*** WiKIDLogBot (~WiKIDLogB@ec2-174-129-6-100.compute-1.amazonaws.com) has joined #wikid | 12:42 | |
pratchett.freenode.net | Users on #wikid: WiKIDLogBot malcolm_ @nowen | 12:42 |
---|---|---|
malcolm_ | Hi nick | 12:54 |
malcolm_ | i will "cut and paste" :) | 12:54 |
nowen | ok | 12:54 |
malcolm_ | [09:02] <malcolm_> Hi Nick [09:02] <malcolm_> I have a quick question please [09:03] <malcolm_> Is it possible to unlock user accounts via a DB script ? [09:03] <malcolm_> Our accounts on the server are being locked out - and never unlocking as our firewall is not releasing the session | 12:54 |
nowen | so, this is the same issue? | 12:55 |
nowen | what is the firewall doing? | 12:55 |
malcolm_ | it seems to not close the session | 12:55 |
nowen | how does that affect the WiKID server? | 12:55 |
malcolm_ | I believe there is a firmware update which we will have in the next weeks to fix | 12:55 |
malcolm_ | however until then | 12:55 |
malcolm_ | The accounts do not revert from being disabled | 12:55 |
nowen | what kind of firewall is this? | 12:56 |
malcolm_ | ASA | 12:56 |
malcolm_ | with our old Radius it wasn't an issue | 12:56 |
nowen | I've never heard of this from any of our other ASA users | 12:56 |
nowen | what does it say in the WiKIDAdmin logs? | 12:57 |
malcolm_ | I asked and it seems a known bug - i'm not sure if we perhaps need a config change but the FW is managed by our datacentre | 12:57 |
malcolm_ | I can check - if you need me to | 12:57 |
nowen | well, you have access to the wikid admin, right? | 12:57 |
malcolm_ | yip | 12:58 |
malcolm_ | not sure what i'm looking for though ;) | 12:58 |
nowen | in the logs, search for the string 'disable' | 12:59 |
malcolm_ | okay | 13:00 |
malcolm_ | nothing if I don't select a log file | 13:01 |
malcolm_ | however if I look at the users section | 13:01 |
malcolm_ | Stephen is logged in and his user is currently disabled | 13:01 |
nowen | is log level set to debug? | 13:01 |
nowen | ok, what is his device id? | 13:02 |
malcolm_ | -3740545160298827727 | 13:02 |
nowen | find it on the user page and then search for it in the WiKIDAdmin logs | 13:02 |
malcolm_ | okay | 13:02 |
malcolm_ | it shows issued passcode | 13:03 |
malcolm_ | nothing about locking | 13:03 |
nowen | and that's all? | 13:03 |
nowen | log level set to Debug? | 13:03 |
malcolm_ | i can check | 13:04 |
nowen | on the WiKIDAdmin logs | 13:04 |
nowen | there is a drop down for the log level | 13:04 |
malcolm_ | No - we turned debugging off | 13:04 |
nowen | no - look at the WiKIDAdmin log page | 13:04 |
malcolm_ | I am searching on the debug level | 13:04 |
nowen | try setting the timestamp to days, instead of hours | 13:05 |
malcolm_ | sent you a snapshot of the output | 13:06 |
malcolm_ | also the current log levels | 13:07 |
nowen | and you say he is disabled? | 13:07 |
malcolm_ | he was this morning | 13:07 |
nowen | on the WiKID server? | 13:07 |
malcolm_ | when we got into the office | 13:07 |
malcolm_ | he couldn't login and I had to manually unlock him | 13:07 |
malcolm_ | in the users section | 13:07 |
nowen | on the log filters, set com.wikidsystems, wClient, radius and wAuth to debug and apply changes | 13:08 |
malcolm_ | I don't seem to find the radius one | 13:10 |
nowen | com.wikidsystems.radius.log.DBS... | 13:11 |
malcolm_ | ok cool | 13:11 |
malcolm_ | made that change | 13:11 |
nowen | ok - can you log into the VPN from where you are? | 13:12 |
malcolm_ | yes | 13:12 |
nowen | ok, give it a go and let's see what happens | 13:12 |
malcolm_ | cool - i'm in | 13:13 |
nowen | ok, so what's in the logs? | 13:13 |
malcolm_ | I see this - even though I managed to login | 13:15 |
malcolm_ | com.wikidsystems.radius.access.WikidAccess4Access denied for msiegel, domain code: XXXXXXXXXXX client: /192.168.10.1 | 13:15 |
malcolm_ | also this | 13:16 |
malcolm_ | 135> Access-Request(1) LEN=216 192.168.10.1:1025 Access-Request by msiegel Failed: AccessRejectException: Microsoft MS-CHAP failed authentication. | 13:16 |
nowen | ok, do you see one earlier that was accepted? | 13:16 |
malcolm_ | yes | 13:16 |
malcolm_ | Access-Accept(2) LEN=216 192.168.10.1:1025 Access-Request by msiegel succeeded | 13:16 |
malcolm_ | and my vpn is working | 13:16 |
nowen | ok, so the first one was accepted, then how many others? | 13:16 |
malcolm_ | funnily my user account is not disabled | 13:17 |
nowen | not yet, perhaps, but each time the VPN sends the OTP is another bad passcode attempt | 13:17 |
malcolm_ | i see 1 denied and 1 bad mschap request | 13:18 |
nowen | what is the Max bad password attempts limit on the domain? | 13:19 |
malcolm_ | 6 | 13:19 |
malcolm_ | PCI requirement | 13:19 |
malcolm_ | hmm - i see where you are going | 13:20 |
nowen | any more requests in the log? | 13:20 |
malcolm_ | no - only stephen and I are logged in | 13:20 |
nowen | I mean any more auth validation requests for your account from the VPN | 13:21 |
nowen | can you get me the radius configuration information from the ASA? | 13:22 |
malcolm_ | no | 13:22 |
malcolm_ | sorry | 13:23 |
nowen | can you ask if accounting is on? | 13:23 |
malcolm_ | I can try and obfuscate it a bit | 13:23 |
malcolm_ | give me a sec | 13:24 |
nowen | ok - I'm going to grab some coffee brb. | 13:25 |
nowen | if your WiKID max bad passcode attempts is set to 6, you should have gotten more failed attempts from the ASA | 13:31 |
malcolm_ | i have gotten no more failed attempts | 13:55 |
nowen | hmm and you're not disabled? | 13:55 |
malcolm_ | no | 13:55 |
malcolm_ | only stephen is disabled - also logged in | 13:56 |
nowen | well, remember that the session is managed by the ASA and wikid has nothing to do with that | 13:56 |
nowen | once the user is validated, the ASA is in charge of the session | 13:56 |
nowen | did you find out if radius accounting is turned on on the ASA? | 13:57 |
malcolm_ | still awaiting the latest config | 13:57 |
malcolm_ | Nick I have to run - attending a webinar now | 14:01 |
malcolm_ | I will try pick this up tomorrow | 14:01 |
*** malcolm_ has quit (Quit: Page closed) | 14:01 | |
*** new_purchaser (4658e7ca@gateway/web/freenode/ip.70.88.231.202) has joined #wikid | 19:08 | |
new_purchaser | @nowen: will I need to re-key after purchasing a license? | 19:09 |
nowen | new_purchaser: no | 19:10 |
nowen | new_purchaser: just about to process your payment - probably later today | 19:10 |
new_purchaser | That's great news. Appreciate it! | 19:11 |
nowen | no problem thanks for the business! | 19:11 |
*** new_purchaser has parted #wikid (None) | 19:11 | |
*** nowen has quit (Quit: Leaving.) | 22:22 |