*** rodhajj (d465f2ea@gateway/web/freenode/ip.212.101.242.234) has joined #wikid | 12:06 | |
rodhajj | hi | 12:06 |
rodhajj | I'm trying to install WiKID on CentOS but I'm facing a problem when starting wikidctl services | 12:07 |
rodhajj | can anybody help me | 12:07 |
*** rodhajj has quit (Ping timeout: 252 seconds) | 12:40 | |
*** nowen (~nowen@adsl-98-66-165-16.asm.bellsouth.net) has joined #wikid | 12:45 | |
*** WallyK (4004456e@gateway/web/freenode/ip.64.4.69.110) has joined #wikid | 14:11 | |
WallyK | Hello | 14:12 |
nowen | hi | 14:13 |
WallyK | I am currently running wikid-server-enterprise-3.3.8-b2717 as a virtual machine. I would like to upgrade to the newest version but keep my config | 14:14 |
WallyK | can you point me in the right direction to do this? | 14:14 |
nowen | ok, do you have any special files you have configured on the server? like ADRegister.jsp or example.jsp? | 14:15 |
WallyK | no it is a pretty standard install. It is configured to talk to our FortiGate | 14:15 |
nowen | that your users might be using to register, eg? | 14:15 |
nowen | ok - piece of cake | 14:16 |
WallyK | no I just manually validate my clients | 14:16 |
nowen | take a look at the Upgrade instructions here: http://www.wikidsystems.com/downloads/download-the-wikid-enterprise-server-3.0-rpms | 14:16 |
nowen | at the bottom of the page | 14:16 |
WallyK | that is exactly what I was looking for. I was hoping the upgrade was that easy. thanks I will give that a try. If I have problems I will be back : ) | 14:18 |
nowen | ok - I should be here - I do have to run out for one errand at some point | 14:18 |
WallyK | can I patch the back ground os as well or will this do that? | 14:20 |
nowen | you can run 'yum update' to update the OS | 14:20 |
WallyK | I am going to make it internet-facing and I want to make sure it is patched | 14:20 |
nowen | yes | 14:21 |
WallyK | in the past we have just used our BES to connect to it on BlackBerrys but now we have iPhone and Android devices that I need to configure | 14:21 |
nowen | ahh | 14:22 |
nowen | some people have set up an apache server to proxy requests to the inside | 14:22 |
WallyK | hmm that does sound more secure. do you have any documentation on that? | 14:25 |
WallyK | I was thinking of putting it in a DMZ | 14:25 |
nowen | a lot of people put it in the DMZ. the server is running its own firewall and should be fine there | 14:26 |
nowen | I don't have any documentation on the proxy setup, but I can get you close | 14:26 |
WallyK | I am using it for authenticating an internal app as well so that might be a better choice than a DMZ | 14:27 |
nowen | we use an apache rule to route token requests on our demo server: RewriteRule ^/wikid/(.*) http://localhost:8090/wikid/$1 [P] | 14:27 |
nowen | all the token traffic goes to /wikid/ | 14:27 |
nowen | but we are hosting it on the same server, so we don't use ProxyPass. | 14:28 |
WallyK | hmm I am not an apache guru but I will take a look | 14:29 |
nowen | ok - gotta pop out for a bit b/c I bricked my phone ;). be back in a bit | 15:16 |
*** nowen has quit (Quit: Leaving.) | 15:17 | |
*** Martin____ (adb4ab2d@gateway/web/freenode/ip.173.180.171.45) has joined #wikid | 15:27 | |
Martin____ | Can someone answer a general "how does it work" question for me? | 15:28 |
Martin____ | From what I read and saw on the Wikid website, I'm still not entirely sure whether the Authentication Server piece of the puzzle is something that I need to set up myself... | 15:29 |
Martin____ | or whether that is something that's provided by WiKID as an external service to a customer setup | 15:29 |
*** WallyK has quit (Ping timeout: 252 seconds) | 16:04 | |
drnez | you need to setup the authentication server yourself. | 16:06 |
drnez | the software provided by WiKID runs on the server, and acts as a RADIUS server for your login clients | 16:06 |
drnez | when the token client requests a password from the server, the database is updated to allow that user to log in to the system using the password for a predetermined amount of time, after which it will be voided | 16:07 |
*** nowen (~nowen@adsl-98-66-165-16.asm.bellsouth.net) has joined #wikid | 16:10 | |
drnez | hey Nick | 16:11 |
drnez | got a question for you | 16:11 |
drnez | We want to test the enterprise edition for about a week on a semi-production level | 16:12 |
drnez | I have 5 people who will be beta testing | 16:12 |
drnez | the accounts keep flipping to "disable" after their first login. Is this a limitation of the un-purchased version? | 16:13 |
nowen | drnez: no | 16:15 |
nowen | are you testing on a web app? | 16:15 |
drnez | no, a VPN | 16:16 |
nowen | ssl-vpn? | 16:16 |
drnez | yeah | 16:16 |
nowen | typically, this happens when a web-app doesn't have caching set, so the web server re-authenticates every element on the page. which fails fast | 16:17 |
drnez | we're using a soft client, not authenticating on a webpage | 16:17 |
nowen | hmm. | 16:18 |
nowen | on the WiKIDAdmin logs, do you see multiple auth requests? | 16:18 |
drnez | let me check | 16:18 |
drnez | which source would it be under | 16:19 |
nowen | if you set it for None, they all show up. set log level to debug | 16:20 |
drnez | yeah, I got some people hammering the admin interface with bogus requests | 16:21 |
nowen | on the Configure loggers page, if you set the three middle loggers to debug and hit apply, you will also get more info | 16:21 |
drnez | ah, there we go | 16:21 |
drnez | lets see | 16:21 |
drnez | yeah, bunch of login failures | 16:22 |
drnez | in quick succession. | 16:23 |
nowen | what kind of vpn is this? | 16:23 |
drnez | FortiGate 200B | 16:23 |
nowen | are you using RADIUS between them? | 16:23 |
drnez | yes | 16:23 |
drnez | <153> Access-Request(1) LEN=164 10.10.10.1:1510 Access-Request by asoryan2 Failed: AccessRejectException: Microsoft MS-CHAP failed authentication. | 16:24 |
drnez | dunno why its trying MS-CHAP | 16:24 |
*** Martin____ has quit (Ping timeout: 252 seconds) | 16:27 | |
drnez | also, where is the API documentation on manually registering a client, and adding a new registration code to an existing client | 16:31 |
nowen | http://www.wikidsystems.com/support/wikid-support-center/manual/wikid-network-client-wclient-api-manual | 16:32 |
nowen | but you might find /opt/WiKID/tomcat/webapps/WiKIDAdmin/example.jsp more useful | 16:32 |
nowen | and probably more up-to-date | 16:33 |
drnez | any idea why the login process would be trying multiple times like that with presumably varying protocols? | 16:33 |
nowen | there is only one new thing that is not in the api docs | 16:33 |
nowen | huh, so it starts with say pap, succeeds and then tries chap? | 16:33 |
drnez | let me see | 16:34 |
drnez | 2011-06-27 12:04:41.767 INFO com.wikidsystems.radius.access.WikidAccess4 Access granted for asoryan2, domain code: 207210105098 client: /10.10.10.1 | 16:35 |
drnez | 2011-06-27 12:04:41.767 INFO com.wikidsystems.radius.log.DBSvrLogImpl <148> Access-Accept(2) LEN=106 10.10.10.1:1509 Access-Request by asoryan2 succeeded | 16:35 |
drnez | 2011-06-27 12:00:13.293 INFO WiKIDAdmin.validatenewuser.jsp User manually validated: asoryan2 with registration code: 6GQeXlQ2 | 16:35 |
drnez | that seems to work just fine | 16:35 |
drnez | then 2 minutes later, there's a bunch of failures | 16:35 |
drnez | 2011-06-27 12:06:26.834 INFO com.wikidsystems.radius.log.DBSvrLogImpl <153> Access-Request(1) LEN=164 10.10.10.1:1510 Access-Request by asoryan2 Failed: AccessRejectException: Microsoft MS-CHAP failed authentication. | 16:35 |
drnez | 2011-06-27 12:06:26.827 INFO com.wikidsystems.radius.access.WikidAccess4 Access denied for asoryan2, domain code: 207210105098 client: /10.10.10.1 | 16:36 |
drnez | 2011-06-27 12:06:26.827 INFO com.wikidsystems.radius.log.DBSvrLogImpl <152> Access-Request(1) LEN=106 10.10.10.1:1510 Access-Request by asoryan2 Failed: AccessRejectException: Access Denied | 16:36 |
nowen | but why is the user manually validated in the third step? | 16:36 |
drnez | bunch of those in quick succession. | 16:36 |
drnez | that's actually first | 16:36 |
nowen | ahh | 16:36 |
drnez | i manually validated them | 16:36 |
nowen | did you follow our guide? http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-wikid-two-factor-authentication-to-a-fortinet-vpn/?searchterm=fortigate? | 16:37 |
drnez | let me see if they have auto-reconnect enabled | 16:37 |
drnez | yes, I wrote it, remember :P | 16:37 |
nowen | ahh :) | 16:37 |
nowen | lol | 16:37 |
drnez | I'll bet they have auto-reconnect enabled | 16:38 |
drnez | for some reason the VPN client disconnected, and tried to reconnect using the last password | 16:38 |
drnez | after X amount of times, it gets blocked | 16:38 |
drnez | question being, how do I modify X in that? | 16:38 |
drnez | oh hey, I have another nick now. No wonder you didn't notice | 16:39 |
*** drnez is now known as asofrank | 16:39 | |
nowen | ahh | 16:39 |
nowen | mystery solved | 16:39 |
asofrank | so is there a setting somewhere where I can define the number of login failures before it disables the account? | 16:40 |
nowen | yes, on the domain page | 16:40 |
asofrank | max bad passcode attempts right? | 16:41 |
nowen | yes. I can't remember if it requires a restart. I don't think so. | 16:41 |
asofrank | k | 16:42 |
asofrank | yeah, was set to 3 as default | 16:42 |
nowen | still, that should be fine. the FortiGate is doing something wrong | 16:42 |
asofrank | that's a bit too paranoid for our fat-fingered staff | 16:42 |
asofrank | I'm willing to bet that it's the client trying to autologin multiple times | 16:42 |
nowen | hmm. | 16:42 |
nowen | so, is it just this one user? | 16:43 |
asofrank | it's just weird that the MS-CHAP is coming through | 16:43 |
asofrank | 2 users right now | 16:43 |
asofrank | 2 out of 5 testing it | 16:43 |
nowen | i guess there is an option to remember the password | 16:43 |
asofrank | yeah | 16:43 |
asofrank | a couple of them were complaining that the Android app was crashing as well | 16:44 |
asofrank | I can't reproduce on my Android device | 16:44 |
nowen | do they have new phones? the UI on the Android app stinks, imo. we will be re-writing it eventually | 16:51 |
asofrank | one is using the same phone as me, the HTC EVO | 16:55 |
asofrank | and yeah, the UI/functionality stinks | 16:55 |
asofrank | but I haven't had it crash on me | 16:55 |
asofrank | the "back" button should exit the program when you reach the top-level menu | 16:56 |
asofrank | and not just go back indefinitely | 16:56 |
nowen | yeah, the dev claimed that it was the standard. if so, no one else is following it | 16:56 |
asofrank | Definitely not standard. :) | 17:01 |
*** nowen has parted #wikid (None) | 22:30 |