*** coolacid has quit (Read error: Connection reset by peer) | 01:00 | |
*** coolacid (~CoolAcid@2001:470:c025:f00d:8e89:a5ff:fe30:c728) has joined #wikid | 01:01 | |
*** coolacid has quit (Changing host) | 01:01 | |
*** coolacid (~CoolAcid@unaffiliated/coolacid) has joined #wikid | 01:01 | |
*** Prasad (50a80b3e@gateway/web/freenode/ip.80.168.11.62) has joined #wikid | 08:46 | |
Prasad | Hi, Prasad from Subex UK Ltd. | 08:47 |
Prasad | is there any contact number for wikid sales please? | 08:47 |
*** Prasad has quit (Client Quit) | 08:51 | |
*** nowen (~nowen@50-194-249-125-static.hfc.comcastbusiness.net) has joined #wikid | 12:52 | |
*** JRorie (0c6ee002@gateway/web/freenode/ip.12.110.224.2) has joined #wikid | 14:10 | |
nowen | hey Jason! | 14:10 |
JRorie | Hey Nick. | 14:10 |
JRorie | I am getting a page cannot be displayed after the install. | 14:10 |
nowen | ok - hmm | 14:10 |
nowen | run 'netstat -anp | grep 443' | 14:11 |
JRorie | It didn't return anything | 14:12 |
nowen | ok - so WiKID isn't starting. | 14:12 |
JRorie | 80 did | 14:12 |
nowen | what did it return? | 14:12 |
JRorie | 2781/ntpd | 14:13 |
JRorie | rg/kernel/udev/udevd | 14:13 |
nowen | oh, ok. that's probably not on http port 80 | 14:13 |
nowen | run 'more /opt/WiKID/tomcat/logs/catalina.out' and look for an error | 14:13 |
JRorie | how do I start the service then? | 14:13 |
nowen | ' wikidctl start' should do it | 14:14 |
nowen | did you install the latest utilities rpm? | 14:14 |
JRorie | Yes, I did. | 14:14 |
JRorie | I started it and it wants a new password for WikID | 14:15 |
JRorie | Or new Unix Password that is. | 14:15 |
nowen | ok - you can enter whatever you like for that | 14:16 |
nowen | are you doing this as root? | 14:16 |
JRorie | yes | 14:16 |
JRorie | It is wanting to go through creating a self signed cert now. Is this all part of the initial install? | 14:19 |
JRorie | Maybe I just hadn't completed it. | 14:19 |
JRorie | From within the Linux window. | 14:19 |
nowen | yes - that is for the WiKIDAdmin UI | 14:20 |
JRorie | Got it. | 14:20 |
JRorie | Okay. The webpage came up! | 14:21 |
nowen | awesome | 14:24 |
JRorie | After installing my certificates and restarting the service it says "Stopping Tomcat server... /usr/bin/sudo: error while loading shared libraries: libldap-2.3.so.0: cannot open shared object file: No such file or directory". Then when I try to enter the passphrase I created it comes back and says invalid passphrase. | 14:40 |
nowen | hmm | 14:41 |
nowen | run 'updatedb' and then 'locate libldap' | 14:42 |
JRorie | neither one of those commands came back with anything. | 14:43 |
nowen | I'm not sure why you would get that error, but we can probably fix it by running 'yum install openldap'. Also, go ahead and run 'yum -y update' | 14:44 |
JRorie | Okay, it is running. Should I try starting after it completes? | 14:47 |
nowen | yes | 14:47 |
nowen | also, you can rerun updatedb and locate libldap. you should see them now | 14:47 |
nowen | Is this a virtual machine? | 14:48 |
JRorie | Yes | 14:49 |
nowen | If you want to start fresh, I can send you the link for the appliance ISO. Some of these errors may be from removing WiKID. If this doesn't work, it might be easiest | 14:50 |
JRorie | It took my password and had no errors this time. | 15:00 |
nowen | nice - can you get to the ui? | 15:08 |
JRorie | I have everything configured, but still cannot get a VPN to connect. | 15:16 |
nowen | ok - what are you seeing? | 15:17 |
JRorie | I see it hit the firewall, but nothing in the WiKID logs. What should the radius server address be on the firewall? The WiKID server? | 15:20 |
nowen | yes - port 1812 udp | 15:20 |
nowen | on the WiKID server you can run 'tcpdump -v port radius' and it will tell you if the packets are getting there | 15:20 |
JRorie | I don't see anything hitting it. I am pretty sure my Watchguard is set up okay. | 15:27 |
nowen | hmm | 15:27 |
nowen | did you restart wikid after adding the watchguard as a network client? | 15:28 |
JRorie | Does the Watchguard have to be the network client or an internal radius server? The guy before had an NPS server set up and that listed as the network client. | 15:30 |
nowen | ahh - yes, it can be that way. In that case, the Watchguard points to NPS and NPS points to WiKID | 15:31 |
JRorie | That is probably what is wrong | 15:31 |
nowen | you would want NPS to be the network client | 15:31 |
nowen | most likely. | 15:31 |
nowen | check that the NPS has the new WiKID IP too | 15:32 |
JRorie | It Does. It still doesn't seem to be working though. | 15:37 |
nowen | well, NPS connection policies are a bit of a mystery | 15:37 |
nowen | does it have the watchguard IP correct? | 15:37 |
JRorie | It does. It has the IP of the NPS server | 15:40 |
nowen | what is in the Event Viewer? | 15:40 |
JRorie | The NPS event log has nothing new in it. Is there a way to do it without NPS? | 15:43 |
nowen | yes, the Watchguard can talk directly to WiKID. The benefit of having NPS in the middle is that if you remove/disable a user in AD, they can no longer get remote access. If they talk directly, you have to disable the person in both NPS and WiKID | 15:45 |
nowen | this doc might help: http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-nps | 15:45 |
nowen | of course, if you only have a few users, direct might be simplest | 16:15 |
JRorie | We only have a few. I cannot get NPS to work for the life of me. | 16:57 |
nowen | it's a pain | 16:57 |
JRorie | So, how does the direct work then? | 17:02 |
nowen | oh - just put the WiKID server in the watchguard as the server and put the watchguard in WiKID as a network client | 17:09 |
JRorie | I tried that, and it isn't communicating from what I can see. | 17:15 |
nowen | did you try that tcpdump command? | 17:15 |
nowen | also, did you restart WiKID after putting the Watchguard in as a network client? | 17:17 |
JRorie | I did restart the WiKID. How can you tell if anything came in after running the tcpdump? | 17:25 |
nowen | well, you would see it there. run 'tcpdump port 443' and you'll see | 17:26 |
nowen | run 'iptables -L -n' , do you see the Watchguard IP listed? | 17:26 |
JRorie | I don't. | 17:27 |
nowen | hmm | 17:27 |
nowen | ok - run 'wikidctl stop' | 17:27 |
nowen | and then 'killall -9 java' | 17:27 |
nowen | and then 'wikidctl start' | 17:28 |
JRorie | Did that and nada. Does this make a difference per Watchguards site? | 17:34 |
JRorie | To establish the PPTP connection the user must be a member of a group named PPTP-Users. Once the user is authenticated, the Firebox keeps a list of all groups that a user is a member of. Use any of the groups in a policy to control traffic from the user. | 17:34 |
nowen | got me, not very familiar with the watchguard | 17:34 |
nowen | do you see the old NPS address listed in iptables? | 17:35 |
JRorie | No, only 127.0.0.1 and 0.0.0.0 | 17:36 |
nowen | run 'service iptables stop' and then the tcpdump command and try to login again | 17:37 |
JRorie | No luck with that either. | 17:41 |
JRorie | 0 packets captured. | 17:41 |
nowen | so, I'm pretty sure it must be the watchguard. | 17:42 |
nowen | you are using port 1812, right? | 17:56 |
JRorie | Yes, I am. It's weird. I can see it allowing the traffic through | 18:00 |
JRorie | Is it PPTP? | 18:02 |
nowen | no - the radius traffic is 1812 for the watchguard to wikid auth traffic | 18:05 |
nowen | the old port is 1645, so sometimes firewalls offer up both | 18:05 |
JRorie | Using windows built in VPN client should work though, right? | 18:06 |
nowen | yes | 18:07 |
nowen | just wanted to check what your settings are for the radius server on the watchguard | 18:07 |
nowen | what are the options under the authentication servers for the watchguard? | 18:08 |
nowen | the watchguard may be one of the ones still using port 1645 | 18:17 |
JRorie | It is 1812. I am going to try a firmware upgrade. | 18:18 |
nowen | hmm | 18:19 |
nowen | what errors do you get in the Watchguard logs? | 18:19 |
JRorie | I get no errors at all. | 18:20 |
nowen | but does the authentication fail? | 18:20 |
JRorie | It never says whether it does or not. It never even says it is trying to authenticate. | 18:29 |
nowen | we are way out of my area | 18:32 |
JRorie | I opened a case with Watchguard too. I would think I would see something in the logs. It is almost like it is not sending the radius traffic | 20:05 |
nowen | hmm | 20:05 |
nowen | which watchguard model is it? | 20:06 |
JRorie | XTM 505 I use it in other offices with Radius. | 20:07 |
nowen | ok - so you know way more than I do. | 20:12 |
nowen | time for me to check out | 21:42 |
*** nowen has quit (Quit: Leaving.) | 21:46 |
Generated by irclog2html.py 2.11.0 by Marius Gedminas - find it at mg.pov.lt!