*** Jon_Ole has quit (Quit: Page closed) | 07:16 | |
*** nowen (~nowen@adsl-74-176-212-133.asm.bellsouth.net) has joined #wikid | 13:58 | |
*** nowen has quit (Read error: Connection reset by peer) | 14:52 | |
*** nowen (~nowen@adsl-74-176-163-69.asm.bellsouth.net) has joined #wikid | 14:53 | |
*** Andrew_ (c010ccd7@gateway/web/freenode/ip.192.16.204.215) has joined #wikid | 16:02 | |
Andrew_ | Hi Nick | 16:09 |
nowen | hi | 16:09 |
Andrew_ | I was wondering if you'd have any ideas on where I should start troubleshooting wikid tokens not being accepted when logging in | 16:10 |
nowen | what's your setup again? | 16:10 |
Andrew_ | I have wikid set up to use radius, and radius authenticates against our ldap server | 16:10 |
nowen | and where does it start? at a VPN? | 16:11 |
Andrew_ | I'm able to login to a test host using radius credentials which were validated against the ldap but it doesn't seem to accept wikid tokens | 16:11 |
Andrew_ | I set up sshd on a test box to use radius by following the wikid directions from: http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-secure-ssh-with-two-factor-authentication-from-wikid | 16:12 |
nowen | so, it sounds like the creds are stopping at the ldap server | 16:12 |
nowen | what ldap server are you using? | 16:13 |
Andrew_ | openldap | 16:13 |
nowen | did you see this doc: http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-openldap-and-freeradius | 16:13 |
nowen | did you Create an entry in /etc/raddb/proxies.conf? | 16:14 |
Andrew_ | yes however the file name is now /etc/raddb/proxy.conf | 16:15 |
nowen | huh, now why would they do that to me? ;) | 16:15 |
nowen | can you only have one proxy? | 16:15 |
nowen | so - you can log in with static creds that are in ldap, but WiKID fails | 16:16 |
Andrew_ | ha yes | 16:16 |
nowen | what's the last message in the WiKIDAdmin logs? | 16:16 |
Andrew_ | A C3P0Registry mbean is already registered. This probably means that an application using c3p0 was undeployed, but not all PooledDataSources were closed prior to undeployment. This may lead to resource leaks over time. Please take care to close all PooledDataSources. | 16:17 |
nowen | yeah, not applicable. do you see the OTP request? | 16:18 |
Andrew_ | I'm running radius in debug and it returns access reject when using the wikid token | 16:18 |
Andrew_ | Issued passcode to device -84954..... | 16:19 |
nowen | ok | 16:20 |
nowen | so, the fact that you don't see anything after that that mentions radius, makes me think the request is not getting to the server | 16:20 |
nowen | http://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-can-i-set-radius-logging-to-debug-how-can-i-see-if-wikid-is-getting-the-radius-requests | 16:20 |
nowen | also, you can run 'tcpdump -p radius' to see if a request is coming in | 16:21 |
Andrew_ | 2012-03-08 10:56:02.894 INFO com.wikidsystems.radius.log.DBSvrLogImpl RADIUS Receiver Started: listening on port 8388 | 16:24 |
nowen | hmm | 16:24 |
nowen | can you run | 16:24 |
nowen | 'netstat -anp | grep 1812' on the terminal for me? | 16:24 |
nowen | post the results here | 16:24 |
Andrew_ | netstat -anp | grep 1812 udp 0 0 0.0.0.0:1812 0.0.0.0:* 19041/radiusd | 16:27 |
nowen | ok | 16:28 |
Andrew_ | should that be bound to an IP? | 16:28 |
nowen | looks normal to me | 16:28 |
nowen | the ldap server is on a different box, right? | 16:29 |
Andrew_ | correct | 16:29 |
nowen | run 'iptables -L -n' | 16:29 |
nowen | and make sure its IP is listed | 16:30 |
Andrew_ | it doesn't appear to be there | 16:32 |
nowen | did you set it up as a Network Client? | 16:32 |
Andrew_ | Just did, restarting wikid now | 16:33 |
Andrew_ | ok it's listed in iptables now | 16:34 |
nowen | good stuff | 16:34 |
nowen | what version of WiKID is this? | 16:34 |
Andrew_ | wikid-server-enterprise-3.4.87-b1159 | 16:34 |
nowen | ok | 16:34 |
nowen | we have an update, so before you go, let's do that too | 16:34 |
nowen | it might take a bit for radius to start | 16:35 |
nowen | you can re-run the netstat command to make sure it has come up | 16:35 |
Andrew_ | would it make a difference if I was running radius in a separate terminal using /usr/sbin/radiusd -X to watch it process requests? | 16:36 |
Andrew_ | or does it have to be started with wikid? | 16:36 |
Andrew_ | it's still running on the same box just wasn't started through wikid, the netstat on port 1812 shows it listening | 16:36 |
nowen | is freeradius running on the same server as WiKID? | 16:37 |
Andrew_ | yes | 16:37 |
nowen | is this just for testing? | 16:37 |
Andrew_ | yup | 16:37 |
Andrew_ | once I have wikid working I'm going to be moving it into the QA/preproduction and out of dev | 16:38 |
nowen | ok | 16:38 |
nowen | it's just that WiKID uses 1812 for its listener, so I'm not sure that freeradius can run on it too | 16:38 |
nowen | unless you change freeradius's port | 16:38 |
Andrew_ | that's fine | 16:39 |
nowen | ok | 16:39 |
nowen | I guess try to auth again and see what happens | 16:39 |
Andrew_ | the ssh to the test server responded: Permission denied, please try again. | 16:40 |
Andrew_ | the RADIUS logs show: rlm_ldap: Bind failed with invalid credentials modcall[authenticate]: module "ldap" returns reject for request 1 modcall: leaving group LDAP (returns reject) for request 1 auth: Failed to validate the user. | 16:41 |
Andrew_ | the LDAP directory wouldn't have the wikid pw in it, which is what it's trying to authenticate against and failing | 16:41 |
Andrew_ | it seems like the communication between radius/ldap and wikid isn't working | 16:42 |
nowen | anything in the WiKIDAdmin logs? | 16:44 |
Andrew_ | 2012-03-08 11:25:33.391 INFO com.wikidsystems.radius.log.DBSvrLogImpl Failed to create RADIUS server socket on port 8388: java.net.BindException: Address already in use ; 2012-03-08 11:25:33.388 INFO com.wikidsystems.radius.log.DBSvrLogImpl RADIUS Receiver Started: listening on port 8388 | 16:45 |
nowen | hmm | 16:45 |
nowen | ahh - I didn't look at your response close enough | 16:45 |
nowen | (11:27:47 AM) Andrew_: netstat -anp | grep 1812 udp 0 0 0.0.0.0:1812 0.0.0.0:* 19041/radiusd | 16:45 |
nowen | that's not WiKID | 16:46 |
nowen | it is freeradius | 16:46 |
nowen | so, the WiKID radius listener is not starting | 16:46 |
Andrew_ | yes, so I should change the ports on the freeradius server? | 16:46 |
nowen | you need to move freeradius off that port or onto another box | 16:46 |
Andrew_ | Which ports should I have freeradius start on? | 16:47 |
nowen | doesn't matter, but not 80,443, 8388 or 1812 | 16:47 |
Andrew_ | gotcha restarting wikid now | 16:49 |
Andrew_ | just ran netstat -anp | grep 1812 after restarting wikid and nothing came up | 16:50 |
nowen | give it some time | 16:50 |
Andrew_ | freeradius is running on 1645 | 16:50 |
nowen | it needs entropy and there's not much on a headless system | 16:51 |
nowen | you can run ls -allR on / to create some | 16:51 |
Andrew_ | how long will it typically take? | 16:52 |
nowen | well, we did some optimization | 16:53 |
nowen | not sure if you have that in that version | 16:53 |
Andrew_ | what's the latest version available now? | 16:53 |
nowen | still nothing? | 16:53 |
nowen | actually, I think you have the most recent radius updates http://www.wikidsystems.com/downloads/changelogs/enterprise-changelog | 16:54 |
Andrew_ | nope, not a thing, just re-ran netstat -anp | grep 1812 | 16:54 |
nowen | you moved freeradius and then restarted WiKID? | 16:55 |
Andrew_ | yup | 16:55 |
nowen | check the WiKIDAdmin logs | 16:55 |
Andrew_ | 2012-03-08 11:49:40.373 FATAL com.wikidsystems.radius.authserver.AuthServer Can't start RADIUS Server ; 2012-03-08 11:49:40.298 INFO com.wikidsystems.radius.log.DBSvrLogImpl Failed to create RADIUS server socket on port 8388: java.net.BindException: Address already in use ; 2012-03-08 11:49:40.279 INFO com.wikidsystems.radius.log.DBSvrLogImpl RADIUS Receiver Started: listening on port 8388 ; 2012-03-08 11:49:39.949 INFO com.wikidsys | 16:56 |
Andrew_ | isn't wauth supposed to be on 8388? | 16:57 |
nowen | run: 'wikidctl stop' then 'killall -9 java' and 'wikidctl start' | 16:57 |
Andrew_ | ok it did prompt me for the wauth passphrase which i added to /etc/wikid/security as it said to do in the youtube videos | 16:59 |
nowen | does it always do that? or just this once | 16:59 |
Andrew_ | just this time since we killed java | 17:00 |
nowen | hmm | 17:00 |
Andrew_ | wikid's still not running on port 1812 after running ls -allR / | 17:00 |
nowen | your network client is using radius, right? | 17:01 |
Andrew_ | yes | 17:01 |
Andrew_ | 2012-03-08 11:58:24.561 INFO com.wikidsystems.radius.log.DBSvrLogImpl RADIUS Receiver Started: listening on port 8388 | 17:01 |
Andrew_ | that was directly after the wikidctl stop and start | 17:02 |
nowen | did you change any of the items on the radius protocol page? | 17:02 |
Andrew_ | nope | 17:02 |
Andrew_ | from radius pg in wikid: Host Name: IP Address: Port: 1812 | 17:02 |
nowen | you should see "RADIUS Receiver Started: listening on port 1812" in the WiKIDAdmin logs | 17:03 |
Andrew_ | 2012-03-08 11:58:24.561 INFO com.wikidsystems.radius.log.DBSvrLogImpl RADIUS Receiver Started: listening on port 8388 | 17:04 |
Andrew_ | nothing about 1812 | 17:05 |
nowen | there's nothing running on 1812? | 17:05 |
Andrew_ | nothing showing up in netstat | 17:05 |
Andrew_ | netstat -anp | grep 8388 tcp 0 0 0.0.0.0:8388 0.0.0.0:* LISTEN 13104/java udp 0 0 0.0.0.0:8388 0.0.0.0:* 13252/java | 17:05 |
nowen | odd | 17:07 |
Andrew_ | is this setting defined in a conf file somewhere on wikid? | 17:08 |
nowen | no, it is hard-coded | 17:12 |
Andrew_ | hmm quite interesting | 17:12 |
nowen | try disabling radius, doing a restart and then enable and restart | 17:12 |
Andrew_ | disable it in the wikid admin pg? | 17:13 |
nowen | yeah | 17:13 |
Andrew_ | It's restarting for the last time now | 17:15 |
Andrew_ | tcp 0 0 0.0.0.0:8388 0.0.0.0:* LISTEN 16431/java udp 0 0 0.0.0.0:8388 0.0.0.0:* 13252/java | 17:17 |
Andrew_ | nothing running on port 1812 yet | 17:17 |
nowen | try running 'rngd -r /dev/urandom' | 17:19 |
Andrew_ | still nothing there | 17:22 |
nowen | let's upgrade and see if that helps | 17:22 |
Andrew_ | ok | 17:22 |
nowen | http://wikidsystems-dl.com/wikid-server-enterprise-3.4.87.b1216-1.noarch.rpm | 17:23 |
nowen | download that to the server and run 'rpm -Uvh wikid-server-enterprise-3.4.87.b1216-1.noarch.rpm' | 17:24 |
nowen | then restart | 17:24 |
Andrew_ | just wikid or the server? | 17:24 |
nowen | just WiKID | 17:24 |
Andrew_ | ok download's complete installing now | 17:25 |
Andrew_ | starting up now | 17:26 |
Andrew_ | it's still asking for the wAUTH passphrase instead of using the one in the file | 17:27 |
nowen | perhaps you need to put it in quotes | 17:27 |
Andrew_ | single or double quotes? | 17:27 |
nowen | ie WAUTH_PASSPHRASE='usingnonalpha@#$@#$@#" | 17:27 |
nowen | either | 17:27 |
nowen | but not both, as in my example ;) | 17:28 |
Andrew_ | haha updating now | 17:28 |
Andrew_ | still didnt work | 17:29 |
Andrew_ | it asked for it once I restarted again | 17:29 |
nowen | and it is in /etc/WiKID | 17:30 |
Andrew_ | in a file named security | 17:30 |
nowen | you sure it is the intermediate CA passphrase? | 17:31 |
Andrew_ | it was in a directory called /etc/wikid instead of WiKID | 17:32 |
nowen | yeah, that won't work | 17:32 |
Andrew_ | it seems to work now that it's moved to the correct folder | 17:32 |
Andrew_ | sorry about that | 17:32 |
nowen | np | 17:32 |
Andrew_ | ok wikid is back online and it still isn't running radius on 1812 | 17:33 |
nowen | same log message? | 17:33 |
Andrew_ | but 8388 has java running on both udp and tcp | 17:33 |
Andrew_ | plenty of red in the logs: | 17:34 |
Andrew_ | 2012-03-08 12:32:18.135 FATAL com.wikidsystems.radius.authserver.AuthServer Can't start RADIUS Server ; 2012-03-08 12:32:18.114 ERROR com.wikidsystems.server.wAuth Couldn't validate the client certificate. Verify the validity and dates of the client cert. ; 2012-03-08 12:32:18.092 ERROR com.wikidsystems.client.wClient ERROR: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown ; 2012-03-08 12:32:15.728 ERRO | 17:34 |
nowen | yeah, you've got cert issues | 17:34 |
Andrew_ | can I simply remake the cert? | 17:35 |
nowen | yes | 17:35 |
Andrew_ | how should I do that | 17:35 |
nowen | http://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-do-i-know-if-my-certificate-is-valid | 17:35 |
nowen | you can validate them via the command line | 17:35 |
nowen | or just create new ones via the WiKIDAdmin config tab | 17:35 |
Andrew_ | ok they're both good until 2013 | 17:37 |
nowen | hmm. maybe those errors were from earlier? | 17:38 |
Andrew_ | nope just tried restarting the wikid and the same errors popped up: | 17:39 |
Andrew_ | 2012-03-08 12:39:10.407 FATAL com.wikidsystems.radius.authserver.AuthServer Can't start RADIUS Server ; 2012-03-08 12:39:10.022 ERROR com.wikidsystems.client.wClient ERROR: java.net.SocketException: Broken pipe ; 2012-03-08 12:39:09.904 ERROR com.wikidsystems.server.wAuth Couldn't validate the client certificate. Verify the validity and dates of the client cert. ; 2012-03-08 12:39:07.079 ERROR org.apache.catalina.core.ContainerBase. | 17:39 |
Andrew_ | will you be around this afternoon? | 17:40 |
nowen | yes | 17:42 |
nowen | did the hostname change or anything like that? | 17:42 |
*** nowen1 (~nowen@adsl-98-66-180-154.asm.bellsouth.net) has joined #wikid | 17:46 | |
*** nowen has quit (Ping timeout: 252 seconds) | 17:48 | |
Andrew_ | Nope, always been radiusdev | 19:25 |
Andrew_ | 87WestDna | 19:26 |
Andrew_ | could it be that the wikid's radius server isn't starting properly? | 19:29 |
nowen1 | could be | 19:35 |
Andrew_ | should I remove it and reinstall? | 19:36 |
nowen1 | did you recreate the certs? | 19:36 |
Andrew_ | nope | 19:36 |
nowen1 | that might help, but at this point, I would recommend you start from scratch. while that sounds bad, it's not that hard | 19:38 |
Andrew_ | ok | 19:38 |
Andrew_ | how should I uninstall the server | 19:43 |
nowen1 | just use rpm -e wikid.. and then rm /opt/WiKID and /etc/WiKID | 19:44 |
Andrew_ | error: package wikid-server-enterprise-3.4.87.b1216-1.noarch.rpm is not installed | 19:44 |
nowen1 | is this a virtual server? | 19:45 |
Andrew_ | yes | 19:45 |
nowen1 | can you just rebuild it from scratch or use the iso? seems a bit borked to me | 19:45 |
Andrew_ | yup | 19:47 |
Andrew_ | I'm gonna start a fresh vm and build it up according to the instructions here : | 19:50 |
Andrew_ | http://www.wikidsystems.com/support/wikid-support-center/installation-how-tos/how-to-install-the-wikid-enterprise-rpms | 19:50 |
Andrew_ | are those still accurate? | 19:50 |
nowen1 | or you can use the iso. it is based on centos | 19:50 |
nowen1 | yes | 19:50 |
Andrew_ | will this work on rhel6? | 19:50 |
nowen1 | yes | 19:51 |
Andrew_ | Ok will let you know how it goes | 19:51 |
Andrew_ | Thanks | 19:51 |
nowen1 | np - sorry for the issues | 19:51 |
Andrew_ | it's ok. no worries | 19:53 |
Andrew_ | Can you remove the ca on your end? | 19:53 |
Andrew_ | This CSR contains a Distinguished Name(DN) that already exists in the WiKID CA database. | 19:53 |
nowen1 | sure | 19:53 |
nowen1 | what's the fqdn? | 19:54 |
Andrew_ | radiusdev.net.ias.edu | 19:54 |
nowen1 | done | 19:54 |
Andrew_ | Thanks | 19:55 |
*** nowen1 has quit (Quit: Leaving.) | 23:10 |