*** goutam (7c1ec732@gateway/web/freenode/ip.124.30.199.50) has joined #wikid | 08:01 | |
goutam | hi there | 08:01 |
goutam | is there anyone here? | 08:01 |
*** JasonRorie (0c6ee002@gateway/web/freenode/ip.12.110.224.2) has joined #wikid | 11:58 | |
JasonRorie | I have set up WiKID. I set it up to authenticate directly to the WiKID server, and now am authenticating through NPS. I can connect just fine, but when I go to access network file shares it almost acts like it is holding my WiKID password as my network password. It never connects on a Mac or a domain Windows 7 machine. I got it to bounce back on a Windows 7 workgroup machine asking for username and password, but that is the only mach | 12:15 |
JasonRorie | Any advice? | 12:15 |
*** JasonRorie has quit (Ping timeout: 250 seconds) | 12:22 | |
*** jasonrorie (4b96d87d@gateway/web/freenode/ip.75.150.216.125) has joined #wikid | 12:36 | |
*** nowen (~nowen@99-174-93-102.lightspeed.tukrga.sbcglobal.net) has joined #wikid | 13:06 | |
jasonrorie | Okay. My problem is Windows authentication. I can connect directly to my NPS server and get to all of the network shares. If I have it hand off my authentication to the WiKID server, I cannot connect to the file shares. It is almost like it is retaining that login information that is within the VPN login for Windows authentication. | 13:13 |
jasonrorie | Okay. My problem is Windows authentication. I can connect directly to my NPS server and get to all of the network shares. If I have it hand off my authentication to the WiKID server, I cannot connect to the file shares. It is almost like it is retaining that login information that is within the VPN login for Windows authentication. | 13:20 |
nowen | morning | 13:20 |
nowen | just saw your email | 13:20 |
jasonrorie | Morning. | 13:21 |
nowen | so, you can get a VPN connection via NPS and WiKID, but when you try to mount an SMB drive, no go? | 13:21 |
jasonrorie | Correct. Same result as when connecting directly to the WiKID server | 13:22 |
nowen | What is the event viewer telling you? | 13:22 |
jasonrorie | On what? | 13:23 |
nowen | windows event viewer - are there any logs saying why you're not able to mount them? | 13:24 |
jasonrorie | Not that I can see. If I connect directly to the NPS, without using WiKID, I can connect to the drives fine. | 13:25 |
nowen | any errors in the WiKID logs? | 13:25 |
jasonrorie | No, it says it is successfully authenticated. | 13:26 |
jasonrorie | Same on the NPS server. | 13:26 |
nowen | and you're sure that is part of the SMB login? | 13:26 |
jasonrorie | Sure that what is part of the SMB login? It never prompts me for a new username or password for the SMB with the VPN going with WiKID. If I connect in office, it prompts for username and password. | 13:29 |
jasonrorie | It is like it is using my VPN login information to connect to the network shares. | 13:30 |
jasonrorie | I tried setting Remote-RADIUS-to-Windows-User-Mapping to True, but it won't connect at all like that. | 13:31 |
nowen | and you want it to use AD Creds | 13:31 |
jasonrorie | I think that is what needs to be set. | 13:31 |
jasonrorie | I turn that on, and it says it authenticates fine on the NPS and WiKID server, but the firewall kicks back and says CHAP authentication failed. | 13:32 |
*** goutam has quit (Quit: Page closed) | 13:33 | |
nowen | jasonrorie: can you access other resources over the vpn? is it just smb? | 13:40 |
*** jasonrorie has quit (Ping timeout: 250 seconds) | 13:43 | |
*** jasonrorie (0c6ee002@gateway/web/freenode/ip.12.110.224.2) has joined #wikid | 13:48 | |
jasonrorie | Sorry, dropped off. I can ping the devices, just cannot SMB. It looks like an authentication failure to the network share to me. | 13:48 |
nowen | what firewall are you using? | 13:49 |
jasonrorie | Watchguard | 13:49 |
jasonrorie | Is there something that I need to set up on there for the Radius to Windows to work? | 13:50 |
nowen | not sure | 13:50 |
nowen | are you doing pptp, ssl, ipsec? | 13:51 |
jasonrorie | PPTP | 13:51 |
nowen | what version of watchguard? | 13:52 |
jasonrorie | XTM 505 | 13:53 |
nowen | what makes it look like an authentication error? | 14:01 |
nowen | can you see the shared directories but not access them? | 14:06 |
jasonrorie | I cannot access them. It never prompts for username and password, almost like it is trying to use the one from the VPN logon. | 14:24 |
nowen | does it return some error? | 14:24 |
nowen | http://social.technet.microsoft.com/Forums/windowsserver/en-US/235f5d83-bd6f-475e-a63e-db9a037fa18a/file-sharing-problem-through-vpn | 14:29 |
nowen | I'm wondering if the smb is looking for user@domainname | 14:29 |
jasonrorie | That is what I'm thinking is happening. | 14:38 |
nowen | I feel like there should be an option to strip the domain part before sending the creds to wikid | 14:39 |
nowen | brb | 14:41 |
jasonrorie | 2013-09-16 10:40:34.670INFOcom.wikidsystems.radius.access.WikidAccess4Access granted for jrorie, domain code: 075150216125 client: /192.168.111.4 2013-09-16 10:40:34.670INFOcom.wikidsystems.radius.log.DBSvrLogImpl<2> Access-Accept(2) LEN=162 192.168.111.4:50191 Access-Request by jrorie succeeded | 14:42 |
jasonrorie | 2013-09-16 09:38:18 admd Authentication of PPTP user [jrorie@RADIUS] from 12.110.224.2 accepted id="1100-0004" Event 2013-09-16 09:38:18 pptp auth: wgapi: rcved cmd=1 '/toAdmdClient/authResult' Debug 2013-09-16 09:38:18 pptp get into test_auth_prcs_status(): xpath=/toAdmdClient/authResult Debug 2013-09-16 09:38:18 pptp rcved auth reply: authResult=1 Debug 2013-09-16 09:38:18 pptp ---------<<<RESULT rcvd, [jrorie@RADIUS] A | 14:43 |
jasonrorie | 2013-09-16 09:38:18 pppd Peer ENVOY\\jrorie failed CHAP authentication Debug 2013-09-16 09:38:18 pppd sent [CHAP Failure id=0x58 "E=691 R=1 C=e26e80c483c6281d88dbaf5240278699 V=0 M=Access denied"] Debug 2013-09-16 09:38:18 pppd sent [LCP TermReq id=0x5 "Authentication failed"] Debug 2013-09-16 09:38:18 pppd rcvd [LCP TermAck id=0x5 "Authentication failed"] Debug 2013-09-16 09:38:18 pppd Connection terminated. Debug | 14:43 |
jasonrorie | When I enable radius to windows authentication, this is what happens. I have a feeling if I could get that to work, that it would put the domain information in there. | 14:44 |
jasonrorie | If I authenticate directly to the NPS server, it works fine. | 14:50 |
*** jasonrorie has quit (Ping timeout: 250 seconds) | 14:55 | |
*** JasonRorie (0c6ee002@gateway/web/freenode/ip.12.110.224.2) has joined #wikid | 14:56 | |
JasonRorie | Sorry. Dropped off again. | 14:59 |
nowen | np | 14:59 |
nowen | are your usernames in wikid sans domain? | 14:59 |
nowen | ie, jrorie? | 14:59 |
*** JasonRorie_ (0c6ee002@gateway/web/freenode/ip.12.110.224.2) has joined #wikid | 15:01 | |
JasonRorie_ | Yes, they are the same username. | 15:01 |
nowen | I wonder if you added a user to wikid that was username@domainname.com if it would work? | 15:01 |
*** JasonRorie has quit (Ping timeout: 250 seconds) | 15:03 | |
*** JasonRorie_ has quit (Ping timeout: 250 seconds) | 15:09 | |
*** JasonRorie (0c6ee002@gateway/web/freenode/ip.12.110.224.2) has joined #wikid | 15:13 | |
nowen | realm stripping; http://technet.microsoft.com/en-us/library/cc731342%28v=ws.10%29.aspx | 15:13 |
nowen | I wonder if you added a user to wikid that was username@domainname.com if it would work? | 15:13 |
JasonRorie | It lets me connect with that, still no dice on connecting to the server shares though. | 15:13 |
JasonRorie | What does the Remote-RADIUS-to-Windows-User-Mapping do? | 15:17 |
nowen | I thought it told nps to proxy to the radius server | 15:20 |
nowen | do you have "Request must contain the message authenticator attribute" on? | 15:20 |
JasonRorie | I do. I can't get it to connect at all with the Remote-RADIUS-to-Windows-User-Mapping on though. | 15:23 |
nowen | hmm, because I once got an email from a customer saying that was what got it working for them | 15:29 |
*** JasonRorie has quit (Ping timeout: 250 seconds) | 15:40 | |
*** JasonRorie (0c6ee002@gateway/web/freenode/ip.12.110.224.2) has joined #wikid | 18:02 | |
JasonRorie | Hey Nick. It turns out for some reason the Radius users got removed from my radius group on the firewall. I am not sure how I was navigating the network at all, at that point. I added the users back and everything looks good now. | 18:04 |
nowen | great! | 18:05 |
nowen | so, SMB is working? | 18:05 |
JasonRorie | Yes, it is. | 18:05 |
nowen | can you tell me your settings - is the radius mapping set to true? | 18:05 |
JasonRorie | I am not sure why pings were working even. | 18:05 |
JasonRorie | Radius Mapping is not set at all. | 18:05 |
nowen | wow, I just can't figure out nps. I guess I need to spend more time with it | 18:06 |
JasonRorie | I can forward you screens if you need them. | 18:06 |
nowen | that would be great! | 18:07 |
JasonRorie | Will do. | 18:07 |
nowen | thanks JasonRorie | 18:15 |
*** JasonRorie has quit (Quit: Page closed) | 18:23 | |
*** nowen has quit (Quit: Leaving.) | 22:30 |