*** d1ZZy_ (c3fea40c@gateway/web/freenode/ip.195.254.164.12) has joined #wikid | 09:26 | |
d1ZZy_ | does anyone know if you can integrate WIKID into Office365? | 09:30 |
d1ZZy_ | my client is unable to obtain configuration | 11:30 |
d1ZZy_ | i know the appropriate ports are open to the server | 11:30 |
d1ZZy_ | firewall traffic is showing GREEN for HTTP connection | 11:34 |
d1ZZy_ | server is sat in a 192 DMZ network | 11:35 |
d1ZZy_ | One client is in the LAN / One client is external | 11:35 |
d1ZZy_ | appropriate ports are opened and NAT'd | 11:35 |
d1ZZy_ | Wikid server only has one interface (a 192 address) | 11:36 |
d1ZZy_ | The server has a public IP and is NAT'd to the 192 address | 11:36 |
d1ZZy_ | ports 80 and 443 are open on the internet | 11:36 |
d1ZZy_ | i can browse to the portal | 11:36 |
d1ZZy_ | both from the LAN and the internet | 11:37 |
d1ZZy_ | i've also disabled IPTABLES for testing | 11:40 |
d1ZZy_ | public firewall is only allowing 80 and 443 IN to the server | 11:40 |
d1ZZy_ | i can also see the attempt when i tail the access log for today under /opt/wikid/tomcat/logs | 11:48 |
d1ZZy_ | ive also noticed the unregistered device count is increasing | 11:58 |
d1ZZy_ | and FYI im restarting and stopping the server with each change | 12:04 |
d1ZZy_ | Log entry (with IP MASKED out of the url with XXXXXXXXXXXX): | 12:11 |
d1ZZy_ | [09/Jan/2013:12:07:03 +0000] "POST /wikid/servlet/com.wikidsystems.server.InitDevice5AES?a=0&S=XXXXXXXXXXXX&lck=1&CT=0 HTTP/1.1" 200 | 12:11 |
*** d1ZZy_ has quit (Ping timeout: 245 seconds) | 15:17 | |
*** nowen (~nowen@50-194-249-125-static.hfc.comcastbusiness.net) has joined #wikid | 15:32 | |
*** d1zzy_ (c3fea40c@gateway/web/freenode/ip.195.254.164.12) has joined #wikid | 15:34 | |
d1zzy_ | sorry got disconnected | 15:34 |
d1zzy_ | nick if you can help!! | 15:34 |
nowen | hey | 15:36 |
nowen | token still not connecting to the domain? | 15:36 |
d1zzy_ | nope | 15:37 |
nowen | office365? | 15:38 |
d1zzy_ | not yet | 15:38 |
nowen | what happens when you browse to the url in that post | 15:39 |
d1zzy_ | hi sorry got called away | 15:49 |
d1zzy_ | lemme check hold on | 15:50 |
d1zzy_ | you mean if i browse to http://FQDNwikid/servlet/com.wikidsystems.server.InitDevice5AES?a=0&S=XXXXXXXXXXXX&lck=1&CT=0 | 15:51 |
nowen | yes | 15:51 |
nowen | does it reach the server? | 15:51 |
d1zzy_ | http status 405 | 15:52 |
d1zzy_ | i believe it does get to the server | 15:52 |
nowen | what's the domain id? | 15:52 |
nowen | did you limit the domain to any type of token or enter a registered url? | 15:52 |
d1zzy_ | you mean the padded ip? | 15:52 |
nowen | yes | 15:52 |
d1zzy_ | no neither | 15:52 |
d1zzy_ | 195.254.164.180 | 15:52 |
d1zzy_ | my public server on http and https | 15:53 |
d1zzy_ | want to connect to it? | 15:53 |
d1zzy_ | im watching the log | 15:53 |
nowen | 195254164180 ? | 15:53 |
d1zzy_ | yes but you browse to 195.254.164.180 you mean | 15:54 |
d1zzy_ | 50.194.249.125 - - [09/Jan/2013:15:54:06 +0000] "POST /wikid/servlet/com.wikidsystems.server.InitDevice4AES?a=0&S=195254164180&CT=1 HTTP/1.1" 200 1 50.194.249.125 - - [09/Jan/2013:15:54:12 +0000] "GET /wikid/servlet/com.wikidsystems.server.InitDevice4AES?a=0&S=195254164180&CT=1 HTTP/1.1" 405 1112 50.194.249.125 - - [09/Jan/2013:15:54:13 +0000] "GET /favicon.ico HTTP/1.1" 200 290 | 15:54 |
d1zzy_ | i guess thats ur ip? | 15:54 |
nowen | is the domain identifier 195254164180? on the WiKID server, that is | 15:55 |
d1zzy_ | sorry i deleted them, will readd now.... | 15:55 |
nowen | you deleted what? | 15:55 |
d1zzy_ | sorry the domain and network clients | 15:56 |
d1zzy_ | let me re-add | 15:56 |
d1zzy_ | what do i put in network client for any ip? | 15:56 |
d1zzy_ | 0.0.0.0 ??? | 15:56 |
nowen | just do the domain first | 15:56 |
nowen | one step at a time | 15:56 |
nowen | which doc are you working off of? | 15:56 |
nowen | I recommend: http://www.wikidsystems.com/support/wikid-support-center/manual/how-to-install-the-wikid-strong-authentication-server | 15:57 |
d1zzy_ | http://www.wikidsystems.com/support/support/videos | 15:57 |
nowen | more details in the manual | 15:57 |
d1zzy_ | added domain, just restarting server | 15:58 |
d1zzy_ | and its back up | 15:58 |
nowen | you only need to restart after adding a radius network client | 15:58 |
nowen | and now it is working | 15:58 |
d1zzy_ | oh ok | 15:59 |
d1zzy_ | no not working | 15:59 |
d1zzy_ | im trying the android client | 15:59 |
d1zzy_ | to try to connect publicly | 15:59 |
d1zzy_ | hmmm | 16:03 |
d1zzy_ | ? | 16:03 |
d1zzy_ | i dont have a network client configured yet though | 16:03 |
nowen | if your tokens are working, then I think you can add a network client | 16:03 |
d1zzy_ | so for clients connecting from many different ip addresses what do i put in the network client? | 16:04 |
nowen | the token clients don't know about the network clients | 16:04 |
d1zzy_ | can you confirm the following for me please? | 16:05 |
d1zzy_ | 1. My server is in a DMZ (192 address). It has one ethernet interface. It is NAT'd to a public IP. Is this ok? | 16:06 |
d1zzy_ | 2. Ports 80 and 443 are open for ANY to public IP -> NAT'd -> server | 16:06 |
d1zzy_ | is that correct? | 16:06 |
d1zzy_ | for testing I have disabled IP tables | 16:07 |
nowen | that depends on what you want. Do you want the WiKIDAdmin UI open to the internet? | 16:07 |
d1zzy_ | not really | 16:07 |
d1zzy_ | i just need the token client to able to communicate to receive the OTP | 16:07 |
d1zzy_ | ive had this working all in the same network segment | 16:17 |
d1zzy_ | doesn't seem to like NAT or DMZ | 16:17 |
nowen | what's not working | 16:17 |
nowen | ? | 16:17 |
nowen | token works for me | 16:17 |
d1zzy_ | oh | 16:18 |
d1zzy_ | is it my token client then? | 16:18 |
nowen | are you on the lan? | 16:18 |
d1zzy_ | im on the lan | 16:18 |
d1zzy_ | my phone is on an ADSL connection | 16:18 |
nowen | can you access the serve UI? | 16:18 |
d1zzy_ | yes | 16:18 |
nowen | on the external IP | 16:18 |
d1zzy_ | on both the external and DMZ ip addresses | 16:19 |
nowen | and you can't get an OTP? | 16:19 |
d1zzy_ | no | 16:19 |
d1zzy_ | sorry i thought i said that | 16:19 |
nowen | what about on your android via the cell network? | 16:20 |
d1zzy_ | same | 16:20 |
d1zzy_ | if i try to add a domain with the padded IP it tries then goes back to the original screen | 16:21 |
nowen | Trans 2FA external is your domain name? | 16:21 |
d1zzy_ | i did notice in the log when you connected you get 3 lines in the log / im only getting 1 line | 16:21 |
nowen | http://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-do-i-run-the-token-in-debug-mode | 16:21 |
d1zzy_ | again i see ur connection | 16:21 |
nowen | clearly some networking issue on your end | 16:21 |
d1zzy_ | how if you're connecting? | 16:22 |
nowen | you are trying to add 195254164180 to the token? | 16:22 |
d1zzy_ | plus im trying from my cells network and from a separate adsl connection | 16:22 |
d1zzy_ | yes | 16:22 |
nowen | what do the logs say when you connect? What's the debug output from your token? | 16:23 |
d1zzy_ | ill have to disconnect my laptop and use the adsl connection | 16:23 |
d1zzy_ | 50.194.249.125 - - [09/Jan/2013:16:21:03 +0000] "POST /wikid/servlet/com.wikidsystems.server.InitDevice4AES?a=0&S=195254164180&CT=1 HTTP/1.1" 200 426 50.194.249.125 - - [09/Jan/2013:16:21:08 +0000] "POST /wikid/servlet/com.wikidsystems.server.InitDevice4AES?a=1&D=1119504358160292377&S=195254164180&CT=1 HTTP/1.1" 200 528 50.194.249.125 - - [09/Jan/2013:16:21:18 +0000] "POST /wikid/servlet/com.wikidsystems.server.WikidCode3AES?S=1952541 | 16:24 |
d1zzy_ | first three logs are urs | 16:24 |
d1zzy_ | last one is my mobile cell network | 16:24 |
d1zzy_ | 82.132.237.205 - - [09/Jan/2013:16:23:30 +0000] "POST /wikid/servlet/com.wikidsystems.server.InitDevice5AES?a=0&S=195254164180&lck=1&CT=0 HTTP/1.1" 200 - | 16:24 |
nowen | this is the | 16:26 |
nowen | community edition? | 16:26 |
nowen | http://www.wikidsystems.com/community-version/support/wikid-support-center/faq/whats-the-difference-between-the-community-release-and-enterprise-release/?searchterm=what%20is%20the%20difference | 16:26 |
d1zzy_ | yes | 16:26 |
nowen | smart phone tokens are not supported. we use a 3rd party package for encryption | 16:27 |
d1zzy_ | desktop tokens supported? | 16:31 |
nowen | yes | 16:34 |
d1zzy_ | brb to test | 16:35 |
*** d1zzy_ has quit (Ping timeout: 245 seconds) | 16:40 | |
*** d1zzy123 (5189d267@gateway/web/freenode/ip.81.137.210.103) has joined #wikid | 16:46 | |
d1zzy123 | still same | 16:46 |
d1zzy123 | i have uninstalled the client | 16:46 |
d1zzy123 | can you suggest which one to use | 16:46 |
d1zzy123 | im on the adsl connection now | 16:46 |
nowen | which one are you using? | 16:47 |
d1zzy123 | 3.1.23 bundle installer | 16:48 |
d1zzy123 | from the sourceforge website | 16:48 |
d1zzy123 | ive also tried the executable | 16:48 |
nowen | and you're running it in debug mode? | 16:48 |
d1zzy123 | unlocked client | 16:48 |
d1zzy123 | no i will do now...... | 16:49 |
d1zzy123 | damn gotta go to a meeting will try tonight and report back | 16:50 |
d1zzy123 | i do appreciate your help nick | 16:51 |
d1zzy123 | enjoy ur evening | 16:51 |
d1zzy123 | bye | 16:51 |
nowen | later | 16:51 |
*** d1zzy123 has quit (Client Quit) | 16:51 | |
*** Mustio has quit (Ping timeout: 245 seconds) | 20:53 | |
*** d1zzy_ (569ff3d8@gateway/web/freenode/ip.86.159.243.216) has joined #wikid | 22:27 | |
d1zzy_ | good evening | 22:27 |
nowen | hi | 22:27 |
d1zzy_ | you there nick? | 22:27 |
d1zzy_ | well | 22:27 |
d1zzy_ | i tried the client from my home windows 7 pc | 22:27 |
d1zzy_ | worked fine | 22:27 |
d1zzy_ | it must be something to do with my laptop | 22:27 |
d1zzy_ | how can i completely remove any reference to any saved settings for the token client | 22:28 |
d1zzy_ | every time i try a new client it remembers details from initial setup even after ive uninstalled and deleted files from program files | 22:28 |
nowen | well, you can delete the wikidtoken.wkd file | 22:28 |
d1zzy_ | where is that stored by default? | 22:28 |
nowen | I can't remember on windows | 22:29 |
nowen | not sure that would be it | 22:29 |
d1zzy_ | lol | 22:29 |
nowen | more likely you have a firewall or anti-malware tool running | 22:29 |
nowen | esat? | 22:29 |
d1zzy_ | esat ? | 22:29 |
nowen | esat is an anti-spyware tool | 22:29 |
d1zzy_ | nope | 22:29 |
d1zzy_ | windows firewall isnt running | 22:30 |
nowen | something blocking the token from writing a file | 22:30 |
d1zzy_ | ive got an antivirus client | 22:30 |
d1zzy_ | my account is local admin | 22:30 |
d1zzy_ | it must be my antivirus maybe | 22:33 |
d1zzy_ | ill see if i can disable it tomorrow | 22:34 |
d1zzy_ | one more thing | 22:34 |
d1zzy_ | in order to get the token do i only need tcp 80 open on the internet? | 22:34 |
d1zzy_ | i dont really want the portal live on the internet | 22:34 |
nowen | yes, only port 80 | 22:34 |
d1zzy_ | ok ill test tomorrow and see what happens ill let you know | 22:35 |
d1zzy_ | thanks again | 22:35 |
d1zzy_ | GETTING THERE! | 22:35 |
nowen | glad to hear! | 22:35 |
d1zzy_ | the vpn client failed to authenticate on a challenge response | 22:37 |
d1zzy_ | probably a config error with tacacs+ setup on the actual firewall | 22:38 |
nowen | I doubt you will need challenge response | 22:38 |
d1zzy_ | C:\Documents and Settings\adiscala\Application Data\WiKID | 22:39 |
d1zzy_ | thats where the file is | 22:39 |
d1zzy_ | bollox | 22:39 |
d1zzy_ | lol | 22:39 |
d1zzy_ | it works now | 22:41 |
d1zzy_ | must have been a corrupt wkd file maybe? | 22:41 |
d1zzy_ | :p | 22:41 |
nowen | maybe | 22:41 |
d1zzy_ | well im glad we have figured it out! got there eventually | 22:44 |
d1zzy_ | thanks for all ur help | 22:44 |
nowen | np | 22:44 |
d1zzy_ | ive added a network client | 22:44 |
d1zzy_ | but what ip do i put in? | 22:44 |
nowen | the IP of your vpn or whatever the network client is | 22:45 |
d1zzy_ | so i am at home | 22:45 |
d1zzy_ | would i have to give the ip of my home connection? | 22:45 |
d1zzy_ | that would be very difficult to track with remote users and dynamic ips | 22:46 |
nowen | no, you're not understanding the architecture | 22:46 |
d1zzy_ | the ip address of the firewall | 22:47 |
nowen | what are you trying to do? protect a VPN with 2fa, right? | 22:47 |
d1zzy_ | yes | 22:47 |
nowen | the IP of the VPN | 22:47 |
nowen | then the VPN needs to talk to the WiKID server | 22:47 |
*** bman1 (~burrutia@64.19.224.6) has joined #wikid | 22:47 | |
d1zzy_ | so if the vpn resides on the firewall would it be the internal ip of the firewall or its public ip? | 22:47 |
nowen | internal | 22:48 |
bman1 | is there a particular port that wikid connections come in on? I have a task of putting some boxes behind an LB and need to know the port to send the connections thru besides the default https | 22:48 |
d1zzy_ | thanks | 22:48 |
nowen | bman1: the tokens use port 80 | 22:48 |
bman1 | ok thanks | 22:49 |
nowen | http://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/what-ports-are-needed-for-wikid-how-do-i-know-if-the-listener-running-on-the-server?searchterm=what+ports+do+ | 22:49 |
bman1 | thanks | 22:49 |
nowen | depends on your setup, of course | 22:49 |
bman1 | well from firewall to load balancer is my concern | 22:50 |
bman1 | all others will have backend connection | 22:50 |
d1zzy_ | thanks again nick | 22:53 |
d1zzy_ | night | 22:53 |
nowen | good night | 22:53 |
*** d1zzy_ has quit (Quit: Page closed) | 22:54 | |
*** nowen has quit (Quit: Leaving.) | 23:15 |