*** progma has quit (*.net *.split) | 01:40 | |
*** vladdy has quit (*.net *.split) | 01:40 | |
*** joevano has quit (*.net *.split) | 01:40 | |
*** vladdy (~vladdy@194.242.5.47) has joined #wikid | 01:46 | |
*** joevano (~joevano@bzflag/developer/JoeVano) has joined #wikid | 01:46 | |
*** progma (~progma@98-129-220-119.slicehost.net) has joined #wikid | 01:46 | |
*** atomey (d8037522@gateway/web/freenode/ip.216.3.117.34) has joined #wikid | 15:06 | |
atomey | Anyone around? | 15:07 |
*** nowen (~androirc@mbd2436d0.tmodns.net) has joined #wikid | 15:33 | |
*** nowen has quit (Remote host closed the connection) | 15:35 | |
*** nowen (~androirc@mbd2436d0.tmodns.net) has joined #wikid | 15:37 | |
nowen | Atomey, got a question? | 15:40 |
atomey | yeah i e-mailed the other day about my setup | 15:41 |
atomey | i was having an accessdenied exception error in my radius log | 15:41 |
atomey | i'm able to generate a passcode now | 15:42 |
atomey | but i can't authenticate with it | 15:42 |
atomey | i'm trying to set up two-factor authentication for a windows 2003 VPN | 15:42 |
atomey | right now when i attempt to connect to my Windows VPN, which is configured to use radius through wikid, it will basically say that the server didn't respond in a timely fashion | 15:43 |
atomey | but after having connected, there is an entry in the radius.log on the wikid server | 15:43 |
atomey | that says pap bombed with accessrejectexception: access denied | 15:43 |
nowen | Anything in the wikid logs? | 15:43 |
atomey | i enabled debugging for radius | 15:43 |
atomey | yeah i didn't see those naserrors you pointed to | 15:44 |
atomey | and it does show the OTP (passcode right?) being generated | 15:44 |
atomey | in the log | 15:44 |
nowen | Hmm | 15:45 |
atomey | simply says access denied for user adam | 15:45 |
atomey | you said this is typically because the shared secret is wrong | 15:45 |
atomey | i've triple-checked it and retyped it | 15:45 |
atomey | i'm using the same shared secret password for everything for the sake of getting things working | 15:45 |
atomey | <44> Access-Request(1) LEN=197 192.168.100.81:2593 Access-Request by adam Failed: AccessRejectException: Access Denied | 15:45 |
nowen | Are you seeing the otp as a number now? | 15:45 |
atomey | yeah | 15:45 |
atomey | it's a 6 digit number that expires in 60 seconds | 15:46 |
atomey | and i should be using that to authenticate with the VPN, using the same username i'm assuming | 15:46 |
nowen | I mean in the logs | 15:46 |
atomey | oh | 15:46 |
nowen | Yes | 15:46 |
atomey | i see this in the logs: Issued passcode to device -9140447811324698094 | 15:47 |
atomey | is that what you're referring to? | 15:47 |
atomey | i don't see the actual number for the passcode in the log | 15:48 |
nowen | No, remember how the logs said "passcode is not a number" | 15:48 |
atomey | oh yeah, in the radius log | 15:48 |
nowen | Yeah | 15:49 |
atomey | i do see something there | 15:49 |
atomey | RADIUS client supplied passcode is and then it's a bunch of gibberish | 15:49 |
atomey | like ^^^X U+Ff82835 | 15:49 |
nowen | Yeah, that should be the 6 digit otp | 15:49 |
atomey | so it should be actually displaying the 6 digit otp as plaintext in the log? | 15:50 |
nowen | If debug is enabled | 15:50 |
nowen | Yes | 15:50 |
atomey | hmm let me see | 15:50 |
atomey | you know what i think i had it set but it was removed | 15:51 |
nowen | Logging will revert on a restart unless you tell it not to | 15:53 |
atomey | ok that makes sense since i've restarted wikid a few times, i'm going to try to get the same passcode in the log as in the token client | 15:53 |
nowen | Yeah, that's what's odd. If it isn't the shared secret, i don't know what it is | 15:55 |
atomey | and you're referring to the shared secret for the network client, correct? | 15:56 |
atomey | i have com.wikidsystems and com.wikidsystems.radius.log.DBSvrLogImpl on debug, should i be able to see the OTP now in the radius log? | 15:58 |
atomey | i saw something different in the log as the passcode when generating a new one | 15:58 |
atomey | but it wasn't the plaintext number | 15:58 |
nowen | Set the other loggers to debug too | 16:00 |
atomey | ok | 16:00 |
atomey | i mean at this point it seems like my Windows VPN is somehow modifying the passcode before it actually gets to the WiKID server, does that seem inaccurate? | 16:04 |
atomey | the logs are showing the same kind of passcode, like the Web logger shows this | 16:05 |
nowen | It is possible, i suppose | 16:05 |
atomey | RADIUS client supplied passcode is ??F? ?U? ?s*???% | 16:05 |
atomey | but i've configured it to not use encryption, PAP, etc | 16:06 |
*** nowen has quit (Remote host closed the connection) | 16:07 | |
*** nowen (~androirc@mbd2436d0.tmodns.net) has joined #wikid | 16:08 | |
nowen | Erp | 16:08 |
atomey | definitely looks like a problem on the windows side, i've got some errors there i need to look at | 16:08 |
atomey | "An invalid response was received from radius server <WIKID IP here> authenticator does not match in packet from radius server | 16:08 |
nowen | Is there a checkbox for message autheb | 16:09 |
nowen | Authenticator? | 16:09 |
atomey | in the VPN connect dialogue? i can look | 16:09 |
nowen | On nps | 16:09 |
atomey | oh, i'm using IAS but i'll check | 16:09 |
atomey | yes there is | 16:10 |
atomey | let's see | 16:10 |
atomey | there's a request must contain message authenticator check box for the radius client configured on the windows IAS service | 16:12 |
atomey | i enabled that but i still seem to have the same problem | 16:12 |
nowen | Hmm | 16:12 |
atomey | should i enable always use message authenticator | 16:13 |
atomey | for the radius server authentication in IAS? | 16:13 |
atomey | i'll try it | 16:13 |
*** nowen has quit (Remote host closed the connection) | 16:14 | |
*** nowen (~androirc@mbd2436d0.tmodns.net) has joined #wikid | 16:15 | |
atomey | holy shit it worked | 16:19 |
atomey | i can see the passcode in the log now too | 16:20 |
nowen | Woot | 16:21 |
nowen | What was it? | 16:21 |
atomey | you know maybe it was the secret for the servers? i retyped my secret password for the authentication on the server | 16:21 |
atomey | but i'm really confused by the secrets because i have them for the network clients | 16:22 |
atomey | but also for the radius server itself? | 16:22 |
atomey | like when you use IAS you select your authentication provider and accounting provider | 16:22 |
atomey | under the server configuration for authentication i typed secret and made it always use message authenticator | 16:23 |
atomey | that seemed to make it work | 16:23 |
nowen | Ok, good to kn otp | 16:23 |
*** nowen has quit (Remote host closed the connection) | 16:24 | |
*** nowen (~androirc@mbd2436d0.tmodns.net) has joined #wikid | 16:25 | |
atomey | nick thanks for your help i'm gonna play around with it some more and see if this is what we want | 16:26 |
nowen | Ok, later! | 16:27 |
atomey | bye! | 16:27 |
*** atomey has quit (Quit: Page closed) | 16:27 | |
*** nowen has quit (Remote host closed the connection) | 16:54 | |
*** nowen (~androirc@mbd2436d0.tmodns.net) has joined #wikid | 17:13 | |
*** nowen has quit (Remote host closed the connection) | 17:27 | |
*** GregM (42bab9be@gateway/web/freenode/ip.66.186.185.190) has joined #wikid | 19:05 | |
GregM | Hello | 19:05 |
joevano | hi | 19:07 |
GregM | Hey Joe, do you know if I need to run yum update to keep the server up to date? How about the wikid system itself? Is there a command to update it? | 19:10 |
GregM | sorry I work more with debian so I get a little nervy when working with RHEL based distros like CentOS | 19:12 |
joevano | the wikid system has an update facility in the software itself on the 'Configuration' tab | 19:16 |
joevano | tells you if there are updates available, etc | 19:16 |
joevano | i work with debian/ubuntu as well, so the whole yum thing is a challenge for me as well | 19:17 |
joevano | for the server itself I believe it would be: su -c 'yum update' | 19:19 |
joevano | but don't quote me on that ;-) | 19:19 |
GregM | ok thanks, and do you guys recommend us to run the yum updates as needed, I just don't want to break the system | 19:20 |
joevano | I'm just an end user like you... nick stepped out a bit ago, not sure when/if he is coming back today | 19:20 |
joevano | did you look at the wikid documents online? | 19:20 |
GregM | ok sorry man | 19:21 |
GregM | I thought you were with the company | 19:21 |
joevano | no problem, just trying to fill in and help out | 19:21 |
joevano | I really can't see any harm in doing a system update though... would hardly be secure if you couldn't do that | 19:23 |
GregM | yeah I looked online for docs but didn't find anything that said do X then Y then Z to update | 19:24 |
joevano | yeah, me either | 19:24 |
GregM | I just want to run apt-get update and have it be done lol, anyway thanks Joe, take care... | 19:25 |
joevano | no problem... have a good one | 19:26 |
*** GregM has quit (Quit: Page closed) | 19:28 | |