00 | |
*** dhahn (266f9a61@gateway/web/freenode/ip.38.111.154.97) has joined #wikid | 21:13 | |
dhahn | Hello | 21:13 |
nowen | hi | 21:13 |
dhahn | I'm having a little trouble understanding if I can use wikid with my Cisco PIX boxes and what the user would experience in logging onto the system. | 21:14 |
nowen | ok | 21:14 |
dhahn | Just trying to understand | 21:14 |
nowen | the user would login with their username and the WiKID OTP, which they would get from the token | 21:14 |
dhahn | And they can get the token from a client on their machine or their smart phone? | 21:15 |
nowen | yes | 21:15 |
nowen | though, you can limit that to one or the other if you want | 21:15 |
dhahn | ok, that's good to know | 21:15 |
dhahn | Is there any information on whether the native OS X IPsec client works with the WiKID OTP to a Cisco box? | 21:16 |
dhahn | (I know that's a very specific question) | 21:16 |
nowen | hmm | 21:17 |
nowen | if the IPsec client supports RADIUS, I don't know why there would be an issue. but that might be a big if | 21:18 |
dhahn | ok. I'll see if I can run down that piece | 21:19 |
nowen | it should just send the password through to the auth server, right? | 21:19 |
dhahn | I think so. Are they sending their password or the code from the OTP or both? | 21:22 |
nowen | well, that's really a question for Cisco. most people though use only the OTP. most VPN clients are set up that way. and there is a benefit in not using the LAN password outside the LAN | 21:23 |
dhahn | So, they would provide their username and the OTP code? | 21:24 |
nowen | yes | 21:24 |
nowen | you can run it through AD if you like, using the MS RADIUS plugin | 21:25 |
nowen | IAS/NPS | 21:25 |
nowen | and you can do the same with FreeRADIUS | 21:25 |
dhahn | OK. I think that's fine, as the Cisco just asks the WiKID/RADIUS server if the auth is good | 21:25 |
dhahn | FreeRADIUS is likely. We don't have an MS infrastructure. Mostly macs | 21:25 |
nowen | where are the users stored? | 21:25 |
nowen | we have a how-to for FreeRADIUS/OpenLDAP | 21:26 |
dhahn | At this time, we move credentials around manually to the systems that need them. passwd files, et al. Looking to add openldap later, but, not before this is solved. | 21:27 |
dhahn | So, in this scenario, I'm guessing we'd feed FreeRADIUS via PAM with the passwd/shadow files and then WiKID for the OTP code? | 21:28 |
nowen | well, you can just have the users in WiKID. Or you could set up FreeRADIUS and have it go to WiKID. then when you add OpenLDAP, you can just re-config FreeRADIUS | 21:28 |
dhahn | Can WiKID use PAM authentication credentials for the user list? | 21:28 |
nowen | yes, or straight to WiKID. The benefit of using FreeRADIUS is that you don't have to change the individual configs later | 21:28 |
nowen | not sure I follow - what do you mean by user list? | 21:29 |
dhahn | I expect we'll be going through quite a few changes later, so, fastest to completion is likely the option that will win. | 21:29 |
dhahn | User list - somewhere there has to be a tie-together of the username and the OTP issued, isn't there? | 21:29 |
nowen | so, for PAM, there are a couple of things to set. if you set auth and account to use RADIUS, then the list will be in WiKID (or the RADIUS server). does that answer the question? | 21:31 |
nowen | It depends a bit on the OS | 21:32 |
dhahn | I think so. It would be a Linux-based server and Mac and Windows clients. | 21:32 |
nowen | but if you set account to local, then the user has to have an account on the local system | 21:32 |
dhahn | we typically update /etc/passwd files, so that's easy to manage | 21:32 |
nowen | yeah, then I think just have the auth go to WiKID | 21:34 |
dhahn | ok, sounds good. Thanks for the help. | 21:34 |
nowen | np | 21:34 |
nowen | feel free to download and get it set up | 21:34 |
dhahn | Will do | 21:46 |
*** dhahn has quit (Ping timeout: 252 seconds) | 21:50 | |
*** nowen has quit (Quit: Leaving.) | 21:57 |
Generated by irclog2html.py 2.11.0 by Marius Gedminas - find it at mg.pov.lt!