*** d1ZZy_ (c3fea40c@gateway/web/freenode/ip.195.254.164.12) has joined #wikid | 10:34 | |
d1ZZy_ | hi | 10:34 |
d1ZZy_ | anyone about? | 10:35 |
d1ZZy_ | I'm getting the following error during the wikidctl setup | 10:43 |
d1ZZy_ | opt/WiKID/sbin/make_tomcat_ssl_cert.sh: line 17: /usr/java//bin/keytool: No such file or directory | 10:43 |
d1ZZy_ | opt/WiKID/sbin/make_tomcat_ssl_cert.sh: line 18: /usr/java//bin/keytool: No such file or directory | 10:43 |
d1ZZy_ | so the setup won't complete | 10:43 |
d1ZZy_ | I've installed the WIKID community edition image | 10:45 |
d1ZZy_ | taken from here: | 10:45 |
d1ZZy_ | http://sourceforge.net/projects/wikid-twofactor/files/VMware%20Image/3.3.10/ | 10:45 |
*** d1ZZy_ has quit (Ping timeout: 245 seconds) | 11:27 | |
*** d1ZZy_ (c3fea40c@gateway/web/freenode/ip.195.254.164.12) has joined #wikid | 11:49 | |
d1ZZy_ | anyone about yet? | 11:49 |
joevano | d1ZZy_: nowen usually shows up any time between now and the next hour and a half | 13:10 |
joevano | I would think it is a java issue, but I don't really know | 13:10 |
joevano | d1ZZy_: here is something... http://www.wikidsystems.com/support/wikid-support-center/installation-how-tos/how-to-install-the-wikid-enterprise-rpms | 13:12 |
joevano | it deals with the enterprise edition but seems to address the same issue | 13:12 |
*** nowen (~nowen@50-194-249-125-static.hfc.comcastbusiness.net) has joined #wikid | 13:49 | |
d1ZZy_ | hi thanks for that | 13:51 |
d1ZZy_ | is RADIUS not supported in the community edition? | 13:51 |
nowen | d1ZZy_: no, we use a 3rd party piece of software for that | 13:52 |
d1ZZy_ | when I try to enable the radius protocol it says unsupported in this version | 13:53 |
nowen | d1ZZy_: also, that vmware image is probably quite old | 13:53 |
d1ZZy_ | yeah i stopped using that | 13:53 |
d1ZZy_ | I've installed the community edition directly onto a centos 6 box | 13:53 |
d1ZZy_ | thanks nick just got your email | 13:58 |
nowen | ;-) | 13:58 |
nowen | so, are you testing both? | 13:58 |
d1ZZy_ | my end goal is to set up 2FA to allow remote users access | 13:58 |
d1ZZy_ | Nick, so how can I use RADIUS with the community edition? | 14:03 |
nowen | you can write a plugin for freeradius using the api | 14:04 |
d1ZZy_ | lol - I'm not that good :p | 14:04 |
nowen | yeah. me neither | 14:06 |
d1ZZy_ | well I guess this is going to put a stopper on me using wikid | 14:07 |
nowen | you have no budget? | 14:07 |
d1ZZy_ | well I had some budget, which has now been placed on hold. Was hoping I might be able to use this.... | 14:09 |
nowen | and what type of vpn do you use? | 14:09 |
d1ZZy_ | one of the leading firewall vendors :p | 14:10 |
nowen | do they support tacacs? | 14:10 |
d1ZZy_ | brb hold on | 14:10 |
d1ZZy_ | yes it supports tacacs | 14:12 |
nowen | that might work | 14:12 |
nowen | our tacacs implementation is a bit kludgy | 14:12 |
nowen | but it works | 14:12 |
d1ZZy_ | tacacs+ | 14:13 |
d1ZZy_ | is that the same as tacacs? | 14:13 |
nowen | we use tacacs+ | 14:13 |
d1ZZy_ | what do you mean by kludgy? | 14:13 |
nowen | the only open source package we could find requires a text file with current valid passcodes. | 14:13 |
d1ZZy_ | so not as secure | 14:14 |
nowen | we rewrite the file periodically, but it makes it less one-time than our other protocols | 14:14 |
d1ZZy_ | ahhh so potentially exploited more easily | 14:14 |
nowen | yes, but the risk is minimal IMO. If someone can get the OTP and use it in less than say a minute, then they can likely get access an easier way | 14:15 |
d1ZZy_ | lol | 14:19 |
d1ZZy_ | true | 14:19 |
d1ZZy_ | when adding a network client and choosing tacacs+ / where does the shared secret come from? | 14:23 |
d1ZZy_ | or do I just create one there and then for each client? | 14:23 |
nowen | you have to configure the domain to be a tacacs+ domain first | 14:27 |
d1ZZy_ | so as long as my firewall points to the internal server, the WIKID server should need to be public? | 14:29 |
d1ZZy_ | or does it need the second interface for the token client? | 14:29 |
nowen | the tokens need to talk to the WiKID server. so it needs an external IP, but it can be NAT'd | 14:30 |
d1ZZy_ | great | 14:32 |
d1ZZy_ | do you have to configure the client to point to the public server? | 14:32 |
nowen | yes | 14:32 |
d1ZZy_ | thanks | 14:32 |
nowen | the token client | 14:32 |
d1ZZy_ | what protocol does it need to come in on? | 14:40 |
d1ZZy_ | 443? | 14:40 |
d1ZZy_ | for NAT | 14:40 |
d1ZZy_ | also, would you advise putting the WIKID server into a DMZ? | 14:44 |
nowen | the token client uses http on port 80 | 14:44 |
d1ZZy_ | I've been trying to install wikid community all day | 16:41 |
d1ZZy_ | it goes through the setup and starts | 16:42 |
nowen | any errors? | 16:42 |
d1ZZy_ | then when I try going to it in the browser it just doesn't load | 16:42 |
nowen | check in /opt/WiKID/tomcat/logs/catalina.out | 16:42 |
d1ZZy_ | I'm rebuilding the server and starting from scratch | 16:42 |
d1ZZy_ | so if I have the same problem I'll check there | 16:42 |
d1ZZy_ | I was trying to install it on a cloned vm | 16:43 |
d1ZZy_ | also, is it acceptable to have one interface | 16:43 |
d1ZZy_ | ? | 16:43 |
d1ZZy_ | eth0 | 16:43 |
nowen | yes | 16:43 |
d1ZZy_ | thanks | 16:43 |
d1ZZy_ | trying to install now | 17:14 |
d1ZZy_ | on a clean build server fully updated.... | 17:14 |
d1ZZy_ | and | 17:16 |
d1ZZy_ | it won't connect to the server | 17:16 |
nowen | what version of the rpm? | 17:17 |
d1ZZy_ | wikid-server-community-3.5.0.b1333-1.noarch.rpm | 17:17 |
d1ZZy_ | wikid-utilities-3.4.2-1.x86_64.rpm | 17:17 |
nowen | is the port open? | 17:17 |
d1ZZy_ | how can I check? | 17:18 |
nowen | 'iptables -L -n' | 17:18 |
nowen | look for 443 | 17:18 |
nowen | also run 'netstat -anp | grep 443' | 17:18 |
nowen | on the server | 17:18 |
d1ZZy_ | tcp 0 0 :::443 :::* LISTEN 3007/jsvc.exec | 17:19 |
nowen | so the listener is up | 17:20 |
nowen | it might be the self-signed cert | 17:20 |
d1ZZy_ | I used the FQDN for the name | 17:20 |
nowen | what browser? | 17:20 |
d1ZZy_ | ie and firefox | 17:20 |
d1ZZy_ | http://FQDN/WiKIDAdmin/ | 17:21 |
nowen | try https | 17:21 |
d1ZZy_ | nope same | 17:21 |
d1ZZy_ | even with ip instead of fqdn | 17:22 |
nowen | does iptables list 443? | 17:22 |
d1ZZy_ | I've just nmap'd localhost and it says it's open | 17:23 |
d1ZZy_ | ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited | 17:23 |
nowen | try 'service iptables stop' and see if it works | 17:24 |
d1ZZy_ | LOL | 17:25 |
d1ZZy_ | it worked | 17:25 |
nowen | ;-) | 17:25 |
*** Mustio (1fdd0284@gateway/web/freenode/ip.31.221.2.132) has joined #wikid | 17:28 | |
Mustio | Hi | 17:29 |
nowen | hi | 17:29 |
d1ZZy_ | c u tomorrow | 17:30 |
d1ZZy_ | thanks for your help Nick!! | 17:30 |
nowen | ok d1ZZy_ | 17:30 |
nowen | np | 17:30 |
Mustio | I was wondering if you can help me. We are looking for Two Factor Authentication Solution | 17:30 |
*** d1ZZy_ has quit (Quit: Page closed) | 17:30 | |
nowen | Mustio: ok | 17:30 |
Mustio | And I have been reading about Wikid | 17:30 |
Mustio | But I am struggling to know where the two factor authentication is coming into this.. | 17:31 |
nowen | Mustio: the two factors are knowledge of the PIN and possession of the private key embedded in the token | 17:31 |
nowen | you can think of WiKID compared to certs. But this cert is only used to encrypt a PIN and send it to your server | 17:32 |
Mustio | ok | 17:32 |
nowen | but there are no white/black lists to deal with and you get a password which can be used on all interfaces | 17:32 |
nowen | is this for PCI compliance? | 17:32 |
Mustio | yes | 17:33 |
Mustio | exactly | 17:33 |
nowen | most of our customers are using WiKID for pci compliance ;-) | 17:33 |
Mustio | Ok | 17:33 |
Mustio | Please help me understand this. I want an overview picture. Say I have a VPN client running on my PC/Laptop. Where do I connect to first and what do I need.. | 17:36 |
Mustio | Jump host? | 17:36 |
nowen | you first start the WIKID token. You enter your PIN and you get back a one-time passcode | 17:36 |
nowen | you start your VPN client and enter your username and OTP | 17:37 |
nowen | the VPN server passes the credentials to the WiKID server for validation. | 17:37 |
nowen | if they are valid, the VPN server grants access | 17:37 |
Mustio | Ok | 17:38 |
nowen | you could also run the authentications through AD using the MS radius plugin NPS | 17:39 |
Mustio | ok | 17:40 |
Mustio | When you say you start the WIKIN token? Is this another client? There is no fob involved right? | 17:42 |
nowen | correct. we have only software tokens. for Windows, Mac, Linux, iPhone/iPad, Android etc | 17:43 |
Mustio | sorry WIKID | 17:43 |
Mustio | So is this the correct process flow: | 17:44 |
Mustio | 1: Start Wikid client to obtain OTP | 17:44 |
Mustio | 2: Use the password in the VPN | 17:45 |
Mustio | So is this the correct process flow: | 17:45 |
Mustio | So is this the correct process flow: | 17:46 |
nowen | yes | 17:48 |
Mustio | 3: VPN server passes the credentials to the WiKID server for validation. | 17:48 |
Mustio | Which means I need two clients running on my Laptop to get remote access: 1: VPN client 2: Wikid client | 17:50 |
nowen | yes, or the WiKID token on a smart phone | 17:51 |
Mustio | Oh Smart phone.. that sounds good. -:) So I will start the Wikid application on my phone get the OTP and use it in my VPN client.. | 17:53 |
nowen | yes | 17:53 |
nowen | that's an option | 17:53 |
Mustio | Ok | 17:55 |
Mustio | What is the other option? | 18:02 |
nowen | the PC token | 18:02 |
joevano | Mustio: our users love it over hardware tokens (our previous 2fa) | 18:05 |
Mustio | ok | 18:08 |
Mustio | The PC token is a client running on your PC/Laptop right? | 18:09 |
nowen | what vendor are you using? | 18:09 |
nowen | yes | 18:09 |
Mustio | Vendor for which hardware? | 18:10 |
Mustio | firewall? | 18:10 |
nowen | for the hardware tokens? | 18:11 |
Mustio | We are not using any hardware tokens at the moment. This will be our first 2fa | 18:12 |
nowen | oh - oops, I didn't notice that it was joevano speaking ;) | 18:12 |
Mustio | Ok thanks | 18:13 |
Mustio | Guys | 18:13 |
Mustio | I will do some reading :-) | 18:14 |
Mustio | now | 18:14 |
nowen | ok | 18:14 |
nowen | I recommend you download and test the server too | 18:14 |
Mustio | Ok will do. | 18:14 |
Mustio | We can run it only on Linux, right? i.e. Ubuntu | 18:15 |
Mustio | server | 18:15 |
nowen | yes, but we recommend centos | 18:15 |
nowen | or rhel | 18:15 |
nowen | our ISO has all the software you need too | 18:15 |
nowen | it is based on centos | 18:15 |
Mustio | ok | 18:16 |
Mustio | Thanks | 18:16 |
*** nowen has quit (Quit: Leaving.) | 23:24 | |