*** Embalmed has quit (Remote host closed the connection) | 00:40 | |
*** Embalmed (embalmed@204.188.217.2) has joined #wikid | 00:41 | |
*** CowboyPride (~BartSimps@cpe-075-183-170-059.sc.res.rr.com) has joined #wikid | 04:31 | |
*** nowen (~nowen@adsl-74-176-212-133.asm.bellsouth.net) has joined #wikid | 12:17 | |
*** Embalmed has quit (Quit: changing servers) | 13:05 | |
*** Embalmed (embalmed@204.188.217.2) has joined #wikid | 13:10 | |
*** Embalmed has quit (Max SendQ exceeded) | 13:11 | |
*** Embalmed (embalmed@204.188.217.2) has joined #wikid | 13:13 | |
*** Embalmed has quit (Max SendQ exceeded) | 13:13 | |
*** Embalmed (embalmed@204.188.217.2) has joined #wikid | 13:14 | |
*** Embalmed has quit (Remote host closed the connection) | 13:17 | |
*** Embalmed (embalmed@204.188.217.2) has joined #wikid | 13:20 | |
*** Lake_Lurker (~Just@h200.9.30.71.dynamic.ip.windstream.net) has joined #wikid | 13:43 | |
*** Lake_Lurker has parted #wikid (None) | 14:09 | |
*** bill_ (c6a56402@gateway/web/freenode/ip.198.165.100.2) has joined #wikid | 15:35 | |
bill_ | anyone here | 15:36 |
nowen | yes | 15:36 |
bill_ | the soft token i have on the phone , does it a net connecting to gen codes | 15:36 |
nowen | it encrypts the PIN and send it to the WiKID server behind your firewall | 15:37 |
nowen | if all is ok, the server gens the passcode, encrypts it and returns it to the token | 15:37 |
bill_ | so it's a little different from the rsa tokens | 15:38 |
nowen | yes, RSA is time-based | 15:38 |
nowen | so, they have to keep track of drift, etc | 15:38 |
bill_ | what about if my phone does not have a net connection but the laptop does, how will i get a code | 15:39 |
bill_ | from the laptop itself i guess | 15:39 |
nowen | well, we support an offline-challenge response mode for that scenario | 15:40 |
nowen | and yes, we have PC tokens too | 15:40 |
nowen | and a user can have more than one token without a reduction in security | 15:40 |
bill_ | what big clients do you have | 15:40 |
nowen | haha | 15:40 |
bill_ | lol | 15:40 |
nowen | none that will say they use us | 15:40 |
nowen | :) | 15:40 |
nowen | you're in canada right? | 15:41 |
bill_ | yep | 15:41 |
nowen | your ISP | 15:41 |
bill_ | i got your email | 15:41 |
bill_ | give me a call | 15:41 |
nowen | I don't think I have your phone number | 15:42 |
nowen | was it in your submission? | 15:42 |
bill_ | just emailed ya | 15:43 |
bill_ | do you have any gov that uses this | 15:43 |
nowen | I'm not sure, they could be using the open source version and we wouldn't really know | 15:44 |
nowen | we tend to let people use the software and get comfortable with it. we don't respond to RFPs and the like | 15:45 |
bill_ | k | 15:45 |
nowen | most of our customers do not want anyone knowing what forms of protection they are using | 15:45 |
bill_ | true enough | 15:46 |
bill_ | so u have a big isp in canada that uses this? | 15:47 |
nowen | yes, but they only have a small number of seats | 15:48 |
bill_ | cool | 15:48 |
bill_ | I'll give it a shot. | 15:48 |
bill_ | will be in touch take care | 15:49 |
*** bill_ has quit (Quit: Page closed) | 15:49 | |
*** scranley_ (d839cdfa@gateway/web/freenode/ip.216.57.205.250) has joined #wikid | 16:40 | |
scranley_ | Seems my radius process is dying on the wikid server, can't see anything in the logs but | 16:41 |
scranley_ | log4j:ERROR Could not connect to remote log4j server at [172.20.8.101]. We will try again later | 16:41 |
scranley_ | that shouldn't kill radius right | 16:41 |
nowen | no I don't think so | 16:41 |
nowen | how do you know radius is dead? | 16:41 |
scranley_ | when I restart the server it says RADIUS protocol daemon already stopped. | 16:42 |
scranley_ | and I don't see anything listening on port 1812 | 16:42 |
nowen | how old are your certs? | 16:42 |
nowen | http://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-do-i-know-if-my-certificate-is-valid/?searchterm=valid%20certificate | 16:43 |
nowen | check your localhost in particular | 16:43 |
scranley_ | first one Valid from: Thu Jul 07 13:50:46 PDT 2011 until: Sun Jul 06 13:50:46 PDT 2014 | 16:44 |
scranley_ | 2nd Valid from: Thu Jul 07 10:52:11 PDT 2011 until: Fri Jul 06 10:52:11 PDT 2012 | 16:45 |
scranley_ | that looks like they are still valid | 16:45 |
scranley_ | I recently rebooted the server | 16:45 |
nowen | is the date on the server correct? | 16:46 |
scranley_ | yep | 16:46 |
nowen | is selinux on? | 16:46 |
scranley_ | sorry, what's that | 16:46 |
nowen | are you running the ISO? | 16:47 |
nowen | or did you set up your own linux server? | 16:47 |
scranley_ | yes from ISO | 16:47 |
scranley_ | WiKID Linux 3.4.87-b839 | 16:47 |
nowen | what version of WiKID? rpm -qa | grep wikid will tell you | 16:48 |
scranley_ | something went a little weird with the network interfaces, they didn't connect when they came up | 16:48 |
scranley_ | but they are working now | 16:48 |
nowen | hmm | 16:48 |
scranley_ | wikid-utilities-3.0.9-1 wikid-server-enterprise-3.4.87.b839-1 wikid-appliance-3.4.21.b126-1 | 16:48 |
scranley_ | Sep 12 09:37:06 wikid postgres[1384]: [1-1] ERROR: relation "db_version" does not exist Sep 12 09:37:06 wikid postgres[1384]: [2-1] LOG: unexpected EOF on client connection | 16:49 |
scranley_ | this is in messages | 16:49 |
nowen | what do you mean the interfaces didn't come up? how did you know? | 16:49 |
scranley_ | I couldn't ping it, so I went in the datacenter and moved it to the other interface, but it still has the same IP address | 16:50 |
nowen | Ping is blocked by the WiKID firewall | 16:50 |
scranley_ | getting a lot of these | 16:51 |
scranley_ | postgres[22135]: [1-1] ERROR: relation "db_version" does not exist | 16:51 |
nowen | I don't think that's the issue | 16:51 |
scranley_ | k | 16:51 |
nowen | run 'wikidctl stop' | 16:51 |
nowen | and then 'killall -9 java' | 16:51 |
scranley_ | done | 16:52 |
nowen | ok. run 'wikidctl start' | 16:52 |
nowen | and then 'cd /; ls -Rl' | 16:53 |
nowen | that will run a bunch of stuff | 16:53 |
scranley_ | ok there's this other problem now, wAuth sits there and takes forever to init | 16:53 |
scranley_ | Waiting for wAuth initialization to complete.................................................. | 16:54 |
nowen | hmm | 16:54 |
scranley_ | it's doing that right now | 16:54 |
scranley_ | This all happened after I remand the radius client on friday | 16:54 |
scranley_ | remade* | 16:54 |
scranley_ | I doublechecked all the settings it looks good | 16:55 |
nowen | what do you mean remade? you reconfigured in WiKID? | 16:55 |
scranley_ | I deleted the old radius client | 16:55 |
scranley_ | and made a new one with attributes | 16:55 |
scranley_ | that didn't work | 16:56 |
scranley_ | so I deleted it again, and made it w/o attributes | 16:56 |
nowen | how did it not work? did you restart the server after the changes? | 16:57 |
scranley_ | after I did that, I tried to login via two factor, and the token client would lock up on the android phone | 16:58 |
scranley_ | it works half the time, sometimes it locks up | 16:59 |
scranley_ | sometimes it returns a good login number, but then the login doesn't work | 16:59 |
nowen | ugh, that android token is a pain. we really hopped on the android wagon fast. the coding on it shows :( | 17:01 |
nowen | did wikid finally start? | 17:02 |
*** scranley__ (d839cdfa@gateway/web/freenode/ip.216.57.205.250) has joined #wikid | 17:03 | |
scranley__ | hm got botted | 17:03 |
scranley__ | now there's 3 scranleys | 17:03 |
scranley__ | yeah it restarted | 17:03 |
nowen | hehe | 17:03 |
scranley__ | but still no radius | 17:03 |
nowen | did wikid finally start? | 17:03 |
scranley__ | yes | 17:03 |
nowen | run 'netstat -anp | grep 1812' | 17:03 |
scranley__ | radius not listening on port 1812 | 17:03 |
nowen | run 'cd /; ls -Rl' | 17:04 |
nowen | that will generate some data for the process | 17:04 |
nowen | radius needs random info to start and a headless system doesn't have much | 17:04 |
*** scranley has quit (Ping timeout: 252 seconds) | 17:05 | |
nowen | what are the specs on this box? | 17:05 |
*** scranley2 (d839cdfa@gateway/web/freenode/ip.216.57.205.250) has joined #wikid | 17:05 | |
scranley2 | sorry back | 17:05 |
*** scranley_ has quit (Ping timeout: 252 seconds) | 17:05 | |
nowen | run 'cd /; ls -Rl' | 17:06 |
scranley2 | maybe i wont get kicked again | 17:06 |
scranley2 | k | 17:06 |
scranley2 | ton of stuff | 17:06 |
nowen | yeah | 17:06 |
nowen | just noise | 17:06 |
nowen | don't worry about it | 17:06 |
scranley2 | k | 17:06 |
nowen | radius needs random info to start and a headless system doesn't have much | 17:06 |
scranley2 | its done | 17:07 |
nowen | ok, run 'netstat -anp | grep 1812' again | 17:07 |
scranley2 | nope | 17:08 |
nowen | what are the specs on this box? | 17:08 |
scranley2 | it's an amd athlon 1u server from like 2007 | 17:09 |
scranley2 | sata | 17:09 |
nowen | how much memory? | 17:09 |
nowen | should be fine | 17:09 |
scranley2 | 1 gig I think :( | 17:10 |
nowen | didn't you set up some external logging? | 17:10 |
scranley2 | yes | 17:11 |
scranley2 | it's not working | 17:11 |
scranley2 | I could shut that off | 17:11 |
scranley2 | it can't reach the logging server which I don't control right now | 17:11 |
scranley2 | so it's not on wikid | 17:11 |
nowen | can you cd into /opt/WiKID/logs and run 'ls -ltr' and see if there is a log from today? | 17:13 |
scranley2 | yes, but all it says is log4j:ERROR Could not connect to remote log4j server at [172.20.8.101]. We will try again later | 17:13 |
scranley2 | I can shut that off | 17:14 |
nowen | which log is that? | 17:14 |
scranley2 | radius | 17:14 |
nowen | what about wauth.log? | 17:14 |
scranley2 | same | 17:14 |
scranley2 | log4j:ERROR Could not connect to remote log4j server at [172.20.8.101]. We will try again later. | 17:14 |
nowen | anything in /opt/WiKID/tomcat/logs/catalina.out ? | 17:14 |
scranley2 | yeah just some stuff about the webserver starting | 17:15 |
scranley2 | INFO: Starting Coyote HTTP/1.1 on http-443 Sep 12, 2011 10:08:21 AM org.apache.catalina.startup.Catalina start INFO: Server startup in 1277 ms | 17:15 |
nowen | and there's nothing in the WiKIDAdmin logs either? | 17:15 |
scranley2 | not of interest | 17:16 |
scranley2 | I tried looking at those | 17:16 |
scranley2 | a little debug | 17:16 |
scranley2 | but nothing about radius | 17:16 |
scranley2 | which should probably be there | 17:16 |
nowen | still no radius listener on udp port 1812? | 17:16 |
scranley2 | sec | 17:17 |
scranley2 | ugh what's supposed to be in log4j.properties to log locally? I think I screwed it up | 17:21 |
nowen | try this: http://pastebin.com/kt3dmDMJ | 17:21 |
scranley2 | thanks! | 17:23 |
scranley2 | no radius yet though I'll keep checking | 17:23 |
nowen | you will have to restart wikid to get the new logging going | 17:23 |
scranley2 | ok I restarted it, logging looks like it's working | 17:24 |
scranley2 | DEBUG com.wikidsystems.server.WikidIPCListener - Starting IPC thread. | 17:24 |
scranley2 | Failed to create RADIUS server socket on port 8388: java.net.BindException: Address already in use | 17:24 |
nowen | what does 'netstat -anp | grep 8388' return? | 17:24 |
scranley2 | tcp 0 0 :::8388 :::* LISTEN 12400/java tcp 1 0 ::ffff:127.0.0.1:45212 ::ffff:127.0.0.1:8388 CLOSE_WAIT 28111/java udp 0 0 :::8388 :::* 28111/java | 17:25 |
nowen | ok, run 'wikidctl stop' again | 17:25 |
nowen | and then 'killall -9 java' | 17:25 |
scranley2 | done | 17:25 |
nowen | 'netstat -anp | grep 8388' again | 17:26 |
nowen | should return nothing | 17:26 |
scranley2 | yes | 17:26 |
scranley2 | I returns nothing | 17:26 |
scranley2 | it | 17:26 |
nowen | ok, now run wikidctl start | 17:26 |
scranley2 | wauth seems to be starting quickly now | 17:27 |
scranley2 | ok this is all that's in the radius log | 17:27 |
scranley2 | 0 [main] DEBUG com.wikidsystems.server.WikidIPCListener - Starting IPC thread. 30 [main] DEBUG com.wikidsystems.radius.authserver.AuthServer - Started IPC Listener. 31 [main] DEBUG com.wikidsystems.radius.authserver.AuthServer - Registered callback for IPC. | 17:27 |
scranley2 | brb | 17:27 |
nowen | ok, do you see the listener? | 17:27 |
scranley2 | yes | 17:29 |
scranley2 | you talking about this guy? | 17:29 |
scranley2 | tcp 0 0 :::8388 :::* LISTEN 29371/java | 17:29 |
scranley2 | 38765 [main] DEBUG com.wikidsystems.radius.authserver.AuthServer - Can't get snmp manager address, disabling traps. 239150 [main] DEBUG com.wikidsystems.client.wClient - wClient(127.0.0.1, 8388, /opt/WiKID/private/localhost.p12, sa1VAK24) called ... 239152 [main] DEBUG com.wikidsystems.client.wClient - init() called ... 239178 [main] DEBUG com.wikidsystems.client.wClient - creating keyFile object: /opt/WiKID/private/localhost.p | 17:31 |
scranley2 | 240866 [main] INFO com.wikidsystems.radius.log.DBSvrLogImpl - RADIUS Receiver Started: listening on port 8388 | 17:32 |
nowen | no, the 1812 guy :) | 17:34 |
scranley2 | not yet | 17:34 |
nowen | hmm | 17:34 |
nowen | did you make any changes to the radius protocol config via the WiKIDAdmin? | 17:42 |
scranley2 | let me check | 17:42 |
scranley2 | hostname: Wikid Radius Authentication | 17:45 |
scranley2 | ip address 127.0.0.1 | 17:45 |
scranley2 | port 1812 | 17:45 |
scranley2 | Multihomed on | 17:45 |
scranley2 | Normal | 17:45 |
scranley2 | 1813 | 17:46 |
scranley2 | it's not a multihomed server though | 17:46 |
nowen | that's ok | 17:46 |
nowen | and what do you have for the network client? | 17:46 |
scranley2 | pretty basic, just the name and the ip address of the client, protocol radius and domain. | 17:49 |
nowen | what command are you using to check to see if radius is listening? | 17:50 |
nowen | the 'netstat -anp | grep 1812' command? | 17:51 |
scranley2 | yes | 17:52 |
nowen | do you have ldap enabled? | 17:52 |
scranley2 | no | 17:52 |
scranley2 | I can see the radius client trying to connect | 17:52 |
nowen | how? via tcpdump? | 17:53 |
scranley2 | yes | 17:53 |
nowen | if you run 'iptables -L -n' do you see the radius network client IP listed? | 17:53 |
scranley2 | yes its listed there for 1812 | 17:55 |
nowen | hmm | 17:55 |
nowen | is there anything in in the radius.log? | 17:55 |
scranley2 | 240787 [main] DEBUG com.wikidsystems.client.wClient - wClient connection to wAuth 3.0 ACCEPTED 240807 [main] INFO com.wikidsystems.radius.accounting.PlainAccountingImpl - Accounting logs set up. 240816 [main] DEBUG com.wikidsystems.radius.nas.UnknownNAS - NASCallBack logs set up. 240866 [main] INFO com.wikidsystems.radius.log.DBSvrLogImpl - RADIUS Receiver Started: listening on port 8388 | 17:55 |
scranley2 | these are the last few lines | 17:56 |
nowen | I'm restarting my test system, but because i have ldap on it is taking forever | 17:57 |
scranley2 | kk | 17:59 |
nowen | blagh, I screwed up my own log4j.properties ;) | 18:02 |
scranley2 | I have to change my wAuth key now because I pasted it here | 18:03 |
nowen | ooh | 18:04 |
nowen | you will have to recreate the intermediate cert and localhost | 18:04 |
*** pa1 (451c7f02@gateway/web/freenode/ip.69.28.127.2) has joined #wikid | 18:07 | |
*** pa1 has quit (Client Quit) | 18:09 | |
scranley2 | ok I updated the certs | 18:10 |
nowen | let's go ahead and update the WiKID server too | 18:11 |
nowen | run 'wget http://wikidsystems-dl.com/wikid-server-enterprise-3.4.87.b952-1.noarch.rpm' | 18:12 |
nowen | and 'rpm -Uvh wikid-server-enterprise-3.4.87.b952-1.noarch.rpm' | 18:12 |
scranley2 | k | 18:12 |
scranley__ | do I have to reboot? | 18:15 |
nowen | no | 18:15 |
nowen | just start wikid again | 18:15 |
scranley__ | ok did that | 18:15 |
nowen | run 'tail -f radius.log' and see what comes up | 18:17 |
nowen | the last log made it sound like it was listening on 8388, not 1812 | 18:17 |
scranley2 | ok finally it worked | 18:22 |
scranley2 | ! | 18:22 |
nowen | magic! | 18:24 |
nowen | lol | 18:24 |
nowen | so, maybe the upgrade? | 18:24 |
scranley2 | well I also redid the cert all that so I have to screw with radius client again to get the attributes working | 18:25 |
scranley2 | so i guess we'll see | 18:25 |
scranley2 | I know how to fix it now though I guess | 18:25 |
scranley2 | well ok 2 factor auth is working again too course | 18:27 |
nowen | so, you can login to the vpn? | 18:29 |
scranley2 | yes | 18:29 |
scranley2 | but I need it to give me the attributes so that the firewall will hand it the ip I specify in LDAP | 18:29 |
scranley2 | thats what I started working on | 18:30 |
scranley2 | I need to remake the client in wikid to pass attributes right | 18:30 |
nowen | ok, you can do attributes two ways - in the network client or in groups | 18:30 |
nowen | what attribute do you want it to pass? | 18:30 |
scranley2 | FramedIP and FramedNetmask | 18:31 |
scranley2 | for a start | 18:31 |
nowen | so, if you go to the Network client page and hit modify, then modify again, select Framed-IP-Address, enter it in the box and hit Add. then Modify NC and restart the server | 18:32 |
scranley2 | thanks | 18:35 |
nowen | it should work, I tested it recently | 18:35 |
scranley2 | The framed IP address seems to be coming back in some weird value | 19:05 |
nowen | what value did you enter? | 19:05 |
scranley2 | Framed-IP-Netmask = 0x7261646975734672616d656449504e65746d61736b | 19:05 |
nowen | what is coming back? | 19:06 |
scranley2 | radiusFramedIPAddress | 19:06 |
scranley2 | Framed-IP-Address radiusFreamedIPAddress are the two values | 19:06 |
scranley2 | radiusFramedIPAddress* | 19:06 |
nowen | should the netmask be something like 255.255.255.240? | 19:07 |
scranley2 | yeah | 19:10 |
scranley2 | I thought the IP and Netmask were dynamically assigned from the ldap server, through radius. ah I'm all confused, I'll have to think about it | 19:17 |
nowen | I don't know how you have it setup on the vpn side. | 19:17 |
nowen | for wikid, you set a value and it is returned via radius | 19:18 |
scranley2 | The firewall VPN talks to freeradius, freeradius uses openldap for authorization, then uses wikid for authentication | 19:18 |
scranley2 | Ldap passes the correct ip and netmask, but the firewallvpn doesn't seem to want to assign those to client. | 19:20 |
scranley2 | that's probably not anything to do with Wikid though | 19:20 |
scranley2 | I thought I would just try to pass something from wikid and see if it worked | 19:20 |
nowen | hehe, no, sorry. don't know much about that | 19:21 |
*** perestrelka has quit (*.net *.split) | 19:24 | |
*** perestrelka (~vladdy@194.242.5.47) has joined #wikid | 19:24 | |
*** scranley2 has quit (Ping timeout: 252 seconds) | 19:27 | |
*** nowen has parted #wikid (None) | 21:42 | |
*** scranley__ has quit (Quit: Page closed) | 23:00 |
Generated by irclog2html.py 2.11.0 by Marius Gedminas - find it at mg.pov.lt!