*** nowen (~nowen@50-194-249-125-static.hfc.comcastbusiness.net) has joined #wikid | 13:15 | |
*** nowen has quit (Remote host closed the connection) | 16:03 | |
*** nowen (~nowen@50-194-249-125-static.hfc.comcastbusiness.net) has joined #wikid | 16:04 | |
*** nowen has quit (Quit: Leaving.) | 17:34 | |
*** AccentureDan (0cfa9442@gateway/web/freenode/ip.12.250.148.66) has joined #wikid | 18:03 | |
*** nowen (~nowen@50-194-249-125-static.hfc.comcastbusiness.net) has joined #wikid | 18:22 | |
nowen | hey AccentureDan | 18:23 |
nowen | did you make any progress? | 18:23 |
nowen | hey - I have to check out again for about 25 mins. I'll be back. | 18:24 |
*** nowen has quit (Client Quit) | 18:24 | |
*** nowen (~nowen@99-174-93-102.lightspeed.tukrga.sbcglobal.net) has joined #wikid | 18:51 | |
nowen | back | 18:52 |
*** AccentureDan_ (3f7c1664@gateway/web/freenode/ip.63.124.22.100) has joined #wikid | 19:05 | |
AccentureDan_ | hey Nick | 19:05 |
AccentureDan_ | sorry got cut off in my other session when I successfully VPNed in remotely | 19:05 |
AccentureDan_ | so good news, everything works, bad news, not the way i want it to | 19:05 |
nowen | you got it to work? | 19:05 |
AccentureDan_ | yep it works | 19:05 |
nowen | how does it work? | 19:05 |
AccentureDan_ | i figured out what is going on | 19:05 |
AccentureDan_ | so I can VPN in if i have the Route to WiKID set up, it authorizes the passcode, and i can sign on as NewUser1...BUT | 19:06 |
*** AccentureDan has quit (Ping timeout: 250 seconds) | 19:06 | |
AccentureDan_ | that user has to reside on the VPN jump box, once i added that user on the jump box and added a network policy allowing access to the group that user is a part of, it worked | 19:06 |
AccentureDan_ | problem 1: that computer is not part of the domain, so it really is only authenticating the user against NewUser1, and not whether the user is a part of Active Directory or not...not a HUGE problem but it may be | 19:07 |
AccentureDan_ | problem 2: the user is authenticating locally and I cannot figure out how to push the username to my domain controller for authentication, then allow the connection to complete | 19:07 |
nowen | sounds like NPS isn't really doing its job | 19:10 |
AccentureDan_ | i mean from a security standpoint this VPN box is in our DMZ, so i cannot allow it to join to the domain...i mean even enforcing NPS from there is a security risk...but i cannot find a way to 1.) run NPS from another machine separate from the VPN box and have it work correctly (even to WiKID) | 19:10 |
AccentureDan_ | yeah man that is where i am sticking | 19:10 |
AccentureDan_ | i mean WiKID is working perfectly | 19:10 |
AccentureDan_ | everything within WiKID is working like a charm | 19:10 |
nowen | hmm. | 19:10 |
nowen | nps is on the RRAS box? | 19:11 |
AccentureDan_ | and i have GUARANTEED the green thumb is being given by the WiKID server because by adding that user it allows the VPN to complete | 19:11 |
AccentureDan_ | yup | 19:11 |
AccentureDan_ | i tried yesterday to get NPS to work on the domain controller, and have that enforced but was not working | 19:11 |
AccentureDan_ | thinking it won't work because the VPN box is not on the domain | 19:11 |
AccentureDan_ | i know this is more of a Windows question, sorry for bugging you about this | 19:11 |
nowen | will the VPN box talk radius to NPS when it is not on the domain? | 19:12 |
AccentureDan_ | it's possible it won't, let me check, one sec | 19:12 |
nowen | when I tested this, I used a non-MS VPN or a radius test client | 19:12 |
AccentureDan_ | okay the short of it is YES it will work | 19:15 |
nowen | ok - so you can have RRAS in the DMZ and NPS in the domain? | 19:16 |
AccentureDan_ | so in VPN set up on RRAS, i can select (which i have) to have the VPN point to other RADIUS servers | 19:16 |
AccentureDan_ | i have it set that way, and pointed to WiKID, really can't check right now since i am locked out because i initiated that VPN connection remotely but i will double-check | 19:16 |
AccentureDan_ | but when it comes to VPN set up to work with remote RADIUS servers, do you have any idea which one it should point to initially? I would assume WiKID | 19:17 |
nowen | no, I think you should point it to NPS | 19:17 |
AccentureDan_ | basically, which authentication/authorization occurs first? WiKID or AD? | 19:17 |
AccentureDan_ | yep you are right | 19:17 |
nowen | NPS does authZ through AD first, then AuthN through WiKID | 19:17 |
AccentureDan_ | okay so have the VPN point directly to the NPS | 19:17 |
AccentureDan_ | ohhhhhhhhhhhhhhhhhhhhh | 19:17 |
AccentureDan_ | okayyyyyy | 19:17 |
AccentureDan_ | so if i had the NPS sitting on the DC, and had my VPN point directly to that NPS, then had the route to WiKID set, it should work | 19:19 |
nowen | it should | 19:19 |
AccentureDan_ | theoretically that is | 19:19 |
AccentureDan_ | okay i am going to give it a shot once my coworker disconnects the VPN | 19:19 |
AccentureDan_ | I'll keep ya posted ma man | 19:19 |
nowen | ok | 19:20 |
*** AccentureDan_ has quit (Ping timeout: 250 seconds) | 19:28 | |
*** Accenture_Dan (a689d192@gateway/web/freenode/ip.166.137.209.146) has joined #wikid | 19:39 | |
Accenture_Dan | Sorry just going over this in my head | 19:39 |
Accenture_Dan | so once the RADIUS request is forwarded to my RADIUS (NPS) on my domain controller, it will immediately try and verify the authenticity of the user name, then forward to WiKID to authorize the passcode, then initiate the VPN connection correct? | 19:40 |
nowen | yes | 19:40 |
Accenture_Dan | fantastic...i am gonna work on this and let you know | 19:46 |
*** coolacid has quit (Read error: Connection reset by peer) | 19:57 | |
*** coolacid (~CoolAcid@unaffiliated/coolacid) has joined #wikid | 19:57 | |
*** Accenture_Dan has quit (Ping timeout: 250 seconds) | 20:41 | |
*** nowen has quit (Quit: Leaving.) | 22:16 | |
Generated by irclog2html.py 2.11.0 by Marius Gedminas - find it at mg.pov.lt!