*** nowen (~nowen@50-194-249-125-static.hfc.comcastbusiness.net) has joined #wikid | 12:25 | |
*** nowen has quit (Remote host closed the connection) | 13:19 | |
*** nowen (~nowen@50-194-249-125-static.hfc.comcastbusiness.net) has joined #wikid | 13:20 | |
*** AccentureDan (0cfa9442@gateway/web/freenode/ip.12.250.148.66) has joined #wikid | 16:58 | |
AccentureDan | sup Nick! | 16:58 |
nowen | hey Dan! | 16:58 |
nowen | how goes it? | 16:58 |
AccentureDan | just a little status update...have the VPN in place in the test domain, all working and ready to go...currently have my DC with NPS as my RADIUS server, and my little VPN box as the client | 16:59 |
AccentureDan | so am ready to work on this solution today to get WiKID in place with VPN | 16:59 |
AccentureDan | going great man how ya doin? | 16:59 |
nowen | ok - so you have it all working without WiKID? | 16:59 |
AccentureDan | yup | 16:59 |
nowen | doing well! | 16:59 |
nowen | cool | 16:59 |
AccentureDan | all working without wikid | 16:59 |
AccentureDan | and i verified that wikid works internally | 16:59 |
nowen | start simple, I say | 17:00 |
AccentureDan | added a user, tested with that little Java app | 17:00 |
AccentureDan | absolutely, keep it simple | 17:00 |
nowen | you mean example.jsp? | 17:00 |
AccentureDan | yup | 17:01 |
nowen | so, now you just have to add WiKID to NPS with a connection policy? | 17:03 |
*** Mark__ (8f74745b@gateway/web/freenode/ip.143.116.116.91) has joined #wikid | 17:07 | |
Mark__ | Nick are you here? | 17:07 |
nowen | yes | 17:07 |
Mark__ | hello | 17:07 |
Mark__ | got a question | 17:07 |
nowen | ok | 17:07 |
Mark__ | all of our ATT cell phone users are having an issue | 17:08 |
*** Troy__ (329b9bb1@gateway/web/freenode/ip.50.155.155.177) has joined #wikid | 17:08 | |
nowen | oh my | 17:08 |
Mark__ | their WiKID clients are being updated | 17:08 |
Mark__ | and erasing their token | 17:08 |
nowen | android or iphone? | 17:08 |
Mark__ | Hello Troy | 17:08 |
Mark__ | android | 17:08 |
Troy__ | Hi there | 17:09 |
Mark__ | do you use different versions for different carriers as well? | 17:09 |
nowen | no | 17:09 |
nowen | what version are they using? | 17:09 |
Mark__ | Troy what version is it showing you on? | 17:09 |
Troy__ | on my Android phone, I upgraded to 4.3 last week and lost my domain | 17:09 |
Troy__ | sorry.. Token client for Android version 3.4 | 17:10 |
Mark__ | on Verizon i am on 3.5.13 and not showing any updates available | 17:10 |
nowen | you mean your OS updated and it deleted your token? | 17:10 |
Troy__ | no.. just the WiKID app updated.. I'm on Jelly Bean 4.1.1 and haven't had an OS update since last December | 17:11 |
nowen | I thought you had updated the WIKID token | 17:11 |
nowen | ok | 17:11 |
nowen | our current version is 3.5.12 | 17:11 |
nowen | oops | 17:11 |
nowen | 3.5.13 | 17:11 |
Mark__ | whew okay so I am on the latest on my phone | 17:12 |
nowen | hmm | 17:12 |
Mark__ | I have not had any issues but i am on verizon | 17:12 |
Troy__ | I don't remember which WiKID app version I was running before.. last week or the week before the Google play store showed a WiKID client upgrade was available.. and I went ahead and upgraded | 17:13 |
nowen | 3.5.1 was released Sep 27, 2012 | 17:13 |
Troy__ | I'm going to remove the client and re-install from the play store | 17:13 |
Mark__ | Troy what Android version are you on? | 17:13 |
nowen | I was going to remove the latest from production to stop any upgrades, but it seems like y'all are on a later version | 17:14 |
Troy__ | Android version 4.1.1 (jelly bean) | 17:14 |
Troy__ | on a Motorola Atrix HD | 17:14 |
nowen | Troy__: and you say the WiKID version is 3.4? | 17:14 |
Troy__ | yes.. it appears the upgrade actually downgraded me from WiKID 3.5.x down to 3.4 | 17:15 |
Mark__ | that does not sound good | 17:15 |
nowen | that's damn screwy | 17:15 |
nowen | there's not some special at&t app store, right? | 17:16 |
Troy__ | no.. i always remove those carrier stores | 17:16 |
Troy__ | this was straight from Google play | 17:16 |
nowen | I don't even see 3.4 on the developer app store | 17:16 |
Troy__ | I just uninstalled the WiKID app and re-installed and it's still WiKID 3.4 | 17:16 |
Troy__ | let me try on my wifes Nexus 7.. it's running Android 4.3 | 17:17 |
Mark__ | i have Android 4.1.2 | 17:18 |
nowen | on the app store page, is the date published Aug 9th? | 17:18 |
Troy__ | Yes.. Aug 9th, 2013 | 17:19 |
Troy__ | that may have been when the update came though on my phone | 17:20 |
Troy__ | Just did a fresh install of WiKID app on my wifes Nexus and it's showing Version 3.4 as well | 17:20 |
Troy__ | this device hasn't had any version of the WiKID app installed prior to now | 17:21 |
nowen | hmm | 17:21 |
Mark__ | is it ATT? | 17:21 |
nowen | no, I've replicated it on my device | 17:21 |
nowen | t-mobile | 17:21 |
Troy__ | Mark.. what does your Play store show for a date? | 17:22 |
Mark__ | okay | 17:22 |
Mark__ | aug 9th 2013 | 17:22 |
Troy__ | and doesn't it show an upgrade available? | 17:22 |
Mark__ | no | 17:22 |
nowen | it could be that the version in the source code is inaccurate | 17:22 |
Mark__ | so when i open my about wikid it actually shows Token client for Android vers 3.4 | 17:25 |
Troy__ | in the meantime, can you stop the upgrade? | 17:25 |
nowen | trying | 17:25 |
Troy__ | so folks aren't actually downgrading and losing their domain settings? | 17:25 |
Mark__ | not sure but so far you, Matt and Rick have all lost yours when these auto updates run | 17:26 |
Troy__ | i need to run for a bit to pick up my daughter from pre-school.. i'll be back in a few | 17:26 |
nowen | I have removed it from the store | 17:26 |
Mark__ | okay can you follow up in an email if you find out what is occurring | 17:28 |
Mark__ | i need to drop off over in Europe this week and need to grab some dinner will leave this up and check back when i get back | 17:28 |
nowen | ok | 17:30 |
nowen | Troy__ or Mark__ - how many devices did this affect? | 18:07 |
*** newbiw (41337b6e@gateway/web/freenode/ip.65.51.123.110) has joined #wikid | 18:31 | |
newbiw | hi nick | 18:31 |
nowen | hi | 18:32 |
newbiw | i have the wikid server installed for radius and wikid's protocol | 18:32 |
nowen | who is that? ;-) | 18:32 |
newbiw | i setup a network client | 18:32 |
newbiw | i setup a user | 18:32 |
newbiw | the user is going to log in to the network client; the network client is an Ubuntu server | 18:33 |
newbiw | i can see the pam_radius module is sending the request to the wikid server | 18:33 |
newbiw | but i don't see the user getting the request to enter its token | 18:33 |
nowen | did you restart the WiKID service after adding the network client? | 18:33 |
newbiw | yeah | 18:34 |
newbiw | i can see the user account being sent to the wikid server | 18:34 |
newbiw | i will restart wikid anyways now | 18:34 |
nowen | you can see the radius request hitting wikid? | 18:35 |
newbiw | no | 18:35 |
nowen | are you running tcpdump on wikid? | 18:35 |
newbiw | client is saying no one responding | 18:35 |
newbiw | let me start it, port 1812 | 18:36 |
nowen | run 'tcpdump port radius' | 18:36 |
nowen | ;-) | 18:36 |
newbiw | wikid sent a 'reject' but the user got the login shell on ubuntu machine | 18:37 |
newbiw | i believe this is more of network client configuration to have 2 factor authentication for the user | 18:37 |
nowen | yeah, sounds like your pam radius config is off | 18:38 |
*** AccentureDan has quit (Ping timeout: 250 seconds) | 18:38 | |
nowen | run 'tail -f /var/log/auth.log' on the client to see what is happening | 18:39 |
newbiw | do i have to copy pam_radius_auth.conf to /etc/raddb/server | 18:39 |
nowen | I did not do that. | 18:39 |
nowen | that should not be the issue as the requests are getting to WiKID | 18:40 |
nowen | it is probably your /etc/pam.d/sshd | 18:40 |
newbiw | so let me ask you a simpler question. what is the expected behaviour | 18:40 |
nowen | if WiKID sends a reject, the user is prompted for their password again | 18:40 |
newbiw | yeah that didnt happen | 18:41 |
newbiw | let me reload ssh again | 18:41 |
nowen | auth.log will tell you what is happening | 18:42 |
*** Troy__ has quit (Ping timeout: 250 seconds) | 18:42 | |
newbiw | what am i supposed to put in, the local password or the wikid token? I am only getting a prompt to put in the password | 18:43 |
newbiw | google auth token asks for password then passcode | 18:43 |
newbiw | if i just put the passcode, i get Access Accept from WiKID | 18:44 |
nowen | oh - just the WiKID OTP | 18:46 |
newbiw | so if i were to attempt to log in from a different host into the client, i won't be allowed because the otp is unique to my laptop | 18:47 |
newbiw | no | 18:49 |
nowen | mostly, the token on your laptop is valid for your username and PIN on WiKID. the private key in it is unique. You can also have another token on your phone that would be unique, but also be valid for your username and PIN | 18:49 |
newbiw | should i create a password for the user on the local system ? | 18:49 |
nowen | you should create an account, unless you are using ldap or something for that | 18:50 |
newbiw | On this host i already have a few accounts | 18:50 |
nowen | tell me, why do you not want to use google auth? I'm curious | 18:50 |
newbiw | I dont want to because i cant get NX to work with it | 18:51 |
nowen | ahh | 18:51 |
newbiw | i want to secure the machine using Wikid | 18:51 |
Mark__ | Nick i am back now | 18:51 |
nowen | hey Mark__ | 18:51 |
Mark__ | not sure at this moment i only know of 6 | 18:51 |
nowen | Mark__: we are working on it. I think we may have signed the latest with a different key | 18:52 |
Mark__ | I will have to do some research to find out a total number | 18:52 |
Mark__ | okay | 18:52 |
nowen | Mark__: it's ok. | 18:52 |
nowen | newbiw: what do you see in your /var/log/auth.log | 18:53 |
newbiw | <@nowen>Aug 28 18:55:53 wikid-client sshd[27175]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned -1930210624. | 18:56 |
*** Mark__ has quit (Ping timeout: 250 seconds) | 18:56 | |
nowen | hmm. that's not super helpful ;-) | 18:56 |
newbiw | Accepted password for jsingh from 10.120.20.109 port 50072 ssh2 | 18:57 |
nowen | ok - was that with the OTP? | 18:57 |
newbiw | Yes | 18:57 |
newbiw | I am logged in using the Wikid Server Token and not using the local password | 18:57 |
nowen | ok - that's good right? | 18:58 |
newbiw | i thought the tokens worked like google's system, where you had to put the password once then the token | 18:58 |
nowen | hmm - is that what makes it not work for NX? | 18:59 |
newbiw | yes | 18:59 |
newbiw | i think so | 18:59 |
newbiw | how is it supposed to work Wikid | 18:59 |
nowen | because the NX client only wants one password | 19:00 |
newbiw | request passcode , then ssh into machine and enter the passcode | 19:00 |
newbiw | i want to make sure first that i have 2 factor with wikid | 19:00 |
newbiw | how are we achieving that here sorry , i am not seeing that | 19:00 |
newbiw | ubuntu ssh client is only asking for one password, shouldn't it be asking for two things | 19:03 |
newbiw | please help me understand it | 19:03 |
nowen | no - the two factors are represented in the OTP. possession of the private key embedded in the token and knowledge of the PIN | 19:03 |
*** Troy (329b9bb1@gateway/web/freenode/ip.50.155.155.177) has joined #wikid | 19:04 | |
newbiw | ok so this is a one time password, and since your account was set up with asymmetric keys with the wikid server on the client | 19:05 |
nowen | yep | 19:06 |
Troy | Nick.. i don't know for sure how many installed the Android WiKID update.. but I would say there are about 1,000 or so Android devices of the 4200+ devices (1227 users) | 19:07 |
Troy | has the new source been updated in the play store? | 19:07 |
*** Mark__ (51b7fb04@gateway/web/freenode/ip.81.183.251.4) has joined #wikid | 19:07 | |
Mark__ | back got disconnected | 19:07 |
nowen | Troy: not yet | 19:08 |
Mark__ | Is there anyway to fix the users that have been affected besides having them re-register? | 19:08 |
Troy | ok..last time I checked, the token client wasn't available | 19:08 |
nowen | Troy: good - they said it might take a few hours to unpublish | 19:08 |
nowen | Mark__: I have serious doubts about that | 19:09 |
Mark__ | okay | 19:09 |
*** nowen has quit (Remote host closed the connection) | 19:12 | |
*** nowen (~nowen@50-194-249-125-static.hfc.comcastbusiness.net) has joined #wikid | 19:13 | |
Mark__ | Nick when you think this is corrected can you send me an email so i can send a memo out to all our users having them verify if they were affected and if so a quick reminder of how to register again | 19:15 |
nowen | yes, will do | 19:15 |
nowen | i'm very sorry about this | 19:15 |
Mark__ | Is this only on Android? | 19:18 |
nowen | yes | 19:18 |
Mark__ | did it affect the iOS or Windows mobile device tokens? | 19:19 |
Mark__ | okay | 19:19 |
nowen | no - we have not updated those | 19:19 |
newbiw | thanks nick | 19:24 |
nowen | newbiw: is it all working? | 19:24 |
newbiw | now i have to test the NX part | 19:27 |
nowen | great | 19:27 |
Mark__ | Nick I am dropping off just let me know when it is fixed so i can send out a memo to our users making them aware of this issue and thanks again for your prompt support | 19:35 |
nowen | will do | 19:35 |
*** Mark__ has quit (Ping timeout: 250 seconds) | 19:43 | |
newbiw | Nick i am now getting access reject on radius | 20:49 |
nowen | newbiw: check to see if the user is enabled | 20:49 |
nowen | that happens in testing | 20:50 |
newbiw | does it automatically get disabled? | 20:50 |
nowen | if you exceed the limits on bad pins or otps | 20:50 |
nowen | you can set the logs to debug: http://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-can-i-set-radius-logging-to-debug-how-can-i-see-if-wikid-is-getting-the-radius-requests | 20:51 |
nowen | and get more info | 20:51 |
newbiw | he was disabled | 20:52 |
nowen | people try stuff when testing and it adds up. I doubt you will see it much in prod | 20:53 |
newbiw | cool | 20:54 |
newbiw | NX now works with the token | 20:54 |
newbiw | i will present it to the client next week | 20:54 |
nowen | if you do, you can change the settings on the domain | 20:54 |
nowen | nice! | 20:54 |
nowen | are you using freenx or the commercial? | 20:54 |
newbiw | i got the evaluation software | 21:02 |
newbiw | i can create a new vm and try free nx tomorrow | 21:02 |
newbiw | let them know both ways | 21:02 |
nowen | have you checked out nx 4? | 21:02 |
nowen | freenx is a bit old | 21:02 |
nowen | but seems solid | 21:03 |
newbiw | no my client is 3.5 | 21:03 |
newbiw | let me check the server's version | 21:03 |
newbiw | 3.5 also | 21:04 |
newbiw | nx free is 3.5 also | 21:04 |
newbiw | thanks | 21:06 |
*** newbiw has quit () | 21:06 | |
nowen | joevano: do you have an android token installed? or you coolacid | 21:59 |
*** nowen has quit (Quit: Leaving.) | 22:06 | |
*** Troy has quit (Quit: Page closed) | 22:08 | |
*** AccentureDan (0cfa9442@gateway/web/freenode/ip.12.250.148.66) has joined #wikid | 22:27 |
Generated by irclog2html.py 2.11.0 by Marius Gedminas - find it at mg.pov.lt!