*** nowen (~nowen@99-174-93-102.lightspeed.tukrga.sbcglobal.net) has joined #wikid | 13:30 | |
*** vladdy (~vladdy@host-31-180-205-198.stv.ru) has joined #wikid | 14:54 | |
*** nowen has quit (Quit: Leaving.) | 15:13 | |
*** nowen (~nowen@99-174-93-102.lightspeed.tukrga.sbcglobal.net) has joined #wikid | 16:28 | |
*** vladdy has quit (Ping timeout: 265 seconds) | 16:46 | |
*** vladdy (~vladdy@host-31-180-205-198.stv.ru) has joined #wikid | 16:48 | |
*** vladdy has quit (Quit: Get MacIrssi - http://www.sysctl.co.uk/projects/macirssi/) | 17:55 | |
*** johndbro1 (d0fef13f@gateway/web/freenode/ip.208.254.241.63) has joined #wikid | 20:42 | |
johndbro1 | Hello | 20:42 |
---|---|---|
nowen | hi | 20:42 |
johndbro1 | two questions for you: first - is the Wikid Radius network client only listening to localhost connections? | 20:42 |
nowen | not sure I understand the question - the listener is on localhost, but it will talk to any network client | 20:43 |
johndbro1 | So it will accept connections from other servers on the network | 20:44 |
nowen | yes, they need to be entered as network clients. then you have to restart the wikid server so they are added to the cache | 20:44 |
johndbro1 | ok. interesting. I have not had any luck connecting to my wikid server's radius listener from other machines on my LAN | 20:45 |
nowen | ok - a few tricks | 20:45 |
nowen | 1. you might need to run 'wikidctl stop' then start | 20:46 |
nowen | and maybe 'killall -9 java' in between for good measure | 20:46 |
johndbro1 | Ok. I've been doing a restart and it seemed to start cleanly, but I'll give that a shot | 20:46 |
nowen | 2. set the logs to debug: http://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-can-i-set-radius-logging-to-debug-how-can-i-see-if-wikid-is-getting-the-radius-requests | 20:46 |
nowen | 3. run 'tcpdump port radius' on the server to make sure the requests are getting there | 20:47 |
nowen | 4. run 'netstat -anp | grep 1812' to make sure the listener is up | 20:47 |
johndbro1 | I did 2 and 4 previously, but I'll double check | 20:48 |
nowen | the logs revert to non-debug on restart unless you save the config | 20:48 |
johndbro1 | interesting | 20:49 |
nowen | well, debug creates a lot of info. enough to slow a server down depending on the box | 20:50 |
johndbro1 | Yeah, I wasn't criticizing :) Just wasn't expecting it | 20:51 |
nowen | gotcha | 20:55 |
johndbro1 | Ok, the second question is timely now - can I use radtest from the freeradius package to test that WiKID can authenticate the WiKID user I set up, assuming I have the token and the shared secret? | 20:56 |
nowen | yeah, I've used that and radlogin | 20:56 |
johndbro1 | Ok. I used radtest on my Wikid server, and I gave it the current passcode, and it presents this in the logs: Server returns passcode: -1 | 21:01 |
nowen | hmm | 21:01 |
johndbro1 | along with other stuff, but that seems to be the key line | 21:01 |
nowen | that's in the WiKIDAdmin logs? | 21:02 |
johndbro1 | asdfas | 21:02 |
johndbro1 | opt/wikid/log/radius.log | 21:02 |
johndbro1 | I forgot about leading / being meta-commands in IRC. Been a long time | 21:03 |
nowen | heeh | 21:03 |
nowen | I find it to be a great support tool | 21:03 |
johndbro1 | Yeah, this is pretty nice - unless you get a bunch of people in here, I would imagine it would get pretty confusing then | 21:03 |
nowen | or perhaps, step one is 'get on irc' and that limits access! | 21:03 |
johndbro1 | yeah, probably | 21:04 |
johndbro1 | any thoughts on that return code? | 21:06 |
nowen | can you check in the WiKIDAdmin logs? could be non-radius | 21:06 |
johndbro1 | sure - the logs in the Web admin include: Server returns passcode: -1 and then | 21:09 |
johndbro1 | <111> Access-Request(1) LEN=76 127.0.0.1:42833 Access-Request by johnbr Failed: AccessRejectException: Access Denied | 21:09 |
nowen | and you're getting the OTP ok? | 21:09 |
johndbro1 | yeah, no problems there. I see that in the logs as well | 21:09 |
nowen | is the log level set to debug? | 21:09 |
johndbro1 | yes sir | 21:10 |
johndbro1 | both of those lines were debug level logs | 21:10 |
johndbro1 | Oh - I do not have postgres set up - is that required for this to work? | 21:12 |
nowen | haha, yes | 21:12 |
nowen | how did you install without it? | 21:12 |
nowen | how do you log in without it? | 21:12 |
johndbro1 | everything just works - I can log in, view logs, create domains, etc | 21:12 |
nowen | then postgres is set up | 21:12 |
nowen | did you get a cert from us? | 21:13 |
johndbro1 | Yeah - I filled out a form on my wikid server, and then pasted something on your site, and you emailed me back a cert | 21:13 |
johndbro1 | or something like that | 21:13 |
nowen | ok | 21:13 |
nowen | hmm | 21:13 |
nowen | is the user enabled? | 21:14 |
johndbro1 | yes | 21:15 |
nowen | what version of WiKID is this? | 21:15 |
johndbro1 | And I can verify that postgres is running. There are some logs that look like they're saying it isn't | 21:15 |
johndbro1 | but I think they must be from the initial install. | 21:15 |
johndbro1 | wikid-server-enterprise-3.5.0-b1359 | 21:16 |
johndbro1 | well, I was enabled before, but when I just checked now, I was disabled. Let me try my test again | 21:19 |
nowen | just run 'wikidctl restart' | 21:19 |
nowen | it will start all the needed services | 21:20 |
johndbro1 | I meant my user - johnbr - was marked disabled | 21:20 |
nowen | ahh | 21:20 |
johndbro1 | but now, having double checked that the johnbr account is enabled, I still get the same result - server returns passcode -1 | 21:21 |
nowen | and in the logs you see: "Issued passcode to device ..." | 21:23 |
nowen | and then that error? | 21:23 |
johndbro1 | Issued passcode to device 1020415903309832264 | 21:24 |
johndbro1 | then a bunch of protocol stuff | 21:24 |
nowen | can you paste the pertinent log to pastebin? | 21:24 |
johndbro1 | http://pastebin.com/E8qUF9Bq | 21:26 |
nowen | can you double-check your shared secrets? | 21:27 |
johndbro1 | you bet | 21:27 |
johndbro1 | They are the same - when I use radtest with a slightly different secret, it doesn't respond at all | 21:29 |
nowen | hmm | 21:34 |
johndbro1 | Glad to know I'm not just being dumb, at least so far | 21:36 |
nowen | can you upgrade to this: http://wikidsystems-dl.com/wikid-server-enterprise-3.5.0.b1373-1.noarch.rpm | 21:39 |
nowen | just use rpm -Uvh to upgrade | 21:39 |
johndbro1 | ok | 21:42 |
johndbro1 | BTW, I looked at the curr_codes table in the database, and I can confirm that the curr_codes entry in the table is the same as what I'm using in my radtest call | 21:42 |
johndbro1 | ok, upgraded and restarting | 21:44 |
johndbro1 | still rejecting the passcode, in the same way | 21:51 |
nowen | ok, can you add a new user and try again? | 21:51 |
johndbro1 | sure | 21:52 |
johndbro1 | yay, that worked | 22:00 |
nowen | huh | 22:00 |
johndbro1 | I created a new user, ann, and she was granted access | 22:00 |
nowen | any thoughts on what might have happened? could the user have been disabled, but the page not refreshed? | 22:01 |
johndbro1 | I'm thinking that I may not have properly configured johnbr during the registration process - maybe I never properly attached him to a registration code or something | 22:01 |
johndbro1 | but he was definitely enabled | 22:02 |
nowen | hmm | 22:02 |
johndbro1 | I think I may have done the 'Create New Domain' thing on the client a couple of times - perhaps I clicked on the wrong registration code on the Admin screen when I was completing the loop | 22:03 |
johndbro1 | in which case, he was attached to a 'stale' registration code | 22:03 |
johndbro1 | In any case, I am much, much closer to my goal now. Thank you for that! | 22:06 |
johndbro1 | as soon as I can reproduce ssh-with-wikid with a different PC, I think I'll be ready to buy the licenses and move into production | 22:07 |
johndbro1 | Thanks again for all your help. Take care | 22:08 |
*** johndbro1 has parted #wikid (None) | 22:08 | |
*** nowen has quit (Quit: Leaving.) | 23:13 |