*** Livemark (50a99e82@gateway/web/freenode/ip.80.169.158.130) has joined #wikid | 09:31 | |
Livemark | Hello | 09:32 |
Livemark | I need some help getting Wikid working? | 09:32 |
Livemark | Anyone there? | 09:33 |
Livemark | hello? | 10:19 |
*** Livemark has quit (Quit: Page closed) | 10:22 | |
*** Mark___ (50a99e82@gateway/web/freenode/ip.80.169.158.130) has joined #wikid | 11:09 | |
Mark___ | hello - anyone there? | 11:09 |
joevano | yep | 12:02 |
Mark___ | hello | 12:03 |
joevano | so what seems to be the issue... I'll see if I can help out | 12:03 |
Mark___ | I'm trying to get the Wikid 2FA working with a Windows 7 computer connected to a port on a cisco switch | 12:04 |
Mark___ | I'm almost there - I think I just need help with a final part of the puzzle | 12:05 |
Mark___ | I am using NPS | 12:05 |
joevano | you're going to have to wait for 'nowen' on that one... I've got no experience on that | 12:05 |
Mark___ | okay | 12:05 |
Mark___ | do you think nowen will be around today? | 12:06 |
joevano | he usually shows up between 9 and 10:30... (in 1 to 1.5 hours) | 12:06 |
joevano | I think he may... i think he was out on vacation lately but I get the feeling from his twitter that things are getting back to normal | 12:07 |
Mark___ | okay - forgetting NPS | 12:07 |
Mark___ | Have you any experience of using 802.1x on a windows computer and Wikid | 12:08 |
joevano | nope... we use Wikid for 2FA on our VPN appliance | 12:09 |
Mark___ | okay | 12:09 |
Mark___ | Any idea why I'm getting this: <20> Access-Challenge(11) LEN=186 10.1.10.6:60122 PACKET SUCCESSFULLY SENT | 12:10 |
Mark___ | after the log says: | 12:10 |
Mark___ | Access granted for ddb-europe\marklong, domain code: 010001010009 client: /10.1.10.6 | 12:10 |
Mark___ | if it's granted me access, why is it sending another challenge | 12:11 |
*** nowen (~nowen@adsl-98-66-183-205.asm.bellsouth.net) has joined #wikid | 12:22 | |
nowen | Mark___: | 12:25 |
nowen | good morning | 12:25 |
nowen | the PACKET SUCCESSFULLY SENT message doesn't mean anything except just that, the packets were sent | 12:26 |
Mark___ | hi | 12:26 |
Mark___ | okay - i'll explain what I'm doing... | 12:26 |
Mark___ | I have a windows 7 computer connected to a port on a cisco switch | 12:27 |
Mark___ | the switch is set up for 802.1x on the port | 12:27 |
Mark___ | the radius server is windows nps | 12:27 |
Mark___ | and it is set to forward radius messages to the wikid server | 12:28 |
Mark___ | if I set the nps server to deal with the radius requests itself, without the wikid server based on membership of an active directory group for example | 12:28 |
Mark___ | then the port on the cisco switch allows me access to the network | 12:29 |
Mark___ | if I forward the request to the wikid radius server then I do not get access | 12:29 |
Mark___ | the cisco switch says the radius server is not responding | 12:29 |
Mark___ | however, in the wikid logs, I can see that a conversation has started | 12:30 |
nowen | do you see the request getting back to the NPS? | 12:30 |
Mark___ | no - there's nothing in the NPS logs | 12:31 |
Mark___ | not even the request being forwarded on | 12:31 |
Mark___ | but I know it is being forwarded on because i can see the request in the nps log | 12:32 |
Mark___ | sorry - the wikid log | 12:32 |
nowen | yeah, sounds like NPS is dropping it somehow | 12:33 |
nowen | NPS is using port 1812, correct? | 12:34 |
Mark___ | is it normal for the wikid log to say access-challenge packet sent after it says that access has been given | 12:34 |
Mark___ | yes - 1812 | 12:34 |
nowen | yes | 12:34 |
nowen | do you have your wikid logs set to debug? | 12:36 |
Mark___ | i have a policy set in connection request policies for the forwarding to wikid | 12:37 |
Mark___ | yes - debug | 12:37 |
nowen | and you added the radius logger? | 12:37 |
Mark___ | should I also have a "network policy" set? | 12:37 |
nowen | in nps? yes, I think so | 12:37 |
Mark___ | Okay - I don't have a network policy. I'm not sure what it would need to say. I followed the document on the wikid website | 12:38 |
Mark___ | and it didn't mention a network policy | 12:39 |
nowen | see "Adding a Network Policy" on http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-nps | 12:40 |
Mark___ | I set everything to debug in the configure loggers section | 12:40 |
Mark___ | that's the doc | 12:40 |
Mark___ | I think the problem might be that my windows 7 computer doesn't understand that access has been granted | 12:42 |
nowen | I think you need to add a network policy to nps | 12:43 |
Mark___ | okay - any idea how I tie that in to the wikid server though? What does the rule need to say? | 12:44 |
Mark___ | If you get access allowed from wikid then allow access to the network? | 12:44 |
nowen | in the example on that page, we used the IP address of the VPN server | 12:44 |
nowen | it's more like: "which requests get sent to wikid instead of processed locally" | 12:45 |
Mark___ | Okay - so I have that already. That's under connection policies, and I've said "if you get a request from this radius client (the cisco switch) then forward to wikid" | 12:46 |
Mark___ | and that works - the requests get forwarded. My understanding is that when a response comes back it is automatically sent to the client that requested access | 12:46 |
Mark___ | without any further rules | 12:46 |
nowen | hmm | 12:47 |
nowen | and you set the user to use NPS? | 12:47 |
nowen | I assume so, since it worked without wikid | 12:47 |
Mark___ | on windows 7, when it says "you need to enter additional info to get access" it asks for a username and password | 12:47 |
Mark___ | what username and password should I be using? | 12:48 |
Mark___ | I have been using the userid of the user setup on the wikid server, and the OTP | 12:48 |
nowen | your AD username, which should also be your WiKID username, and the OTP | 12:48 |
Mark___ | The wikid server logs say Access granted for ddb-europe\marklong, domain code: 010001010009 client: /10.1.10.6 | 12:49 |
Mark___ | which indicates to me that it is correct | 12:49 |
nowen | seems likely | 12:49 |
Mark___ | however, I've just tested typing a random username and password, and it still says access-granted | 12:50 |
nowen | on WiKID? | 12:51 |
nowen | is the time correct on the logs? | 12:51 |
Mark___ | yes | 12:51 |
Mark___ | yes | 12:52 |
nowen | I mean, those are new entries in the logs | 12:52 |
Mark___ | yes - it mentions the random username I used | 12:53 |
nowen | can you post the logs to pastebin.org for me to see? | 12:53 |
nowen | do you see "Access-Request by xxxxx succeeded"? | 12:56 |
nowen | brb, coffee time! | 12:56 |
Mark___ | wikid_nowen | 12:56 |
Mark___ | no access-request by xxx succeeded messages | 12:57 |
Mark___ | pasted to wikid_nowen | 12:57 |
Mark___ | Back in 20 mins | 12:58 |
nowen | hmm, not sure what pasted to wikid_nowen means ;) | 13:09 |
Mark___ | http://pastebin.com/zj67SmBh | 13:17 |
Mark___ | sorry - not used it before | 13:18 |
Mark___ | hold on - it has expired | 13:18 |
nowen | np ;) | 13:18 |
Mark___ | http://pastebin.com/kYUZUiSd | 13:19 |
nowen | do you have com.wikidsystems.radius.log.DBSvrLogImpl enabled and set to debug in the Configure loggers page? | 13:21 |
nowen | http://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-can-i-set-radius-logging-to-debug-how-can-i-see-if-wikid-is-getting-the-radius-requests | 13:28 |
nowen | something odd is going on here | 13:29 |
Mark___ | http://pastebin.com/sTHPHTaa | 13:30 |
nowen | hmm | 13:31 |
nowen | ok | 13:31 |
nowen | i wonder if the Access-Challenge means that something is not right. It could be trying to process a challenge-response instead of an OTP | 13:32 |
Mark___ | maybe it just doesn't work with windows 802.1x or cisco switches | 13:34 |
nowen | it's possible, but it should | 13:35 |
nowen | it's recognizing that it is an eapmd5 request | 13:35 |
nowen | can you re-run the auth, starting with an OTP request? | 13:35 |
nowen | and re-post it for me? | 13:36 |
Mark___ | okay | 13:36 |
Mark___ | on the windows computer, when it says "additional info is required" and prompts for a username and password, what should I type? | 13:36 |
nowen | the windows/wikid username and the WiKID OTP. | 13:37 |
*** Jim_ (d578dc04@gateway/web/freenode/ip.213.120.220.4) has joined #wikid | 13:37 | |
Jim_ | hey | 13:38 |
Jim_ | anyone home? | 13:38 |
nowen | hi | 13:38 |
Jim_ | hi nick | 13:38 |
nowen | hi | 13:38 |
Jim_ | can you help me out please? I'm trying to logon to my new WiKID server over SSH and root/wikid doesn't seem to be working | 13:39 |
nowen | is this the iso? | 13:39 |
Jim_ | yep | 13:39 |
Mark___ | http://pastebin.com/Ed7Yq1D7 | 13:40 |
nowen | hmm | 13:40 |
nowen | Mark___: hmm, still not seeing "Issued passcode to device xxx" can you set com.wikidsystems and com.wikidsystems.client.wClient and com.wikidsystems.server.wAuth to debug also and try again? | 13:42 |
nowen | Jim_: is this the latest iso? | 13:43 |
Jim_ | i downloaded this copy last week | 13:43 |
nowen | and at the install prompt, you just hit enter? | 13:43 |
Jim_ | i think so | 13:44 |
nowen | well, the only thing I can think of is to re-install. did you verify the md5sum of the download? | 13:45 |
Jim_ | not at the time | 13:45 |
Jim_ | it's cool, i'll just reinstall from the iso | 13:46 |
*** Jim_ has quit (Quit: Page closed) | 13:46 | |
Mark___ | I have set to debug but I cannot see the individual logs to filter against | 13:54 |
nowen | look on the Configure Loggers page | 13:55 |
Mark___ | 5 listed - all set to debug | 13:56 |
nowen | do you have Source set to None on the log page? | 13:56 |
Mark___ | no - source is set to one of the filters | 13:56 |
Mark___ | okay | 13:57 |
nowen | ok, try it with none | 13:57 |
Mark___ | now set to none | 13:57 |
Mark___ | pasting log | 13:57 |
Mark___ | http://pastebin.com/FMV19EJU | 13:58 |
nowen | hmm | 14:00 |
nowen | Length: 10, Data: 0x0A010A0600000088 State (24), Length: 7, Data: 0x01DCD1BAEE EAP-Message Information: Error displaying EAP-Message: EAP Packet's physical size (36) doesn't match packet's stated length (23) <25> | 14:00 |
nowen | did you check the box for "Request must contain the message authenticator attribute". | 14:01 |
nowen | on NPS? | 14:01 |
Mark___ | yes | 14:02 |
nowen | maybe try unchecking it? | 14:03 |
Mark___ | same error | 14:05 |
nowen | hmm | 14:06 |
Mark___ | do i need any additional software on the windows machine to get it working | 14:07 |
nowen | no, I don't think so. It should only be between the cisco, nps and wikid | 14:07 |
nowen | so, this is for a wifi connection? | 14:08 |
nowen | does the response die after the error about the stated packet length? | 14:09 |
Mark___ | no - wired | 14:09 |
Mark___ | the box on the computer pops up a couple more times | 14:10 |
Mark___ | then gives up and the port on the switch falls back to the guest vlan | 14:10 |
nowen | so that seems to be the issue? | 14:11 |
Mark___ | yes - it should authorise the port via 802.1x and allow access to the specified vlan | 14:12 |
nowen | hmm | 14:27 |
Mark___ | do i need to install any certificates on the windows PC? | 14:34 |
nowen | well, not for WiKID, but perhaps for eap? | 14:34 |
nowen | I may have to set up an environment to test this, but I won't be able to mimic yours exactly | 14:47 |
Mark___ | okay - there's nothing special about my env. Just windows 7 --> Cisco switch --> NPS --> Wikid | 14:48 |
nowen | what are the radius options on the cisco switch? eap, leap, peap? | 14:55 |
Mark___ | I think that part of it comes from the windows box | 15:26 |
Mark___ | the cisco switch just passes the request on | 15:26 |
nowen | makes sense, what are the options on the win7 box? | 15:27 |
Mark___ | is there a way I can test the windows side of things against wikid? | 15:27 |
nowen | you can try pointing the cisco directly to WiKID | 15:27 |
Mark___ | but then I won't have an interface to input the OTP | 15:28 |
nowen | ? | 15:28 |
Mark___ | but I get the same error | 15:29 |
Mark___ | I have told the cisco switch to use wikid as the radius server instead of the NPS | 15:29 |
nowen | ah - that's what i meant | 15:29 |
Mark___ | sorry - I thought you meant to take the windows 7 machine out of the equation | 15:30 |
nowen | ;) | 15:30 |
Mark___ | is there a way to test wikid from the windows box, taking the nps and switch out of the equation? | 15:30 |
nowen | I'm wondering if there is a bug with one of our eap implementations. so I wanted to see if we could test some other options | 15:30 |
nowen | not really, as it isn't a radius client. You can test to make sure that you have installed the server correctly via the example.jsp page | 15:31 |
Mark___ | On windows, I am using PEAP | 15:33 |
Mark___ | on the next box it says authentication method: secured password(EAP-MSCHAP v2) | 15:34 |
Mark___ | the other option is smart card or certificate | 15:35 |
nowen | I'm sorry - back up a bit. are you setting up a new network connection or VPN? | 15:45 |
Mark___ | new connection | 15:46 |
nowen | and under Choose a Connection option, which do you choose? | 15:46 |
Mark___ | Sorry - I mean it's on the existing NIC connection. If I enable the "wired auto config" service, I get 802.1x options on the NIC | 15:47 |
nowen | hmm, I don't see that | 15:51 |
Mark___ | You don't see the service? | 15:51 |
nowen | no | 15:52 |
nowen | is it under Local Area Connections? | 15:53 |
*** Jim (d578dc04@gateway/web/freenode/ip.213.120.220.4) has joined #wikid | 15:53 | |
*** Jim is now known as Guest84797 | 15:53 | |
Guest84797 | Hi | 15:53 |
nowen | Hi, any luck? | 15:53 |
Guest84797 | yeah no probs, all set up now | 15:53 |
Guest84797 | well almost, i'm trying to set up for connecting to my new CAG | 15:54 |
Guest84797 | but the access interface is not prompting for a one time code | 15:54 |
nowen | just put it into the password box | 15:55 |
Guest84797 | where does my AD password go then? | 15:55 |
nowen | nowhere! ;) AD will do the authorization based on the username and then proxy the creds to WiKID for authentication | 15:58 |
Mark___ | hi - are you talking to me? | 16:00 |
nowen | Mark___: no, sorry, to Guest84797 | 16:01 |
Guest84797 | my CAG is a RADIUS client of the ADDS | 16:01 |
nowen | what is ADDS? | 16:01 |
Guest84797 | WiKID is its own RADIUS server and the CAG is a client of that | 16:01 |
Guest84797 | sorry, active directory | 16:01 |
nowen | Guest84797: typically, the way this is set up is CAG >> AD/NPS >> WiKID | 16:02 |
Guest84797 | so the WiKID server is a RADIUS client of AD/NPS? | 16:02 |
nowen | other way around. the NPS is client to WiKID | 16:03 |
Guest84797 | so my cag stays a RADIUS client of NPS/AD? | 16:04 |
nowen | yes | 16:04 |
Guest84797 | the docs describe it differently is all, I did wonder | 16:04 |
nowen | which docs? | 16:04 |
Guest84797 | the ones on your site | 16:04 |
nowen | check out this one: http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-nps | 16:05 |
Guest84797 | k dude | 16:05 |
Guest84797 | sec | 16:05 |
Guest84797 | ok that makes a lot more sense, i was looking here: http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-a-citrix-access-gateway | 16:07 |
nowen | yeah, we need to have a better guide to our guides | 16:07 |
Guest84797 | it's ok, i got a domain set up and got my test client to communicate using that | 16:08 |
Guest84797 | so half the job done there | 16:08 |
Guest84797 | i did wonder how it was expected to know about the account | 16:08 |
Guest84797 | anyway, brb | 16:08 |
nowen | ok | 16:08 |
Guest84797 | so if my users don't have to enter an AD password, how does this satisfy the requirements to be a two factor system? | 16:10 |
Guest84797 | if they can access from a non-domain joined machine, which is my intention | 16:10 |
Guest84797 | I can add that separately to Xenapp I guess, but had hoped to keep the extra authentication looking as seamless as possible | 16:11 |
nowen | the two factors are knowledge of the PIN and possession of the (private key embedded in) the software token | 16:11 |
Guest84797 | I'd have to use the locked down software token | 16:11 |
nowen | I would argue that it is more secure to not use your LAN password outside of the LAN | 16:12 |
nowen | is this for PCI? | 16:12 |
Guest84797 | so would I! I'm just thinking from a PCI compliance point of view | 16:12 |
Guest84797 | yeah, ah, you beat me to it | 16:12 |
nowen | we have a ton of PCI customers | 16:12 |
Guest84797 | and they have this system in place? | 16:12 |
nowen | oh yeah, we see a lot of citrix for pci too | 16:13 |
Guest84797 | our current PCI "compliant" solution is utter shit, so I'd actually be interested in introducing WiKID instead | 16:13 |
nowen | I hope we would be better ;) | 16:13 |
Guest84797 | it can't be any worse, the second factor can be circumvented too easily | 16:13 |
Guest84797 | yep, this sounds like it's a go-er pal, let me get back to you in a few when I've set the RADIUS server up again. | 16:14 |
nowen | ok | 16:14 |
Mark___ | I'm now trying to get this to work with a juniper vpn | 16:29 |
Mark___ | and still no luck | 16:30 |
nowen | Mark___: ok, good idea | 16:30 |
nowen | same error? | 16:30 |
Mark___ | no - it says access-rejected | 16:30 |
nowen | is the user enabled still? | 16:30 |
Mark___ | http://pastebin.com/TLExv4bJ | 16:31 |
nowen | check your user, they often get disabled during testing | 16:32 |
Mark___ | checked - it's enabled | 16:34 |
Mark___ | aaarrrrggggghhhhh | 16:34 |
nowen | ? | 16:34 |
Mark___ | Sorry - any other ideas why it's not working | 16:35 |
nowen | let's make sure it is working without radius: http://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-can-i-test-if-the-server-is-working-correctly | 16:36 |
nowen | the example.jsp page will allow you to login without radius | 16:36 |
Guest84797 | Hi Nick | 16:38 |
nowen | hi | 16:38 |
Guest84797 | What's the "Device Domain Name" on Domain Setup in WiKID? | 16:38 |
nowen | that is what shows up on the token client | 16:39 |
Guest84797 | Oh so I can call it anything? | 16:39 |
nowen | yes, but know that your users may eventually get more than one domain, though it is unlikely | 16:40 |
Guest84797 | No worries | 16:40 |
Guest84797 | ah shit, Nick how can I change the time on the WiKID server manually? I don't have an NTP server to synch to | 17:01 |
nowen | the date command | 17:02 |
Guest84797 | cheers | 17:02 |
nowen | date 08131302 | 17:02 |
nowen | mmddtttt | 17:02 |
Guest84797 | do i have to do anything special with certificates? | 17:08 |
nowen | did you create the intermediate ca and localhost cert? | 17:08 |
Guest84797 | yes | 17:08 |
nowen | that's it for wikid | 17:09 |
Guest84797 | ok cool | 17:09 |
Guest84797 | I'm getting a lot of packet dropped - message authenticator is incorrect errors, any idea what these indicate? | 17:13 |
nowen | hmm | 17:13 |
nowen | not sure. | 17:13 |
nowen | brb - gotta grab some lunch | 17:14 |
nowen | back | 17:24 |
Guest84797 | hey there | 17:25 |
Guest84797 | just working through some troubleshooting, think im getting closer now | 17:26 |
nowen | know that sometimes users get disabled during testing, typically for excessive bad passcode attempts | 17:32 |
Guest84797 | What I'm getting currently is that the RADIUS server is not responding to the proxy | 17:34 |
nowen | did you restart WiKID after adding it as a network client? | 17:34 |
Guest84797 | yeah, let me do it again i have made a couple of changes. | 17:35 |
nowen | the ip address is the important piece. if that is wrong, no go | 17:36 |
Guest84797 | which IP address? | 17:36 |
nowen | the ip address of the radius proxy | 17:37 |
Guest84797 | that's what I have set up as the Network client, just to confirm? | 17:38 |
nowen | yes | 17:38 |
Guest84797 | ok that's correct | 17:38 |
nowen | you can turn on radius debugging: http://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-can-i-set-radius-logging-to-debug-how-can-i-see-if-wikid-is-getting-the-radius-requests | 17:38 |
Guest84797 | Aaah, ok got it lol | 17:41 |
Guest84797 | working now, was my fault I didn't format the username correctly | 17:41 |
Guest84797 | stupid error, been here too long | 17:41 |
Guest84797 | tired | 17:42 |
nowen | ;) | 17:42 |
Guest84797 | gave me a chance to go over some stuff and correct it as I went, so good enough for me | 17:42 |
Guest84797 | bah my boss just went home 5 mins ago as well | 17:42 |
nowen | oh well, you can always buy tomorrow ;) | 17:45 |
Guest84797 | lol yeah | 17:49 |
Guest84797 | just got to work a couple of bugs out and I'll get a demo on for tomorrow | 17:50 |
Guest84797 | thanks for your help today Nick, i gotta go before they throw me out of here | 17:51 |
nowen | no problem | 17:51 |
nowen | later | 17:51 |
*** Guest84797 has quit (Quit: Page closed) | 17:59 | |
*** nowen has quit (Quit: Leaving.) | 22:27 | |
Generated by irclog2html.py 2.11.0 by Marius Gedminas - find it at mg.pov.lt!