*** Terho has quit (Ping timeout: 245 seconds) | 00:57 |
*** Terho (d58473c2@gateway/web/freenode/ip.213.132.115.194) has joined #wikid | 01:31 |
Terho | Still a problem with certificates. I am now not sure; probably we need wAuth. | 01:32 |
Terho | 2012-04-20 04:20:55.341 ERROR com.wikidsystems.server.wAuth Couldn't validate the client certificate. Verify the validity and dates of the client cert. | 01:32 |
Terho | WAUTH is enabled. We had a firewall update some time ago. | 01:35 |
*** Terho has quit (Ping timeout: 245 seconds) | 02:17 |
*** nowen (~nowen@adsl-74-176-163-56.asm.bellsouth.net) has joined #wikid | 12:55 |
*** Tom___ has quit (Ping timeout: 245 seconds) | 16:08 |
joevano | nowen: is there a way to have the WiKID service start without having to supply the passphrase? i.e. have it cached in some way. I am not sure I want a cert with a blank passphrase. | 19:40 |
nowen | yes, you can put it into a file: /etc/WiKID/security | 19:41 |
nowen | one line: WAUTH_PASSPHRASE='yourpassphrase' | 19:41 |
nowen | there is a start-up script in /opt/WiKID/conf iirc. | 19:41 |
joevano | oh, and by the way, the copying of the directories over to move the server didn't work, so we just rebuilt it (all of about 10 minutes) | 19:42 |
nowen | hmm | 19:42 |
*** Troy__ (4b47ae94@gateway/web/freenode/ip.75.71.174.148) has joined #wikid | 19:46 |
Troy__ | @nowen - Hi Nick.. I have a quick question if you have a few min | 19:48 |
nowen | ok | 19:48 |
Troy__ | we have a master -> slave server setup.. if I enable a new protocol (Radius) on the master, would the change also apply to the slave if I sync? | 19:50 |
Troy__ | @nowen or would I need to set them as stand-alone and enable Radius on both separately? | 19:50 |
nowen | you should not have to sync. the changes should be replicated to the slave automatically | 19:51 |
nowen | the only changes that require sync would be something to do with the certificates | 19:51 |
Troy__ | ok | 19:51 |
Troy__ | thank you Nick | 19:51 |
nowen | np | 19:54 |
*** Troy__ has parted #wikid (None) | 21:05 |
*** Tom___ (42969c01@gateway/web/freenode/ip.66.150.156.1) has joined #wikid | 21:25 |
Tom___ | hello nowen. | 21:26 |
nowen | hi | 21:26 |
Tom___ | i'm back, with a Q | 21:26 |
nowen | ok | 21:26 |
Tom___ | so i setup second auth on the asa as i mentioned yesterday | 21:26 |
Tom___ | but looking at the logs the cisco firewall is unable to communicate via radius to wikid server | 21:26 |
Tom___ | so i checked a few things | 21:26 |
Tom___ | thinking it might be iptables | 21:27 |
Tom___ | or something funky | 21:27 |
nowen | did you restart wikid after adding the network client? | 21:27 |
Tom___ | anyhow, with the rpm install of wikid, iptables isn't opened for radius | 21:27 |
Tom___ | yeah, i did | 21:27 |
Tom___ | the rub is, it doesn't look like the radius service is listening on 1812 | 21:27 |
nowen | did you check udp? | 21:27 |
Tom___ | i see in the services details when i restart wikid that it successfully restarts radius | 21:28 |
nowen | what does 'netstat -anp | grep 1812' show? | 21:28 |
Tom___ | udp 0 0 :::1812 :::* | 21:29 |
nowen | so the listener is up | 21:29 |
nowen | what is the last thing you see in the WiKIDAdmin logs? set the log level to debug | 21:29 |
Tom___ | yeah, did that too | 21:31 |
Tom___ | i don't see squat. | 21:31 |
Tom___ | hang on...ill dump a copy of what i see | 21:31 |
nowen | the cisco is setup as a network client right? | 21:31 |
nowen | try this: | 21:31 |
nowen | wikidctl stop | 21:32 |
nowen | killall -9 java | 21:32 |
nowen | wikidctl start | 21:32 |
Tom___ | yeah, its setup as a network client | 21:32 |
Tom___ | using the radius protocol | 21:32 |
Tom___ | ok | 21:33 |
Tom___ | restarted | 21:33 |
Tom___ | let me try to reestablish a connection. | 21:33 |
nowen | radius might need some time to get started. run the netstat command to make sure it is up | 21:33 |
Tom___ | ya | 21:38 |
Tom___ | its up | 21:38 |
Tom___ | trace com.mchange.v2.resourcepool.BasicResourcePool@19518cc [managed: 3, unused: 2, excluded: 0] (e.g. com.mchange.v2.c3p0.impl.NewPooledConnection@1955970) | 21:38 |
Tom___ | this is the only debug msg i see | 21:38 |
Tom___ | in the last 5 minutes or so | 21:38 |
Tom___ | and during this time i tried to send over a bogus auth | 21:38 |
nowen | get a new OTP and try again. is the user enabled? | 21:38 |
Tom___ | yes...the user is enabled. | 21:39 |
Tom___ | on the cisco logs i see | 21:39 |
Tom___ | send pkt 172.16.10.255/1645 | 21:39 |
nowen | wrong port | 21:39 |
Tom___ | RADIUS_SENT:server response timeout | 21:39 |
nowen | should be 1812 | 21:39 |
Tom___ | hmm | 21:39 |
Tom___ | just a moment | 21:39 |
Tom___ | cool | 21:43 |
Tom___ | layer 8 issue. | 21:43 |
Tom___ | thanks for spotting the obv. | 21:44 |
Tom___ | let me see if i can get this to work with a proper token | 21:44 |
Tom___ | okay | 21:45 |
Tom___ | so now... | 21:45 |
Tom___ | wikid logs say... | 21:46 |
Tom___ | RADIUS client supplied passcode is 504249 | 21:46 |
Tom___ | Checking [username]:504249:172016010255 | 21:46 |
Tom___ | Server returns passcode: -1 | 21:46 |
Tom___ | so the code is getting thru to the server, but server is sending back access-reject. | 21:47 |
Tom___ | any suggestions? | 21:47 |
nowen | hmm - what loggers do you have set to debug? | 21:48 |
Tom___ | com.wikidsystems | 21:48 |
Tom___ | com.wikidsystems.radius.log.DBSvrLogImpl | 21:48 |
nowen | set com.wikidsystems.server.wAuth to debug too | 21:49 |
nowen | that should tell you why | 21:49 |
Tom___ | okay, will do. meanwhile, I have another Q -- what kind of connectivity does the wikid server need? does it need access to the internet, or can i cut off internet access altogether? | 21:51 |
Tom___ | i'm trying to assess what kind of dependency the on-premise wikid server has on your systems over there. | 21:52 |
nowen | no dependency to us | 21:55 |
nowen | the tokens must communicate with the server though | 21:55 |
nowen | you can NAT the external ip and use a proxy if you like | 21:55 |
Tom___ | i see... thanks | 21:55 |
Tom___ | btw, the extra debug doesn't seem to give me any more color as to what's going on. | 21:56 |
nowen | hmm | 21:56 |
Tom___ | Server returns passcode: -1 | 21:56 |
Tom___ | Check returned false | 21:56 |
nowen | is that domain the only one? | 21:56 |
Tom___ | yes | 21:56 |
Tom___ | i don't have multiple | 21:56 |
Tom___ | oh. | 21:57 |
Tom___ | hmm | 21:57 |
Tom___ | the server code should be the expanded ip address of the device, and not of the wikid server. | 21:57 |
Tom___ | right? | 21:57 |
Tom___ | i may have fudged this. | 21:57 |
Tom___ | let me look at the docs again. just a moment | 21:58 |
nowen | all you need really is the two you had, now that i review the docs too | 21:59 |
nowen | the server code is the IP of the WiKID server. | 22:00 |
nowen | it is how the token finds the server | 22:00 |
Tom___ | ah | 22:00 |
Tom___ | okay. just verified that too | 22:00 |
Tom___ | so whats the problem | 22:00 |
Tom___ | hmm | 22:00 |
Tom___ | ya | 22:01 |
Tom___ | i don't see it. | 22:01 |
Tom___ | radius packet arrives. | 22:01 |
Tom___ | it says, checking pin | 22:02 |
Tom___ | then the only next item is server returns passcode -1 | 22:02 |
Tom___ | i'm hoping there is a debug flag i still didn't set | 22:02 |
nowen | oh - so this is on the token | 22:02 |
Tom___ | well... | 22:03 |
nowen | ? | 22:03 |
Tom___ | so on the token client for blackberry, i obtain a pin after punching in the passcode | 22:03 |
Tom___ | that works just fine. | 22:03 |
Tom___ | then i take the pin and try to use it on the asa for vpn authentication | 22:03 |
Tom___ | the cisco asa submits the req to the wikid server on 1812 | 22:03 |
Tom___ | wikid server receives the request | 22:04 |
Tom___ | and the logs i'm pulling out right now are out of the admin gui | 22:04 |
Tom___ | with debug enabled | 22:04 |
Tom___ | com.wikidsystems | 22:04 |
Tom___ | com.wikidsystems.radius.log.DBSvrLogImpl | 22:04 |
Tom___ | com.wikidsystems.server.wAuth | 22:05 |
Tom___ | all on debug. | 22:05 |
nowen | and the "server returns passcode -1" is in the WiKIDAdmin logs? | 22:06 |
Tom___ | yes | 22:06 |
Tom___ | 2012-04-20 14:54:54.713 DEBUG com.wikidsystems.radius.access.WikidAccess4 Server returns passcode: -1 | 22:06 |
nowen | but you see it in plain text in the logs, and it matches? | 22:07 |
Tom___ | which logs am i comparing this to | 22:08 |
Tom___ | the only logs i'm looking at right now are the ones in the web UI | 22:08 |
nowen | yeah, that's right. | 22:08 |
nowen | do you see the Checking [username]:504249:172016010255 | 22:08 |
Tom___ | yes! | 22:08 |
Tom___ | i do | 22:08 |
nowen | and that domain id is correct? | 22:09 |
Tom___ | 2012-04-20 14:54:54.707 DEBUG com.wikidsystems.radius.access.WikidAccess4 Checking [username]:393003:172016010255 | 22:09 |
Tom___ | yes | 22:09 |
Tom___ | thats the right domain ID | 22:09 |
Tom___ | it matches the ID in the only domain i have. | 22:09 |
nowen | hmm | 22:10 |
Tom___ | if you'd like, i'd be more than happy to send you the logs so you don't think i'm FOS | 22:12 |
Tom___ | but i don't see much to go on here | 22:12 |
nowen | hmm | 22:12 |
nowen | setting up a test server | 22:13 |
Tom___ | okay | 22:13 |
nowen | do you see a log entry like | 22:18 |
nowen | er-Name (1), Length: 7, Data: [nowen], 0x6E6F77656E Acct-Session-Id (44), Length: 17, Data: [1334960261D6ebi], 0x313333343936303236314436656269 NAS-IP-Address (4), Length: 6, Data: [IP 127.0.0.1], 0x7F000001 NAS-Identifier (32), Length: 11, Data: [Localhost], 0x4C6F63616C686F7374 NAS-Port (5), Length: 6, Data: [# 0], 0x00000000 Calling-Station-Id (31), Length: 12, Data: [1115551212], 0x31313135353531323132 User-Password (2), Length: 18, Da | 22:18 |
nowen | odd, my logs say "Server returns passcode: 132410" | 22:18 |
Tom___ | User-Name (1), Length: 7, Data: [ttsai], 0x7474736169 User-Password (2), Length: 18, Data: 0x2BB9AB389127D8244E59ACF60F08671C NAS-Port (5), Length: 6, Data: [# 86016], 0x00015000 Called-Station-Id (30), Length: 15, | 22:19 |
Tom___ | yes i see that | 22:19 |
nowen | so, the radius plugin is getting the data correctly, and the server is mangling it somehow | 22:20 |
nowen | do you have "RADIUS client supplied passcode is 132410" | 22:21 |
Tom___ | RADIUS client supplied passcode is 124553 | 22:21 |
Tom___ | aye | 22:21 |
Tom___ | Checking ttsai:124553:172016010255 | 22:21 |
Tom___ | Server returns passcode: -1 | 22:21 |
Tom___ | Check returned false | 22:21 |
nowen | what kind of request is it? mine is pap | 22:22 |
Tom___ | PAP Request | 22:22 |
Tom___ | mine is pap too | 22:22 |
nowen | and the user is enabled? double check on the user page | 22:22 |
Tom___ | yep! | 22:22 |
Tom___ | user is enabled. | 22:22 |
nowen | did you configure the example.jsp page? | 22:22 |
Tom___ | erm | 22:23 |
Tom___ | no. | 22:23 |
Tom___ | i needed to do this? | 22:23 |
nowen | well, you don't have to | 22:23 |
nowen | but we can use to check a login without radius | 22:23 |
Tom___ | so you are suggesting not using radius? | 22:24 |
nowen | just to check | 22:24 |
nowen | this issue seems to be after radius | 22:24 |
Tom___ | okay. let me know what to do | 22:24 |
Tom___ | i'll do it | 22:24 |
Tom___ | or if you got a page with the instructions | 22:24 |
Tom___ | ill do that too | 22:24 |
nowen | http://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-can-i-test-if-the-server-is-working-correctly | 22:24 |
Tom___ | k | 22:28 |
Tom___ | so i punched in the local privatekey | 22:28 |
nowen | does the page come up? | 22:28 |
Tom___ | yes | 22:28 |
nowen | try to login | 22:28 |
Tom___ | This page demonstrates the general usage of the wClient component. | 22:28 |
Tom___ | online login? | 22:28 |
nowen | yep | 22:29 |
Tom___ | oh | 22:29 |
Tom___ | wait a second. | 22:29 |
Tom___ | does my username | 22:29 |
Tom___ | username thats passed via radius | 22:29 |
Tom___ | need to match the userid | 22:29 |
nowen | has to match what is in wikid | 22:29 |
Tom___ | for "users" | 22:29 |
Tom___ | ah ok then there is the issue | 22:29 |
Tom___ | let me make that change. | 22:30 |
Tom___ | in the video it says that one userid can have multiple devices/tokens | 22:30 |
nowen | in [username]:504249:172016010255, [username] must exactly match what is listed under the WiKID users | 22:30 |
Tom___ | but in the actual user menu it doesn't allow me to duplicate a userid | 22:30 |
nowen | yes, they can | 22:30 |
Tom___ | let me test this out real quick | 22:31 |
nowen | look on example.jsp for 'Add a device without a passcode' | 22:31 |
nowen | you can do it there | 22:31 |
Tom___ | okay | 22:32 |
Tom___ | cool | 22:32 |
Tom___ | so that worked | 22:32 |
Tom___ | but so like | 22:32 |
Tom___ | i've got a userID ttsai | 22:33 |
Tom___ | its associated with a blackberry right now | 22:33 |
Tom___ | let's say i have an iphone token as well | 22:33 |
Tom___ | the only way to add it is through that example.jsp? | 22:33 |
Tom___ | assuming that the userID needs to be the same. | 22:33 |
nowen | it is limited to the API so that it is limited to the network client. it was a requirement of a customer | 22:34 |
nowen | you can also let users add themselves and 2nd tokens via ADRegister.jsp | 22:34 |
nowen | or write your own script | 22:34 |
Tom___ | i'm not even too worried about automation at this point. | 22:34 |
Tom___ | i'm just saying, for my small test case | 22:35 |
Tom___ | so like | 22:35 |
Tom___ | if i download a client | 22:35 |
Tom___ | and want to register that token client on the server via the "manually validate a user" link | 22:35 |
Tom___ | it won't let me punch in a userId that's already existing | 22:36 |
nowen | correct | 22:36 |
Tom___ | okay, so how do i get around this using example.jsp | 22:36 |
Tom___ | oh | 22:36 |
Tom___ | Add device without passcode: | 22:36 |
Tom___ | would let me dupe? | 22:36 |
Tom___ | let me try that. | 22:37 |
nowen | yes | 22:37 |
Tom___ | thank you for entertaining my stupidity | 22:37 |
nowen | hehe, no problem | 22:37 |
nowen | all will be equal if you share your two step auth ASA instructions! ;) | 22:38 |
Tom___ | oh yes. i will | 22:38 |
Tom___ | have you got an email address i can ship this to? | 22:38 |
Tom___ | i'm not going to paste it in a web irc client | 22:38 |
Tom___ | :-D | 22:38 |
nowen | sure | 22:38 |
nowen | nowen at wikidsystems.com | 22:38 |
Tom___ | okay | 22:40 |
Tom___ | i'll send across the config that's needed on the cisco asa | 22:40 |
nowen | nice! | 22:40 |
nowen | did the radius login work? | 22:41 |
nowen | 'cause it's gin o'clock here | 22:43 |
nowen | alright - I'm signing out. btw, I'll be scarce Tue, Wed & Thu. the forums may be the best option, or email | 22:47 |
*** nowen has quit (Quit: Leaving.) | 22:47 |
*** perestrelka has quit (*.net *.split) | 23:05 |
*** perestrelka (~vladdy@194.242.5.47) has joined #wikid | 23:11 |