*** Jbern has quit (Ping timeout: 245 seconds) | 06:46 | |
*** nowen (~nowen@99-174-93-102.lightspeed.tukrga.sbcglobal.net) has joined #wikid | 12:04 | |
*** Skelroy_afk is now known as Skelroy | 13:49 | |
*** obcecado (~ob@otherreality.net) has joined #wikid | 13:57 | |
obcecado | hi | 13:57 |
nowen | hi | 13:57 |
obcecado | i'm looking into wikid as a solution for a 2nd factor auth on a wifi network | 13:58 |
nowen | ok | 13:58 |
obcecado | involving a cisco acs | 13:58 |
nowen | ok | 13:59 |
obcecado | looking through the examples on the website, it looks like the two-factor auth from WiKID to Nortel Contivity is the closest case | 13:59 |
nowen | well, what you need to do is configure the ACS to talk radius to WiKID | 14:00 |
nowen | . | 14:02 |
obcecado | my understanding is wikid will sit between the wireless controller and the cisco acs | 14:02 |
obcecado | right? | 14:02 |
nowen | by wireless controller, do you mean the wireless access point? | 14:03 |
nowen | typically, the process would look like: client >> ACS >> auth server. | 14:05 |
obcecado | hmm the android client seems to be taking a long time to sync with the domain settings | 14:49 |
nowen | does your domain work with the PC token? | 14:50 |
obcecado | could not obtain configuration for domain | 14:51 |
nowen | what's the domain id? | 14:51 |
obcecado | the domain id wasn't properly generated | 14:53 |
obcecado | let me retry | 14:54 |
obcecado | it seems to be working :-) | 14:56 |
obcecado | thank you for your time | 14:56 |
nowen | :-) no problem | 14:56 |
obcecado | were you the guy answering my emails? | 14:57 |
nowen | probably | 14:57 |
obcecado | quite a nice fast support | 14:57 |
nowen | thanks | 14:57 |
obcecado | do you mind if i stay around? | 14:57 |
nowen | which emails? the ones about the cert? | 14:57 |
obcecado | yes | 14:57 |
nowen | please do. lurking is welcome | 14:58 |
obcecado | :-) | 14:58 |
obcecado | can i take some more of your time? | 15:23 |
obcecado | i validated softtokens | 15:24 |
obcecado | what i'm missing is the radius return attribute | 15:24 |
nowen | ok | 15:26 |
nowen | will all the users get a return attribute? | 15:26 |
nowen | I mean, the same attribute? | 15:26 |
obcecado | well, yes | 15:26 |
nowen | then, on the Network Client tab, you can modify your client and add it on the second page | 15:27 |
nowen | otherwise, you would do it in groups | 15:27 |
obcecado | sorry for my ignorance, but I'm not getting how I should configure this, if I want to have domain auth and this OTP password | 15:28 |
joevano | hi obcecado welcome to the lurkers club | 15:28 |
obcecado | i'm not understanding the concept of this return attribute | 15:28 |
nowen | if you don't know what they are for, leave it blank | 15:28 |
nowen | what are you trying to do? what do you mean by 'domain auth' | 15:29 |
obcecado | let me explain | 15:29 |
obcecado | i have a cisco 4402, which is a wireless controller which provides 802.1x PEAP + SSL, authenticating against cisco acs 5 | 15:30 |
obcecado | the cisco acs queries the ldap directory | 15:30 |
nowen | ok | 15:31 |
nowen | and you want to add two-factor authentication. | 15:34 |
nowen | will the cisco chain the two - i.e., do authorization from ldap and then do authentication via radius to wikid? I assume so | 15:35 |
obcecado | yes, that's the scenario i was designing | 15:35 |
nowen | ok - that should work. I have a question: if the incoming auth is 802.1x peap, what are the options/requirements for 'outbound' auth to WiKID? | 15:36 |
obcecado | i have to check that | 15:38 |
obcecado | in a while | 15:38 |
obcecado | got some task with priority | 15:38 |
nowen | let me know what you find | 15:38 |
nowen | I understand ;) | 15:38 |
*** Skelroy is now known as Skelroy_afk | 15:39 | |
obcecado | i can talk plain radius with wikid | 15:41 |
obcecado | from what i could see | 15:41 |
nowen | so, PAP? | 15:41 |
obcecado | yes | 15:41 |
nowen | good to know. I know that freeradius has that ability too, but I think IAS/NPS does not. | 15:41 |
obcecado | although i have to work with ms windows, i try to run away from it at all costs ;-) | 15:42 |
nowen | hehe | 15:42 |
nowen | are you using openldap? | 15:42 |
obcecado | nope, i manage networking solutions, not directory services, those are win2k8 | 15:43 |
nowen | gotcha | 15:47 |
*** troy_ (6b02a614@gateway/web/freenode/ip.107.2.166.20) has joined #wikid | 16:24 | |
*** Skelroy_afk is now known as Skelroy | 16:35 | |
*** Skelroy is now known as Skelroy_afk | 17:05 | |
*** abetterman (de49d3f2@gateway/web/freenode/ip.222.73.211.242) has joined #wikid | 17:33 | |
abetterman | hello | 17:33 |
nowen | hi | 17:33 |
abetterman | I want help! Any friend can help me? | 17:34 |
nowen | I can help you | 17:34 |
abetterman | I run wikid token client at my laptop(win7), it says "Could not obtain configuration...." | 17:35 |
nowen | what domain are you trying to reach? | 17:35 |
*** Skelroy_afk is now known as Skelroy | 17:35 | |
abetterman | when I create the domain, I write server code 192168030030, and then click the "continue" button. It says error. | 17:36 |
abetterman | I'm sure that I wrote the correct server ID | 17:37 |
nowen | and is 192.168.30.30 the ip address of your WiKID server? | 17:37 |
abetterman | yes | 17:37 |
nowen | and is your PC on that network? | 17:37 |
abetterman | yes, but not in the same subnet. | 17:38 |
abetterman | I can ping wikid server. | 17:38 |
nowen | check out this link: https://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-do-i-run-the-token-in-debug-mode | 17:39 |
nowen | you'll see the url the token is trying to reach | 17:39 |
nowen | did you require any specific token types on the domain? | 17:40 |
abetterman | Allow All Token Types | 17:42 |
nowen | ok. run the token in debug mode | 17:43 |
abetterman | OS is: Windows 7 Using Token File: C:\Users\Zhang\AppData\Roaming\WiKID\WiKIDToken.wkd devPub.length: 294 Sending 310 bytes of post data from pullConfig wComms.connectInternal(): connecting to http://192.168.30.30/wikid/servlet/com.wikidsystems.server.InitDevice4AES?a=0&S=192168030030&CT=1 Opening http://192.168.30.30/wikid/servlet/com.wikidsystems.server.InitDevice4AES?a=0&S=192168030030&CT=1 POST /wikid/servlet/com.wikidsystem | 17:45 |
nowen | try to browse to that last url | 17:45 |
abetterman | not found | 17:46 |
abetterman | I've changed the tomcat listen port | 17:47 |
abetterman | now it's 8443, and my apache runs on 443 & 80 | 17:47 |
nowen | hmm | 17:47 |
nowen | that's the issue | 17:47 |
nowen | do you have to run WiKID on the same server as apache? | 17:48 |
abetterman | yes, on the same server. | 17:48 |
nowen | we recommend you do not do that as a vulnerability in other servers could result in your 2FA server getting owned | 17:48 |
nowen | however, you can just do a redirect in apache to route the traffic to the new port. | 17:49 |
nowen | what port did you use for the WiKIDAdmin? | 17:49 |
abetterman | 8443 | 17:49 |
nowen | what port did you use for the tokens? | 17:49 |
abetterman | it's default. | 17:50 |
nowen | ok - that is port 80 | 17:50 |
nowen | I'm surprised tomcat started | 17:51 |
abetterman | I changed tomcat listen port:8080 | 17:51 |
nowen | ok, a rewrite rule in apache like: `RewriteRule ^/wikid/(.*) http://localhost:8080/wikid/$1 [P]` | 17:52 |
nowen | that will route the token traffic to the right port | 17:53 |
abetterman | Ok,I try it. | 17:53 |
abetterman | now it's ok. thank you very much! | 17:57 |
abetterman | one more question. can I connect to the server through the internet, e.g. MIP? | 18:10 |
nowen | not sure I understand the question | 18:10 |
abetterman | the token client and server are not in the same network. the server is in the firewall's trust zone, and the token client is in the untrust zone. | 18:12 |
nowen | you will need to NAT an external ip | 18:13 |
nowen | and create a new domain with the external ip | 18:13 |
abetterman | ok,I know. | 18:16 |
nowen | ;) | 18:17 |
*** abetterman has quit (Ping timeout: 245 seconds) | 18:44 | |
*** abetterman (dfa72fd0@gateway/web/freenode/ip.223.167.47.208) has joined #wikid | 19:01 | |
abetterman | hi @nowen, are you still here? I want your help again! : ) | 19:02 |
abetterman | I set up NAT and created a new domain with the external IP, but I can't open the url. Tomcat's error is: http status 405. why? | 19:03 |
joevano | abetterman: did you restart the wikid service after creating the new domain? | 19:06 |
*** abetterman has quit (Ping timeout: 245 seconds) | 19:07 | |
nowen | he needs to check his apache logs | 19:35 |
nowen | thanks for covering for me. joevano ;) | 19:47 |
*** Skelroy is now known as Skelroy_afk | 20:00 | |
*** Skelroy_afk is now known as Skelroy | 20:13 | |
*** Skelroy is now known as Skelroy_afk | 20:43 | |
*** Skelroy_afk is now known as Skelroy | 20:56 | |
*** zhangqijie (de49d3e5@gateway/web/freenode/ip.222.73.211.229) has joined #wikid | 21:12 | |
zhangqijie | hello everyone | 21:12 |
nowen | hi | 21:13 |
zhangqijie | who can help me? I set up wikid and openvpn. now when I dial openvpn, an error occurred: TLS Auth Error: Auth Username/Password verification failed for peer | 21:13 |
nowen | I can help you, I work for WiKID | 21:14 |
zhangqijie | OK,it's great. | 21:14 |
nowen | on the WiKID server, take a look at the logs, in the webui there is a link on the top right side | 21:15 |
nowen | what's the last log entry? it's at the top | 21:15 |
zhangqijie | the last log entry is about the radius server being stopped 3 hours ago. | 21:17 |
nowen | did you add a network client for the openvpn on WiKID? | 21:17 |
zhangqijie | yes, openvpn and wikid are on the same server. | 21:18 |
nowen | oh, that could be part of the issue | 21:18 |
zhangqijie | ? | 21:18 |
nowen | what IP address did you use for the openvpn server? | 21:18 |
zhangqijie | 192.168.10.10 | 21:19 |
nowen | ok | 21:19 |
nowen | run this on the terminal: 'netstat -anp | grep 1812' | 21:19 |
zhangqijie | `[root@mStation openvpn]# netstat -anp \| grep 1812` `udp 0 0 0.0.0.0:1812 0.0.0.0:* 31825/radiusd` `udp 0 0 127.0.0.1:18120 0.0.0.0:* 31825/radiusd` | 21:20 |
joevano | nowen: np... not sure he heard it though. he got disconnected a few seconds later | 21:20 |
nowen | are you also running freeradius on this? | 21:20 |
nowen | joevano: yeah, I noticed that. we'll see ;) | 21:21 |
nowen | zhangqijie: WiKID needs to listen on port 1812. | 21:21 |
zhangqijie | yes, It's freeradius. | 21:22 |
zhangqijie | it's now listening on port 1812 | 21:23 |
zhangqijie | I can dial openvpn with username/password now. this password is set in the radius database, not wikid generated. | 21:24 |
zhangqijie | if I use the wikid generated password, I get the above mentioned error: TLS Auth Error: Auth Username/Password verification failed for peer | 21:25 |
nowen | was your associate here early? | 21:25 |
nowen | earlier> | 21:25 |
zhangqijie | yes. that question was solved.thanks! | 21:26 |
nowen | ok | 21:26 |
nowen | so, is openvpn talking to freeradius? | 21:26 |
zhangqijie | yes. | 21:26 |
nowen | and do you want to keep freeradius in this setup? | 21:27 |
zhangqijie | you mean that I can uninstall freeradius? | 21:28 |
nowen | that's fine with WiKID. Freeradius does stuff that WiKID can't do. If you need it for that, then you need it; if not, then you don't. | 21:29 |
nowen | what version of openvpn are you using? | 21:32 |
nowen | AS? | 21:33 |
*** zhangqijie has quit (Ping timeout: 245 seconds) | 21:34 | |
*** troy_ has quit (Quit: Page closed) | 21:35 | |
*** nowen has quit (Quit: Leaving.) | 22:13 | |
*** jY (~jy@photoblog.com) has joined #wikid | 22:32 | |
jY | I upgraded to the latest release via rpm, now it just displays html code when I go to https://radius.sc.recurly.net/WiKIDAdmin/ | 22:33 |
jY | ok seems the tomcat process didn't shutdown cleanly on upgrade | 22:40 |
jY | killed it.. restarted wikid.. works now | 22:40 |
*** jY has parted #wikid (None) | 22:47 | |
*** Skelroy is now known as Skelroy_afk | 23:02 |
Generated by irclog2html.py 2.11.0 by Marius Gedminas - find it at mg.pov.lt!