*** ImacG3 (b277c51e@gateway/web/freenode/ip.178.119.197.30) has joined #wikid | 10:14 | |
*** Lake_Lurker (~Just@h218.200.140.67.dynamic.ip.windstream.net) has joined #wikid | 10:56 | |
*** Lake_Lurker has parted #wikid (None) | 10:56 | |
*** iMacG3_ (b277c51e@gateway/web/freenode/ip.178.119.197.30) has joined #wikid | 11:31 | |
*** iMacG3_ has quit (Client Quit) | 11:33 | |
*** ImacG3 has quit (Quit: Page closed) | 11:36 | |
*** nowen (~nowen@adsl-98-66-165-233.asm.bellsouth.net) has joined #wikid | 11:46 | |
nowen | good morning everyone | 11:50 |
---|---|---|
*** vp (40b3d246@gateway/web/freenode/ip.64.179.210.70) has joined #wikid | 17:55 | |
vp | Hi. Anyone here? | 17:55 |
nowen | yep | 17:56 |
nowen | what's up? | 17:56 |
vp | Hi, Nick. Not too much. What about yourself? | 17:56 |
vp | Things keep you busy, right? | 17:56 |
nowen | indeed | 17:56 |
vp | Nick, I have a little issue there. | 17:56 |
vp | When I check logs | 17:57 |
vp | it says that "Database error while validation offline response" | 17:57 |
vp | What this can be? | 17:57 |
nowen | hmm | 17:57 |
nowen | well, the offline challenge response is for when a mobile token is out of network coverage | 17:59 |
nowen | what kind of network clients do you have? | 17:59 |
vp | We use Radius protocol | 18:00 |
nowen | is it possible that it is making a request for a challenge to the WiKID server? | 18:01 |
vp | Sorry, I am not sure that that means by "challenge to the WiKID server." | 18:01 |
vp | *what that means by "challenge to the WiKID server." | 18:02 |
nowen | ahh. in challenge-response mode (which is a radius standard) the radius server issues a challenge and a token takes that and encrypts it to generate the response. | 18:03 |
nowen | if the server can decrypt the response and get the challenge, then the user is validated | 18:03 |
nowen | so, I'm wondering if your radius client is asking wikid for challenges | 18:05 |
nowen | on the configure loggers page of the WiKIDAdmin logs, you will see 5 loggers listed. if you drop the middle three to Debug, you will get more information. | 18:06 |
nowen | vp: did you set up your example.jsp file by any chance? | 18:18 |
vp | No. | 18:24 |
nowen | hmm | 18:24 |
nowen | is anyone reporting issues logging in? | 18:25 |
vp | I am checking it with one of our tech network administrators now. Please give me a moment here. | 18:27 |
nowen | np | 18:27 |
vp | I see "<1> Access-Challenge(11) LEN=76 xx.xx.xx.xx:1026 Access-Request by user resulted in Access-Challenge. | 18:42 |
vp | I put my PIN and it generates a passcode. | 18:42 |
vp | so I see "Passcode request processing successfully completed." | 18:42 |
nowen | that seems normal | 18:44 |
vp | then I see "com.wikidsystems.server.wAuth | Verify..." | 18:45 |
vp | "com.wikidsystems.server.wAuth | Beginning offline passcode verification." | 18:45 |
*** cdub (40fee8e2@gateway/web/freenode/ip.64.254.232.226) has joined #wikid | 18:47 | |
vp | "Found device registered to usern in domain", "public:", "Loaded keys for domain", "Retrieved device information for deviceid", then "Database error while validation offline response" | 18:47 |
cdub | There seems to be an issue with downloading the server from your site. I just was wondering if you guys were aware of any issues | 18:48 |
vp | after that, it goes "Bad offline challenge response for user", "Access denied for user, domain code: client: /xx.xx.xx.xx", then my user is disbled. | 18:50 |
vp | *disabled. | 18:51 |
vp | Nick, are you there? | 19:01 |
vp | ? | 19:05 |
*** cdub has quit (Quit: Page closed) | 19:11 | |
*** Lake_Lurker (~Just@h218.200.140.67.dynamic.ip.windstream.net) has joined #wikid | 19:14 | |
nowen | sorry | 19:17 |
nowen | vp: it sounds like your radius client is asking for a second authentication | 19:22 |
vp | so it is not normal and shouldn't be that way, correct? | 19:24 |
nowen | is your user getting disabled every time you try to authenticate? | 19:32 |
vp | yes | 19:33 |
nowen | that is definitely not right | 19:33 |
nowen | what kind of vpn is this? | 19:33 |
vp | after I enable it, then it works. | 19:33 |
nowen | huh, I see now, it is only asking for offline. what kind of vpn is this? | 19:35 |
vp | I am checking it now, please give me a min. | 19:35 |
*** Lake_Lurker has parted #wikid (None) | 19:41 | |
nowen | also, what type of radius is it using? pap, chap, ms-chap? | 19:48 |
vp | I guess the radius we are using is a default module that comes with apache. | 20:04 |
nowen | ahh | 20:04 |
nowen | mod-auth-radius? | 20:04 |
nowen | what OS is this? | 20:04 |
vp | yes. | 20:04 |
vp | debian | 20:04 |
nowen | did you set a cookie? | 20:04 |
nowen | you need to set a cookie for the session or else apache will try to authenticate each element on the page. so, 1 works, then the fail starts | 20:05 |
vp | session cookie is on. | 20:12 |
nowen | can you post your http conf files - just the radius portions? on pastebin? | 20:15 |
vp | AuthType Basic AuthBasicProvider radius AuthName "Please enter your username and password" | 20:21 |
nowen | what about AddRadiusAuth wikid_server_address:1812 wikidserver_shared_secret 5 AddRadiusCookieValid 60 | 20:24 |
nowen | see http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-configure-apache-to-use-radius-for-two-factor-authentication-on-ubuntu/?searchterm=apache%20radius | 20:24 |
nowen | that was done on Ubuntu | 20:27 |
nowen | but it seems to me you need more stuff in apache | 20:27 |
vp | I think you just pointed out the problem. Thanks, Nick. | 20:32 |
nowen | excellent | 20:32 |
*** proprietarysucks (~nathanr@static-108-38-62-18.lsanca.fios.verizon.net) has joined #wikid | 21:11 | |
proprietarysucks | Hi, anyone doing freelance set ups? | 21:11 |
nowen | what do you need done? | 21:12 |
proprietarysucks | wikid ce set up with sso for google domain, with all ips banned, except a list | 21:12 |
proprietarysucks | for the purpose of allowing only certain IPs to log into our google domain | 21:13 |
proprietarysucks | preferably on centos 5 | 21:14 |
nowen | I don't know that much about google | 21:14 |
nowen | not sure I follow - do you need WiKID set up too? or just integrated with google? | 21:16 |
nowen | and is the idea that the WiKID google plugin would lock down the users based on IP or google? | 21:18 |
*** vp has quit (Quit: Page closed) | 21:26 | |
proprietarysucks | wikid set up on a server | 21:31 |
proprietarysucks | integrated with google sso on our domain | 21:31 |
proprietarysucks | I can take it from there really | 21:32 |
proprietarysucks | will just use iptables rules to block all except our allowed | 21:32 |
nowen | ok, I see | 21:32 |
nowen | are you using the enterprise or community version? | 21:38 |
proprietarysucks | community | 21:39 |
proprietarysucks | I'm not using anything at the moment, but it would be community | 21:39 |
nowen | and we can do all this remotely, of course | 21:39 |
proprietarysucks | yes | 21:39 |
nowen | what's the timeline? | 21:40 |
proprietarysucks | I would just set up a centos vm and let you in to it | 21:40 |
proprietarysucks | it would be flash pan so you can kill it completely if you needed to | 21:40 |
proprietarysucks | it needed to be done months ago so everyone has forgotten about it already by now | 21:41 |
nowen | hha | 21:41 |
nowen | ok - let | 21:41 |
proprietarysucks | we also have a dev google site as well | 21:41 |
nowen | 's meet back here tomorrow. I have to go to a meeting | 21:42 |
proprietarysucks | so you could set it up that way to test, but changing from one domain to the next is just as hard | 21:42 |
proprietarysucks | alright. call me up tomorrow then I'll find out some info from you and contact accounting | 21:42 |
nowen | ok | 21:42 |
nowen | it will probably be late. the calendar is pretty full tomorrow | 21:43 |
nowen | later | 21:44 |
*** nowen has quit (Quit: Leaving.) | 21:44 |