*** WiKIDLogbot (~WiKIDLogb@ec2-174-129-6-100.compute-1.amazonaws.com) has joined #wikid | 12:03 | |
card.freenode.net | Topic for #wikid is: support for the WiKID Strong Authentication System. If no one is here, try the nabble forums: http://www.wikidsystems.com/support/support/wikid-forums | 12:03 |
card.freenode.net | Users on #wikid: WiKIDLogbot @nowen vladdy joevano | 12:03 |
nowen | bad WiKIDLogbot | 12:04 |
joevano | hehe... | 12:05 |
joevano | NetComnent couldn't login to his newly installed instance | 12:05 |
nowen | so hard to get good spies these days | 12:05 |
nowen | hmm, often that means the db isn't setup right | 12:06 |
joevano | he couldn't figure out the default password... I am guessing reading the manual isn't his strong suit ;-) | 12:06 |
nowen | that could be too. but if the db isn't setup, you can't login with the correct creds either, but you can try all you want | 12:07 |
joevano | i gave him the password and pointed him at the setup videos, he never responded when I asked if that helped him | 12:08 |
joevano | he left about 30 minutes later | 12:09 |
nowen | hmm. oh well | 12:09 |
nowen | I bet he returns | 12:09 |
joevano | Sidetalker had issues with his TACACS+ integration, but figured it out... needed to add the -i flag so the tac_plus reloaded on every connection | 12:10 |
nowen | wow, that's good stuff. tacacs is not used much | 12:11 |
joevano | yeah, luckily he knew quite a bit about it... I had no idea | 12:11 |
joevano | brb | 12:14 |
*** joevano has quit (Quit: leaving) | 12:14 | |
*** joevano (~joevano@bzflag/developer/JoeVano) has joined #wikid | 12:20 | |
nowen | ok - I've got a couple of off-site meetings. coffee now and lunch later. | 12:48 |
*** nowen has quit (Quit: Leaving.) | 12:49 | |
*** sideone (~sideone@23.24.175.105) has joined #wikid | 12:59 | |
*** nowen (~nowen@adsl-74-176-163-56.asm.bellsouth.net) has joined #wikid | 14:17 | |
*** nowen has quit (Quit: Leaving.) | 15:25 | |
*** netcomnet (46b71922@gateway/web/freenode/ip.70.183.25.34) has joined #wikid | 16:31 | |
netcomnet | Can someone help me find the registration code? I have the server up, but the AD web self registration asks for a registration code | 16:32 |
joevano | netcomnet: that is generated by the WiKID client when you add your domain, you supply that to the AD web self registration form and it associates the client with that user | 16:41 |
netcomnet | W try to create new domain on client but it fails to obtain configuration. I cannot figure out what is missing. The documentation seems to skip this critical step | 16:43 |
*** nowen (~nowen@adsl-74-176-163-56.asm.bellsouth.net) has joined #wikid | 17:12 | |
nowen | hi all | 17:12 |
nowen | netcomnet: what is your domain identifier/12 digit code? | 17:13 |
netcomnet | 070183025034 | 17:24 |
nowen | hmm. | 17:25 |
nowen | returns no data | 17:25 |
nowen | did you set up the network using wikidctl setup? | 17:25 |
netcomnet | I already had an IP and dns so I answered no, should I do that? | 17:26 |
nowen | yes, I think the gateway is not configured | 17:26 |
netcomnet | If I run all this is all my config gone? | 17:27 |
nowen | no | 17:27 |
netcomnet | Ok, did that. Now started up server. Now doing AD self registration. What is registration code and where do I get it | 17:32 |
nowen | from the token | 17:32 |
nowen | still returns no data | 17:33 |
nowen | can you ping www.google.com from the terminal? | 17:33 |
netcomnet | I have the windows client and entered the IP in preferences. Do I select new domain or preregister? New domain asks for domain code and fails to get info. Pre register stops at enter registration code | 17:34 |
nowen | here is the url the token is trying to access: http://70.183.25.34/wikid/servlet/com.wikidsystems.server.InitDevice4AES?a=0&S=070183025034&CT=1 | 17:34 |
nowen | is there something blocking port 80? | 17:34 |
netcomnet | no, we scanned the server. iptables off port 80 is good | 17:35 |
netcomnet | that is the external IP | 17:36 |
netcomnet | That is not accessible from inside | 17:36 |
nowen | well, that would explain why you can't get to it, but not me ;) | 17:36 |
nowen | can you ping www.google.com from the server? | 17:42 |
netcomnet | changed domain to internal IP and register is good now. | 17:45 |
netcomnet | Now to test Cisco ASA | 17:45 |
nowen | cool | 17:45 |
netcomnet | So now I found a doc for vpn 3k I have an ASA5520 same type device. Setup Radius the same. Should this be ok | 17:55 |
nowen | cool - needless to say, we can't doc every vpn device out there | 17:55 |
netcomnet | not a problem. Just got the ASA configured. It is similar. | 17:58 |
netcomnet | Can the WikID server do the auth or do I need to pass thru to my microsoft IAS Server | 17:58 |
netcomnet | I am getting Access Denied on the ASA to the WikID server. Radius configured correct IP address but the WikID still says Access Denied. | 18:49 |
nowen | did you restart WiKID after adding the ASA as a network client? | 18:50 |
netcomnet | yup | 18:50 |
nowen | go to Configure Loggers | 18:51 |
netcomnet | I know the doc says choose Radius server. Would SDI also work? | 18:51 |
nowen | what is SDI? | 18:51 |
nowen | set com.wikidsystems and com.wikidsystems.wauth to debug | 18:52 |
netcomnet | another option like TACACS, LDA | 18:52 |
netcomnet | LDAP | 18:52 |
nowen | and add com.wikidsystems.radius.log.DBSvrLogImpl and set it to debug as well | 18:52 |
nowen | doubt it. radius will work, just need to figure out what's going on | 18:52 |
nowen | make those logger changes and it will be clear | 18:53 |
*** autodata (cdcd1c11@gateway/web/freenode/ip.205.205.28.17) has joined #wikid | 18:56 | |
autodata | hi nick, how are you? | 18:56 |
nowen | good | 18:56 |
autodata | I lost my PIN number, any way to recover it? | 18:56 |
nowen | nope, you have to delete the domain and re-register | 18:57 |
autodata | ok, thanks | 18:57 |
autodata | just concern for the future, if my client forget his PIN, we will do the same way to delete the domain? | 18:58 |
nowen | yes, and you will want to delete his device on the server | 18:58 |
autodata | But many users will use one domain, right? | 18:59 |
nowen | correct | 19:00 |
netcomnet | So I get an accept and then a deny | 19:08 |
netcomnet | Can I paste a screenprint here? | 19:08 |
nowen | netcomnet: use pastebin.com | 19:08 |
nowen | just paste the text into pastebin and submit, then post the new url here | 19:09 |
netcomnet | http://pastebin.com/ncZM8pGd | 19:11 |
nowen | why is it trying twice? if the one-time passcode is submitted twice, the 2nd will always fail :) | 19:11 |
netcomnet | I do not know | 19:12 |
nowen | hmm - check the logs in the cisco | 19:13 |
netcomnet | I got the login and enter username/passcode and enter | 19:13 |
netcomnet | the cisco logs show nothing even in debug | 19:13 |
netcomnet | which is odd | 19:13 |
nowen | that can't be good | 19:16 |
netcomnet | I forced some data, it says WikID Server not accessible | 19:24 |
netcomnet | I can ping it from the Firewall ok | 19:24 |
netcomnet | port 1812 on a scan does not respond | 19:24 |
nowen | ping is blocked by the firewall? | 19:24 |
netcomnet | no | 19:24 |
nowen | the requests are clearly getting to the server | 19:25 |
netcomnet | connection is like this | 19:25 |
netcomnet | Firewall >>Cisco switch no ACL's then WikID Server | 19:25 |
nowen | there is a fw on the wikid server | 19:25 |
netcomnet | disabled | 19:25 |
nowen | there are radius requests getting to the WiKID server - the logs show it | 19:25 |
nowen | what do the logs show on the Cisco? | 19:26 |
netcomnet | 6 May 16 2012 12:19:27 113014 AAA authentication server not accessible : server = 192.168.28.28 : user = sroman | 19:27 |
netcomnet | This is port 1812 correct? | 19:38 |
netcomnet | TCP or UDP? | 19:38 |
nowen | correct - UDP | 19:38 |
netcomnet | Netstat shows 1812 open | 19:38 |
netcomnet | But the Firewall says not accessible | 19:39 |
netcomnet | They are even on the same switch so no latency | 19:39 |
nowen | are you asking if port 1812 is open on WiKID? | 19:39 |
netcomnet | no I am saying it is open | 19:39 |
netcomnet | udp | 19:40 |
netcomnet | But the FW seems to fail when trying to auth the user | 19:40 |
netcomnet | Is the accounting port required? | 19:40 |
nowen | ahh so that is why it is trying twice? | 19:40 |
nowen | no | 19:40 |
*** marcel_ (50417948@gateway/web/freenode/ip.80.65.121.72) has joined #wikid | 19:48 | |
nowen | welcome marcel_ | 19:49 |
marcel_ | hi there, I have visited the wikid website and have a question. hopefully you can help me. sorry for my bad english. | 19:49 |
nowen | no problem, sorry for my bad... everything else ;) | 19:49 |
marcel_ | my situation is: I have a server in the datacenter and would like to run vm's on it. So I'm thinking to install wikid on the host for VPN connection from client PC and client smartphones to the server. | 19:51 |
marcel_ | After connection establishment the user get a page with the webservices which are for her of him accessible. | 19:51 |
nowen | ok | 19:51 |
marcel_ | and he/she could login to the desired webservices. the webservices are running in vm's. does that work because I read somewhere the server needs 2 ethernet cards. | 19:52 |
marcel_ | hi nowen | 19:52 |
nowen | we recommend two ethernet cards, but it isn't required - depends on the setup | 19:53 |
nowen | do you do authentication at the VPN or at the webservices? | 19:53 |
marcel_ | at VPN, but after that the user has to use a username and pw for each webservice (only 2 webservices) and probably something like a rsync share for backup data on pc's to server location. | 19:56 |
nowen | and where do you want them to use two-factor auth? | 19:59 |
marcel_ | A user first makes a vpn connection and uses wikid. After access granted, the user has access to some links like a link to webmail or rsync share. User can click on the desired link to get access after typing username and pw. | 20:01 |
nowen | ok - so WiKID and the VPN need to communicate. that's very standard | 20:02 |
*** autodata has quit (Ping timeout: 245 seconds) | 20:05 | |
marcel_ | the idea is that there can be no access to webmail or rsync share without first a vpn connection. Must be not really difficult I think. Because I work with other people together, I think wikid is easy admin to give people access and also revoke access when needed. | 20:07 |
netcomnet | since this keeps trying on port 1812 udp. The firewall just will not connect on that port. Is there a spot I can see the udp port being used? | 20:07 |
nowen | netcomnet: on the WiKID server terminal, run 'tcpdump port radius' | 20:08 |
nowen | that will show you the traffic | 20:08 |
marcel_ | If I install wikid on the dedicated server and use ldap, then users can connect to the webmail vm and rsync share vm. Is that idea correct? | 20:09 |
nowen | marcel_: I recommend radius if you are going to use the Enterprise version. If you're going Community, ldap might work. | 20:10 |
marcel_ | community version is 3 users? enterprise version as much as you almost want? Can I use freeradius for Ubuntu 12.04 instead of radius? | 20:12 |
nowen | marcel_: http://www.wikidsystems.com/community-version/front-page/support/wikid-support-center/faq/whats-the-difference-between-the-community-release-and-enterprise-release/?searchterm=what%20is%20the%20difference | 20:13 |
netcomnet | It shows nothing but Access request. Nothing going back to the Firewall | 20:13 |
nowen | hmm | 20:16 |
marcel_ | Nowen, you are fast. I checked the url. Radius is included, perfect. So installing Enterprise version (with 25 users for 3 years) as described on the wikid website and that's it? And I can also use it from the smartphone. That's easy!! | 20:18 |
nowen | marcel_: ;) we aim to please | 20:18 |
nowen | here's my recommendation: standardize on radius, and then see how you can get all your services to support radius | 20:19 |
marcel_ | I get lazy because of this. By the way, in the meantime I was finding out what the software and hardware requirements are for the Enterprise version. Can you please help me to find that webpage again? | 20:20 |
nowen | 1 1 gig of ram, 100gig of hd | 20:21 |
nowen | not much | 20:21 |
marcel_ | sorry Nowen, I found it. bad news again, ;-) The required software will also be installed. | 20:22 |
nowen | no problem | 20:22 |
nowen | netcomnet: can you get to the cisco from WiKID? | 20:23 |
marcel_ | Nowen, thx for the info. Over here in the Netherlands it is almost 22:30 hours. I can not wait to test the anonymous client and to work out the global design including wikid. Cheers Marcel | 20:25 |
nowen | cheers! | 20:25 |
*** marcel_ has quit (Quit: Page closed) | 20:25 | |
nowen | netcomnet: what does tcpdump show? | 20:46 |
*** nowen has quit (Quit: Leaving.) | 22:08 | |
joevano | /n | 22:19 |
*** sideone has quit () | 22:31 |