*** JRorie has quit (Ping timeout: 250 seconds) | 11:54 | |
*** nowen (~nowen@50-194-249-125-static.hfc.comcastbusiness.net) has joined #wikid | 12:12 | |
*** NickS_ (540c8c38@gateway/web/freenode/ip.84.12.140.56) has joined #wikid | 15:00 | |
nowen | Hey NickS_, I see you just downloaded the server | 15:02 |
NickS_ | Hi, we're an existing enterprise customer, been using WiKID for a few years now. | 15:03 |
nowen | yeah - is Mark still with you? | 15:03 |
NickS_ | We have WiKID installed on VMWare from a Centos ISO | 15:03 |
NickS_ | Yes, Mark is still here. | 15:04 |
nowen | excellent. tell him Hi | 15:04 |
NickS_ | Will do, he's in a meeting at the moment | 15:04 |
nowen | ok - what's up? Anything wrong? | 15:04 |
NickS_ | Nothing wrong with the current installation, but I'm trying to migrate our VMware image into OpenStack. | 15:05 |
nowen | interesting. | 15:05 |
NickS_ | We use VMware's converter, import the VMDK into OpenStack, and create an instance but it fails to boot | 15:06 |
nowen | hmm. how many users do you have? would it be easier to start fresh? | 15:07 |
NickS_ | Well that's a possibility, probably using an Ubuntu DEB, which is why I started down the route of downloading it. | 15:08 |
NickS_ | But it looks like we'd have to start again from scratch? | 15:08 |
NickS_ | I think we've got 10 or so users | 15:08 |
nowen | not at all. I can also help you move the data to a fresh install | 15:09 |
nowen | I'm guessing that vmware's importer isn't much of an exporter ;-) | 15:09 |
nowen | is there a specific error you get on booting? | 15:09 |
NickS_ | We found other reports of people having problems with Centos. We have successfully booted Ubuntu VMware images. ubuntu is our preferred OS | 15:10 |
NickS_ | Specific errors are: | 15:10 |
nowen | I worry about moving the data from centos to ubuntu - differences in the postgresql setup | 15:10 |
NickS_ | mount: could not find filesystem 'dev/root' | 15:10 |
NickS_ | no fstab.sys mounting internal defaults | 15:11 |
NickS_ | setuproot: error mounting /proc | 15:11 |
NickS_ | A few others, and then a kernel panic | 15:11 |
nowen | yeah, seems bad | 15:11 |
NickS_ | Yep | 15:12 |
NickS_ | So, you're not keen on a CentOS to Ubuntu migration? | 15:12 |
nowen | well, maybe if you do a psql data dump it would work. | 15:13 |
nowen | here are the options as I see them: | 15:13 |
nowen | 1. set up a centos wikid server same version as your current (update to latest, first). copy the db files and certs to new server, set IP and start | 15:14 |
nowen | 1. Setup replicant server on openstack, replicate existing server to slave, promote slave (essentially the same as above, but uses our scripts) | 15:15 |
nowen | ooops - that was 2. ;-) | 15:15 |
NickS_ | ;-) | 15:15 |
nowen | 3. use postgresql tools to dump db, restore to new ubuntu server, copy over certs etc and see | 15:15 |
nowen | 4. start fresh with ubuntu setup | 15:16 |
nowen | really a question of the time you want to spend on something that might not work | 15:16 |
NickS_ | Okay. | 15:18 |
NickS_ | and I guess 4 could follow 3 by resetting the DB if 3 fails | 15:19 |
NickS_ | ? | 15:19 |
nowen | yes, and you can probably do, 3, then 2 or 1. 3 should not damage the database at all | 15:19 |
nowen | though you might lose data during the process | 15:19 |
nowen | but most likely it would be logging info and not, say, new user registrations | 15:20 |
NickS_ | You mean lose data during a replication, not during an export? | 15:20 |
nowen | you should not lose data during replication nor export | 15:21 |
nowen | well | 15:21 |
nowen | let's say you export the db at 2:00 pm | 15:21 |
nowen | it works and you start the new server at 3:00 pm | 15:21 |
nowen | that hour of data is not on the new server | 15:22 |
NickS_ | Okay, that's fine. We accept that. | 15:23 |
nowen | you can leave the WiKID server off and you won't lose any data ;-) | 15:23 |
NickS_ | We'll get complaints ;-( | 15:25 |
NickS_ | Okay, I'll have a think and discuss with Mark. | 15:25 |
nowen | hehe, well, glad to hear you are using it! | 15:25 |
nowen | ok | 15:25 |
NickS_ | Are there any docs on migrating the DB and certificates? | 15:25 |
nowen | no, we have some on replication, but I would have to walk you through it. let me check though | 15:26 |
NickS_ | Okay, thanks | 15:27 |
nowen | it's really just two directories. /opt/WiKID/private and /var/lib/pgsql/data. | 15:27 |
nowen | for postgres, I think it would be something like pgdump/pgrestore | 15:27 |
NickS_ | Okay. I'm guessing we'll go for option 3 in the first instance. | 15:28 |
nowen | ok | 15:28 |
NickS_ | There's a spelling mistake on your website | 15:29 |
nowen | oh - where? | 15:29 |
NickS_ | Under "View our quick links": | 15:29 |
NickS_ | New! WIKID Installation Videos! 15 minites to two-factor authentication! | 15:29 |
NickS_ | should be "minutes"? | 15:29 |
nowen | oh, yes it should | 15:30 |
NickS_ | Ok, thanks. I might be back! | 15:30 |
nowen | np, I will be here | 15:30 |
NickS_ | Bye | 15:30 |
nowen | later | 15:30 |
NickS_ | Hello again | 16:04 |
nowen | hi | 16:04 |
NickS_ | I'm looking for our existing postgres login details | 16:04 |
NickS_ | Are they fixed, or where can I find them? | 16:04 |
nowen | if you are root on the box , you should be able to 'su - postgres' | 16:04 |
nowen | it is locked to the server localhost | 16:04 |
NickS_ | ok, hang on | 16:04 |
NickS_ | Thanks. That's got me going. | 16:15 |
nowen | ok | 16:15 |
*** NickS_ has quit (Quit: Page closed) | 16:31 | |
*** AccentureDan (0cfa9442@gateway/web/freenode/ip.12.250.148.66) has joined #wikid | 16:54 | |
nowen | Hey AccentureDan | 16:54 |
AccentureDan | hey bud | 16:54 |
AccentureDan | so working on this thing again | 16:54 |
nowen | how goes it? | 16:54 |
AccentureDan | good man hbu? | 16:54 |
AccentureDan | so i had to swap some configuration around in my test domain because of how I plan on implementing wikid, just need some help | 16:55 |
nowen | ok | 16:55 |
AccentureDan | again, my test domain has a VPN jump box VM with two network adapters, one for external (10.67.x.x) network and one for internal (192.168.x.x) network | 16:55 |
AccentureDan | my wikid is purely on the 192.168.x.x network and my Domain Controller is purely on the 192.168.x.x network | 16:56 |
AccentureDan | should i have my Wikid auth server facing the 10.67.x.x network? all i want to do is have the user use TFA plus their AD credentials when they VPN in | 16:57 |
AccentureDan | i think you sent something my way but i cannot seem to find it | 16:57 |
AccentureDan | one more question...when i set up the domain server ID, should that be the ID of an internal 192.168.x.x address or the external facing adapter address (10.67.x.x)? | 16:57 |
nowen | ok, so the server needs to communicate with the tokens which are outside your FW | 16:58 |
nowen | the domain id should use the External IP | 16:58 |
AccentureDan | yup | 16:58 |
AccentureDan | ohhhhh okay i thought so | 16:58 |
AccentureDan | one sec lemme go edit this up | 16:58 |
nowen | so, even though you might NAT the server, the domain id is the external | 16:58 |
AccentureDan | okay the only external IP address right now that i have is the external IP address of the VPN that users from the external network are connecting to | 16:59 |
AccentureDan | basically which server would be best suited as the domain server ID? the domain controller, the wikid auth server, or my VPN jump box? | 17:00 |
nowen | well, if your VPN can handle it, you can route any traffic on port 80 going to /wikid to the WiKID server | 17:00 |
AccentureDan | should be able to, i turned off everything for testing purposes | 17:00 |
AccentureDan | firewalls and such | 17:00 |
AccentureDan | i mean for best practices, should i have my wikid auth server as the domain ID and have that NATd to the external network? | 17:01 |
nowen | yes | 17:01 |
nowen | that's the way it has to be | 17:01 |
AccentureDan | fantastic, that clears that up...this will take a few minutes, have to add a virtual network adapter and all that jazz | 17:01 |
AccentureDan | brb man, thx for the advice :) | 17:01 |
nowen | otherwise the tokens won't be able to reach it | 17:01 |
nowen | np | 17:01 |
AccentureDan | awesome | 17:01 |
AccentureDan | thanks :) | 17:01 |
AccentureDan | okay all created...so question regarding network clients | 17:30 |
AccentureDan | just a bit confused on what will be requesting stuff from WiKID | 17:30 |
nowen | your VPN | 17:30 |
AccentureDan | i only have my domain controller added as of now | 17:30 |
AccentureDan | okay should it be the internal or external address for the VPN? | 17:31 |
nowen | your AD server doesn't talk to WiKID | 17:31 |
AccentureDan | okay, just the VPN? | 17:31 |
nowen | or do you have NPS on it? | 17:31 |
AccentureDan | i have NPS | 17:31 |
nowen | ahh | 17:31 |
nowen | ok | 17:31 |
nowen | sorry, then it should go: VPN >> NPS >> WiKID. | 17:31 |
AccentureDan | ahhhhh okay one sec | 17:32 |
AccentureDan | NPS for RADIUS and VPN for LDAP? | 17:32 |
nowen | nope | 17:32 |
nowen | no need for LDAP at all | 17:32 |
AccentureDan | fantastic | 17:32 |
nowen | the VPN talks to NPS | 17:32 |
nowen | not WiKID | 17:32 |
AccentureDan | awesome | 17:32 |
AccentureDan | then NPS routes to WiKID | 17:33 |
nowen | NPS will proxy the credentials to WiKID after authorizing the user based on their username | 17:33 |
AccentureDan | as i have that set up from the installation manual | 17:33 |
nowen | yes | 17:33 |
nowen | the user will enter their username and OTP into the VPN. | 17:33 |
AccentureDan | okay awesome, so the only network client i should have is the NPS client? | 17:33 |
nowen | vpn send that to NPS | 17:33 |
AccentureDan | ahhhhh okay | 17:33 |
nowen | yes | 17:33 |
AccentureDan | sweet! | 17:33 |
AccentureDan | let me dump this in to the test domain, one sec bud | 17:33 |
nowen | NPS does the AuthZ, if that goes ok, NPS sends credentials to WiKID for AuthN | 17:34 |
nowen | the tricky part is the connection request policy in NPS, IMO | 17:34 |
AccentureDan | yeah its a pain lmao | 17:36 |
AccentureDan | okay so design question | 17:36 |
AccentureDan | back to NPS | 17:36 |
nowen | ok | 17:36 |
AccentureDan | i set the client as my external IP for the VPN, got that | 17:36 |
AccentureDan | the remote radius server is WiKID | 17:36 |
AccentureDan | should i set the internal IP address of WiKID or external? | 17:36 |
nowen | wait - what do you mean by 'client'? | 17:36 |
AccentureDan | okay in NPS when you set up a VPN you set up both a client and a server...normally my RADIUS server would be my domain controller to proxy AD credential auth requests, but i have it set up as my WiKID server to proxy OTP requests | 17:38 |
AccentureDan | the RADIUS client i have set as my external IP for my VPN | 17:38 |
AccentureDan | to service VPN requests | 17:38 |
AccentureDan | does that sound correct? | 17:38 |
nowen | on NPS, the VPN should be the client and WiKID the Server | 17:38 |
AccentureDan | fantastic | 17:38 |
AccentureDan | got that down then | 17:38 |
AccentureDan | just one quick question | 17:38 |
AccentureDan | i just added another card with an external address to the WiKID server instead of NATting because of the way I have it set up, ease of use basically...would i set up the RADIUS server with the external or internal IP address of the WiKID server? | 17:39 |
nowen | NPS is your radius server. It would be a Network Client on WiKID, using its internal IP address | 17:40 |
AccentureDan | fantastic | 17:40 |
AccentureDan | one sec | 17:40 |
AccentureDan | okay so theoretically this seems to all be set up correctly | 17:41 |
AccentureDan | just want to go over one last thing before I test | 17:41 |
nowen | ok | 17:41 |
nowen | so, when you test, run 'tcpdump -v port radius' on the WiKID server | 17:48 |
nowen | it will show you if your radius requests are getting from NPS to WiKID | 17:49 |
AccentureDan | nothing getting to WiKID | 17:55 |
AccentureDan | have it listening and no radius requests received | 17:56 |
nowen | anything in the Windows event log? | 17:56 |
AccentureDan | let me check one sec | 17:56 |
AccentureDan | yep got a remote access error | 17:57 |
AccentureDan | one sec | 17:57 |
AccentureDan | the user wikid\newuser1 has connected and failed to authenticate on port VPN3-127 | 17:57 |
nowen | is the Remote-RADIUS-to-Windows-User-Mapping set to True? | 17:58 |
AccentureDan | wikid is my test domain's name | 17:58 |
AccentureDan | nope i was just about to ask about that work around | 17:58 |
AccentureDan | can you forward me the link to set that up? | 17:58 |
nowen | http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-nps is what we have | 17:58 |
AccentureDan | thanks man! | 17:58 |
nowen | you may get better info from MS | 17:58 |
AccentureDan | okay still a no go, but got a different error | 18:04 |
nowen | ? | 18:04 |
AccentureDan | the user wikid\newuser1 connected from 10.67.x.x but failed an authentication attempt due to the following reason: the connection was prevented because of a policy on your RAS/VPN server | 18:06 |
nowen | that's kinda helpful actually! | 18:06 |
AccentureDan | Specifically, the authentication method used by the authentication server...blah blah blah | 18:07 |
AccentureDan | hahahaha | 18:07 |
AccentureDan | yay! | 18:07 |
AccentureDan | any idea? | 18:12 |
nowen | your connection request policy isn't allowing it to pass to auth | 18:12 |
nowen | do you see the last image on our nps page? | 18:12 |
AccentureDan | sorry im back | 18:22 |
AccentureDan | yup | 18:22 |
AccentureDan | i just set that up | 18:22 |
nowen | that Route to WiKID basically limits request to anytime | 18:22 |
AccentureDan | let me restart RRAS | 18:22 |
AccentureDan | okay good news | 18:29 |
AccentureDan | i am getting RADIUS stuff in tcpdump | 18:29 |
nowen | ok! | 18:29 |
AccentureDan | bad news, still not authenticating | 18:29 |
AccentureDan | ;-) | 18:29 |
nowen | is the user enabled? | 18:29 |
AccentureDan | so im assuming the username is wrong | 18:29 |
AccentureDan | let me check | 18:29 |
nowen | well that could be it. the username needs to be the same in WiKID and NPS/AD | 18:30 |
AccentureDan | okay lemme check | 18:32 |
AccentureDan | okay i enabled the user, that was wrong, and made sure it matched as a user who is enabled with dial-in permissions in AD | 18:34 |
AccentureDan | should i be putting the domain before the username? | 18:34 |
nowen | I don't think so. | 18:35 |
nowen | if you run that tcpdump command with -vvv you might see what name is coming through | 18:35 |
nowen | if not, do this: http://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-can-i-set-radius-logging-to-debug-how-can-i-see-if-wikid-is-getting-the-radius-requests | 18:35 |
AccentureDan | okay it is passing what i enter, wikid\newuser1 | 18:42 |
AccentureDan | let me try newuser1 instead | 18:42 |
AccentureDan | okay still getting a policy error | 18:43 |
AccentureDan | i don't have any network policies or health policies in place, at ALL...all i have is the route to wikid | 18:44 |
nowen | and that's the error in Event logger? | 18:44 |
AccentureDan | well i am getting a warning and error | 18:45 |
AccentureDan | the same warning as i typed above, but now i get this error | 18:45 |
AccentureDan | "The following error occurred in the Point to Point Protocol module: VPN-127 | 18:46 |
AccentureDan | The connection was prevented because of a policy on your RAS/VPN server | 18:47 |
AccentureDan | might have been there before, just figured i would add it | 18:47 |
AccentureDan | in my VPN connection settings should i be forcing a certain setting? | 18:47 |
AccentureDan | for the client that is | 18:47 |
AccentureDan | the VPN settings within the client | 18:47 |
nowen | do you get that same error if you login with the domainname/username? | 18:48 |
AccentureDan | yup same exact error and warning | 18:48 |
nowen | is the user getting auth'd by WiKID? | 18:49 |
AccentureDan | should i enable debugging to figure that out or would that be listed in tcpdump? | 18:50 |
nowen | you have to enable debugging | 18:54 |
AccentureDan | okay i checked with the example.jsp and it is accepting the OTPs from the client | 18:57 |
AccentureDan | should i enable debugging? | 18:57 |
AccentureDan | not sure if that works or not | 18:57 |
nowen | yes. it will show you much data | 18:57 |
AccentureDan | okay let me enable debugging then | 18:57 |
AccentureDan | same one as the link you sent me? | 18:57 |
nowen | yes | 18:58 |
AccentureDan | okay one sec | 18:58 |
AccentureDan | hm where are these logs? | 19:00 |
AccentureDan | i found a few spots | 19:00 |
AccentureDan | do i configure these within a file? | 19:00 |
nowen | ok - in the WiKIDAdmin, top right corner | 19:00 |
AccentureDan | ohhhhhhhhhh i see | 19:00 |
nowen | web ui | 19:00 |
AccentureDan | i was in terminal hahahaha | 19:00 |
nowen | ;-) | 19:01 |
AccentureDan | okay set to debug and all that jazz | 19:02 |
AccentureDan | should i restart the server or start another authentication request? | 19:03 |
nowen | ok - start by getting an otp | 19:03 |
AccentureDan | okay one sec | 19:03 |
AccentureDan | got one | 19:03 |
AccentureDan | should i check the logs? | 19:04 |
nowen | yes | 19:04 |
nowen | you should see the otp getting delivered | 19:04 |
nowen | now try to login, then refresh | 19:04 |
AccentureDan | okay i see a bunch of stuff one sec | 19:06 |
AccentureDan | yep i see issued passcode to device | 19:06 |
AccentureDan | awesome let me try and VPN in | 19:06 |
AccentureDan | okay what should i be looking for here | 19:09 |
AccentureDan | i let the VPN connect and it failed again | 19:09 |
AccentureDan | just trying to filter through the logs | 19:09 |
nowen | do you see log data after the OTP delivery? | 19:09 |
AccentureDan | yup | 19:10 |
nowen | a rejection or success? | 19:10 |
AccentureDan | lots of BasicResourcePool and NewProxyConnection yellow boxes | 19:10 |
AccentureDan | if that is right | 19:10 |
AccentureDan | all yellow boxes after the passcode was sent to me | 19:10 |
AccentureDan | no gray ones | 19:11 |
nowen | nothing from com.wikidsystems.radius.log.DBSvrLogImpl | 19:11 |
nowen | do you have the Log Level set to debug? | 19:12 |
AccentureDan | yeah man have that added in there and set to debug | 19:14 |
AccentureDan | but nothing coming out of it | 19:14 |
AccentureDan | i created it just like i was supposed to | 19:14 |
nowen | it's not all javascripty either, you have to set it and hit filter again | 19:14 |
AccentureDan | ohhh ok | 19:14 |
AccentureDan | weird | 19:15 |
AccentureDan | not showing up in the log list | 19:15 |
AccentureDan | even though i hit apply changes | 19:16 |
AccentureDan | do i have to do something for it to show up in the log list? | 19:16 |
AccentureDan | the log drop down that is | 19:16 |
nowen | does tcpdump show the connection coming in? | 19:16 |
AccentureDan | yep shows it is coming in | 19:20 |
AccentureDan | i get a bunch of stuff in the logs of tcpdump | 19:20 |
AccentureDan | showing it is passing the credentials in to WiKID it looks like | 19:21 |
AccentureDan | i just dont know how to read it | 19:21 |
nowen | did you add com.wikidsystems.radius.log.DBSvrLogImpl and set it to debug? | 19:21 |
AccentureDan | yup | 19:22 |
AccentureDan | thing is, it is in the list of logs to debug | 19:22 |
AccentureDan | but when i go to the drop-down for filtering it doesn't show up | 19:22 |
nowen | hm | 19:23 |
nowen | ok - go to the Configure Loggers page | 19:23 |
nowen | do you see com.wikidsystems.radius.log.DBSvrLogImpl listed? | 19:24 |
AccentureDan | yes sir! | 19:27 |
nowen | and it's set to debug? | 19:27 |
AccentureDan | yup | 19:28 |
nowen | run 'service iptables stop' and try to login again | 19:29 |
nowen | you should see something like User-Name (1), Length: 7, Data: [nowen], 0x6E6F77656E Acct-Session-Id (44), Length: 18, Data: [1378323787N15dhy], 0x313337383332333738374E3135646879 NAS-IP-Address (4), Length: 6, Data: [IP 127.0.0.1], 0x7F000001 NAS-Identifier (32), Length: 11, Data: [Localhost], 0x4C6F63616C686F7374 NAS-Port (5), Length: 6, Data: [# 0], 0x00000000 Calling-Station-Id (31), Length: 12, Data: [1115551212], 0x3131313535 | 19:31 |
nowen | here is what I see on tcpdump: http://pastebin.com/Ey6Lq8tF | 19:46 |
nowen | and my logs look like http://pastebin.com/zVzmnfKM | 19:46 |
AccentureDan | sorry about that im back | 20:15 |
AccentureDan | checking out your stuff | 20:15 |
nowen | 0o | 20:15 |
nowen | ok | 20:15 |
AccentureDan | my tcpdump is 10 times longer | 20:16 |
AccentureDan | it receives 12 packets | 20:16 |
AccentureDan | friggin weird | 20:16 |
AccentureDan | do you want to see the logs? | 20:16 |
nowen | yes | 20:17 |
AccentureDan | okay good news | 20:20 |
AccentureDan | restart the wikid service and that log i created is showing up | 20:20 |
nowen | ok | 20:20 |
AccentureDan | let me try and VPN in and see if it shows something | 20:20 |
AccentureDan | getting somewhere! | 20:22 |
AccentureDan | logs show i was accepted | 20:22 |
AccentureDan | but i am failing MS-CHAP authentication | 20:22 |
AccentureDan | okay so i just typed in NewUser1 and the OTP | 20:24 |
AccentureDan | and it said access granted | 20:24 |
nowen | in WiKID? | 20:24 |
AccentureDan | but i get the VPN window popping up saying windows could not connect using the current username and password, try again | 20:24 |
AccentureDan | yep in WiKID it works, grants me access | 20:24 |
AccentureDan | but then it seems like Windows AD cannot auth me | 20:24 |
nowen | check the Windows event logs | 20:24 |
AccentureDan | okay one sec | 20:25 |
AccentureDan | same friggin policy error | 20:25 |
AccentureDan | errrrrrrrrrrrrrrrrrr | 20:25 |
AccentureDan | so it gets through to the WiKID, once it is done with WiKID what does it do? | 20:25 |
nowen | WiKID sends it back to NPS | 20:26 |
AccentureDan | hmmmm | 20:26 |
AccentureDan | so that last part is where we are snagging | 20:27 |
AccentureDan | hey what time are you going to be on for? | 20:29 |
AccentureDan | i am going to grab some lunch real quick, give my eyes a break, been glued to this screen all day | 20:29 |
nowen | until about 6ish easter | 20:29 |
AccentureDan | fantastic | 20:29 |
nowen | eastern | 20:29 |
AccentureDan | ill be back around 515ish your time | 20:29 |
nowen | ok | 20:29 |
AccentureDan | thanks again for all of your help man...all this time and effort once it works will get thrown to my boss for approval, your efforts won't go wasted for free ;-) | 20:30 |
nowen | np | 20:30 |
nowen | lol | 20:30 |
AccentureDan | brb ma man | 20:30 |
AccentureDan | alrighty im back | 21:22 |
nowen | ok | 21:22 |
AccentureDan | so i was thinking, with regards to NPS | 21:22 |
AccentureDan | it uses the connection policy to allow a connection, but does there need to be a network policy in place to allow authentication? | 21:23 |
AccentureDan | there were two native ones that came with NPS but were disabled by default, i usually just delete them | 21:23 |
nowen | sounds reasonable | 21:24 |
AccentureDan | okay going to do some research | 21:25 |
AccentureDan | one sec | 21:25 |
AccentureDan | what information is being sent back to NPS? | 21:37 |
AccentureDan | it doesn't require any password authentication from AD right? | 21:37 |
nowen | no, | 21:37 |
AccentureDan | okay | 21:37 |
nowen | nps should get the Access-Accept | 21:37 |
AccentureDan | so the only thing it is authenticating is the username from AD? | 21:37 |
nowen | and go with it | 21:37 |
AccentureDan | okay i kind of figured | 21:38 |
nowen | yes - but technically that is authorization - not authn | 21:38 |
AccentureDan | i think if no network policy is defined in NPS it just defaults to allow, im going to check | 21:38 |
AccentureDan | yep got cha | 21:38 |
AccentureDan | in order for the AD auth to work, does NPS have to reside on that server? | 21:44 |
nowen | I don't think so. | 21:44 |
AccentureDan | i normally put NPS on my DCs as recommended, but i did not this time because of experimentation from last project i was working on | 21:44 |
AccentureDan | okay one sec | 21:44 |
nowen | but I really don't know | 21:44 |
AccentureDan | its okay i think i know what the problem was | 21:45 |
AccentureDan | nevermind, wasnt it | 21:50 |
nowen | rats | 21:50 |
AccentureDan | i think its getting lost | 21:50 |
nowen | what is the error again? | 21:51 |
AccentureDan | my AD is on my domain controller, but my VPN is not on my domain...i added it to DNS where it wasn't before, dur | 21:51 |
AccentureDan | forgot how i had it set up | 21:51 |
AccentureDan | i'm just getting the username and password problem, i think it's trying to authenticate on the VPN box | 21:51 |
AccentureDan | i might have to add another server route so it knows to send the second request to authorize the username to the domain controller from the VPN box | 21:52 |
nowen | hm | 21:56 |
nowen | what do you have under Network Policies? | 22:05 |
nowen | do you have Ignore User Dial-in Properties as true? | 22:05 |
AccentureDan | nope never set that up | 22:09 |
nowen | try that | 22:09 |
AccentureDan | okay one sec | 22:09 |
AccentureDan | where is this located? | 22:11 |
AccentureDan | okay so i moved NPS to my domain controller for authentication purposes, just as a trial | 22:14 |
AccentureDan | bear with me | 22:14 |
nowen | ok - under Network Policy Server > policies > Network Policies, I have a policy called Restrict Access | 22:15 |
nowen | the conditions are windows groups, Remote Access Group | 22:15 |
nowen | under constraints, I have ms-chap2 and ms-chap | 22:16 |
*** nowen has quit (Remote host closed the connection) | 22:16 | |
*** nowen (~nowen@50-194-249-124-static.hfc.comcastbusiness.net) has joined #wikid | 22:28 | |
nowen | my X server crashed | 22:28 |
nowen | now on a back computer | 22:28 |
nowen | AccentureDan: can we pick this up tomorrow? | 22:36 |
nowen | ok - I gotta go. | 22:39 |
*** nowen has quit (Quit: Leaving.) | 22:39 | |
*** AccentureDan has quit (Ping timeout: 250 seconds) | 23:36 |