| *** vladdy has quit (Read error: Operation timed out) | 06:52 | |
| *** vladdy (~vladdy@194.242.5.47) has joined #wikid | 06:56 | |
| *** nowen (~nowen@50-194-249-126-static.hfc.comcastbusiness.net) has joined #wikid | 12:16 | |
| joevano | morning nowen | 12:25 |
|---|---|---|
| nowen | morning joevano | 12:25 |
| joevano | did you guys have any issues with Sandy? | 12:26 |
| nowen | no, just some wind down here | 12:26 |
| joevano | have to thank the Bulldogs for knocking down Florida, allowed us to move up to #3 | 12:28 |
| nowen | we do what we can ;) | 12:28 |
| *** jpreston (d8e79e1a@gateway/web/freenode/ip.216.231.158.26) has joined #wikid | 19:55 | |
| *** jpreston has quit (Client Quit) | 19:57 | |
| *** Roger_ (d8e79f10@gateway/web/freenode/ip.216.231.159.16) has joined #wikid | 20:57 | |
| Roger_ | How are you guys doing? | 20:57 |
| nowen | good, how about you? | 20:58 |
| Roger_ | Great..........having issues with my current WIKID setup at work using TACACS thought :-/ | 20:58 |
| Roger_ | though* | 20:58 |
| nowen | it's a bit tricky, there are not a lot of opensource tacacs tools | 20:58 |
| nowen | so, we had limited options | 20:59 |
| nowen | is it not starting? | 20:59 |
| Roger_ | Well, so im a network guy and our desktop guy has setup up the box for TACACS and he set me up as a user and i downloaded the WIKID software to generate a code,,,,,,,,,,,,,and from our Cisoc ASA, I test authentication and get this in my debug.................. | 21:00 |
| Roger_ | test aaa-server authentication TACACS host 10.1.100.130 username roger password ********** | 21:01 |
| Roger_ | ERROR: Authentication Rejected: Unspecified | 21:01 |
| nowen | on the WiKID server, run 'netstat -anp | grep 49' | 21:01 |
| Roger_ | and the desktop guy says my user is setup in WIKID and that im generating the passcode | 21:01 |
| Roger_ | to see if port 49 is listening im guessing? | 21:02 |
| nowen | yes | 21:02 |
| Roger_ | one sec....and thanks | 21:02 |
| Roger_ | ok so the very first line, i see the following | 21:05 |
| Roger_ | tcp 0 0 0.0.0.0:49 0.0.0.0:* LISTEN 1496/tac_plus | 21:06 |
| nowen | well, that's good | 21:06 |
| Roger_ | yep | 21:06 |
| nowen | run 'tcpdump port 49' on the WiKID server and then try to auth again. | 21:07 |
| nowen | oh, and run 'iptables -L -n' and see if port 49 is open for that IP | 21:08 |
| Roger_ | awesome ....doign that now | 21:08 |
| Roger_ | ACCEPT tcp -- 10.1.0.2 0.0.0.0/0 state NEW tcp dpt:49 | 21:12 |
| nowen | ok - and that's your cisco? | 21:12 |
| Roger_ | 10.1.0.2 is the firewall im testing authentication from | 21:12 |
| Roger_ | yep exactly | 21:12 |
| Roger_ | i can do the tcpdump real quick | 21:12 |
| nowen | and via the WiKIDAdmin UI, can you check the logs? | 21:13 |
| *** jpreston (d8e79e1a@gateway/web/freenode/ip.216.231.158.26) has joined #wikid | 21:13 | |
| Roger_ | Actually Jpreston is here now ....he is in charge of the WIKID server | 21:14 |
| nowen | ok | 21:14 |
| nowen | jpreston: via the WiKIDAdmin UI, can you check the logs? | 21:14 |
| nowen | set the log level to debug and hit the filter button | 21:14 |
| jpreston | sure | 21:15 |
| jpreston | the last log is from 20-222012 | 21:15 |
| jpreston | sorry 10-22-2012 | 21:15 |
| nowen | hmm | 21:15 |
| nowen | on the terminal, can you run | 21:16 |
| nowen | 'date' | 21:16 |
| jpreston | it's 10-29-2012 15:09 MDT | 21:16 |
| nowen | ok | 21:16 |
| nowen | on the logs page, you'll see a link to Configure Loggers, go to that page and set the three middle loggers to debug, and apply changes | 21:17 |
| jpreston | got it. and i applied the changes | 21:18 |
| nowen | ok - run that tcpdump command 'tcpdump port 49' and try to auth again | 21:19 |
| nowen | also, make sure that the user is enabled | 21:19 |
| jpreston | running tcpdump now | 21:20 |
| Roger_ | we have the tcpdump output but not sure if we can get it into this chat | 21:25 |
| nowen | that's fine | 21:25 |
| Roger_ | i see a syn, syn ack, and ack ...so the 3 way handshake looks good | 21:25 |
| nowen | yeah, so that is working | 21:25 |
| nowen | what is in the WiKIDAdmin logs? | 21:26 |
| Roger_ | which is verified with my Cisco ASA reject message coming from the WIKID server | 21:26 |
| jpreston | still nothing in the WiKID logs from today | 21:26 |
| nowen | do you see the OTP request? | 21:27 |
| nowen | is the user enabled? | 21:28 |
| jpreston | no...still showing 10-22 as the last logged | 21:28 |
| jpreston | yes the account is enabled | 21:29 |
| nowen | you have 'log level' set to Debug? | 21:29 |
| jpreston | yes | 21:29 |
| nowen | you should see the OTP request | 21:30 |
| jpreston | still nothing, but i checked the runing processes on the server and i do not see a syslog service running. so that is probably why we are not getting logging on the WiKID server | 21:31 |
| Roger_ | and Just FYI from this same Cisco ASA i can successfully authenticate to our Active Directory server using RADIUS everytime | 21:31 |
| nowen | no, the WiKID logs are internal | 21:31 |
| jpreston | hmm..... | 21:32 |
| nowen | well, if you want to use radius, then that's quite easy. tacacs is a pita | 21:32 |
| Roger_ | lol unfortunaely...its not free :-/ | 21:35 |
| nowen | and if you're using AD, you should use NPS to route the requests through AD. Unless you need tacacs for something specific | 21:35 |
| nowen | no | 21:35 |
| jpreston | well one of the requirments is not to use AD at all. | 21:36 |
| Roger_ | I thought it cost money with WIKID | 21:36 |
| nowen | radius requires the Enterprise version, so yes $$ | 21:36 |
| Roger_ | Yep, exactly. | 21:38 |
| nowen | probably the logs are being written to the file system somewhere. you can check in /opt/WiKID/logs | 21:42 |
| jpreston | i'm looking at the centralLogger.log there are a lot of log4j:ERROR problem appending event, org.portgresql.util.PSQLExecption: ERROR: duplicate key value violates unique constraint "logging_event_pkey" | 21:47 |
| jpreston | not much of anything else in that one | 21:47 |
| nowen | no, it would be something with tacacs in the name | 21:48 |
| jpreston | in /opt/WiKID/logs there are no logs with tacacs in the name | 21:49 |
| nowen | run 'updatedb; locate tacacs*' | 21:57 |
| jpreston | brb | 21:57 |
| nowen | time for me to go home | 22:16 |
| nowen | I'll be back tomorrow | 22:16 |
| *** nowen has parted #wikid (None) | 22:16 | |
| *** jpreston has quit (Quit: Page closed) | 22:27 | |
Generated by irclog2html.py 2.11.0 by Marius Gedminas - find it at mg.pov.lt!