*** Flexyz (3e74c0c6@gateway/web/freenode/ip.62.116.192.198) has joined #wikid | 09:49 | |
*** Flexyz has quit (Ping timeout: 258 seconds) | 10:14 | |
*** nowen (~nowen@adsl-74-176-212-133.asm.bellsouth.net) has joined #wikid | 13:15 | |
*** XaaS (ad498917@gateway/web/freenode/ip.173.73.137.23) has joined #wikid | 13:38 | |
XaaS | @nowen - couple of questions for you... 1) do you have a license for home users (5 or so license) - something I can set a lab up at home with? 2) can the tokens use something other than port 80 if your ISP blocks it? | 13:40 |
---|---|---|
nowen | XaaS: yes, on our buy online page you will see a home license option | 13:41 |
nowen | the tokens cannot use anything other than port 80, so if your ISP won't allow you to host a server on 80, you are out of luck | 13:41 |
nowen | do you have comcast? | 13:41 |
XaaS | Verizon FiOS | 13:42 |
XaaS | Verizon blocks Port 80 on all residential services - either FiOS or DSL | 13:42 |
nowen | the java token can be configured to use a proxy | 13:44 |
nowen | maybe that would help? | 13:44 |
XaaS | I don't think it's my browser - your Purchase On-line page doesn't seem to go anywhere | 13:44 |
XaaS | yes - that could work | 13:44 |
nowen | trying to think about that. you setup a proxy on your home network and connect to it remotely? | 13:44 |
XaaS | The only way it could work is to have proxying going on both the client and the server to redirect traffic - or a VPN tunnel | 13:49 |
XaaS | but most probably the phone tokens won't work | 13:49 |
nowen | nope | 13:50 |
XaaS | maybe something to think about for future development | 13:50 |
*** XaaS has quit (Quit: Page closed) | 13:54 | |
*** FlexyZ (3e74c0c6@gateway/web/freenode/ip.62.116.192.198) has joined #wikid | 15:17 | |
nowen | FlexyZ: how's it going? | 15:37 |
FlexyZ | well I am struggling a little :( | 15:59 |
FlexyZ | sometimes it works and sometimes it doesn't :( - from a palo alto firewall | 15:59 |
FlexyZ | I am getting crazy :) | 16:00 |
FlexyZ | btw. your frontpage links were bad today - but is fixed now | 16:00 |
nowen | yeah - my bad, borked the cms | 16:00 |
nowen | what do you see in the WiKIDAdmin logs when it fails? | 16:01 |
FlexyZ | nothing :( - I can see I got an OTP on my token, but login page on palo alto just states invalid user | 16:02 |
FlexyZ | so maybe not related to wikid | 16:02 |
FlexyZ | but weird | 16:02 |
nowen | hmm - if the last thing you see is the OTP, then WiKID isn't getting the radius request | 16:02 |
nowen | could it be coming from more than one ip? | 16:03 |
FlexyZ | yes maybe - can I see somewhere if something is denied | 16:03 |
FlexyZ | on the wikid server | 16:03 |
nowen | you can also run tcpdump on the radius port | 16:03 |
FlexyZ | what is the params | 16:04 |
FlexyZ | if have them around :) | 16:04 |
nowen | tcpdump -p radius | 16:04 |
nowen | should do it | 16:04 |
nowen | nope | 16:04 |
nowen | tcpdump port 1812 | 16:05 |
nowen | or tcpdump port radius | 16:06 |
FlexyZ | of course it worked now - but cool, will watch the dump | 16:07 |
nowen | lol | 16:07 |
FlexyZ | thx | 16:10 |
FlexyZ | if i restarted the wikid - i see the radius requests, but not login | 16:12 |
FlexyZ | looks like 3-4 retries in the tcpdump | 16:14 |
FlexyZ | but no login | 16:14 |
FlexyZ | what does this mean | 16:16 |
FlexyZ | A C3P0Registry mbean is already registered. This probably means that an application using c3p0 was undeployed, but not all PooledDataSources were closed prior to undeployment. This may lead to resource leaks over time. Please take care to close all PooledDataSources. | 16:16 |
FlexyZ | damn have to leave now - what could it be? | 16:17 |
nowen | I'll have to check | 16:17 |
FlexyZ | thx | 16:19 |
nowen | ok - so you see the radius requests from the palo alto but you don't see an accept or reject? | 16:28 |
FlexyZ | when I submit login, I can see 3-4 radius requests in the tcpdump - but PA returns invalid login | 16:30 |
FlexyZ | and it seems to happen after a wikidctl restart | 16:31 |
FlexyZ | then if I wait 2-3 minutes it seems to start working | 16:31 |
nowen | what do you see in the WiKIDAdmin logs? when the PA rejects? | 16:34 |
FlexyZ | tried 4 times now and no problems - let me try and restart again - is there any special requirements for the vm? 1gb mem, one cpu | 16:35 |
nowen | that should be plenty | 16:35 |
FlexyZ | warn logs? | 16:36 |
nowen | if you set the level to Debug and hit Filter, you should see more | 16:37 |
FlexyZ | not much | 16:38 |
FlexyZ | trace com.mchange.v2.resourcepool.BasicResourcePool@191e4c [managed: 3, unused: 2, excluded: 0] (e.g. com.mchange.v2.c3p0.impl.NewPooledConnection@12549c4) | 16:38 |
nowen | did you set the radius logger to debug? http://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-can-i-set-radius-logging-to-debug-how-can-i-see-if-wikid-is-getting-the-radius-requests | 16:39 |
FlexyZ | looks like maybe the radius is slow to start | 16:39 |
FlexyZ | RADIUS Receiver Started: listening on port 1812 | 16:39 |
FlexyZ | long after restart | 16:39 |
FlexyZ | in debug | 16:39 |
FlexyZ | log | 16:39 |
FlexyZ | and now login works | 16:40 |
FlexyZ | but it takes a while :( | 16:40 |
nowen | ok - that is the radius server. it needs random info to start. | 16:40 |
FlexyZ | ? | 16:41 |
nowen | however, you can make it start faster by running 'rngd -r /dev/urandom' | 16:41 |
nowen | hat tip to asofrank | 16:42 |
FlexyZ | oki so this is normal? | 16:42 |
nowen | yes - there is not a lot of entropy on a headless system | 16:42 |
nowen | but this only happens on restart - in production you will not be restarting much | 16:42 |
FlexyZ | :( been fighting this a long time - no but is testing stuff now, so lots of restart etc | 16:43 |
nowen | sorry | 16:43 |
FlexyZ | np - now I know :) | 16:43 |
FlexyZ | seems to work now - time on client and wikid server should be the same right | 16:44 |
nowen | yes | 16:44 |
FlexyZ | good | 16:44 |
FlexyZ | rngd -r /dev/urandom seems to kickstart it faster :) thx! | 16:51 |
nowen | we'll be backing that in soon | 16:51 |
FlexyZ | c.u | 17:00 |
nowen | later! | 17:00 |
*** FlexyZ has quit (Ping timeout: 258 seconds) | 17:05 | |
*** Pirkka (54f8812f@gateway/web/freenode/ip.84.248.129.47) has joined #wikid | 19:10 | |
Pirkka | Hi. Is there available token client for Windows Phone 7.5 (Nokia Lumia 800) ? | 19:11 |
nowen | almost - still trying to get through the cert process | 19:12 |
Pirkka | So, somebody is working and it's expected to come out "soon"? | 19:17 |
nowen | yeah. MS only rejects you for one thing at a time | 19:17 |
nowen | so it takes a while | 19:18 |
Pirkka | Ok. Thanks. I can survive with my old phone for a moment (Nokia X6). | 19:20 |
nowen | which token are you using? | 19:20 |
Pirkka | JME client running on Symbian phone. | 19:20 |
Pirkka | But I just got a new Windows Phone and I don't think the java client runs on it. | 19:21 |
nowen | probably not | 19:21 |
*** Pirkka has parted #wikid (None) | 19:26 | |
*** FlexyZ (5551950e@gateway/web/freenode/ip.85.81.149.14) has joined #wikid | 21:32 | |
FlexyZ | nowen, how do I assign multiple tokens to the same user in same domain | 21:35 |
FlexyZ | UserID xxxxx is already registered in this domain | 21:35 |
nowen | FlexyZ: you need to use the example.jsp page or some other network client-based app | 21:35 |
FlexyZ | oki how do I enable the example.jsp - need to do something right | 21:37 |
nowen | this is the best doc for that: http://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-can-i-test-if-the-server-is-working-correctly | 21:38 |
nowen | it's pretty basic - just change "passprhase" and the default domain | 21:38 |
*** mo (d8390e7c@gateway/web/freenode/ip.216.57.14.124) has joined #wikid | 21:49 | |
*** mo is now known as Guest31565 | 21:49 | |
Guest31565 | hi | 21:50 |
Guest31565 | quick question | 21:50 |
nowen | ok | 21:50 |
Guest31565 | on a shared pc how do you distinguish the users | 21:51 |
Guest31565 | that is can you set this up on a shared pc | 21:51 |
nowen | Are the users sharing a login? or just a PC with multiple accounts? | 21:51 |
Guest31565 | sharing a login | 21:52 |
nowen | hmm. then what's the point of distinguishing the user? | 21:52 |
Guest31565 | you are right | 21:53 |
nowen | lo | 21:53 |
nowen | l | 21:53 |
nowen | if you own the box, you can own the network | 21:53 |
nowen | if the users login separately, then whatever mechanism secures their space, secures the WiKID token | 21:54 |
nowen | you can run more than one wikid token on a machine | 21:54 |
nowen | you can't use the installer | 21:54 |
nowen | for boty | 21:54 |
nowen | both | 21:54 |
nowen | FlexyZ: I assume you don't need help editing the example.jsp page, but if you do, let me know | 21:55 |
FlexyZ | no but not sure what pass to use where :) | 21:56 |
nowen | hehe - use the localhost.p12 passphrase | 21:57 |
FlexyZ | Client PKCS12 Passphrase | 21:57 |
FlexyZ | in admin right | 21:57 |
nowen | not necessarily | 21:57 |
nowen | you can use keytool on the localhost p12 to check it | 21:58 |
FlexyZ | how :) | 21:58 |
nowen | http://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-do-i-know-if-my-certificate-is-valid | 21:58 |
nowen | by searching the site, my friend! :) | 21:58 |
FlexyZ | seem to have pass right on both | 22:02 |
FlexyZ | but still no go | 22:03 |
FlexyZ | domain also changed | 22:03 |
Guest31565 | thanks | 22:03 |
nowen | Guest31565: welcome | 22:04 |
nowen | FlexyZ: try giving wikid a restart | 22:04 |
nowen | the old one may be cached | 22:04 |
Guest31565 | can you help with this | 22:05 |
Guest31565 | a user is getting url changed | 22:06 |
Guest31565 | did it change on the server itself | 22:06 |
nowen | the URL changed message is from when there's a Registered URL in the domain settings. did you set one up? | 22:06 |
Guest31565 | yes | 22:07 |
Guest31565 | has been tested and working | 22:07 |
nowen | ok - in that case it could be an MiTM attack | 22:07 |
nowen | is it just that user? | 22:07 |
FlexyZ | restart did it | 22:08 |
Guest31565 | nope all users to that domain | 22:08 |
nowen | ok - what is the URL? | 22:08 |
Guest31565 | gts2.globetax.com | 22:08 |
nowen | it should be https:// | 22:09 |
Guest31565 | yes | 22:10 |
nowen | oh - it is? or it will be? | 22:10 |
Guest31565 | it is | 22:11 |
nowen | what's the domain id? | 22:11 |
Guest31565 | i know its public | 22:12 |
Guest31565 | but i still feel uncomfortable putting this in a chat | 22:12 |
nowen | have one of your users kill and restart their token and see if that works | 22:12 |
nowen | hehe | 22:12 |
nowen | I'm usre | 22:12 |
nowen | sure | 22:12 |
FlexyZ | :) | 22:12 |
nowen | So you changed the URL in the domain and restarted WiKID? | 22:16 |
Guest31565 | hi | 22:24 |
nowen | Guest31565: any luck? | 22:24 |
Guest31565 | still trying | 22:25 |
nowen | did you restart the token? | 22:26 |
Guest31565 | yes | 22:26 |
nowen | still no go? | 22:27 |
nowen | how many users have you rolled this out to? | 22:27 |
Guest31565 | 4 | 22:27 |
Guest31565 | so far | 22:27 |
Guest31565 | i was hoping to roll out to most this week | 22:27 |
nowen | why did you change the URL? | 22:27 |
Guest31565 | same client works for two other domains | 22:27 |
Guest31565 | i did not change anything | 22:27 |
nowen | oh, I thought you said you did. | 22:28 |
Guest31565 | url would be the last thing i change | 22:28 |
Guest31565 | nope that was the error | 22:28 |
nowen | did the site's SSL cert change? | 22:29 |
Guest31565 | nope | 22:29 |
Guest31565 | i changed the domain registered url on wikid server | 22:29 |
Guest31565 | saved; then changed it back | 22:30 |
nowen | yeah - that is what I meant when I asked why you changed the URL | 22:30 |
Guest31565 | it seems to be working now | 22:30 |
Guest31565 | yes | 22:30 |
Guest31565 | that is why i did it | 22:30 |
Guest31565 | but why do i have to do this | 22:30 |
Guest31565 | if this was the only wikid server then i would not be able to login at all | 22:31 |
nowen | why did you change it in the first place? | 22:31 |
Guest31565 | without some sort of backdoor | 22:31 |
Guest31565 | i never changed anything | 22:31 |
Guest31565 | it just stopped working | 22:31 |
nowen | "05:29:50 PM) Guest31565: i changed the domain registered url on wikid server" | 22:31 |
Guest31565 | yes as per your suggestion; then i changed it back | 22:32 |
Guest31565 | so then it started working | 22:32 |
Guest31565 | thanks though | 22:33 |
Guest31565 | hopefully its more stable with future updates ;-) | 22:33 |
nowen | I'm not sure what happened. it could have been an attack or who knows | 22:33 |
nowen | did you see anything in the WiKIDAdmin logs> | 22:34 |
nowen | ? | 22:34 |
Guest31565 | no | 22:34 |
Guest31565 | i will double check tomorrow | 22:34 |
Guest31565 | i have to go now | 22:34 |
Guest31565 | thanks again | 22:34 |
nowen | np | 22:34 |
FlexyZ | nowen what is the best way to auto start wikid if server is rebooted - I have the pass in the security file | 22:46 |
nowen | there's a script in /opt/WiKID/conf/templates | 22:46 |
nowen | you can drop it into /etc/init.d | 22:47 |
FlexyZ | cool | 22:47 |
*** FlexyZ has quit (Ping timeout: 258 seconds) | 23:10 | |
*** nowen has quit (Quit: Leaving.) | 23:31 |