*** nowen (~nowen@adsl-98-66-183-205.asm.bellsouth.net) has joined #wikid | 12:41 | |
*** nowen has parted #wikid (None) | 12:59 | |
*** nowen (~nowen@adsl-98-66-183-205.asm.bellsouth.net) has joined #wikid | 13:00 | |
*** Tom_____ (5b559d01@gateway/web/freenode/ip.91.85.157.1) has joined #wikid | 13:19 | |
Tom_____ | Hi | 13:19 |
nowen | hi | 13:19 |
Tom_____ | Wonder if someone can help... Quick question hopefully | 13:19 |
nowen | ok | 13:19 |
Tom_____ | We use wikid on our system, but I have an issue with users connecting to the domain.. In short I think this is caused by when they log into their laptops, there is obviously no connection, and cannot auth with the domain.. It uses cached passwords. Then, when they start wikid, it asks to lock pc and re-enter credentials. Is it possible to run wikid as a service so that when users log into windows, it can auth to domain? Or can I even c | 13:21 |
Tom_____ | Windows VPN natively? | 13:22 |
Tom_____ | What do you think/suggest | 13:22 |
Tom_____ | When you log out, wikid closes connection, so you can never actually log against the domain server. | 13:22 |
nowen | what version of WiKID are you using? | 13:23 |
Tom_____ | Wikid server enterprise 3.4.87-b1039 | 13:23 |
nowen | what company are you with? | 13:25 |
Tom_____ | Exaxt mortgage experts | 13:26 |
nowen | ahh | 13:26 |
nowen | Stuart still there? | 13:26 |
Tom_____ | Exact mortgage experts | 13:26 |
Tom_____ | He is yeah. - my boss. | 13:27 |
nowen | ahh | 13:27 |
Tom_____ | I have been here since march. Having some issues with laptops, which I think is due to expiring | 13:28 |
nowen | ok, so I'm not sure about your problem | 13:28 |
Tom_____ | I currently have a laptop on the next desk with the issue.. I think if I was to connect using copper, it would fix the issue. | 13:28 |
nowen | WiKID only provides the otp to login to the VPN | 13:28 |
nowen | what do you mean by "copper"? you mean wired vs wireless? | 13:29 |
nowen | also how do you have the auth set up? does it go through AD via NPS? | 13:29 |
Tom_____ | Yeah sort of.. I was referring to plugging into the work LAN.. | 13:30 |
Tom_____ | I am not familiar with NPS? | 13:30 |
nowen | it is the MS radius plugin | 13:31 |
nowen | it allows you to do Authorization via AD and then proxies the authentication to a separate server, eg, WiKID | 13:31 |
nowen | running as a service doesn't really do it for WiKID. All we do is get the OTP | 13:33 |
nowen | so, your users login to their laptop, login to their VPN and then have to login to the domain? | 13:36 |
Tom_____ | I am not sure. What I experience is this- once connected via VPN, windows will prompt for password. Even though the password is set on AD the same as local one. The account gets locked out without the user typing in any passwords. I think this would be fixable if I plugged into the LAN and bypass VPN... I think the issue lies with not being able to log into the network from the login screen? | 13:36 |
Tom_____ | The first login prompt they have would be the login for the domain, but in this scenario, the domain isn't available as the VPN is not running. | 13:37 |
Tom_____ | The first login allows them in as the password is cached. | 13:38 |
Tom_____ | The cached password is the same as the domain password, but I still think they are not synced together. | 13:38 |
Tom_____ | If I was to plug into the domain and login, I think this would fix the issue for a short while. | 13:39 |
nowen | Not sure I can help. It is odd that y'all are the only ones that have come to me with this. | 13:42 |
nowen | I wonder if running the auth through NPS would fix this | 13:42 |
Tom_____ | Is there a way I can check this? | 13:44 |
nowen | I don't know. You can set up NPS | 13:44 |
Tom_____ | I guess most VPN users could be logging in with local accounts? And then perhaps remoting to a ts server. | 13:45 |
Tom_____ | Do you have any further info on NPs for me to read? | 13:46 |
nowen | I just have the feeling that you'll have some extra complexity there you don't need. Like the requirement to login to the domain. seems like most companies, once you login to the VPN, you get access | 13:46 |
nowen | http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-nps | 13:46 |
Tom_____ | The error message we see in the DC when users try to authenticate is "pre-authentication failed" | 13:47 |
nowen | yeah, you might search the MS knowledge base for that | 13:47 |
Tom_____ | Possibly, but this would have been the preferred method to manage user accounts... Users log into their local laptops as domain users. Their services would work as when they bring their laptops into the office | 13:49 |
Tom_____ | I guess ,my next step is to see if I can fix the issue by r | 13:50 |
Tom_____ | Logging into domain on LAN. Then try again over VPN, if this works then I know it has to be relating to the lack of connectivity | 13:50 |
Tom_____ | I might not see all your responses cause my iPad keeps sleeping. | 13:54 |
nowen | :-} | 13:54 |
nowen | well, it seems like something is not optimal in your VPN set up | 13:55 |
nowen | but I don't know what | 13:55 |
Tom_____ | Ok | 13:55 |
Tom_____ | Not really important, but who's | 13:57 |
Tom_____ | Whilst I'm here, is wikid VPN supported on iPad?? | 13:57 |
nowen | WiKID is not a vpn, it is a two-factor authentication token. the token is available on the app store | 14:02 |
nowen | what VPN are you using? | 14:02 |
Tom_____ | Ok. I understand a bit better. It's open VPN | 14:02 |
nowen | I see | 14:03 |
Tom_____ | Guys, thanks for the help! | 14:03 |
nowen | np! | 14:03 |
*** Tom_____ has quit (Quit: Page closed) | 14:03 | |
*** __TOM (~wtfnom@66.150.156.1) has joined #wikid | 17:13 | |
__TOM | Nick | 17:13 |
__TOM | im back | 17:13 |
nowen | welcome! | 17:13 |
__TOM | and i got the cert stuff squared. | 17:13 |
nowen | what was it? | 17:13 |
__TOM | not sure. just did what you suggested | 17:13 |
__TOM | installed centos with a simple name | 17:14 |
__TOM | no dashes. | 17:14 |
__TOM | anyhow, im up to testing out connecting a wireless client to the system via pub ip | 17:14 |
nowen | ok | 17:14 |
__TOM | each time i try to register a domain | 17:15 |
__TOM | i get error code 4 | 17:15 |
__TOM | back | 17:15 |
__TOM | i've opened tcp 80 | 17:15 |
nowen | does it work on a PC token? | 17:15 |
__TOM | Mmmmmmmm | 17:15 |
__TOM | no clue. | 17:15 |
__TOM | let me try i guess. | 17:15 |
__TOM | it was a bb token that was working on the old system | 17:15 |
__TOM | i just wanted to reg a second domain. | 17:15 |
nowen | http://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-do-i-run-the-token-in-debug-mode | 17:16 |
nowen | that can help too | 17:16 |
__TOM | hmm | 17:17 |
__TOM | thats assuming i have a nix client | 17:17 |
__TOM | ? | 17:17 |
nowen | you can run it in windows from the dos prompt too, I believe | 17:17 |
__TOM | pc client okay | 17:18 |
__TOM | i'll try. | 17:18 |
nowen | what is the domain id? | 17:18 |
nowen | I can try it too | 17:18 |
__TOM | 066156150110 | 17:23 |
nowen | here's the url it is trying to reach: http://66.156.150.110/wikid/servlet/com.wikidsystems.server.InitDevice4AES?a=0&S=066156150110&CT=1 | 17:25 |
nowen | looks like it is timing out | 17:25 |
__TOM | port 80 tcp is open | 17:25 |
__TOM | are there any other ports i need to open? im confuzzled. | 17:26 |
nowen | nope | 17:26 |
__TOM | i can try using the private ip since im on a bes network. | 17:26 |
__TOM | k | 17:26 |
__TOM | is there any logging i can enable on the server end to troubleshoot? I enabled debugging | 17:27 |
nowen | anything in the WiKIDAdmin logs? | 17:27 |
__TOM | but i dont see anything fruitful | 17:27 |
nowen | you have the log filter set to debug? | 17:27 |
__TOM | yes | 17:27 |
__TOM | and i dont see any output | 17:27 |
__TOM | and yes, i click on the filter button after modding the level | 17:27 |
nowen | double check your firewall, I don't think the requests are getting thru | 17:28 |
__TOM | i just confirmed and tested from a 3rd party that port 80 tcp is open | 17:29 |
nowen | http://66.156.150.110/ doesn't work for me either | 17:29 |
__TOM | okay | 17:30 |
__TOM | ill check again...maybe i fatfingered something... | 17:30 |
__TOM | oops | 17:32 |
__TOM | i gave you the wrong ip? | 17:32 |
nowen | ;) | 17:32 |
__TOM | 066150156110 | 17:32 |
__TOM | thats the right string | 17:33 |
__TOM | i have all loggers on the server set to debug | 17:33 |
__TOM | and still no results | 17:33 |
__TOM | weird... | 17:33 |
__TOM | wait, i see something now. | 17:33 |
nowen | ok - now you should see something | 17:33 |
nowen | Reading response iteratively ... | 17:33 |
nowen | Returning data ... (1 bytes) | 17:33 |
nowen | Read 1 bytes from the server | 17:33 |
nowen | Invalid Server Response | 17:33 |
__TOM | Could not find configuration for domain 066150156110 on this server. | 17:34 |
nowen | can you get out from the server? | 17:34 |
__TOM | get out? | 17:34 |
__TOM | like where am i getting out to? | 17:34 |
nowen | try this from the command line: wget http://www.wikidsystems.com | 17:34 |
__TOM | [root@WIKID ~]# wget http://www.wikidsystems.com | 17:34 |
__TOM | --2012-08-24 10:34:42-- http://www.wikidsystems.com/ | 17:34 |
__TOM | Resolving www.wikidsystems.com... 174.129.6.100 | 17:34 |
__TOM | Connecting to www.wikidsystems.com|174.129.6.100|:80... connected. | 17:34 |
__TOM | HTTP request sent, awaiting response... 200 OK | 17:34 |
__TOM | yeah, i can pull it | 17:35 |
nowen | hmm | 17:35 |
__TOM | 2012-08-24 10:33:25.210 ERROR com.wikidsystems.server.DeviceTransactionExec Could not find configuration for domain 066150156110 on this server. | 17:35 |
__TOM | is that a problem? | 17:35 |
nowen | did you create a domain? | 17:35 |
__TOM | yes | 17:35 |
nowen | does it have the correct IP? | 17:35 |
__TOM | oh wtf.... | 17:35 |
nowen | hehe | 17:35 |
__TOM | how did it warp to 107 | 17:35 |
__TOM | okay...yes! captain obvious. | 17:36 |
nowen | your fingers must have had a long week! ;) | 17:36 |
__TOM | more like multitasking hell... but thanks ;-) | 17:36 |
__TOM | and regarding registered URL under domain creation | 17:36 |
__TOM | the wikid server would simply pull the ssl cert from whatever url is in there | 17:37 |
__TOM | and validate its valid | 17:37 |
__TOM | thats pretty much it? | 17:37 |
nowen | yes, it pulls the cert from the url | 17:37 |
nowen | are you planning to do mutual https auth? | 17:37 |
__TOM | mutual? | 17:39 |
__TOM | ill read up on that one. | 17:39 |
nowen | then just leave that box blank for now | 17:39 |
__TOM | ok | 17:41 |
__TOM | heh | 17:53 |
__TOM | theres a slight bug | 17:53 |
__TOM | i found | 17:53 |
nowen | ? | 17:53 |
__TOM | i had a domain configured with the wrong server code. | 17:53 |
__TOM | and i had a client configured for that domain. | 17:53 |
__TOM | what i did was create a new domain, with the same domain name, and device domain name. | 17:53 |
__TOM | whether or not that was a prudent decision | 17:53 |
__TOM | the gui allowed me to do so | 17:54 |
__TOM | anyhow | 17:54 |
__TOM | after that, i removed the client, and both domains. | 17:54 |
nowen | the domain name and device name can be the same | 17:54 |
__TOM | can be? | 17:54 |
__TOM | or cant be. | 17:54 |
nowen | can be | 17:54 |
__TOM | yes. | 17:54 |
__TOM | anyhow | 17:54 |
__TOM | now i recreated the domain, and the client | 17:54 |
__TOM | in the logs im testing out connecting to a ssl vpn portal | 17:54 |
__TOM | and the logs on the server state: Access denied for [username], domain code: 066150156107 client: /10.10.0.136 | 17:55 |
__TOM | problem is that the domain code is incorrect | 17:55 |
__TOM | its the invalid domain code from the deleted domain. | 17:55 |
__TOM | maybe a cleanup/inconsistency issue in the db? | 17:56 |
__TOM | the domain code thats in the current domain is 066150156110. | 17:56 |
__TOM | im going to create everything from scratch | 17:57 |
__TOM | with new names | 17:57 |
nowen | could be that you need to edit the network client | 17:57 |
nowen | I don't think that is needed | 17:57 |
__TOM | okay | 17:57 |
__TOM | so what about the net client? | 17:57 |
nowen | edit the network client and run 'wikidctl stop' | 17:57 |
nowen | then run 'netstat -anp | grep java' to make sure it is all dead | 17:58 |
nowen | and then start | 17:58 |
__TOM | yeah baby :) | 18:03 |
__TOM | it works now. | 18:03 |
__TOM | im elated. | 18:03 |
nowen | sweet! | 18:03 |
__TOM | btw | 18:03 |
__TOM | restarting didnt help | 18:03 |
__TOM | still same prob | 18:03 |
__TOM | i eventually just nuked it | 18:03 |
__TOM | and started with some new domain name and client name | 18:03 |
nowen | huh, ok | 18:04 |
__TOM | but i got what i needed | 18:04 |
__TOM | thanks for your help. :) | 18:04 |
nowen | no problem | 18:04 |
nowen | what's next? | 18:04 |
__TOM | im likely going to try that mitm validation url | 18:05 |
__TOM | see what breaks. | 18:05 |
nowen | you want to put the url for your ssl vpn in there | 18:05 |
__TOM | yes. just the fqdn. | 18:05 |
nowen | with the https:// | 18:05 |
__TOM | im going to input an invalid url and see if that breaks it all. | 18:05 |
__TOM | yep | 18:06 |
__TOM | thanks | 18:06 |
nowen | any https will work. an http will not | 18:06 |
__TOM | hmm | 18:06 |
__TOM | the device domain name is what shows up in the client dropdown list | 18:07 |
__TOM | correct? | 18:07 |
nowen | in the device yes | 18:07 |
__TOM | ah | 18:07 |
nowen | the idea is that you can have multiple domains but the users don't know | 18:07 |
__TOM | is there a way to do multiple URL checks? | 18:07 |
__TOM | yes. | 18:08 |
__TOM | i know that was the idea. | 18:08 |
nowen | no | 18:08 |
__TOM | unfortunately my users are clowns. | 18:08 |
__TOM | so... | 18:08 |
__TOM | arg this is going to be interesting. | 18:08 |
__TOM | and what i mean by clowns is that they get confused at the slightest need to do much of anything technical | 18:09 |
__TOM | so... | 18:09 |
__TOM | wow, you have a great way of splitting up the domains | 18:09 |
__TOM | unfortunately thats super complex | 18:09 |
__TOM | hmm | 18:09 |
nowen | why do you need to split domains? | 18:09 |
__TOM | well | 18:10 |
__TOM | i dont want to | 18:10 |
__TOM | i have 3 ssl vpn portals | 18:10 |
__TOM | that i would like to validate against | 18:10 |
__TOM | for mitm. | 18:10 |
nowen | ahh | 18:10 |
nowen | how many users per vpn? | 18:11 |
__TOM | not sure at this point, but if all goes well, probably roughly 250 per | 18:11 |
nowen | so, all the users get instructions to use "SSL VPN OTP" | 18:12 |
__TOM | okay? | 18:12 |
nowen | but you have three domains with three names and one device domain name | 18:12 |
__TOM | ah...well. | 18:13 |
__TOM | the catch is | 18:13 |
__TOM | a single user may have a usecase of using all 3 vpn connections | 18:13 |
nowen | well, then that is complex | 18:13 |
__TOM | :-) | 18:13 |
__TOM | oh | 18:13 |
__TOM | one other thing | 18:13 |
__TOM | i remember a long long time ago | 18:13 |
nowen | can your vpn handle that instead | 18:13 |
__TOM | i came in here | 18:13 |
__TOM | and saw someone complaining about their wikid portal not working | 18:14 |
__TOM | and in the end | 18:14 |
__TOM | it turned out to be an expired certificate. | 18:14 |
__TOM | so... is there an easy way to track those? | 18:14 |
__TOM | so i know when they need to be recreated? | 18:14 |
nowen | what is your domain again? | 18:14 |
__TOM | domain name is CANYON | 18:14 |
__TOM | right now | 18:14 |
__TOM | subject to change* | 18:14 |
nowen | we're working on a better system for tracking | 18:15 |
nowen | should be up before yours expires | 18:15 |
nowen | you got a new one 8/23 | 18:15 |
__TOM | okay, well is the renewal process a pita? | 18:16 |
__TOM | or is it quick? | 18:16 |
__TOM | just for my own edification | 18:16 |
nowen | very quick | 18:16 |
__TOM | k | 18:16 |
__TOM | btw, when i punched in my url | 18:16 |
__TOM | https://vpn1.canyonpartnershq.com | 18:16 |
__TOM | into the domain | 18:16 |
__TOM | i dont see any new logs.... | 18:16 |
__TOM | hmm maybe i need to cycle again | 18:17 |
nowen | hmm, you might need to restart your token. you might actually have to re-register | 18:18 |
nowen | this is PC tokens only too | 18:18 |
__TOM | huh? | 18:19 |
__TOM | what do you mean? | 18:19 |
nowen | the smart phone tokens do not do the mutual https authentication, only the PC tokens | 18:19 |
__TOM | hmmm | 18:20 |
__TOM | well | 18:20 |
__TOM | maybe im confused how that works. | 18:20 |
__TOM | i was under the impression if i put in https url into domain | 18:20 |
__TOM | that the wikid server will validate the https link before issuing token | 18:20 |
nowen | http://www.wikidsystems.com/learn-more/technology/mutual_authentication | 18:20 |
nowen | no, the token validates that cert is the same as in the server before presenting the OTP | 18:21 |
__TOM | i see. | 18:21 |
__TOM | btw, is that your voice? | 18:21 |
nowen | probably | 18:21 |
__TOM | lol | 18:21 |
__TOM | probably* | 18:21 |
__TOM | thats an awesome answer. | 18:21 |
nowen | I specialize in awesome answers! | 18:22 |
__TOM | thats freaking awesome explanation | 18:23 |
__TOM | might encourage me to use the wikid pc client. | 18:23 |
nowen | the benefit of using both is that users are unlikely to lose/forget the passphrase for two | 18:24 |
nowen | so, your risk decision | 18:27 |
__TOM | well... | 18:27 |
__TOM | yuck | 18:27 |
__TOM | if i use the pc client | 18:27 |
__TOM | then i really have to get them to remember a pin | 18:28 |
__TOM | which will have the same problems as their passwords. | 18:28 |
__TOM | whereas if i have them use a secondary device | 18:28 |
__TOM | such as their smartphone | 18:28 |
nowen | they have to have a PIN with their smartphone token too | 18:28 |
__TOM | aka blueberry or iFail, then its atleast something else they have. | 18:28 |
__TOM | i know you and i have had this debate over 2factor effectiveness. | 18:29 |
__TOM | im using the token purely as a "something they have" play | 18:29 |
nowen | the something else is the private key embedded in the token. the question is how easy it might be to steal that and get the PIN and passphrase | 18:29 |
__TOM | i dont care about the pin so much | 18:29 |
__TOM | not so much that i dont care. | 18:29 |
__TOM | but it does not work well in my application | 18:30 |
__TOM | where my users would etch the pin onto the smartphone exterior if they could. | 18:30 |
__TOM | "WIKID PIN = 1234" | 18:30 |
__TOM | or whatever it was | 18:30 |
__TOM | so. while they can remote into ssl vpn from practically any desktop in the world | 18:30 |
__TOM | they would need that particular device. | 18:30 |
__TOM | to log in. hence, 2 factor. | 18:31 |
nowen | yep | 18:31 |
__TOM | i've asked you whether you'd consider writing in an option file to disable pin requirement before | 18:31 |
__TOM | and i think you said i was smoking | 18:31 |
nowen | yes | 18:31 |
__TOM | but you dont see the possible reason/use case that im presenting as viable? | 18:32 |
__TOM | im not saying enable it by default, | 18:32 |
__TOM | but how about making it some hidden var | 18:32 |
__TOM | so when some tool like myself enters irc chat | 18:32 |
__TOM | you can tell them yeah, do this, but not advised unless youre doing this particular use case. | 18:33 |
nowen | opens too many holes. there's no way to do it securely | 18:33 |
__TOM | how are there too many holes in my usecase? | 18:33 |
nowen | well, for one, it's not two-factor auth | 18:33 |
__TOM | sure it is | 18:33 |
__TOM | if i use the mobile client | 18:33 |
__TOM | mobile token | 18:33 |
__TOM | on a mobile device. | 18:33 |
__TOM | its something they have. | 18:34 |
nowen | and? | 18:34 |
__TOM | k...and something they know, is their domain credentials, e.g. password | 18:34 |
nowen | but how does that work on the back end? | 18:34 |
__TOM | well | 18:34 |
__TOM | for my vpn im using cisco as a vendor | 18:35 |
__TOM | basically cisco does two auth checks | 18:35 |
__TOM | validates user creds via AD LDAP | 18:35 |
__TOM | and second validates the code via radius | 18:35 |
__TOM | (from the wikid server) | 18:35 |
__TOM | if either fail, access denied. | 18:35 |
__TOM | same thing for vmware view | 18:35 |
__TOM | btw. | 18:35 |
__TOM | two very mainstream use cases | 18:36 |
__TOM | think about it, if you want me to whiteboard it, or discuss with you, im more than willing to give you a call to chat about it | 18:36 |
__TOM | but i dont think i'm necessarily way off in left field. | 18:36 |
nowen | but you can do all that with the otp and username and then not use your LAN password outside of the LAN | 18:37 |
__TOM | yes! except...our users are used to RSA | 18:37 |
__TOM | so...to tell them forget your windows password | 18:37 |
__TOM | and just use this pin that wikid spits back | 18:37 |
__TOM | is mindblowing | 18:37 |
__TOM | like epic brain implosion | 18:37 |
__TOM | does not compute | 18:37 |
__TOM | you get what im saying. | 18:37 |
__TOM | and of course the C-level execs who dont get the technology | 18:38 |
__TOM | nor want to get it... | 18:38 |
__TOM | will nix the wikid platform | 18:38 |
__TOM | saying its not secure. | 18:38 |
__TOM | how could it possibly be. | 18:38 |
__TOM | even with a good presentation. | 18:38 |
__TOM | you know... political problems | 18:39 |
nowen | so you currently enter in the rsa otp, the PIN and the AD password? | 18:39 |
__TOM | and i doubt this would be the only org with the same challenges. | 18:39 |
__TOM | yes. | 18:39 |
__TOM | goto .... https://vpn1.canyonpartnershq.com | 18:39 |
__TOM | and from the drop down, select "CP" domain | 18:39 |
__TOM | you will see 3 fields | 18:39 |
__TOM | username | 18:39 |
__TOM | password | 18:39 |
__TOM | pin | 18:39 |
nowen | show the execs this http://www.wikidsystems.com/learn-more/features/lessexpensive | 18:39 |
nowen | and multiply by 3 | 18:39 |
__TOM | its not a cost issue | 18:40 |
__TOM | trust me...i dont have a cost issue here.... | 18:40 |
nowen | based on other customers that have moved from RSA to WiKID it shouldn't be that bad | 18:40 |
__TOM | okay then. | 18:40 |
__TOM | honestly Nick | 18:40 |
__TOM | youre stopping your entry point into the hedgefund world. | 18:41 |
__TOM | im telling you right now | 18:41 |
nowen | essentially to do what you are asking, we re-write all of our tokens | 18:41 |
__TOM | not just my company who is interested in wikid | 18:41 |
__TOM | they are looking at me for a recommendation into how to deploy into their worlds | 18:41 |
__TOM | they dont like eating it with RSA and having to swap out keys whenever they have a breach. | 18:41 |
__TOM | no way | 18:41 |
__TOM | well | 18:41 |
__TOM | well, i'm simply giving you a general accepted use case right now | 18:42 |
__TOM | and how i *must* implement a 2 factor solution | 18:42 |
__TOM | i totally get the logic behind what youre telling me | 18:42 |
__TOM | but it doesnt float well upstream. | 18:42 |
nowen | I'm lost - is it not the same or easier than what you're doing now? | 18:43 |
__TOM | for a technical individual like myself | 18:43 |
__TOM | yes. | 18:43 |
__TOM | much easier! | 18:43 |
__TOM | however.... | 18:43 |
__TOM | what's technically easier does not mean is better or gets adopted. | 18:43 |
__TOM | necessarily. | 18:44 |
__TOM | even with a lower pricepoint. | 18:44 |
nowen | if it is ease of use, then go with the PC token. The OTP is copied into the clipboard. they go to the vpn, paste and go | 18:44 |
__TOM | thats not the point. | 18:44 |
__TOM | and i would never do that. | 18:44 |
__TOM | thats single factor. | 18:44 |
nowen | but it's not | 18:45 |
__TOM | well. i've given you my two cents, and honestly i think you have a product that can potentially crush the market, but you'll need to make it a bit more flexible to avoid company execs from cringing. | 18:46 |
nowen | ok - I understand | 18:46 |
__TOM | now as far as rewriting tokens. | 18:46 |
__TOM | yeah, if its a chore. i understand and concede | 18:46 |
__TOM | but i dont know whats involved | 18:46 |
__TOM | so pardon my ignorance. | 18:46 |
__TOM | im merely telling you from my implementation experience background, whats the norm, and whats required. | 18:47 |
__TOM | off to lunch! | 18:47 |
nowen | well, apple, blackberry, android, windows mobile | 18:47 |
__TOM | hope you think about it a bit more... | 18:47 |
__TOM | yeah, i know its fragmented. | 18:47 |
nowen | testing for all | 18:47 |
__TOM | yeah :-\ | 18:47 |
nowen | and updates to the server | 18:47 |
nowen | and while this Cisco can do that, not all VPNs can | 18:48 |
__TOM | sonicwall, palo alto, and juniper can too | 19:12 |
__TOM | i havent tested them all out yet. | 19:12 |
__TOM | and in financial space 90% are rolling cisco/juniper. | 19:13 |
nowen | I'll open a long range ticket for it | 19:25 |
__TOM | bombs away. :) | 19:27 |
nowen | so your login has two boxes | 19:36 |
nowen | what are they entering? | 19:37 |
__TOM | ? | 20:10 |
__TOM | 3 login fields | 20:10 |
__TOM | 1) username | 20:10 |
__TOM | 2) password | 20:10 |
__TOM | 3) pin | 20:10 |
__TOM | A C3P0Registry mbean is already registered. This probably means that an application using c3p0 was undeployed, but not all PooledDataSources were closed prior to undeployment. This may lead to resource leaks over time. Please take care to close all PooledDataSources. | 20:10 |
__TOM | btw, what the heck is a mbean? | 20:10 |
nowen | https://vpn1.canyonpartnershq.com I see, group, username and password | 20:11 |
nowen | ignorable | 20:11 |
__TOM | swap the group to "CP" | 20:11 |
__TOM | thats the only one enabled for wikid atm | 20:11 |
nowen | ahh | 20:11 |
nowen | I would drop the password | 20:11 |
__TOM | well the catch is, this is a test portal | 20:13 |
__TOM | its not always up | 20:13 |
__TOM | the users have a separate client | 20:13 |
__TOM | similar to this, but installed on their workstation. | 20:14 |
__TOM | sort of irrelevant for this convo | 20:14 |
__TOM | but yes, i hear your comment about dropping password. | 20:14 |
__TOM | and again, that wont compute here. | 20:14 |
nowen | oh, so they have an ssl-vpn client? | 20:14 |
__TOM | they do... | 20:14 |
__TOM | cisco is going all out. | 20:14 |
nowen | I thought the point of ssl-vpns was to not have a client | 20:15 |
__TOM | yes and no. | 20:16 |
__TOM | the background encryption methodology is diff as well | 20:16 |
__TOM | and lastly, different port usage. | 20:17 |
__TOM | so friendly with retarded hotels | 20:17 |
*** nowen has quit (Quit: Leaving.) | 21:28 | |
*** __TOM has quit () | 22:17 |