*** nowen (~nowen@50-194-249-125-static.hfc.comcastbusiness.net) has joined #wikid | 14:49 | |
*** remo (50eed09e@gateway/web/freenode/ip.80.238.208.158) has joined #wikid | 15:08 | |
nowen | hi remo! | 15:08 |
remo | hi Nick :) | 15:08 |
nowen | how goes the testing? | 15:09 |
remo | well, I do have a quick question... | 15:09 |
remo | if I run wikid on a vm behind a firewall and want to allow people to use it to authenticate from outside, I assume that I give the server the ID of the external IP I will map it to, but what ports need to be NATed/forwarded by the FW? | 15:10 |
nowen | 80 | 15:10 |
nowen | the tokens use asymmetric encryption, so no need for ssl | 15:10 |
remo | ok, cool. is there a way to get the clients to use anything other than 80? | 15:12 |
remo | 80 is overloaded already^^ | 15:12 |
nowen | not on the client side, but you can have the server listen on another port and route requests to it | 15:12 |
nowen | something like: RewriteRule ^/wikid/(.*) http://localhost:8090/wikid/$1 [P] | 15:13 |
nowen | then on the WiKID server, you need to change tomcat to listen to 8090 instead of 80 | 15:13 |
remo | ok, but the question came about more because I have port 80 on the EXTERNAL Ip already forwarded somewhere else... I don't see an issue on the server side... | 15:14 |
nowen | are you running apache for the external? | 15:14 |
remo | nope, some kinda krap embedded thingy... but I just noticed that I should be able to route 80 exclusively to wikid for now, access to the other server from outside isn't really critical... | 15:16 |
nowen | ok - well we use apache and it can route things based on, well, anything I guess | 15:17 |
remo | jup | 15:19 |
remo | ok, I got it to the point where an external 80 request goes to the server (I get the wikid favicon and an empty page, which seems right). However the client can't add the domain through the server key... how can I troubleshoot? | 15:37 |
nowen | http://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-do-i-run-the-token-in-debug-mode | 15:40 |
nowen | so the token is getting to the server? | 15:41 |
nowen | the token needs to be able to write a file to the system too | 15:42 |
nowen | sometimes anti-spyware can interfere | 15:42 |
*** nowen has quit (Remote host closed the connection) | 15:55 | |
*** nowen (~nowen@50-194-249-125-static.hfc.comcastbusiness.net) has joined #wikid | 15:56 | |
remo | token on iphone :) | 16:05 |
nowen | what's your domain identifier? I'll try it from here | 16:06 |
remo | 080238208158 | 16:13 |
nowen | works for me | 16:13 |
nowen | I get the PIN prompt | 16:13 |
nowen | this is the Enterprise version, right? | 16:13 |
remo | gnaa, I think I know the problem... my iphone had wlan on and used the local network instead of 3g | 16:14 |
nowen | ahh | 16:14 |
nowen | OK - I have lunch meeting way outside of town I have to get to. | 16:15 |
nowen | I'll be back around 2ish | 16:15 |
*** nowen has quit (Quit: Leaving.) | 16:15 | |
*** nowen (~nowen@50-194-249-125-static.hfc.comcastbusiness.net) has joined #wikid | 19:38 | |
remo | wb | 19:48 |
nowen | thx | 19:49 |
nowen | any progress? | 19:49 |
remo | currently having fun trying to get apache and tomcat working on the wikid vm... | 19:50 |
nowen | hmm | 19:50 |
nowen | why? | 19:50 |
remo | using mod_proxy doesn't really work as tomcat keeps redirecting to 127.0.0.1 | 19:51 |
remo | currently trying mod_proxy_ajp | 19:51 |
nowen | what are you trying to accomplish? | 19:51 |
remo | I need a php-serving webserver on the same machine... | 19:52 |
nowen | ok | 19:52 |
nowen | that redirect I posted before should work | 19:52 |
remo | nope, it doesn't... | 19:52 |
nowen | and did you change the tomcat listen port? | 19:53 |
nowen | in /opt/WiKID/tomcat/conf/server.xml? | 19:53 |
remo | yes, to 8090 | 19:53 |
nowen | it works on our webserver with our test wikid server | 19:54 |
remo | lucky you :) | 19:54 |
nowen | lol | 19:54 |
remo | The main challenge is that it has to work with /WiKIDAdmin/, too, and that misbehaves somehow... | 19:55 |
nowen | did you move ssl to another port? | 19:56 |
remo | not really... can you check whether you can still see the server with a token client? | 19:58 |
nowen | sure | 19:58 |
nowen | nope | 19:58 |
nowen | http://80.238.208.158/wikid/servlet/com.wikidsystems.server.InitDevice4AES?a=0&S=080238208158&CT=1 | 19:59 |
nowen | is the page I get | 19:59 |
remo | how about now? | 20:00 |
nowen | yes | 20:00 |
remo | ah... ok... so the pure http redirect/reverse proxy works now and the admin stuff I got to solve differently because it uses ssl (or can I change it to non-ssl and do the ssl stuff at the apache level?) | 20:01 |
nowen | I would just put it on another port | 20:02 |
nowen | <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true" | 20:02 |
nowen | maxThreads="150" scheme="https" secure="true" | 20:02 |
nowen | keystorePass="changeit" keystoreFile="/ebs/opt/WiKID/conf/tomcatKeystore" keyAlias="tomcat" | 20:02 |
nowen | clientAuth="false" sslProtocol="TLS" /> | 20:02 |
nowen | in //ebs/opt/apache-tomcat-6.0.20/conf/server.xml | 20:02 |
remo | hm, I'll look at that next week, now it's time for my Friday beer... :) | 20:05 |
nowen | heeh | 20:05 |
nowen | enjoy! | 20:05 |
remo | thank you very much for your help, have a good weekend! | 20:05 |
nowen | you too | 20:05 |
*** remo has parted #wikid (None) | 20:07 | |
*** remo (50eed09e@gateway/web/freenode/ip.80.238.208.158) has joined #wikid | 20:48 | |
remo | I'm back... got another question... | 20:49 |
remo | no beer :( | 20:49 |
nowen | that's allowed | 20:49 |
remo | ^^ | 20:49 |
nowen | the question, that is | 20:49 |
nowen | the lack of beer is an issue | 20:49 |
remo | I used the php example and have a question: the wclient needs a .pem certificate, but through the admin IF, i created a p12 for the local host... I can convert this using openssh, but I get an error from wclient.inc.php that it can't set local cert chain.. what am i missing? | 20:51 |
nowen | perms? | 20:51 |
remo | of what? | 20:51 |
nowen | and you do mean openssl, right? | 20:51 |
nowen | the .pem | 20:51 |
nowen | can apache read it | 20:51 |
remo | the pem is 644 | 20:52 |
remo | and yes, openssl... | 20:52 |
nowen | do you have the cacertstore in the directory too? | 20:52 |
remo | nope | 20:53 |
remo | [Fri Jan 11 21:54:03 2013] [error] [client 10.255.255.127] PHP Warning: stream_context_get_options() expects parameter 1 to be resource, null given in /var/www/html/wClient.inc.php on line 336 [Fri Jan 11 21:54:03 2013] [error] [client 10.255.255.127] PHP Warning: stream_socket_client() [<a href='function.stream-socket-client'>function.stream-socket-client</a>]: Unable to set local cert chain file `lh.pem'; Check that your cafile/capa | 20:54 |
nowen | I haven't touched the php stuff | 20:54 |
remo | no worries, I'll deal with it some other time... | 20:57 |
nowen | did you restart apache? | 20:57 |
remo | ? why should I do that? | 20:59 |
nowen | if you changed perms on the file or most anything | 20:59 |
remo | didn't do that... it can read the file just fine, but the file must contain the wrong stuff... | 21:00 |
nowen | is there any info on converting the p12 in the example.php or other docs in that package? | 21:00 |
remo | nope | 21:02 |
remo | the only hint is that the file contains "example.pem" instead of the generated "localhost.p12" | 21:02 |
remo | contains = references | 21:02 |
nowen | hmm | 21:02 |
remo | hm... maybe the server isn't listening on port 8388? | 21:07 |
nowen | the WiKID server? | 21:07 |
nowen | hmm | 21:07 |
nowen | 'netstat -anp | grep 8388' | 21:07 |
nowen | or perhaps it is confused. what IP did you use to create the network client? | 21:08 |
nowen | because if this is on the same server, you could probably just use the localhost cert | 21:08 |
remo | that's what I'm doing... | 21:08 |
remo | the server is listening, btw... | 21:09 |
nowen | oh, yeah, otherwise you probably wouldn't even get that cert error | 21:09 |
remo | ah... just saw that the CA cert is hardcoded in the example further down (after all the config stuff)... | 21:13 |
remo | ok, got it... the example is kind of unintuitive... but once you convert some certs and move them around, it seems to work :) | 21:17 |
remo | cool, now I can go to bed :) | 21:19 |
remo | cu | 21:19 |
nowen | what about that beer? | 21:19 |
joevano | nowen: what are groups used for? | 21:39 |
nowen | joevano: sending back specific radius attributes | 21:39 |
joevano | ah... | 21:40 |
nowen | by group rather than the whole network client | 21:40 |
joevano | trying to figure out how I might use WiKID for authentication on our HP switches without having to add another domain | 21:40 |
joevano | HP doesn't have any kind of user management when configured with RADIUS... just pass back the access level (by group, I've heard) | 21:42 |
joevano | with our firewall it uses both windows AND the radius server so we control access through AD and auth with Wikid | 21:44 |
nowen | so, can the switches also talk to AD/nps? | 21:44 |
joevano | I wish | 21:44 |
joevano | well I guess it could talk to NPS... but it is one or the other NPS or Wikid | 21:45 |
joevano | one primary and up to two failovers | 21:45 |
nowen | can't you set all your networking equipment to talk radius to NPS and then have nps talk to wikid? | 21:46 |
joevano | oh, you can do that? | 21:46 |
joevano | well yes that would work | 21:46 |
nowen | worth checking into | 22:06 |
nowen | ok - time for me to fly. | 22:06 |
nowen | see y'all next week | 22:07 |
*** nowen has quit (Quit: Leaving.) | 22:07 | |
*** remo has quit (Quit: Page closed) | 22:24 |