*** djw1005 (bc5fce57@gateway/web/freenode/ip.188.95.206.87) has joined #wikid | 10:13 | |
djw1005 | hello | 10:13 |
*** djw1005 has quit (Client Quit) | 10:16 | |
*** djw1005 (bc5fce57@gateway/web/freenode/ip.188.95.206.87) has joined #wikid | 14:11 | |
djw1005 | hello | 14:11 |
djw1005 | anyone there to help? | 14:12 |
*** djw1005 has quit (Client Quit) | 14:12 | |
*** nowen (~nowen@99-174-93-102.lightspeed.tukrga.sbcglobal.net) has joined #wikid | 14:30 | |
*** djw1005 (bc5fce57@gateway/web/freenode/ip.188.95.206.87) has joined #wikid | 16:42 | |
djw1005 | hey there, can I ask for assistance? | 16:42 |
nowen | sure | 16:42 |
djw1005 | I want to get my MS VPN to work with wikid but it just falls over | 16:44 |
djw1005 | is it actually possible or am I fighting a losing battle | 16:44 |
nowen | totally possible | 16:45 |
nowen | what version of WiKID are you using? | 16:45 |
djw1005 | the latest one, I have tried following the Howto but I think there are steps missing | 16:46 |
djw1005 | For starters I can get my AD users into WiKID | 16:46 |
nowen | did you get a cert from us? | 16:47 |
djw1005 | yeah that all worked | 16:47 |
nowen | and you created a network client for the vpn? | 16:47 |
djw1005 | network client? | 16:48 |
nowen | the VPN needs to be setup as network client on the WiKID server | 16:48 |
djw1005 | not sure what you mean? | 16:48 |
nowen | http://www.wikidsystems.com/support/wikid-support-center/manual/how-to-install-the-wikid-strong-authentication-server/how-to-install-the-wikid-strong-authentication-server-enterprise-edition-page-4 | 16:49 |
nowen | the WiKID server needs to have a relationship with the VPN. This is done by setting up the vpn as a network client on the WiKID server | 16:49 |
nowen | is this the Enterprise version? | 16:50 |
djw1005 | yes it is | 16:50 |
djw1005 | i downloaded the trial | 16:50 |
djw1005 | Ok I have already added the vpn server | 16:51 |
djw1005 | but what should it be added as? | 16:51 |
nowen | and then did you restart the wikid service? | 16:51 |
djw1005 | I mean the service type | 16:51 |
nowen | radius | 16:52 |
djw1005 | ok, it is, that's what I thought | 16:52 |
djw1005 | I presume that NPS should be set to forward on to this | 16:53 |
nowen | yes | 16:53 |
nowen | look at the WiKIDAdmin logs, set the log level debug and hit filter | 16:53 |
nowen | do you see a radius request from the nps or do you see the OTP request? | 16:53 |
djw1005 | don't see any from NPS | 16:56 |
djw1005 | if it's set up correctly, what should happen on the client? | 16:56 |
nowen | on the terminal, run 'tcpdump port radius' and then try to login again. | 16:56 |
*** jb____ (d0fef13f@gateway/web/freenode/ip.208.254.241.63) has joined #wikid | 16:57 | |
jb____ | howdy | 16:57 |
nowen | hi | 16:57 |
jb____ | Do you mind if I ask a question about wikid and SSH? | 16:58 |
nowen | not at all | 16:58 |
djw1005 | On the client, that is connecting to the VPN, will a box pop up asking for a code? | 16:58 |
nowen | you put it in the password field | 16:59 |
djw1005 | ok | 16:59 |
jb____ | (SSH) I have my wikid server set up, I have radius set up, and I have a wikid Radius client. I can confirm that ssh uses radius to authenticate (I have a user set up in radius, and I can log in, even though they don't have a password in /etc/passwd) | 16:59 |
jb____ | But I can't seem to get radius to connect to wikid | 17:00 |
jb____ | I looked at this page, but it doesn't seem to have that step: http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-secure-ssh-with-two-factor-authentication-from-wikid | 17:00 |
nowen | you have a radius server between the ssh server and WiKID? | 17:01 |
jb____ | yes. I can log into ssh using a user whose credentials are specified in the radius users file | 17:01 |
djw1005 | in the notes for NPS, it says "Give your RADIUS client a friendly name such as "Enterprise VPN" or "Partner Extranet" and enter the IP address." Which IP is this? | 17:01 |
nowen | djw1005: the IP of your VPN | 17:02 |
nowen | the traffic goes VPN >>> NPS >>> WiKID | 17:02 |
nowen | NPS does the authorization based on the username and policy. if it is good, it asks WiKID to do the authentication based on username/otp | 17:03 |
djw1005 | ok, it's just that the notes aren't that clear. | 17:03 |
nowen | well, it's hard for us to document all the VPNs out there. You can refer to the MS documentation. Also, we have a pdf eGuide that has better graphics: http://www.wikidsystems.com/learn-more/two-factor-authentication-white-papers | 17:05 |
jb____ | (SSH) I can see that other people have this working just fine, so I know I must be doing something dumb, but I'm not sure what the dumb thing is | 17:07 |
nowen | jb____: are you connecting the ssh server to WiKID directly or through a radius server such as NPS or freeradius? | 17:07 |
jb____ | (SSH) Freeradius. I have PAM set up to pass ssh traffic to freeradius using the radius library. I have that working - I know because I can log into ssh with a user who is in my radius users file | 17:09 |
djw1005 | i appreciate that | 17:09 |
nowen | ok - and did you setup freeradius as a network client on the WiKID server? | 17:09 |
jb____ | (SSH) Yes I did. | 17:09 |
nowen | and did you restart WiKID after? | 17:10 |
jb____ | I created the network client, and added the wikid server (which is on the same machine) to /etc/raddb/servers, with the same shared secret | 17:10 |
nowen | is there a listener on 1812 udp? | 17:10 |
jb____ | (SSH) Restarted several times | 17:10 |
jb____ | (SSH) Let me check | 17:10 |
jb____ | yes there is, trying to identify the process | 17:12 |
jb____ | (SSH) Radiusd is listening on port 1812 | 17:13 |
nowen | on the WiKID server? | 17:13 |
jb____ | (SSH) Both the wikid server and radius are running on the same machine - is that a problem? | 17:14 |
jb____ | yeah | 17:14 |
nowen | it is much more complex. what IP address did you use for the network client on WiKID? | 17:14 |
jb____ | Checking. But first - if it would be easier to move the Wikid server elsewhere, I can do that instead | 17:16 |
nowen | we recommend that - simplicity, but also security. we recommend WiKID run on a separate box | 17:16 |
djw1005 | I am getting some logs now, | 17:17 |
nowen | http://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-can-i-set-radius-logging-to-debug-how-can-i-see-if-wikid-is-getting-the-radius-requests | 17:17 |
jb____ | (SSH) ok - and then I would add the new Wikid server's IP, on port 1812 as the secondary entry in /etc/raddb/server | 17:18 |
nowen | yep | 17:18 |
jb____ | ok. thanks | 17:19 |
djw1005 | what should I be seeing? | 17:20 |
djw1005 | none of my domain users are in the system, is this why? | 17:21 |
nowen | djw1005: we want to see if the radius requests are reaching wikid. get an otp, hit filter on the logs, try to login and hit filter again | 17:21 |
jb____ | @nowen - thank you for your help. Much appreciated. | 17:23 |
nowen | np | 17:23 |
djw1005 | it's never going to work until I get the AD users in there, which again doesn't seem to work | 17:23 |
nowen | as I say, pre-sales engineering > post-sales support | 17:23 |
nowen | djw1005: do you have a user registered? | 17:23 |
djw1005 | i have a few users registered, but none are AD accounts | 17:24 |
nowen | so, yeah, that won't work | 17:24 |
djw1005 | so how can I get the AD accounts in there? | 17:24 |
djw1005 | as the other tutorial to get them in doesn't work either | 17:25 |
nowen | they just have to have the same name | 17:25 |
nowen | so, if my AD username is nowen, my wikid account name needs to be nowen | 17:25 |
nowen | djw1005: how many users will you have? | 17:29 |
djw1005 | about 20 | 17:32 |
*** jb____ has quit (Ping timeout: 245 seconds) | 17:35 | |
djw1005 | going to give up for now, got to go home | 17:36 |
djw1005 | thanks for the help | 17:36 |
*** djw1005 has quit (Quit: Page closed) | 17:36 | |
*** nowen has quit (Quit: Leaving.) | 22:43 |