*** Vipin (0cb66102@gateway/web/freenode/ip.12.182.97.2) has joined #wikid | 01:36 | |
Vipin | Hello WiKID, anyone online? | 01:37 |
*** Vipin has quit (Client Quit) | 01:38 | |
*** Vj (0cb66102@gateway/web/freenode/ip.12.182.97.2) has joined #wikid | 02:26 | |
Vj | Hi Nick | 02:26 |
Vj | Hi Nick | 02:27 |
*** Vj has quit (Ping timeout: 265 seconds) | 02:53 | |
*** CheckDavid (~Dave@89.181.154.186) has joined #wikid | 04:44 | |
*** CheckDavid has parted #wikid ("Leaving") | 04:45 | |
*** perestrelka has quit (Ping timeout: 240 seconds) | 11:14 | |
*** perestrelka (~vladdy@194.242.5.49) has joined #wikid | 11:16 | |
*** nowen (~nowen@adsl-74-176-212-133.asm.bellsouth.net) has joined #wikid | 15:20 | |
*** XaaS (ce705fb4@gateway/web/freenode/ip.206.112.95.180) has joined #wikid | 17:34 | |
XaaS | Hi - I am in need of some assistance with using WiKID with NPS supporting multiple WiKID domains | 17:34 |
nowen | ok | 17:37 |
XaaS | Hi Nick | 17:37 |
nowen | :) hi | 17:38 |
XaaS | Can I call you? | 17:38 |
nowen | I'm actually on a webinar right now | 17:38 |
XaaS | I have a bunch of questions... | 17:38 |
XaaS | :( | 17:38 |
XaaS | when will you have time? | 17:38 |
nowen | what are you trying to do? | 17:38 |
XaaS | I am really frustrated - I know I am close but I can't seem to get certain things to work as we need them | 17:38 |
XaaS | I want to use a single NPS server to act as a RADIUS proxy to WiKID for several security domains | 17:39 |
nowen | and what is going wrong? | 17:39 |
XaaS | and have all of the network clients attach to the NPS server | 17:39 |
XaaS | 1) The NPS server when I have NTRadPing on it and try to authenticate fails, but from another PC it works | 17:40 |
XaaS | 2) Multiple attempts to authenticate seem to disable an incorrect security domain (i.e. I am trying to authenticate against the Firewall security domain, but the VPN security domain account gets disabled after three attempts....) | 17:41 |
nowen | 1) is this with WiKID OTPs? | 17:41 |
XaaS | That one is really really weird | 17:41 |
XaaS | yes | 17:42 |
XaaS | I can do a GoToMeeting with you if you have the time | 17:42 |
XaaS | so you can see for yourself | 17:42 |
XaaS | I have been pushing for WiKID as the 2FA for us | 17:42 |
nowen | IRC is my preferred support method. | 17:42 |
XaaS | I know - but you can't see the behavior that way | 17:42 |
XaaS | . | 17:42 |
nowen | ok, so you are on a PC, and enter the OTP and username. the OTP and username are proxied to WiKID and authenticated? | 17:43 |
XaaS | so - to make things simple. | 17:43 |
XaaS | I am on the NPS server - with NPS de-installed | 17:43 |
XaaS | I have NTRadPing installed on the NPS server | 17:43 |
XaaS | I have a Network Client configured for the NPS server with the NPS server's IP and a unique secret key | 17:44 |
XaaS | in WiKID | 17:44 |
nowen | ok | 17:44 |
XaaS | I use NTRadPing to authenticate with the OTP token pointing to the WiKID's IP using that unique secret | 17:45 |
XaaS | it is failing | 17:45 |
nowen | what is the error in the WiKIDAdmin logs? | 17:45 |
XaaS | However, if I do the same thing on a different system, it works | 17:45 |
XaaS | I haven't dissected the WiKIDAdmin logs | 17:45 |
XaaS | I can do so | 17:45 |
nowen | please do. | 17:46 |
nowen | you can set the radius logger to debug: http://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-can-i-set-radius-logging-to-debug-how-can-i-see-if-wikid-is-getting-the-radius-requests?searchterm=radius+debug | 17:48 |
XaaS | I just modified the WiKID RADIUS logging to debug | 17:52 |
XaaS | I am going to do the test now | 17:53 |
nowen | ok | 17:54 |
XaaS | damn - it just worked | 17:54 |
nowen | LOL! | 17:55 |
nowen | clearly, I am magic! | 17:55 |
XaaS | so - question - is it allowed to have 2 or more network clients at the same IP with different domains and secrets??? | 17:56 |
nowen | don't think so, that would probably cause some confusion | 17:56 |
XaaS | OK - so how would one have a single NPS server supporting multiple security domains | 17:57 |
nowen | does NPS do your authorization? | 17:57 |
XaaS | No - it's to be our RADIUS Proxy - basically working like a switchboard | 17:58 |
nowen | then what purpose does it serve? | 17:58 |
XaaS | Better rules and RADIUS Accounting | 17:58 |
nowen | what do you mean by rules? | 17:59 |
XaaS | you can put conditional rules into the policies | 17:59 |
nowen | isn't that authorization? | 17:59 |
XaaS | in addition to the authorization - example OTP matches and PAP is in use | 18:00 |
XaaS | As well as the RADIUS Accounting to SQL | 18:01 |
XaaS | er MS SQL | 18:01 |
nowen | ok - well, most people that would set up a radius server between WiKID and a service do it so that the radius server can handle authorization and they can use a single domain. You could also set up multiple domains and multiple Network clients on WiKID without NPS. | 18:01 |
nowen | I guess what I'm suggesting is that it would probably be easier to use NPS to handle the authorization and use one WiKID domain | 18:02 |
XaaS | I am sure the one WiKID domain would work - I have done it and it does | 18:03 |
XaaS | but what do you do when you need multiple WiKID domains to work and you only have one NPS server to work with? | 18:03 |
nowen | I don't really know - no one has had to do that, to my knowledge | 18:05 |
nowen | tell me again why you need multiple domains? | 18:07 |
XaaS | In a cloud environment, we have to have multiple tenancies - we have to have a token that provides 1 or more security domains, and we don't want to have to have multiple NPS servers in order to do so | 18:07 |
nowen | yeah, I don't think you do need multiple NPS servers. Are your users in AD in groups? | 18:07 |
XaaS | Corporate users are in AD, however customers may not be.... what ideas are you thinking about? | 18:08 |
*** Chris_____ (6c30280d@gateway/web/freenode/ip.108.48.40.13) has joined #wikid | 18:09 | |
nowen | well, most setups would put their users in groups, then when the request comes in from Service A, NPS would check to see if that user had the right to use that service | 18:10 |
XaaS | That is if we were using AD for group access you mean? | 18:11 |
XaaS | I guess we could use AD for customers | 18:11 |
nowen | if you're not using AD for customers, then does the logging, etc work? also, if you're not using AD, what are you using? | 18:11 |
XaaS | AD is only for internal corporate, on other VLANs/subnets, there can be workgroup VMs | 18:12 |
XaaS | Those workgroup VMs will not be tied to AD and will need to have access control | 18:13 |
XaaS | If WiKID had the ability to have support for multiple Network Clients at the same IP but with different secret passphrases/domains it would do the trick | 18:16 |
nowen | have you tried it? | 18:17 |
XaaS | Yes - I think that is the issue I have been having where things aren't authenticating properly | 18:17 |
nowen | yeah, I think that the server does not know which network client to use. | 18:18 |
XaaS | That might be what I am seeing | 18:18 |
nowen | so, you have multiple network clients with the same IP and different domains | 18:19 |
nowen | ? | 18:19 |
XaaS | I don't know if I can put multiple IPs on to the NPS, and more importantly force it to use those different IPs | 18:19 |
XaaS | I have multiple firewall and VPN devices, with multiple security domains, where I wish to use the NPS server to proxy the requests from the Firewall and VPN devices to the respective WiKID security domains. | 18:20 |
nowen | I just think that is what RADIUS is for. | 18:21 |
XaaS | I don't understand your response, NPS can act as a RADIUS Server or a RADIUS Proxy (forwarding AAA requests to an external RADIUS server) | 18:22 |
nowen | ok - so you can totally proxy the authentication requests to WiKID via NPS | 18:23 |
nowen | but the way the domain is determined is by the IP address of the Network client | 18:24 |
XaaS | in this case, we can do it with a single WiKID domain, with different devices through NPS, but now how do we support multiple WiKID domains through that same architecture | 18:24 |
XaaS | exactly re: domain is determined is by the IP address of the Network client - how do you support multiple WiKID domains in this manner? | 18:25 |
nowen | we do not | 18:25 |
nowen | because if you are using a radius server, you typically do not need WiKID to do anything but authorization | 18:25 |
XaaS | so, in order to have RADIUS Accounting, etc. we have to stand up multiple NPS servers? | 18:26 |
XaaS | each with a separate IP address, so that WiKID won't get confused? | 18:26 |
nowen | that would work, but I think you can do the same job with 1 wikid server, NPS doing authorization and one WiKID network client | 18:27 |
XaaS | Where does the RADIUS Accounting get provided for all of the WiKID domains? | 18:28 |
XaaS | WiKID doesn't provide RADIUS Accounting, correct? | 18:28 |
nowen | not really | 18:29 |
XaaS | So that is a critical part of our security, the ability to audit logins | 18:29 |
nowen | ok | 18:30 |
XaaS | NPS allows us to have Accounting, but our issue is WiKID's inability to support multiple security domains tied to a single IP then. Is it possible for you to look into correcting this? | 18:31 |
nowen | I am still missing something | 18:33 |
XaaS | OK, what? | 18:33 |
nowen | why can you not have NPS do the authorization and WiKID do the Authentication? | 18:33 |
XaaS | I think the issue isn't NPS at this point - NPS I think could do it - the issue is WiKID's inability to properly handle RADIUS network clients at the same IP address but with different secret passphrases.... | 18:35 |
nowen | it's not a bug - we need a method to make sure that the user is associated with the correct domain and that they are connecting from the appropriate network client. If not, there is a possibility that the user could be validated via a side-channel attack | 18:37 |
XaaS | I agree - but if the secret passphrases are different, you have your method to maintain segregation | 18:37 |
XaaS | That way everyone is happy, NPS provides authorization and accounting, WiKID provides authentication, etc. | 18:38 |
XaaS | and WiKID can then provide multiple security domain support utilizing less resources (1 NPS server versus multiple) | 18:39 |
nowen | I can put it in as a feature request, but it is an edge case. All of our current NPS-based customers are using just one NPS server. | 18:40 |
XaaS | But only having one security domain, correct? | 18:40 |
nowen | probably | 18:41 |
nowen | but for multiple services | 18:41 |
XaaS | OK, well I will have to adjust for this deficiency in the product... | 18:41 |
XaaS | it will be an additional cost (CPU, RAM, Disk, etc.) to be able to provide the necessary auditing support for each security domain we wish to stand up. | 18:42 |
XaaS | WiKID should consider this for cloud companies that need to support multi-tenant issues. | 18:43 |
XaaS | as well as providing sub-admin accounts for managing users for those security domains only | 18:44 |
nowen | hmm | 18:45 |
nowen | well, you can do sub-admins through the API. It was specifically created for that | 18:45 |
XaaS | You know the issue is - it has to work out of the box | 18:46 |
XaaS | The API makes a lot of companies with only network guys and not developers queasy | 18:46 |
nowen | I can see that | 18:48 |
XaaS | OK - well everyone here is loving the tokens on the iPhone and Android | 18:49 |
nowen | great | 18:49 |
XaaS | let me know when you want to work with us on the advanced version | 18:49 |
nowen | did the update for the Android token get pushed out ok? | 18:49 |
nowen | will do | 18:49 |
XaaS | I don't know - I haven't checked it yet... | 18:49 |
Chris_____ | I'm having the problem with iPhone and iPad connecting over WiFi still but it's a minor issue | 18:50 |
XaaS | My phone has over 400 apps on it - it's constantly needing updates...... | 18:50 |
nowen | LOL | 18:50 |
Chris_____ | Me too | 18:50 |
nowen | Chris_____: who is your DNS provider? | 18:50 |
Chris_____ | We are. I'm with XaaS. We spoke a while ago over the phone | 18:51 |
Chris_____ | Well, where I'm using it from it's OpenDNS | 18:51 |
Chris_____ | They're doing the lookup at the two locations I use the devices at, but when I use ATT it works fine | 18:51 |
nowen | they are not failing DNS properly. | 18:52 |
nowen | go to their management interface and add wikidsystems.net as a domain that doesn't get intercepted. | 18:52 |
Chris_____ | Will do. | 18:52 |
XaaS | I find most carriers' DNS sucks and I love how fast OpenDNS updates its cache | 18:53 |
Chris_____ | Once we get this NPS issue worked out I'll be contacting you. Love the product. | 18:53 |
nowen | thanks | 18:53 |
nowen | sorry for the issue with radius | 18:53 |
Chris_____ | Well, we're on the edge. I think you know that. | 18:53 |
Chris_____ | Of this technology I mean | 18:53 |
nowen | haha - I hope that's what you meant :) | 18:54 |
Chris_____ | I mean pushing the edge. | 18:54 |
XaaS | OK thanks nowen | 18:59 |
XaaS | talk with you soon | 18:59 |
Chris_____ | Thanks Owen | 19:00 |
Chris_____ | Bye | 19:00 |
*** Chris_____ has parted #wikid (None) | 19:00 | |
*** XaaS has quit (Quit: Page closed) | 19:00 | |
*** Carl_ (82cfdac4@gateway/web/freenode/ip.130.207.218.196) has joined #wikid | 20:14 | |
Carl_ | Anybody home? | 20:16 |
nowen | yep | 20:16 |
Carl_ | Ever seen persistent 404's when hitting the WiKID server even though the ports are open and there do not appear to be errors in the logs? | 20:17 |
nowen | is this a new setup? | 20:17 |
Carl_ | yes, it is. | 20:17 |
nowen | what OS? | 20:17 |
Carl_ | RHEL6.1 | 20:17 |
nowen | and you get the 404's on WiKIDAdmin? | 20:18 |
Carl_ | I do. As well as / /index.jsp /index.html, etc. | 20:18 |
nowen | what do you see in /opt/WiKID/tomcat/webapps/WiKIDAdmin? | 20:19 |
nowen | apache isn't running on 443 or 80, right? | 20:19 |
Carl_ | It is not. I have nothing but a ROOT directory in the WiKIDAdmin directory. | 20:19 |
Carl_ | Well, I guess I should have said I do not have a WiKIDAdmin dir...just a ROOT under webapps | 20:20 |
nowen | what is in /opt/WiKID/tomcat/webapps? | 20:20 |
nowen | oh | 20:20 |
nowen | sorry - now using my eyes to read :) | 20:20 |
nowen | so, it appears that your install didn't quite take | 20:21 |
nowen | did you check the md5sums? | 20:21 |
Carl_ | A ha. That'd do it. I did check the sums, yes, but I could surely have bungled something else. My database seems intact, is there a way to reinstall just the files or should I begin anew? | 20:22 |
nowen | I think an rpm -Uvh --force would reinstall | 20:22 |
Carl_ | Hmm. I reloaded the file, and now I have 2 .war files in my webapps directory but am still not getting anything when I hit it with the browser. | 20:28 |
nowen | did directories with the war file names get created? | 20:29 |
nowen | what install doc are you following? | 20:29 |
Carl_ | I see no directories with the war file names, just the .war files themselves. I have Quick Start Guide v3.0 | 20:31 |
nowen | and you ran 'wikidctl setup'? | 20:33 |
nowen | check /opt/WiKID/tomcat/logs/catalina.out | 20:34 |
nowen | I bet the error is in there | 20:34 |
Carl_ | I confess I jumped right to "start" but it DID ask me a bunch of questions (make a cert, do some stuff to the db, etc.) . I will now blow my installation away and start over... | 20:36 |
nowen | hehe | 20:36 |
nowen | might be a good idea | 20:36 |
nowen | also, just so you know, our ISO is built on CentOS 5.4 | 20:36 |
Carl_ | That is very good to know...! | 20:37 |
nowen | If you need RHEL for support, the RPM is not too hard, but the ISO has everything. | 20:38 |
nowen | Carl_: any luck? | 21:47 |
*** Carl_ has quit (Ping timeout: 265 seconds) | 23:09 | |
*** nowen has quit (Quit: Leaving.) | 23:14 |
Generated by irclog2html.py 2.11.0 by Marius Gedminas - find it at mg.pov.lt!