Thursday, 2012-02-09

14:11 *** WiKIDLogbot (~WiKIDLogb@ec2-174-129-6-100.compute-1.amazonaws.com) has joined #wikid
14:11 *** card.freenode.net: Topic for #wikid is: support for the WiKID Strong Authentication System. If no one is here, try the nabble forums: http://www.wikidsystems.com/support/support/wikid-forums
14:11 *** card.freenode.net: Users on #wikid: WiKIDLogbot @nowen perestre1ka coolacid ionepoch jY mikekr_ mick_laptop
16:06 *** SLiVER (~SLiVER@99-6-152-182.lightspeed.wlfrct.sbcglobal.net) has joined #wikid
16:06 *** SLiVERR (~SLiVER@99-6-152-182.lightspeed.wlfrct.sbcglobal.net) has joined #wikid
16:07 *** SLiVERR has parted #wikid (None)
16:07 <SLiVER> Anyone alive?
16:07 <nowen> yep
16:07 <SLiVER> hello hello
16:08 <SLiVER> do you work for wikid?
16:08 <nowen> yes :)
16:08 <SLiVER> Oh great, I got a few questions for you then.
16:08 <nowen> shoot
16:09 <SLiVER> I am looking to set up wikid with a netgear vpn firewall. I was reading the whitepaper on it but would like to know if it supports IPSec VPNs or only SSL VPNs?
16:10 <nowen> WiKID doesn't care what kind of vpn it is. as long as it supports radius, it will work
16:12 <SLiVER> Ahh, ok gotcha, is there a way to keep 2 wikid servers synchronized? I have an amazon vpc and an onsite network that I would like to secure using the same credentials
16:13 <nowen> not with the current versions. we're working on a new product that would, but it would cost a bit more
16:13 <SLiVER> ok, good to know
16:13 <nowen> have you heard about radsec proxy?
16:13 <nowen> it encrypts radius traffic
16:14 <SLiVER> I have heard of it, but have to look into it some more I guess
16:14 <nowen> same here
16:14 <nowen> you can set up two servers and have your users have two domains on a single token
16:15 <SLiVER> hmm, does that mean I have to have 2 licenses per seat?
16:15 <nowen> yes
16:16 <SLiVER> ok, I will consider that
16:16 <SLiVER> looks like radsec hasn't been standardised yet
16:16 <nowen> radsecproxy would be better, most likely
16:16 <nowen> ?
16:17 <nowen> you mean that radius doesn't support encryption?
16:17 <SLiVER> no i mean the radsec protocol hasn't been standardized by the IETF, not a huge deal, just not a standard protocol for now
16:18 <ionepoch> good morning... new here, almost done setting up wikid, plan to integrate radius auth with juniper firewall today.. have a few questions as well.. 1st... about radius...
16:18 <ionepoch> i see that you guys mention radius is not encrypted
16:18 <nowen> SLiVER: can't see that it matters as long as radius goes in one end and comes out the other :)
16:18 <ionepoch> however, is the data somewhat masked due to the shared key?
16:19 <nowen> ionepoch: correct. it is encoded by the shared key
16:19 <SLiVER> ionepoch it is MD5 encrypted but MD5 is not secure
16:19 <ionepoch> ok...
16:19 <SLiVER> from what i understand
16:19 <ionepoch> i've taken it for granted that it was secure
16:19 <ionepoch> however...
16:19 <ionepoch> i guess what you are seeing is md5 is weak for complete security
16:19 <ionepoch> ... (but i guess better than plaintext)
16:20 <SLiVER> md5 is easily crackable so you can't rely on it
16:20 <ionepoch> k
16:20 <nowen> yes. radius traffic should only be on the inside
16:20 <ionepoch> well... we're paranoid over here (inside and out) so i'll have to look into radsec as well
16:20 <ionepoch> ...
16:20 <ionepoch> i have another question about radius
16:21 <ionepoch> i set it up in the wikidadmin panel
16:21 <ionepoch> the configuration section was pretty clear stating you should have to mess with the default radius settings... however, the IP is set to 127.0.0.1 ... this makes it seem like the radius service attached to wikid will only be accessible by the local wikid server...
16:21 <ionepoch> however... when i take a look at the ports... it appears radius is listening on all interfaces:
16:22 <ionepoch> netstat -tupan | grep 1812
16:22 <ionepoch> udp6       0      0 :::1812                 :::*                                3752/java
16:22 <ionepoch> does the IP Address under the "RADIUS Configuration" panel need to be the public facing id?
16:22 <nowen> no. that's where the WiKID radius listener will be.
16:22 <ionepoch> ok..
16:23 <ionepoch> so just leave it at 127.0.0.1
16:23 <ionepoch> correct?
16:23 <nowen> correct
16:23 <ionepoch> ok...
16:23 <ionepoch> also... you'll have to forgive my ignorance... we're switching from (icky) RSA
16:23 <ionepoch> ..
16:23 <nowen> I need to take out the option to change it at all. the dev thought of a scenario where this code would run off the WiKID server
16:23 <nowen> np
16:24 <ionepoch> RSA generated time synchronized OTP for us on our mobile phones (without the need to connect to the central RSA auth server)
16:24 <ionepoch> ...
16:24 <ionepoch> it seems obvious... but I just want to make sure I'm understanding this...
16:25 <ionepoch> our mobile phones will need to be able to establish a data connection to our wikid auth server to generate the OTP for normal operation, correct?
16:25 <nowen> in WiKID, the token communicates with the server
16:25 <nowen> yes
16:25 <ionepoch> to my next question...
16:25 <ionepoch> no problem with the communication...
16:25 <ionepoch> but i'd like to NAT the server...
16:25 <ionepoch> ie... some public ip 3.3.3.3 ... nat to... 192.168.x.x
16:25 <ionepoch> ....
16:25 <nowen> np. just use the external IP as the domain identifier
16:25 <ionepoch> awesome...
16:26 <ionepoch> that was my question ... and seems to make sense as the WIKID clients appear to use that ip in the server identifier to phone home...
16:26 <ionepoch> also... in the examples... i do see a: Offline Login:
16:26 <ionepoch> UserID:
16:26 <ionepoch> Challenge: 23107009
16:27 <nowen> yeah, we support a fallback to C/R mode if the user doesn't have a network connection
16:27 <ionepoch> not that it matters much... but is the offline login implemented as a fallback
16:27 <ionepoch> k
16:27 <ionepoch> ...
16:27 <ionepoch> this is truly great
16:27 <nowen> it comes up in pre-sales, but it never comes up in production, it seems. I think that with wifi and the fact that users choose carriers that cover where they go, it isn't an issue
16:28 <ionepoch> fallback is really nice (not sure it will matter for us though).. chances are if we can't reach the auth server... we've got problems....
16:28 <ionepoch> yeah...
16:28 <nowen> I'd be interested in your comparison between the RSA auth server and ours.
16:28 <ionepoch> from sales point of view... everyone tries to poke holes in everything just in case
16:28 <nowen> hehe, yeah, better before you pay than after :)
16:28 <ionepoch> i can tell you right now... 95% better right off the bat
16:28 <ionepoch> nightmare stories with RSA
16:29 <ionepoch> it's been my goal to move our company off for some time
16:29 <ionepoch> ...
16:29 <ionepoch> RSA doesn't run on debian based boxes (boo)
16:29 <SLiVER> Is 10 users the minimum license I can purchase?
16:30 <nowen> SLiVER: yes
16:30 <ionepoch> RSA appears massively designed for Windows (all windows/linux flame wars aside)... we don't use windows for our production systems ... so i don't care about it
16:30 <ionepoch> ...
16:30 <ionepoch> also... RSA works with SUN's implementation of ldap... (never realized that it was different than regular openldap)... zero support for openldap... ie... you are on your own...
16:30 <ionepoch> ...
16:30 <SLiVER> ok, thanks for the support, i wish every business had an IRC channel. I am sure I will be back when I go to set up the server. THANKS!
16:31 <nowen> hehe
16:31 <nowen> irc is pretty nice for support
16:31 <ionepoch> the self installer packages in RSA are horrible and unworkable unless you are running redhat... we ended up buying a dedicated appliance from RSA to get it done...
16:31 <SLiVER> bah bye
16:31 <nowen> SLiVER: also, if you come to irc for support, I know you won't need much support :)
16:31 <ionepoch> the dedicated appliance you think would be easy ... but it was horrible...
16:31 <SLiVER> yeh right eheh
16:31 <nowen> ionepoch: doesn't their appliance run windows?
16:31 *** SLiVER has parted #wikid ("Taking my Vortec IRC elsewhere...")
16:31 <ionepoch> redhat
16:31 <ionepoch> ....
16:32 <ionepoch> wikid has been much more straightforward and actually works...
16:32 <ionepoch> i am a huge fan of... "here ... apt-get these standard packages... then install ours"
16:32 <ionepoch> simple...
16:32 <nowen> I'm testing some new .debs. soon. a bit behind on those
16:32 <ionepoch> in a dream world... getting into the apt repository would be AWESOME
16:32 <nowen> yeah, we're working on that
16:33 <nowen> or at least setting up our own
16:33 <ionepoch> my only 5% confusion with WIKID i think has to do with either entropy or a name server timing out...
16:33 <ionepoch> when i boot wikid... takes like 2 minutes for success (no problem, that's fine)...
16:34 <ionepoch> but then when i load the admin panel... takes another 2 minutes to get the tomcat engine to wake up and respond...
16:34 <ionepoch> any thoughts on this?
16:34 <nowen> hmm
16:34 <nowen> what are your machine's specs?
16:34 <ionepoch> model name: Intel(R) Xeon(R) CPU           X3430  @ 2.40GHz
16:35 <ionepoch> 4gb
16:35 <ionepoch> should be good
16:35 <nowen> oh yeah
16:36 <nowen> anything in the WiKIDAdmin logs?
16:36 <ionepoch> let me check...
16:37 <ionepoch> actually... very very little and nothing that would indicate a problem..
16:37 <ionepoch> let me check catalina
16:38 <ionepoch> nothing in there either...
16:38 <ionepoch> what is normal for boot times once you enter wikidctrl start?
16:38 <nowen> what version # is this?
16:39 <ionepoch> wikid-server-enterprise_3.4.87-b1092-1.deb
16:40 <nowen> we have done some work to improve the radius start time. it needs entropy
16:40 <ionepoch> no problem...
16:41 <ionepoch> there are some entropy packages ...
16:41 <nowen> running rngd -r /dev/urandom apparently gets radius to start quickly
16:41 <ionepoch> hmm..
16:41 <nowen> I should be able to post a new .deb today
16:42 <nowen> also, I can just give you the link if you want to test it too.
16:42 <ionepoch> awesome, ok, i'll take a look... which brings me to my next questions...
16:42 <ionepoch> mailing lists for updates and security updates?
16:43 <nowen> working on that too. :)
16:43 <ionepoch> ok...
16:43 <ionepoch> no problem, rome isn't built in a day (from dev cycles, believe me i understand)
16:43 <ionepoch> ...
16:43 <nowen> if you selected to subscribe when you downloaded, you'll get on it. or if you purchase
16:43 <ionepoch> which leads me to next questions...
16:44 <ionepoch> my goal for today is to integrate with juniper... and get mobile phone authenticating and then we're done.
16:44 <ionepoch> do i need to have real licenses to test the phone?
16:44 <nowen> no, everything should work
16:44 <ionepoch> k..
16:44 <ionepoch> one more..
16:45 <ionepoch> since i will be natting the wikid auth server...
16:45 <ionepoch> the only thing that our employees will need to reach is ... a.b.c.d:8388 ?? correct?
16:45 <ionepoch> ie port 8388 ?
16:46 <nowen> no, the tokens use port 80. that should be the only port open to the outside
16:47 <ionepoch> ok, so mobile phones and clients connect on 80... and just to be clear... no need for 443?
16:47 <nowen> only if you want the WiKIDAdmin available outside. the tokens use asymmetric encryption, so no ssl is needed
16:48 <ionepoch> awesome..
16:48 <ionepoch> we have ssl vpn...
16:48 <ionepoch> so.. i think i will PAT the ports... 443 to vpn server... and 80 to wikid server
16:48 <ionepoch> sweet
16:48 <nowen> sounds right
16:48 <ionepoch> ok... thank you so much for your time
16:48 <nowen> np. thanks for the feedback
16:49 <ionepoch> how long does it take to get 10seat 3yr license delivered once payment is made?
16:49 <nowen> like seconds :)
16:49 <ionepoch> do you have an option for 10seat 5 yr? I didn't see it on the purchase page
16:49 <nowen> no, just 3 yr
16:50 <ionepoch> k
16:50 <nowen> ok - I haven't tested this, but i have tested the rpm. http://wikidsystems-dl.com/wikid-server-enterprise_3.4.87-b1181-1.deb
16:50 <ionepoch> alright back to work for me... probably keep that chat open... i'll check back in a bit later... thanks again!
16:50 <nowen> p
16:51 <ionepoch> for updates... can i just dpkg that and away we go?
16:55 <nowen> yes
16:55 <ionepoch> ok...
16:55 <ionepoch> i'll get working on all of this and let you know what i find... be back in a while, cheers
19:41 *** mikekr_ has quit (Quit: Page closed)
19:42 <ionepoch> nowen... small update... i haven't installed the new test deb yet... but... the rngd -r /dev/urandom seems to have fixed the slow boot times... (starting to work on this again)
19:43 <nowen> yeah, we basically added that as the fix
19:43 <ionepoch> as a heads up ... apt-get install rng-tools
19:43 <nowen> damn, the ssl cert gen takes a long time too
19:44 <ionepoch> rng-tools is the package i installed for rngs... not sure if you need people to add that to the list of standard packages to install before getting started
19:47 <ionepoch> i didn't have any problems with ssl gen times so far
19:47 <ionepoch> will let you know if i encounter any
19:53 <ionepoch> nowen, if i want to rename the server's host name... from blah.myinternalserver.com to... auth.liveserver.com ... should i recreate the intermediate cert, install it, and recreate the local host cert?
19:53 <nowen> yes
19:53 <nowen> rerun set up too
19:56 <ionepoch> thanks!
20:19 <ionepoch> woohoo... first test auth success with juniper device
20:19 <ionepoch> super easy!
20:19 <ionepoch> sweet!
20:19 <nowen> hehe, nice
23:09 <nowen> btw, I will be traveling tomorrow. if you need something, you can use the forums or email me (if you have it :)
23:33 *** dystonic (c7ff532e@gateway/web/freenode/ip.199.255.83.46) has joined #wikid
23:33 *** dystonic is now known as dystie
23:33 <dystie> hi, Nick, you around
23:33 <dystie> i'm having a service restart issue and could use some pointers.
23:47 <ionepoch> hola~ i'm not nick (think he might have left for the day)...
23:47 <ionepoch> but i've been messing with this...
23:47 <ionepoch> couple things I had issues with...
23:47 <ionepoch> killall java related processes on restart
23:47 <ionepoch> ... and the entropy random generator seems to help a lot
23:47 <ionepoch> rngd -r /dev/urandom
23:48 <ionepoch> once i loaded the rngd processes... restarts worked a lot better
23:50 <dystie> hi.
23:51 <dystie> ok -- i can't get the services up. kinda frustrating,
23:51 <ionepoch> i'm in the process of moving away from rsa to wikid
23:51 <ionepoch> so far ...
23:51 <dystie> so i'm in a paired setup; we fail from our 01 box to our 02 box, but it's not failing back or coming up and i'm not sure what's wrong cus i didn't build the solution.
23:51 <ionepoch> the initial setup has been pretty good
23:52 <dystie> yeah rsa makes me cranky. didja read the sp-800-01 doc from nist? i think that's the name
23:52 <dystie> was updated twofactor guidance.
23:52 <ionepoch> 01 and 02 ... 02 is a backup box?
23:53 <ionepoch> so do you have 2 issues?
23:53 <dystie> yeah, i'm not sure what our license count on it is, but things fail to 02; when 01 is back up we restart service on 02 and it's supposed to fail back
23:53 <dystie> but things aren't communicating right and i can't get either server to bring up the wikid browser page.
23:53 <ionepoch> ahh
23:53 <dystie> well tomcat is starting but it's not bringing up the auth page
23:53 <ionepoch> ok...
23:53 <ionepoch> so...
23:53 <dystie> and i'm getting database connection errors.
23:53 <ionepoch> ahh
23:53 <dystie> whatcha think?
23:54 <ionepoch> i recall setting a password on postgres
23:54 <dystie> dya know what user it needs to run as?
23:54 <ionepoch> are you on a debian based box?
23:54 <ionepoch> if so...
23:54 <dystie> centos
23:54 <ionepoch> hmm
23:54 <ionepoch> well
23:54 <ionepoch> cat /etc/passwd
23:54 <ionepoch> look for a postgres user
23:55 <ionepoch> postgres or postgresql (we're on ubuntu so i don't know what centos did)
23:55 <ionepoch> ...
23:55 <ionepoch> then sudo su to root
23:55 <ionepoch> ...
23:55 <ionepoch> then su - postgres user
23:55 <ionepoch> whatever the postgres user is for your distro
23:55 <ionepoch> i had to google search this for ubuntu...
23:55 <ionepoch> on ubuntu
23:55 <ionepoch> it's postgres
23:55 <ionepoch> su - postgres
23:55 <ionepoch> then psql -Upostgres
23:56 <dystie> check.
23:56 <dystie> what commands do you typically run to diagnose issues? in terms of what do you check is listening or started.
23:57 <ionepoch> well
23:57 <ionepoch> first i'd see that postgres is running..
23:57 <ionepoch> then...
23:58 <ionepoch> su - postgres
23:58 <ionepoch> psql
23:58 <ionepoch> \c template1
23:58 <ionepoch> ALTER USER postgres WITH PASSWORD 'changeme';
23:58 <ionepoch> \q
23:58 <ionepoch> dpkg -i wikid-server-xxx.deb
23:58 <ionepoch> # Follow prompts... note cert takes a while to generate (up to 5 minutes).
23:58 <ionepoch> # type postgres password as many times as prompted
23:59 <ionepoch> (if you have the rngd -r /dev/urandom ... the cert generation should be faster
