*** nowen (~nowen@adsl-74-176-212-133.asm.bellsouth.net) has joined #wikid | 13:53 | |
*** nowen has quit (Remote host closed the connection) | 15:14 | |
*** nowen (~nowen@adsl-74-176-212-133.asm.bellsouth.net) has joined #wikid | 15:17 | |
*** cdub_ (40fee8e2@gateway/web/freenode/ip.64.254.232.226) has joined #wikid | 15:18 | |
cdub_ | What is the best way to run the token off of a usn key so that the token can easily be used on different PCs? | 15:18 |
cdub_ | I mean usb key | 15:19 |
nowen | all you have to do is put the jar on the usb key | 15:19 |
nowen | if you are using the non-locked token, you can also copy the WiKIDToken.wkd file and move your domains, etc | 15:19 |
cdub_ | and all the information will be stored on the USB key then, nothing will need to be stored on the PC? | 15:19 |
nowen | correct | 15:19 |
cdub_ | so the only requirement would be to have java installed on the PC | 15:20 |
nowen | hmm, I suppose so. The bundled token installer includes its own JRE. but I haven't tried to use it on a usb on a computer without java | 15:20 |
cdub_ | perfect, thanks for the help | 15:21 |
*** cdub_ has quit (Client Quit) | 15:21 | |
*** jhall (53f185c1@gateway/web/freenode/ip.83.241.133.193) has joined #wikid | 15:32 | |
*** jhall is now known as johall | 15:32 | |
johall | hi.. anyone alive? | 15:32 |
nowen | mostly | 15:32 |
johall | ;) | 15:32 |
johall | will wikid work with built-in windows 7 vpn client? | 15:32 |
nowen | the vpn client has nothing to do with it really. it depends on the vpn server - does it support Radius? | 15:33 |
*** cdub_ (40fee8e2@gateway/web/freenode/ip.64.254.232.226) has joined #wikid | 15:33 | |
johall | it's a 2008r2 nps | 15:33 |
johall | so yeah | 15:33 |
cdub_ | I had previously run the token non-installer exe on a PC. Now when | 15:34 |
johall | but i'm interested in knowing how the end user will actually connect | 15:34 |
nowen | johall: have you seen our nps doc? | 15:34 |
cdub_ | Now I run the JAR file token off of a usb key on the same PC it is pulling the info from when the exe was run | 15:34 |
nowen | johall: they will enter their username and OTP into the vpn client, after getting the otp from the WiKID token | 15:35 |
johall | nowen: yeah, or at least I think we're referring to the same one... on the one i mean there's some java app where you can request a otp | 15:35 |
nowen | johall: http://www.wikidsystems.com/downloads | 15:35 |
nowen | cdub_: you might need to use a new token. one that doesn't have an installer | 15:35 |
nowen | johall: I meant: http://www.wikidsystems.com/downloads/token-clients | 15:35 |
cdub_ | Just re-writing so it is altogether - I had previously run the token non-installer exe on a PC. Now when I run the JAR file token off of a usb key on the same PC it is pulling the info from when the exe was run. It is requesting the previously configured passphrase. | 15:37 |
cdub_ | Where is it pulling the data from? | 15:37 |
nowen | look for WiKIDToken.wkd | 15:38 |
johall | nowen: I guess that's some internal user database? Is it possible to integrate with Active Directory? | 15:38 |
nowen | if you create an empty WiKIDToken.wkd in the same directory as jar/exe file on the usb drive, it should use that | 15:39 |
nowen | johall: you can allow users to register their own tokens based on their AD creds, Radius handles the authz integration with AD. | 15:39 |
cdub_ | how do I go about creating an empty wkd file. Just use a text file and save as .wkd? | 15:40 |
nowen | yeah, that should do it | 15:41 |
cdub_ | ok, thx | 15:41 |
nowen | np | 15:41 |
nowen | johall: does that make sense? | 15:41 |
johall | nowen: trying to wrap my head around it.. | 15:42 |
johall | nowen: so what's the procedure? end user -> wikid-token -> otp -> ??? | 15:42 |
nowen | the process goes VPN >> NPS >> AD >> NPS >> WiKID | 15:42 |
nowen | or WiKID >> OTP >> VPN >> NPS/AD >> WiKID >> NPS >> VPN | 15:43 |
nowen | NPS validates that the user has permissions based on their username, if so, it checks the creds with WiKID, if that passes too, the NPS allows access | 15:44 |
johall | nowen: and by VPN you mean, or, it could be, Windows 7 built-in VPN Client? | 15:44 |
nowen | by VPN, I really mean the VPN server. The connection request comes from the client to the VPN server/concentrator, which talks to NPS for authorization and authentication. | 15:45 |
johall | and by client you mean wikid-token? | 15:45 |
nowen | in that example, I mean VPN client. | 15:46 |
nowen | :) | 15:46 |
johall | hmmm | 15:46 |
nowen | lots of clients and servers involved :) | 15:46 |
johall | if i ask you this | 15:46 |
nowen | the user has two clients, WiKID & VPN | 15:46 |
johall | is it possible to combine otp with windows 7 built-in vpn client? | 15:46 |
johall | otp/wikid | 15:46 |
nowen | Not sure. | 15:47 |
nowen | can the windows VPN be launched via a command line with a username and password? | 15:47 |
johall | rasdial.exe <vpn_connection_name> <username> <password> | 15:49 |
nowen | interesting | 15:49 |
nowen | we can look into it | 15:49 |
johall | i was told nps has no support for radius challenge response | 15:51 |
johall | do you know if that's true? | 15:51 |
nowen | we only use that as a fall-back if a wireless token is out of coverage | 15:51 |
johall | ok | 15:52 |
johall | do you get what i'm after? | 15:52 |
johall | i want users to be able to authenticate with ad username and password along with the otp from wikid-token using windows 7 built-in vpn client | 15:53 |
johall | also, it should work with OS X Lion, but that's the next bump to handle ;) | 15:55 |
nowen | that depends on the options for windows VPN client and your VPN | 15:55 |
nowen | I recommend against it. | 15:55 |
johall | why's that? | 15:56 |
nowen | it is best to not use your LAN password outside of the LAN. it's a major security benefit of using two-factor authentication | 15:56 |
johall | ok, i understand... let me rephrase | 15:57 |
johall | i want users to be able to authenticate with ad username along with the otp from wikid-token using windows 7 built-in vpn client... | 15:58 |
johall | and users should be "imported" to wikid automatically | 15:58 |
johall | where's the security in sending out the otp? | 15:58 |
nowen | That's what we've been covering. However, users cannot be imported automatically. WiKID uses public/private keys that are generated on the devices and exchanged with the server | 15:59 |
nowen | http://www.wikidsystems.com/learn-more/technology/overview might help | 16:00 |
johall | ok, i guess i will have to keep looking, thanks for your time | 16:00 |
nowen | any system that "imports" users will use shared secrets and you will face the RSA issue | 16:01 |
*** johall has quit () | 16:03 | |
*** cdub_ has quit (Quit: Page closed) | 16:59 | |
*** nowen has parted #wikid (None) | 22:56 |