*** Angel_ has quit (Ping timeout: 250 seconds) | 00:44 | |
*** nowen (~nowen@99-174-93-102.lightspeed.tukrga.sbcglobal.net) has joined #wikid | 13:54 | |
*** angel_ (ccc2ed16@gateway/web/freenode/ip.204.194.237.22) has joined #wikid | 15:24 | |
angel_ | Hi Nick | 15:27 |
nowen | hi angel_ | 15:27 |
nowen | any luck with that last tip? | 15:27 |
angel_ | No the deviceID did not work. | 15:27 |
nowen | did you try with the example.jsp page? | 15:28 |
angel_ | You suggested using example.jsp to test. Haven't used it before. Where do I go? | 15:28 |
nowen | take a look at this: http://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-can-i-test-if-the-server-is-working-correctly | 15:28 |
nowen | essentially, it is all the API functions working in a jsp page | 15:29 |
nowen | on /opt/WiKID/tomcat/webapps/WiKIDAdmin/example.jsp | 15:29 |
nowen | if you look at the page, it is very well documented | 15:29 |
angel_ | Will check it. | 15:31 |
nowen | basically, if your reg doesn't work via the example.jsp page either, we know it is a bug on our end and not your code. | 15:32 |
angel_ | thanks | 15:36 |
angel_ | unable to get the example.jsp to work. for the host option is localhost ok to use? Or must it be the IP? | 16:40 |
nowen | the only things you need to change are the defaultservercode and the localhost passphrase | 16:41 |
nowen | so change the 127000001 to 008028117051 | 16:42 |
angel_ | Yep did that already. | 16:42 |
nowen | oh - did you restart wikid? | 16:42 |
angel_ | Ah. no | 16:43 |
nowen | ok - the old page was probably cached | 16:43 |
*** rick__ (48c40b51@gateway/web/freenode/ip.72.196.11.81) has joined #wikid | 16:46 | |
rick__ | hello, have an ssl question, can i use a entrust wildcard cert instead of the self signed one? | 16:47 |
nowen | rick__: no, that will be an issue down the road. We're planning on updating the cert system | 16:48 |
rick__ | ok | 16:48 |
nowen | wait | 16:48 |
nowen | do you mean the WiKIDAdmin ssl cert or the intermediate CA? | 16:48 |
rick__ | wikidadmin ssl | 16:48 |
nowen | oh - yeah, you can replace that | 16:48 |
rick__ | mainly the adregister.jsp page | 16:48 |
nowen | ahh - yes. that makes sense | 16:49 |
rick__ | so the users will not get the ssl warning | 16:49 |
rick__ | ok | 16:49 |
nowen | you are encouraged to move that page too | 16:49 |
rick__ | oh | 16:49 |
nowen | so it won't get written over in an rpm update | 16:49 |
rick__ | makes sense | 16:49 |
nowen | but people rarely do ;-) | 16:50 |
rick__ | just create a new tomcat context? | 16:53 |
nowen | that should work | 16:53 |
*** rick__ has quit (Ping timeout: 250 seconds) | 17:21 | |
*** angel_ has quit (Ping timeout: 250 seconds) | 17:24 | |
*** DanAccenture (0cdbfd3a@gateway/web/freenode/ip.12.219.253.58) has joined #wikid | 17:34 | |
DanAccenture | Hey Nick | 17:34 |
DanAccenture | question for ya | 17:34 |
DanAccenture | I have a small domain set up with one DC w/ AD, another member server with RRAS/VPN/LDAP/NPS, and then another machine with WiKID server on it...i have it all set up but am trying to figure out the topology to use, and how to integrate WiKID | 17:36 |
DanAccenture | i have an outside private network (10.67.xxx.xxx) able to see the 192.168.xxx.xxx internal network (where my three servers are hosted) | 17:37 |
DanAccenture | i have VPN set up and DirectAccess | 17:37 |
DanAccenture | I am trying to test the VPN functionality, but I am unable to authenticate when trying to connect | 17:37 |
DanAccenture | i have the WiKID route set up in NPS as well, followed the guide | 17:38 |
DanAccenture | I guess what I am trying to get at is how do I present a user outside the domain and ip address scheme where the WiKID server and AD server lie with the ability to enter a one-time password while authenticating via VPN | 17:38 |
DanAccenture | this is our main goal...eventually deploying this solution to individual applications will be another, but that is down the road...for now we want something that can be baseline, something to prompt the user to enter a one time password to authenticate via VPN and RDP | 17:39 |
nowen | DanAccenture: sorry - just back from a meeting | 17:51 |
nowen | did you test the VPN without WiKID first? | 17:52 |
nowen | You can also set the radius logging to debug: http://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-can-i-set-radius-logging-to-debug-how-can-i-see-if-wikid-is-getting-the-radius-requests?searchterm=radius+debug | 17:54 |
nowen | DanAccenture: If the last thing you see is the OTP request in the logs, then the radius request isn't getting to WiKID | 17:55 |
DanAccenture | Hey Nick sorry stepped away...I am back | 17:56 |
nowen | also, on the wikid server, you can run 'tcpdump port radius' to see the actual packets | 17:56 |
nowen | np | 17:56 |
DanAccenture | one second | 17:56 |
DanAccenture | i did not...let me change the route method and give it a shot, see if it connects | 17:56 |
nowen | that's one thing I like about irc ;-) | 17:56 |
DanAccenture | you know it! :) | 17:56 |
DanAccenture | just so i understand | 17:58 |
DanAccenture | so if a user is using VPN to connect remotely to this network, when they set up the initial VPN connection, do they already have to be an authenticated user in WiKID before they can connect? | 17:59 |
*** axisys (~axisys@unaffiliated/axisys) has joined #wikid | 18:00 | |
nowen | no - the tokens do need to be able to talk to the WiKID server | 18:04 |
nowen | think of it like a triangle - the token talks to the WiKID server over port 80 on the internet, then the user enters the creds into the VPN, which completes the triangle by confirming the creds with the wikid server | 18:06 |
nowen | axisys: long time no see | 18:13 |
axisys | nowen: :-) | 18:16 |
axisys | nowen: tired of working with RSA | 18:16 |
nowen | hehe | 18:16 |
nowen | we can get you switched in no time | 18:16 |
axisys | nowen: trying the VM | 18:16 |
nowen | hmm - is it a zip file? | 18:17 |
axisys | nowen: need to someday convince my new manager to switch to it | 18:17 |
axisys | nowen: iso | 18:17 |
nowen | ok - good, that's the latest, I hope | 18:17 |
axisys | wikid-enterprise-3.5.0-b1438-install.iso | 18:18 |
nowen | excellent | 18:18 |
DanAccenture | ohhhh i see | 18:18 |
DanAccenture | so basically this WiKID server needs to be on an RRAS server on the edge facing the internet in order to authenticate | 18:18 |
nowen | you can NAT the external IP. | 18:19 |
DanAccenture | i c i c | 18:19 |
DanAccenture | i have that running as a host-only, but i can NAT the address to see if that works | 18:19 |
DanAccenture | currently i only have my member server configured with two network adapters to bring in both traffic | 18:20 |
nowen | and you can create an internal ip domain for testing internally if you want | 18:20 |
DanAccenture | should i just have the Wikid server set like that? | 18:20 |
DanAccenture | should i have* | 18:20 |
nowen | that's what we recommend | 18:20 |
DanAccenture | yep that is what i did | 18:20 |
DanAccenture | ohhhhhh okay i see, let me give that a go here and see if i can get it working | 18:20 |
DanAccenture | one sec | 18:20 |
axisys | nowen: i see you have instructions for fortinet .. how about apcon ? | 18:20 |
nowen | I've never heard of it! | 18:21 |
nowen | but basically - use radius | 18:21 |
axisys | nowen: new guy in town.. with RSA I could get the VSAs for fortinet, but no luck with apcon | 18:23 |
nowen | what are VSAs? | 18:23 |
axisys | RSA is absolutely no help beyond the steps on how to setup and if it does not work, no help | 18:23 |
axisys | Vendor Specific Attributes with RADIUS Access-Accept | 18:24 |
nowen | ahh | 18:24 |
axisys | basically the attribute value pairs that are vendor specific and radius server returns those with accept pkt | 18:25 |
axisys | we can't switch to freeradius since we need two factor auth | 18:25 |
axisys | rsa radius is steel-belted radius which juniper bought | 18:26 |
DanAccenture | so just to make sure, and sorry for all of the questions (im new to all of this) | 18:26 |
axisys | what radius do you guys use? | 18:26 |
axisys | nowen: ^ | 18:26 |
DanAccenture | if i have my wikid server (192.168.1.x) bridged to my (10.67.106.x) network to become visible to them, and point my WiKID domain server to that IP, everyone on the 10.67.106.x addresses should be able to authenticate via WiKID, thus enabling me to VPN in after they authenticate? | 18:27 |
nowen | axisys: we use a java-based radius tool called AXL, but it is embedded and seamless to you. | 18:28 |
nowen | DanAccenture: no, only users with *registered*, valid tokens can authenticate | 18:29 |
nowen | axisys: for VSA, we have Ascend, Cisco, and MS | 18:30 |
nowen | we have all the standard attributes too | 18:30 |
DanAccenture | okay have a few more questions but have to step away...brb | 18:30 |
nowen | np | 18:31 |
axisys | nowen: i dont need any if you did not have those.. i usually request the dictionary file and then add it | 18:31 |
axisys | I will check if apcon definition works for me | 18:32 |
axisys | with yours | 18:32 |
axisys | apcon definition is google searchable :-) | 18:32 |
axisys | apcon VSAs rather | 18:32 |
nowen | do you need vendor-specific? can you use the radius standard attributes? | 18:33 |
DanAccenture | so in order, the user downloads the token client, adds the domain as the 10.67.106.xxx address set for the WiKID server, registers, and receives a registration number...the user then requests a passcode, and is given one...where does this user enter that one time password? also, after they are registered in the WiKID server, can they initiate the VPN connection? | 18:34 |
axisys | I need to return a value between 0 to 6 for the attribute Apcon-User-Level | 18:34 |
axisys | so that is pretty simple | 18:35 |
axisys | VM is up | 18:35 |
nowen | DanAccenture: so, the token can get an OTP before registering, but they won't work. That reg code needs to get back to the WiKID server in some way | 18:35 |
axisys | I like how the VM is setup | 18:35 |
axisys | will need some time to play with it, before I can ask some questions | 18:36 |
nowen | DanAccenture: if you look on the Users > Manually validate a user, you will see the list of current registrations. | 18:36 |
DanAccenture | yup so the user requests registration and you see that in the users panel | 18:36 |
DanAccenture | got that far internally which is nice | 18:37 |
DanAccenture | just trying to figure out how clients obtain registration from outside the network | 18:37 |
DanAccenture | im not worried about the internet, just figuring out private ip to private ip | 18:37 |
DanAccenture | basically the same principle though haha | 18:38 |
nowen | DanAccenture: not sure i follow, do you mean how the token finds the WIKID server? | 18:38 |
DanAccenture | but i think once i face the WiKID server to the 10.67 IP address range, they should be able to see it since I bridged it to that network from the 192.168 range | 18:38 |
DanAccenture | sorry thinking out loud | 18:38 |
nowen | haha, np | 18:38 |
DanAccenture | one sec going to test this theory | 18:38 |
DanAccenture | sorry | 18:38 |
axisys | nowen: do you know what the password for this http://localhost.localdomain/WiKIDAdmin/ is? | 18:41 |
nowen | WiKIDAdmin/2Factor | 18:41 |
axisys | nowen: thanks | 18:41 |
axisys | nowen: our license only offers one domain with RSA appliance | 18:42 |
axisys | nowen: heh | 18:42 |
nowen | and how much does it cost? ;-) | 18:42 |
axisys | do not remember, but I would think total was less than 30k for two rsa appliances | 18:47 |
axisys | for 1500 user license | 18:48 |
nowen | seems a bit low to me | 18:49 |
axisys | I want to see if I can add new vendor attributes | 18:58 |
nowen | nope | 18:58 |
axisys | nowen: hmm.. | 19:00 |
nowen | shouldn't be hard for us to add them though | 19:00 |
nowen | although, I would say that you're better off using the standard ones | 19:01 |
axisys | nowen: apcon expects those custom attributes.. just like fortinet does.. but you do have a doc on fortinet.. may be that will show how | 19:02 |
axisys | brb | 19:02 |
nowen | no - it doesn't include VSAs | 19:03 |
*** Angel (ccc2ed16@gateway/web/freenode/ip.204.194.237.22) has joined #wikid | 19:04 | |
Angel | Hi Nick, unfortunately I'm still stuck don't know why example.jsp does not want to work for me. | 19:04 |
nowen | just sent you an email. take a look | 19:05 |
*** Angel has quit (Ping timeout: 250 seconds) | 19:09 | |
axisys | nowen: do not see it | 19:19 |
axisys | nowen: btw, this fortinet doc does not cover vendor attr | 19:19 |
axisys | nowen: http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-wikid-two-factor-authentication-to-a-fortinet-vpn | 19:19 |
axisys | nowen: oops you just said that above , *sigh* | 19:20 |
nowen | yes, I know that. Hardly any of our users use vendor attrs | 19:20 |
nowen | ;-) | 19:20 |
axisys | nowen: hmm.. we achieve granularity in user access level by mapping to particular attribute value | 19:21 |
axisys | of course we could use TACACS+ .. never used RSA appliance TACACS+.. seems pretty limited as well | 19:22 |
nowen | can you use acct-status-type? | 19:22 |
nowen | so, you have 6 types of users? | 19:22 |
axisys | for fortinet we have to send those attributes.. we cant go back now | 19:22 |
axisys | we have major installation already in place.. :-) | 19:23 |
axisys | for apcon may be | 19:23 |
nowen | just trying to understand what you are sending | 19:23 |
axisys | I will give an example | 19:23 |
axisys | Fortinet-Access-Profile:adom-rw-utm | 19:24 |
axisys | Fortinet-Group-Name:RADIUS | 19:24 |
axisys | Fortinet-Vdom-Name:AMERI | 19:25 |
axisys | so that is one profile | 19:25 |
axisys | and lets call it fortinet-foo as the radius profile name | 19:25 |
axisys | and assign it to me | 19:25 |
axisys | so when I login to fortinet .. those attributes gets mapped to some internal rules | 19:26 |
axisys | and that gives me a specific privilege to the gateway | 19:26 |
axisys | so those AVPs returned by the radius server with access-accept | 19:27 |
nowen | are you dropping the fortinet for the apcon? | 19:28 |
axisys | when you do tcpdump, you will see them as Vendor Specific Attribute (26) | 19:28 |
axisys | in the Access Accept (2) pkt | 19:28 |
axisys | nowen: no, we are using both | 19:29 |
nowen | ok | 19:29 |
axisys | fortinet is all good. still testing apcon | 19:29 |
nowen | wait - you mean fortinet and wikid? | 19:29 |
DanAccenture | okay i am back...i set up my WiKID server to face to the outside network and was able to get someone on that network to register with the WiKID server...now that the user is registered and can pass tokens, i need to get the user's AD credentials to authenticate with my Domain Controller...I am getting an error when trying to log on via VPN telling me my username and password is wrong | 19:34 |
DanAccenture | i guess this comes down to how i set up the network policy server and RRAS | 19:34 |
nowen | DanAccenture: I recommend you start simple | 19:35 |
nowen | DanAccenture: can you have the user login with wikid only? | 19:35 |
DanAccenture | so once the user is a part of the WiKID server and can generate legit passcodes, does the WiKID server then forward the request on to Active Directory for authentication? | 19:35 |
nowen | get that first, then add complexity | 19:35 |
DanAccenture | yep did that through the example jsp | 19:35 |
DanAccenture | that isnt an issue | 19:35 |
nowen | DanAccenture: example.jsp is wauth, not radius. I recommend you test VPN > radius > WiKID | 19:36 |
DanAccenture | oh i see woops my bad | 19:36 |
nowen | then, do VPN > radius > NPS/AD > radius > VPN | 19:36 |
DanAccenture | okay one second | 19:36 |
nowen | then do VPN > radius > NPS/AD > radius > wikid | 19:36 |
nowen | or really, VPN > radius > NPS/AD > radius > wikid > radius > nps/ad > radius > vpn | 19:37 |
DanAccenture | lol first time really messing with remote access so bear with me | 19:37 |
nowen | np | 19:37 |
nowen | axisys: are you saying that you have tested Fortinet and WiKID? | 19:39 |
axisys | nowen: sorry was on the phone... no not wikid, only rsa | 19:42 |
nowen | ok - so you need us to add Fortinet and apcon radius dictionaries? | 19:43 |
axisys | nowen: well, as long as that does not mean I will get a bill in the mail :P | 19:44 |
*** Angel (ccc2ed16@gateway/web/freenode/ip.204.194.237.22) has joined #wikid | 19:44 | |
nowen | axisys: will you get a bill eventually, is my question | 19:44 |
axisys | heh | 19:44 |
Angel | howdy | 19:44 |
Angel | Still no go | 19:45 |
nowen | welcome back Angel | 19:45 |
axisys | on RSA I add new dictionary myself | 19:45 |
nowen | yeah, we need to add it into the jsp pages, etc | 19:45 |
nowen | axisys: any way we can get a better lock on things before we commit to programming? | 19:47 |
nowen | Angel: what error are you seeing in the logs? | 19:47 |
*** Angel_ (417113c2@gateway/web/freenode/ip.65.113.19.194) has joined #wikid | 19:49 | |
*** Angel has quit (Ping timeout: 250 seconds) | 19:49 | |
Angel_ | Any ideas on my problem. | 19:51 |
nowen | Angel_: what error are you seeing in the logs? | 19:51 |
Angel_ | which logs? | 19:51 |
Angel_ | should I look at? | 19:51 |
nowen | WiKIDAdmin logs | 19:51 |
Angel_ | com.mchange.v2.c3p0.management.ActiveManagementCoordinator A C3P0Registry mbean is already registered. This probably means that an application using c3p0 was undeployed, but not all PooledDataSources were closed prior to undeployment. This may lead to resource leaks over time. Please take care to close all PooledDataSources. 2013-07-02 12:20:24.172 ERROR com.wikidsystems.client.wClient ERROR: java.io.IOException: PKCS12 key store mac | 19:52 |
Angel_ | ERROR: java.io.IOException: PKCS12 key store mac invalid - wrong password or corrupted file. | 19:53 |
Angel_ | When I ran the key tool it was successful | 19:56 |
nowen | Angel_: sent you an email | 19:56 |
DanAccenture | Hey Nick...how do i check to see if the user can log in with WiKID only? via RADIUS? | 19:56 |
nowen | DanAccenture: yes - on your VPN set WiKID as the Radius server. On WiKID, set the VPN as the network client using radius, then restart | 19:57 |
nowen | Angel_: did that make sense? | 20:15 |
Angel_ | Just sent you an email | 20:17 |
DanAccenture | so once that is set, try to VPN in to the network? | 20:18 |
nowen | DanAccenture: yes | 20:18 |
DanAccenture | Where it wants a password, do i enter one I generate via the token client? | 20:18 |
nowen | correct | 20:18 |
DanAccenture | sorry for making you hold my hand lol | 20:19 |
nowen | np | 20:19 |
nowen | often easier than troubleshooting later | 20:19 |
DanAccenture | i completely agree | 20:21 |
DanAccenture | not able to login...first snag haha | 20:21 |
DanAccenture | says connection denied because the user name and password is not recognized | 20:21 |
DanAccenture | hmmmmm | 20:22 |
DanAccenture | just to double-check here | 20:22 |
DanAccenture | within the VPN properties, which encryption protocols are supposed to be used? | 20:22 |
nowen | DanAccenture: we don't care. Go to the WiKIDAdmin logs and look for an error | 20:23 |
nowen | DanAccenture: http://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-can-i-set-radius-logging-to-debug-how-can-i-see-if-wikid-is-getting-the-radius-requests?searchterm=radius+debug | 20:23 |
nowen | Angel_: that makes no sense | 20:24 |
Angel_ | I agree | 20:25 |
nowen | Angel_: lol | 20:25 |
nowen | I can run it on my server fine - the only difference is the passphrase | 20:25 |
nowen | what version of the server is this? | 20:25 |
Angel_ | Here is my version: wikid-server-enterprise-3.5.0-b1421 | 20:26 |
Angel_ | Would that make a difference? | 20:26 |
nowen | mm | 20:27 |
nowen | possibly - and possibly with the other error | 20:27 |
Angel_ | I've tried changing the IP on the .jsp page to the actual ip instead of localhost and it does not work either. Trying different things. | 20:27 |
nowen | can we upgrade you to the latest and create new certs? | 20:28 |
Angel_ | ok. I can do tonight after hours. | 20:30 |
nowen | ok - I'll email you the commands | 20:30 |
nowen | before I do - can you run 'rpm -qa | grep wikid' and let me know what it returns | 20:31 |
DanAccenture | okay set up the debug and trying to filter through them | 20:31 |
DanAccenture | what should i be looking for here? | 20:31 |
nowen | DanAccenture: if the last thing you see is a token request, then the radius packets aren't getting to wikid | 20:32 |
nowen | you can also run 'tcpdump port radius' on the command line | 20:32 |
Angel_ | wikid-appliance-3.5.0.b1403-1 wikid-utilities-3.4.2-1 wikid-server-enterprise-3.5.0.b1421-1 | 20:32 |
nowen | ok | 20:33 |
DanAccenture | hm i see where i restarted the server...then i see a bunch of BasicResourcePool sources...all Debug operations...I see an INFO level where a passcode was issued to a device, then a bunch of BasicResourcePool and two C3P0PooledConnectionPool Debug operations in there | 20:34 |
DanAccenture | hard to make out what to look at | 20:34 |
DanAccenture | nothing explicit to my eyes that says a token request was processed or sent | 20:35 |
nowen | set the loglevel to debug and get an OTP | 20:35 |
nowen | you'll see 'issued passcode to device...' | 20:36 |
DanAccenture | yep already see that in the log | 20:39 |
DanAccenture | got that | 20:39 |
DanAccenture | okay so the radius packets arent getting to wikid | 20:40 |
nowen | ok - if there is nothing after that, then the radius req isn't getting to WiKID | 20:40 |
nowen | yes | 20:40 |
DanAccenture | lemme troubleshoot here | 20:40 |
DanAccenture | thx! | 20:40 |
nowen | try the tcpdump command | 20:40 |
nowen | because the packets might not be coming from where wikid expects | 20:40 |
DanAccenture | yep no ip traffic from the 10.xxx address...analyzing and messing with some things | 20:46 |
DanAccenture | might be firewall, going to check | 20:46 |
DanAccenture | thanks, one sec | 20:46 |
nowen | k | 20:46 |
joevano | nowen: tomorrow looks to be a big sales day for you ;-) | 21:14 |
nowen | joevano: lol! | 21:21 |
nowen | it is my birthday. | 21:21 |
joevano | well Happy Birthday! Enjoy your holiday as well! | 21:22 |
nowen | everyone gets the next day off! | 21:22 |
joevano | I just remembered that my 21st Anniversary is Thursday and I should probably plan something | 21:22 |
nowen | oh my yes | 21:23 |
joevano | you would think having it on a holiday would make it easier... | 21:23 |
nowen | yes, yes I would | 21:24 |
joevano | but it just didn't click in my head | 21:24 |
nowen | Isn't 21 the year of a new phone? | 21:24 |
joevano | looked at the calendar on my phone around noon today and thought "OH #$@%" | 21:24 |
joevano | it was almost the year of the new husband | 21:25 |
nowen | My wife is always "happy anniversary" and I'm "it's june 1st already?!?!" | 21:25 |
joevano | hehe | 21:26 |
*** nowen has quit (Quit: Leaving.) | 22:27 |