*** mick_laptop has quit (Ping timeout: 240 seconds) | 08:16 | |
*** mick_laptop (~mick@mickweiss.com) has joined #wikid | 08:18 | |
*** nowen (~nowen@adsl-98-66-165-233.asm.bellsouth.net) has joined #wikid | 12:52 | |
perestrelka | b | 13:43 |
perestrelka | Hi Nowen | 13:44 |
nowen | hi perestrelka | 13:44 |
perestrelka | do you have a moment for a question? | 13:44 |
nowen | sure | 13:44 |
perestrelka | so we use wikid for VPN auth | 13:44 |
perestrelka | via Radius | 13:44 |
perestrelka | there is a user who gets disabled for some reason in wikid | 13:45 |
perestrelka | where can I find the info on what causes the disabling? | 13:45 |
nowen | if you search the WiKIDAdmin logs for his device, what comes up? | 13:46 |
perestrelka | if devices are not identified by the username, I wonder what is the identifier? | 13:46 |
*** Lake_Lurker (~Just@h218.200.140.67.dynamic.ip.windstream.net) has joined #wikid | 13:46 | |
nowen | I'm sorry - I meant device id, first look in the user page for the user, then copy the deviceID | 13:47 |
perestrelka | aah just a moment | 13:47 |
perestrelka | there is nothing in files under /opt/WiKID/log | 13:48 |
perestrelka | is it normal that the ID is a negative number? | 13:48 |
nowen | I meant the WiKIDAdmin web ui logs | 13:48 |
perestrelka | k | 13:48 |
nowen | yes, negative numbers are ok | 13:49 |
perestrelka | if I search by the id in web interface | 13:50 |
perestrelka | the only message for the last 24 hours is "Issued passcode to device ..." | 13:50 |
perestrelka | for sure they were disabled within that period | 13:50 |
nowen | is Log Level set to debug? | 13:50 |
perestrelka | yep | 13:50 |
nowen | hmm. try 2 days | 13:51 |
perestrelka | two messages "Issued passcode to device" | 13:51 |
nowen | when i test disablement for bad PINs, I get: Recieved bad passcode request. Incrementing bad attempt counter on device 6417306936991638387 | 13:52 |
nowen | and then Device 6417306936991638387 disabled due to bad passcode attempts. | 13:52 |
nowen | try doing a search for 'disable' | 13:53 |
perestrelka | k | 13:53 |
perestrelka | hm... no results | 13:54 |
perestrelka | maybe I should change something for loggers? | 13:54 |
perestrelka | like increase their level | 13:54 |
nowen | mine are on the default, but if you want you can set com.wikidsystems.client.wClient and com.wikidsystems to debug | 13:54 |
perestrelka | k changed | 13:55 |
perestrelka | I'll get back to you tomorrow about that ;) | 13:55 |
nowen | you can test with your own token, if you like | 13:55 |
nowen | to make sure disablement is working. | 13:56 |
perestrelka | it worked for me when I tested | 13:56 |
nowen | so, did you re-enable the user in the WiKID server? | 13:56 |
perestrelka | I just wonder why that guy gets disabled | 13:56 |
perestrelka | yeah | 13:56 |
perestrelka | like I reenable them each day | 13:56 |
perestrelka | and he tells he inputs the pin once | 13:56 |
perestrelka | get logged in | 13:56 |
perestrelka | then at some point it gets out of vpn and is not able to login anymore | 13:56 |
perestrelka | till I re-enable his account | 13:57 |
perestrelka | btw is 3.4.85-b758 the latest enterprise release? | 13:57 |
nowen | hmm. I wonder if he is telling his vpn client to remember the password | 13:57 |
perestrelka | no he doesn't | 13:57 |
perestrelka | that was the first thing I checked with him | 13:57 |
nowen | wikid-server-enterprise-3.4.87.b839-1.noarch.rpm is the latest. http://www.wikidsystems.com/downloads/changelogs/enterprise-changelog | 13:58 |
perestrelka | rpm -U will work? | 14:02 |
nowen | yes | 14:02 |
perestrelka | k thanks for all your help | 14:02 |
*** esoteric (43840c45@gateway/web/freenode/ip.67.132.12.69) has joined #wikid | 14:02 | |
nowen | np | 14:02 |
nowen | odd that it is not in the logs | 14:02 |
perestrelka | I'll get back to you tomorrow about those strange disablings | 14:02 |
nowen | ok | 14:02 |
perestrelka | possible something will be cought today | 14:02 |
perestrelka | *caught | 14:03 |
esoteric | is there a time limit on reg codes? | 14:03 |
nowen | yes, | 14:03 |
esoteric | how long? | 14:03 |
esoteric | hour? | 14:03 |
nowen | esoteric: RegCodeTTL | 14:03 |
nowen | It was, but then we upped the default to 24 hours | 14:03 |
nowen | you can change it in Configuration, Set Parameters and then restart | 14:04 |
esoteric | cool | 14:04 |
esoteric | also | 14:04 |
esoteric | the web interface seems to be vulnerable to at least 1 XSS attack | 14:04 |
nowen | can you email me details? | 14:05 |
esoteric | sure | 14:05 |
esoteric | we are still running scans but when i have the full details I will send em over | 14:05 |
nowen | of course, we recommend that the web interface only be available behind the fw | 14:05 |
esoteric | :) | 14:05 |
nowen | but, I'm not sure everyone does that :) | 14:05 |
*** Lake_Lurker has parted #wikid (None) | 14:06 | |
*** Lake_Lurker (~Just@h218.200.140.67.dynamic.ip.windstream.net) has joined #wikid | 14:12 | |
*** Lake_Lurker has parted #wikid (None) | 14:12 | |
esoteric | and when you say restart you just mean restart the services | 14:22 |
esoteric | the whole box doesn't need to go down right? | 14:22 |
nowen | yes, just the services | 14:22 |
esoteric | merci | 14:22 |
nowen | ok - I'm looking for two more twitter followers @wikidsystems - then I will have 1337 followers and follow 1337. who is in? | 14:23 |
*** Lake_Lurker (~Just@h218.200.140.67.dynamic.ip.windstream.net) has joined #wikid | 14:42 | |
*** Lake_Lurker has parted #wikid (None) | 14:42 | |
*** vp_ (40b3d246@gateway/web/freenode/ip.64.179.210.70) has joined #wikid | 14:52 | |
vp_ | Is anyone here for a help? | 14:53 |
nowen | yep | 14:53 |
vp_ | Hello, Nick. How are you today? | 14:53 |
nowen | good, and you? | 14:53 |
vp_ | not too bad. | 14:53 |
vp_ | Nick, I am getting "AccessRejectException: Access Denied" 32 times in a row right after my user gets granted for an access. | 14:55 |
vp_ | and eventually, my user account gets disabled. | 14:55 |
nowen | sounds like your session cookie is not working | 14:55 |
nowen | I'm guessing there are 32 elements on your first page | 14:55 |
vp_ | so can you tell me it in more details, please? | 14:56 |
vp_ | You the session cookie on the webserver? or wikid server? | 14:56 |
vp_ | *you mean the session cookie on the webserver or wikid server? | 14:57 |
vp_ | or you are talking about the session cookie on a browser? If you are referring to the one on a browser, yes I enabled it. | 14:59 |
nowen | web server | 15:03 |
nowen | your web server is attempting to authenticate each element on the page | 15:03 |
vp_ | ok. so you are saying we have to set a cookie for the session on the apache configuration? | 15:03 |
nowen | yes | 15:04 |
esoteric | nowen: you want me to use the contact form on the page or do you have a direct email I can use for the xss info? | 15:04 |
nowen | vp_: do you have AddRadiusCookieValid 60 set? | 15:04 |
nowen | esoteric: nowen @ wikidsystems.com | 15:05 |
esoteric | merci | 15:05 |
vp_ | you are talking about the apache configuration on the webserver, correct? | 15:05 |
nowen | yes | 15:05 |
vp_ | PLUS we have to set a cookie for the session on the apache conf, correct? | 15:06 |
nowen | hmm. I'm not sure about apache configs on debian. you need a session cookie. I've done it via "AddRadiusCookieValid 60" and via dbm on redhat | 15:07 |
vp_ | ok, let me check it on our end again. thx. | 15:08 |
nowen | np | 15:09 |
*** vp_ has quit (Ping timeout: 252 seconds) | 15:17 | |
*** perestrelka has quit (Ping timeout: 252 seconds) | 15:25 | |
*** perestrelka (~vladdy@194.242.5.47) has joined #wikid | 15:26 | |
esoteric | where are the logs located that you can view through the web util? | 15:31 |
nowen | they are in the db, but you can direct them to /opt/WiKID/log by changing /etc/WiKID/log4j.properties | 15:33 |
*** esoteric has quit (Ping timeout: 252 seconds) | 15:35 | |
*** esoteric (43840c45@gateway/web/freenode/ip.67.132.12.69) has joined #wikid | 15:38 | |
esoteric | irc web client fail | 15:38 |
esoteric | so ... what kind of database is this running? | 15:38 |
nowen | postgresql | 15:40 |
nowen | change it to http://pastebin.com/Zw5LDujg | 15:41 |
esoteric | postgres | 15:42 |
esoteric | yea i dont want to redo the scans | 15:45 |
esoteric | I have all the data I need to get the info you need | 15:45 |
esoteric | I just have to get it from the db | 15:45 |
esoteric | which I am now in | 15:45 |
esoteric | i just haven't used postgres in years | 15:46 |
*** mick_laptop has quit (Changing host) | 15:53 | |
*** mick_laptop (~mick@clamwin/admin/mickhome) has joined #wikid | 15:53 | |
nowen | brb | 16:16 |
nowen | b | 16:27 |
esoteric | yup yup | 16:55 |
esoteric | nowen: I sent you that email I am still working with the logs | 17:49 |
nowen | k | 17:49 |
esoteric | ill shoot you a reply when I have some better info | 17:49 |
nowen | so, what are you trying to do with the logs? | 17:49 |
esoteric | i found a work around :P | 17:50 |
esoteric | archive logs > download > extract | 17:50 |
esoteric | :) | 17:50 |
nowen | hehe | 17:50 |
nowen | you can also set up syslogging | 17:50 |
esoteric | i just wanted a txt file easier for me to work with | 17:50 |
esoteric | yea, which I will probably do later | 17:50 |
esoteric | sent the logs | 18:18 |
nowen | thx | 18:18 |
esoteric | sure thing | 18:18 |
esoteric | not sure as to which one was triggering it, those are just some of the tests the fuzzer runs | 18:19 |
esoteric | you can write a simple script to loop through each line and replace it with unique value into the alert to figure out which was calling it | 18:19 |
*** nowen has quit (Read error: Connection reset by peer) | 21:16 | |
*** nowen (~nowen@adsl-98-66-165-233.asm.bellsouth.net) has joined #wikid | 21:16 | |
*** cdub_ (40fee8e2@gateway/web/freenode/ip.64.254.232.226) has joined #wikid | 21:16 | |
cdub_ | I have a question about the registered url option on the domain management page on the wikid server | 21:18 |
nowen | cdub_: yes, it is rather undocumented :) | 21:18 |
nowen | it is for mutual https authentication | 21:18 |
nowen | leave it blank, unless you want the WiKID PC tokens to validate the SSL cert of a targeted website | 21:19 |
cdub_ | no matter what I put I get unable to validate the registered url. My guess is I am doing something wrong | 21:19 |
cdub_ | I would like to try and use the option | 21:19 |
nowen | what are you entering? | 21:19 |
cdub_ | I have a test deployment setup for a customer and everything else works great | 21:19 |
cdub_ | I am putting the url for the ssl site | 21:19 |
cdub_ | https://vpn.customername.com | 21:20 |
nowen | any https url that the client can reach should work - ahh, but try restarting the token | 21:20 |
cdub_ | I get the error on the server? I am not sure if this would cause an issue but the name resolves to the internal ip address from the LAN | 21:20 |
nowen | is the token on the lan too? | 21:21 |
cdub_ | no, I am running the wireless token off of a Blackberry. I get the error when trying to save the url in the domain management page on the server | 21:22 |
nowen | ahh, I think I see | 21:22 |
nowen | is the server able to get an ssl cert from that page? | 21:22 |
cdub_ | how would I test that? | 21:23 |
nowen | well, you could run 'wget https://vpn.customername.com' from the command line | 21:24 |
cdub_ | let me see | 21:24 |
cdub_ | is there any issue if the cert is self signed (using self signed for testing) | 21:25 |
nowen | nope, shouldn't be | 21:26 |
cdub_ | seems like my dns settings may have issues | 21:28 |
cdub_ | give me a sec I am not that familiar with linux | 21:29 |
nowen | you can put an entry in /etc/hosts | 21:29 |
nowen | ipaddress fullyqualifieddomainname | 21:29 |
cdub_ | ok so just setup a static mapping then | 21:31 |
nowen | for now I think that is fine | 21:31 |
cdub_ | ok that was the issue | 21:33 |
cdub_ | thanks | 21:33 |
cdub_ | by the way this is a great product | 21:33 |
nowen | the other thing to know is that the domain has to be configured for it before the token is reg'd | 21:33 |
nowen | thanks! | 21:33 |
cdub_ | can I ask a question about licensing | 21:33 |
nowen | yes | 21:33 |
cdub_ | my customer has about 50 users but only 10-15 will need tokens so I can just buy the 10 to 15 token licenses? | 21:34 |
nowen | yes | 21:34 |
cdub_ | ok great | 21:34 |
cdub_ | I will get back to testing but so far everything has been fairly fast and simple. Thanks for the great support | 21:35 |
nowen | they will have to buy 10 or 20 | 21:35 |
nowen | my pleasure | 21:35 |
cdub_ | so they can only order in blocks of 10? | 21:35 |
nowen | or 25 | 21:35 |
cdub_ | ok. Have a great day | 21:35 |
nowen | so, yes, effectively | 21:35 |
nowen | you too! | 21:35 |
*** cdub_ has quit (Quit: Page closed) | 21:36 | |
*** esoteric has quit (Quit: Page closed) | 22:24 | |
*** nowen has quit (Quit: Leaving.) | 22:33 |