*** netcomnet has quit (Ping timeout: 245 seconds) | 00:36 | |
*** vladdy has quit (Ping timeout: 272 seconds) | 06:06 | |
*** vladdy (~vladdy@194.242.5.47) has joined #wikid | 06:35 | |
*** wikider (78c56e46@gateway/web/freenode/ip.120.197.110.70) has joined #wikid | 09:45 | |
*** wikider has quit (Client Quit) | 09:46 | |
joevano | nowen: George contacted me.. we trying to connect up next week to talk about WiKID and challenges with identity mgmt | 12:49 |
*** nowen (~nowen@adsl-74-176-163-56.asm.bellsouth.net) has joined #wikid | 12:50 | |
*** Steve__ (46b71922@gateway/web/freenode/ip.70.183.25.34) has joined #wikid | 14:47 | |
Steve__ | Nick, thanks for helping me yesterday on the Wikid Server and the ASA Firewall. I was using netcomnet. But seems taken today | 14:48 |
nowen | make any progress? | 14:48 |
Steve__ | Yes the test VPN works fine. The issue was an odd one | 14:49 |
Steve__ | We had two nics in the Server. Only configured one. even in the setup | 14:49 |
nowen | what was it? | 14:49 |
nowen | huh, setup didn't pick it up? | 14:49 |
Steve__ | But it had a static ip on one. But the other one had no IP but the default gateway | 14:49 |
Steve__ | so i shutdown the 2nd nic and all works internally now | 14:50 |
nowen | you can nat the external ip to the WiKID server | 14:51 |
nowen | for the production domain | 14:51 |
Steve__ | Now the big question. I tried this from home last night and the WikID program could not get a connection. I am guessing from the docs I read that this needs a connection on the internet | 14:51 |
nowen | yes | 14:51 |
Steve__ | So a basic static nat | 14:51 |
Steve__ | But the zero padded IP is an internal IP. Won't the wikID client try the zero padded IP? | 14:52 |
nowen | yep, then create a new domain with the zero-padded external | 14:52 |
Steve__ | So the clients try the domains in a particular order? | 14:53 |
Steve__ | If I have multiple domains? Say an internal one and an external one? | 14:53 |
nowen | that would be two different domains. the user chooses which one | 14:53 |
Steve__ | Oh. So what would your recommendation be on the simplest way. To not confuse the users? | 14:54 |
nowen | do users need 2fa when inside? | 14:55 |
Steve__ | Not at the moment. But to configure them we need internal initially | 14:55 |
nowen | well, you can create a dns entry inside to route the requests to the external ip to the internal ip | 14:56 |
Steve__ | Internal network cannot access the External IP of the ASA5520 | 14:56 |
nowen | or allow a round-trip on the external | 14:56 |
nowen | then a dns entry would work | 14:57 |
Steve__ | I did that before, was a bit messy | 14:57 |
nowen | how so? | 14:57 |
Steve__ | Nat for internal users to external. I had to do a double nat on a separate firewall | 14:58 |
nowen | if you just use dns, is there a need for NAT? | 14:58 |
Steve__ | Every time I need to make changes that one broke. So I had to be careful. Seems I always forgot that one. Then stops the internet for users. They gotta have Facebook access :) | 14:58 |
nowen | I'm lost here. if your external IP is 70.x.x.x. and the internal is 192.x.x.x, then you create a dns entry internally that routes requests to 70.x.x.x to 192.x.x.x, how does that affect anything else? | 15:00 |
nowen | brb - coffee time | 15:03 |
Steve__ | So the WikID clients use DNS? I thought they hit the IP on requests for passcodes? | 15:10 |
nowen | yes, they check both. | 15:20 |
nowen | that's how we do the 888888888888 test domain, it is a dns entry in wikidsystems.net | 15:23 |
Steve__ | So just so I understand everything | 15:24 |
Steve__ | I create a domain with 192.168.x.x which is an IP internally | 15:24 |
nowen | nope | 15:24 |
nowen | you create a domain with your external ip | 15:24 |
Steve__ | Like I originally had | 15:25 |
nowen | say, 070xxxxxxxxxxx | 15:25 |
Steve__ | ok | 15:25 |
nowen | then you create a dns entry for your LAN only that points 070xxxxxxxxx.wikidsystems.net to 192.168.x.x | 15:26 |
nowen | when the tokens are inside, they can't get to the IP, so they go to the dns entry. | 15:26 |
Steve__ | What ports do I open externally? | 15:26 |
nowen | when outside, they don't get dns, so they go to the IP | 15:26 |
nowen | the token uses port 80 | 15:27 |
Steve__ | ok | 15:27 |
Steve__ | Can I modify the domain or should I recreate it? | 15:27 |
nowen | you can't modify the ip, so re-create | 15:27 |
Steve__ | Ok, trying that now. Thanks | 15:28 |
nowen | np | 15:28 |
Steve__ | Ok, I added a new domain and created a FW NAT. Outside is working. Created an internal DNS for 70xxxxxxxxx.internal dns domain that points to 192.168.x.x. DNS resolves ok but the internal WikID client cannot obtain configuration for it. I also restarted the services | 16:00 |
nowen | hmm | 16:01 |
nowen | maybe the server can't get the data back to the token | 16:01 |
Steve__ | your example used wikidsystems.net. That was an example right? | 16:01 |
nowen | yes | 16:01 |
nowen | but | 16:01 |
nowen | maybe I am recalling this wrong - i've never set it up myself, only helped people do it | 16:02 |
nowen | what if you just used the external ip instead of dns? | 16:02 |
Steve__ | Let me remove the dns and try. But cannot access the IP internally | 16:03 |
nowen | can you just edit your hosts file and test that way? | 16:03 |
Steve__ | Already removed. | 16:05 |
Steve__ | before I saw this reply | 16:05 |
nowen | I mean after removing it from dns | 16:06 |
nowen | seems less likely to mess up others on the network :) | 16:06 |
Steve__ | So IP only no luck internally | 16:07 |
Steve__ | Externally is good tho | 16:08 |
nowen | hmm | 16:08 |
Steve__ | But I have no way to do initial configurations for users | 16:08 |
nowen | maybe you do need to do a firewall rule | 16:08 |
nowen | let's run the token in debug and see more of what's happening | 16:09 |
Steve__ | Internally my client to Server should not hit the Firewall | 16:09 |
nowen | http://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-do-i-run-the-token-in-debug-mode | 16:09 |
nowen | back in a bit - it's taco day at the office | 16:16 |
Steve__ | Quick question. I see the jw.properties file on my computer. It has domain suffix as wikidsystems.net and use IP before dns as true. As a quick test is this file editable by me? | 16:16 |
Steve__ | It is supposed to be taco tuesday not thursday :) | 16:16 |
nowen | any day is good for tacos! | 16:39 |
nowen | you can edit that file | 16:40 |
nowen | we can also create a dns entry in wikidsystems.net for you | 16:40 |
Steve__ | I do not think that would go well with management :) | 16:48 |
nowen | doesn't often | 16:48 |
Steve__ | So I modified the file and still no luck | 16:49 |
Steve__ | It seems to not like being altered | 16:49 |
nowen | hmm - it makes no sense. if the token can get to the server, why can't the server get back? | 16:49 |
Steve__ | Externally works on IP. Internal fails whether I alter the file and choose DNS or IP first | 16:50 |
nowen | and you don't want to make changes to jw.properties that don't work inside and out | 16:51 |
nowen | I think you need to make a firewall rule | 16:51 |
Steve__ | Already have a rule for outside. You mean a NAT for inside to create a loop? | 16:52 |
nowen | yes | 16:52 |
Steve__ | This is proving tough as the Firewall thinks I am attacking it. Internal users NAT on the outside and then try to come back in | 17:22 |
Steve__ | Ok, I got it all working. | 20:06 |
Steve__ | This was a job :) | 20:06 |
nowen | what got it working? | 20:06 |
Steve__ | For inside to go out and back is called hairpinning or NAT u-turn. I did it before but forgot the commands. Finally found it and works now. | 20:07 |
Steve__ | inside and outside work now with one domain | 20:07 |
nowen | cool | 20:07 |
Steve__ | Thanks for the help. Now on to testing this with some pilot users | 20:08 |
nowen | excellent | 20:09 |
nowen | also | 20:09 |
nowen | you should check out example.jsp and ADRegister.jsp | 20:09 |
Steve__ | I have the AD register setup. The ADregister may be good for the users. I will look at example.jsp. Is there a description of it? | 20:10 |
nowen | http://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-can-i-test-if-the-server-is-working-correctly | 20:13 |
nowen | it is the entire API | 20:13 |
*** Steve__ has quit (Ping timeout: 245 seconds) | 20:21 | |
*** nowen has parted #wikid (None) | 23:07 |
Generated by irclog2html.py 2.11.0 by Marius Gedminas - find it at mg.pov.lt!