*** nowen (~nowen@99-174-93-102.lightspeed.tukrga.sbcglobal.net) has joined #wikid | 15:31 | |
bman1 | anyone in here? | 19:21 |
nowen | yes | 19:24 |
bman1 | hello Nowen, ok so I have a question on how using ADRegister, after that's setup which works fine, once the wikid client connects and gets a token if the user still utilizes that or their ad creds to authenticate say via a firewall | 19:25 |
bman1 | for example the client can get a token then I have a cisco fwsm which intercepts the request to auth and then should connect back to 2factor to the wikid server | 19:26 |
bman1 | however that final stage I am still wondering what the best method to auth is, i.e. via ldap or tacacs? | 19:27 |
bman1 | i would think ldap | 19:27 |
nowen | ADRegister is completely separate - it is registering a token. the firewall process is authentication | 19:27 |
bman1 | ok right, so the register part is fine | 19:27 |
nowen | radius! | 19:27 |
bman1 | so when the client connects it gets a token, i assume i still use that | 19:27 |
bman1 | radius is preferred? | 19:28 |
nowen | technically, they use the token to get an OTP | 19:28 |
bman1 | right | 19:28 |
nowen | yes, radius is the best | 19:28 |
bman1 | ok I'll give that a try | 19:28 |
bman1 | for radius i would have it go back to AD correct? I want to make sure I understand correctly | 19:29 |
nowen | if you're using NPS | 19:30 |
nowen | take a look at this guide: http://www.wikidsystems.com/webdemo/Two-factor_Authentication_in_your_Network_eGuide.pdf | 19:30 |
nowen | it shows how to set up FW >> NPS/AD >> WiKID | 19:30 |
bman1 | ok thanks | 19:31 |
bman1 | hmm i was assuming it would go FW>>WIKID>>NPS/AD since it goes FW>>WIKID>>POSTGRES but will re-look (trying to minimize change from where/how our older arch is set up) | 19:40 |
nowen | WiKID won't proxy anything to NPS. it's an authoritative endpoint | 19:41 |
nowen | you can do FW >> WiKID, but then AD is out of the picture | 19:41 |
bman1 | i see, so if i were to attempt ldap it would also be the same or could I do FW>> WIKID>>LDAP? | 19:44 |
bman1 | the reason is also that windows is managed by another team in my co | 19:44 |
bman1 | and they are not the most ... | 19:45 |
nowen | you can't proxy from WiKID using any protocol | 19:45 |
bman1 | well they are good people but we'd like to avoid having them manage more apps | 19:45 |
bman1 | ok thanks | 19:45 |
nowen | you can avoid windows altogether and have the users in WiKID | 19:45 |
bman1 | yeah we have that already, that's not what we want however | 19:46 |
nowen | yeah, then NPS is the way | 19:46 |
bman1 | it's ok, I'll figure it out | 19:46 |
bman1 | thanks yeah | 19:46 |
joevano | bman1: i set up nps last weekend with wikid in about 15 minutes... very straightforward | 20:43 |
nowen | joevano: what doc did you follow? one of ours or MS? | 20:47 |
joevano | yours mostly | 20:55 |
joevano | for the actual config... theirs for the install and some prelim research | 20:56 |
nowen | I find that if you need a lot of details, our docs don't cut it. | 20:56 |
nowen | but we aren't trying to replace theirs... | 20:56 |
joevano | yeah, I read up on it first so I knew what was expected | 20:57 |
bman1 | joevano: thanks for your comment, however as I stated our windows team is different | 23:08 |
bman1 | they are a sep unit and mostly desktop support | 23:08 |
bman1 | it's not so much as to how much time it would take or how many steps, it's partially a wait thing | 23:09 |
*** nowen has quit (Quit: Leaving.) | 23:31 |