*** joevano has quit (*.net *.split) | 02:44 | |
*** joevano (~joevano@c-71-193-108-171.hsd1.in.comcast.net) has joined #wikid | 02:44 | |
*** humanSupafly (d4826f72@gateway/web/freenode/ip.212.130.111.114) has joined #wikid | 12:54 | |
humanSupafly | hi, after upgrade of the wikid client on ios 7 it works no more | 12:55 |
humanSupafly | when i try to generate a passcode from the domain nothing happens | 12:56 |
humanSupafly | is this a known bug? I tried on several ios devices | 12:57 |
*** nowen (~nowen@99-174-92-191.lightspeed.tukrga.sbcglobal.net) has joined #wikid | 12:59 | |
nowen | humanSupafly: it is working for me. | 13:01 |
nowen | can you try this domain: 888888888888 | 13:01 |
nowen | that should be 12 8s | 13:01 |
humanSupafly | @nowen, yes it works ... so it must be something with our wikid server. | 13:09 |
humanSupafly | thx alot ! | 13:09 |
nowen | yeah, check with your admin | 13:12 |
nowen | try 174129006100 | 13:12 |
nowen | are you on wifi? or cell? | 13:12 |
nowen | it could be a dns problem | 13:14 |
*** nowen_ (~nowen@99-174-92-191.lightspeed.tukrga.sbcglobal.net) has joined #wikid | 13:34 | |
humanSupafly | when i remove the dedicated domain attribute from the jw.properties file it works from my win8 wikid client | 13:48 |
humanSupafly | how can i see what is in that file on an ios? | 13:49 |
*** eea (d4826f72@gateway/web/freenode/ip.212.130.111.114) has joined #wikid | 13:49 | |
nowen | humanSupafly: there is no equivalent on ios | 13:50 |
nowen | so, your domain is not working on either win8 or ios? | 13:50 |
nowen | hmm. what is you domain id? | 13:52 |
humanSupafly | 217074209204 | 13:52 |
humanSupafly | it's not an ip no | 13:52 |
humanSupafly | works only via dns | 13:52 |
humanSupafly | @15:50 nor android ... win8 works after dedicated domain attribute was removed from jw.properties file | 13:53 |
eea | any way to specify useIpBeforeDns=false on android/ios/win8 phone ? | 13:55 |
nowen | this is specific to you'll only | 13:55 |
nowen | hmm | 13:56 |
eea | nick, we created the domain back when that domain ID was a valid IP | 13:56 |
nowen | yes, I'm reviewing my emails | 13:56 |
eea | we changed provider | 13:56 |
humanSupafly | forum user eea is my colleague he will take over | 13:56 |
nowen | why would the 888 domain work but not yours? | 13:56 |
eea | works fine using dns | 13:57 |
nowen | it is only ios? | 13:57 |
eea | on PCs | 13:57 |
eea | even if we don't specify useipbeforedns=false on PCs it works | 13:57 |
eea | after the timeout | 13:57 |
eea | it works instantly with the setting | 13:57 |
eea | on iOS, android or windows phones | 13:58 |
nowen | yes. works for me on pc and android | 13:58 |
eea | on android ?! | 13:58 |
eea | we couldnt make it work | 13:58 |
humanSupafly | nope, eea, it doesnt work with ios | 13:58 |
nowen | all the other dns based domains are working on ios7 for me | 13:59 |
eea | with no configuration changes? | 14:00 |
nowen | correct | 14:00 |
nowen | you can try the 888888888888 domain | 14:00 |
eea | we will try again on android and ios | 14:01 |
nowen | I know it doesn't work on ios7. | 14:01 |
nowen | works for me on android too | 14:02 |
eea | thanks for confirming this. if we have more data we shall get back in contact | 14:02 |
nowen | I would like to know what's going on. It is very odd | 14:03 |
nowen | has your old IP been claimed? but if that were the case, all tokens would be affected | 14:04 |
eea | no, ip is not used | 14:05 |
eea | i'm trying with an android and is blocked on requesting domain configuration for a alooong time now | 14:05 |
nowen | huh, I swear I just tried it on my android and got a pin request, but now mine is spinning too | 14:07 |
eea | ok, pin dialog and a new long wait now ... | 14:07 |
nowen | yes, same here | 14:07 |
eea | 217074209204.wikidsystems.net is a CNAME to a host in our domain | 14:08 |
eea | could this confuse phone clients | 14:08 |
eea | ? | 14:08 |
nowen | hmm | 14:09 |
nowen | well. joevano's domain is also a cname and it works | 14:09 |
nowen | I can change it to an ip if you like | 14:10 |
eea | it worked | 14:10 |
eea | i got a registration code | 14:11 |
eea | it took forever but in the end ... | 14:11 |
nowen | odd. so, could it be that your old IP is not failing fast enough? | 14:12 |
eea | yes | 14:12 |
eea | it's a timeout problem | 14:12 |
eea | can you make the client configurable or use dns before ip by default ? | 14:13 |
eea | maybe a special version for people like us ? | 14:13 |
nowen | not really, because almost everyone uses IPs | 14:13 |
nowen | why is your IP so slow to fail and not the others? | 14:14 |
eea | I can make it fail faster | 14:14 |
nowen | so you still have that IP? | 14:14 |
eea | i can try to contact the old (bankrupt) isp | 14:15 |
eea | and tell them to stop doing what they are doing with it | 14:15 |
nowen | I wonder if they are serving ads or something | 14:16 |
eea | why a config variable in the software token would it be so wrong? | 14:16 |
nowen | we can probably set a better timeout on the app | 14:16 |
nowen | oh, it's not, it's just that we are working on a new edition and don't have the cycles. | 14:17 |
nowen | http://217.74.209.204/ | 14:17 |
nowen | The server at 217.74.209.204 is taking too long to respond. | 14:17 |
nowen | if that means anything | 14:17 |
eea | someone is doing a drop of packets somewhere | 14:18 |
eea | i'll try contacting the old provider but ... | 14:19 |
nowen | we can put a time out on it | 14:19 |
eea | that would help | 14:19 |
nowen | I'm opening a bug on it now. | 14:19 |
eea | thank you | 14:20 |
eea | that might solve it | 14:20 |
nowen | np | 14:20 |
eea | bye for now. I'll keep an eye out for a new version with short timeouts :) | 14:21 |
nowen | wait | 14:21 |
eea | waiting | 14:21 |
nowen | is this only for new registrations or for OTPs too? | 14:21 |
eea | OTPs too | 14:23 |
nowen | ok | 14:23 |
nowen | a traceroute to that IP goes to a blackhow | 14:23 |
eea | actually the registration on android worked (very slow) but getting the pass doesn't | 14:23 |
nowen | blackhole | 14:23 |
eea | :) | 14:23 |
eea | yes | 14:23 |
nowen | the android token is not new though | 14:23 |
nowen | has it been happening there longer? | 14:24 |
eea | we haven't tried | 14:24 |
nowen | not many android tokens/ | 14:24 |
nowen | ? | 14:24 |
eea | we are just implementing this for mobile devices. only used laptops | 14:24 |
nowen | ahh | 14:24 |
nowen | well, I suggest chatting with the isp. it would solve both issues. | 14:25 |
eea | let's see if i can still find anyone there. other than lawyers i mean | 14:26 |
nowen | ugh | 14:27 |
eea | i'll try in the morning | 14:27 |
eea | (it's 16:30 here) | 14:27 |
nowen | not the best time to get a lawyer on the phone | 14:27 |
eea | yap | 14:27 |
eea | by danish standards working day is over ;) | 14:28 |
nowen | on a friday, same here! | 14:28 |
eea | oh. didn't realise it's f | 14:28 |
eea | so, back on this issue on monday | 14:28 |
nowen | hmmm | 14:29 |
eea | a timeout clientside would help anyway | 14:29 |
nowen | is there any other option? | 14:29 |
nowen | it took a week for apple to approve this new version | 14:29 |
eea | windows and android might be faster :) | 14:30 |
nowen | windows is working right? | 14:30 |
eea | not windows phone | 14:30 |
eea | if we can make jw.properties it works | 14:30 |
eea | if we cannot ... depends on the default timeout on the OS | 14:31 |
nowen | how many registered users do you have? | 14:33 |
eea | i'm back. we have about 70 active. we shall go to 200 or a bit more with mobile devices | 14:41 |
nowen | do you expect many windows mobile users? | 14:42 |
eea | not many. 10 perhaps | 14:42 |
eea | more iPhones and androids | 14:43 |
nowen | yeah. we would have to contract out the windows mobile. it's not a big platform for us | 14:43 |
eea | android is almost working. i was able to get a PIN now. I wouldn't call it usable though | 14:44 |
nowen | any interest in moving to an IP you control? | 14:44 |
eea | that might prove tough! i'll talk to management about it | 14:45 |
nowen | well, we're chatting about adding a dns first option to the tokens. | 14:45 |
eea | we have people dispersed around europe | 14:45 |
nowen | eea: you think a checkbox on domain creation that says 'Use DNS First" would be good? | 14:50 |
eea | yes | 14:50 |
nowen | ok - digging into it | 14:50 |
*** AccentureDan (0cfa9442@gateway/web/freenode/ip.12.250.148.66) has joined #wikid | 14:52 | |
AccentureDan | nickkkkkkkkkkkkkkk | 14:52 |
AccentureDan | sup man | 14:52 |
nowen | hey AccentureDan | 14:52 |
nowen | eea: Alternately, we could have them prefix the domain code with D. | 14:53 |
nowen | eea: I like that because it is only you that is affected so far | 14:53 |
eea | that would work as well | 14:54 |
AccentureDan | okay here we go, so i am trying to VPN in here | 14:54 |
AccentureDan | i get through, then i get to verifying username and password | 14:54 |
nowen | eea: but, it might be confusing to PC users | 14:54 |
AccentureDan | i checked the debug logs on the wikid server and it is saying MS-CHAP authentication failed | 14:54 |
AccentureDan | and one other thing | 14:54 |
AccentureDan | lemme get that | 14:54 |
AccentureDan | Access is denied for WiKID\TestUser1 (WiKID is my domain) | 14:54 |
eea | our PC users don't create the domains themselves. "we prepare distribution packs" with all options in jw.properties | 14:55 |
nowen | AccentureDan: is WiKID\TestUser1 the name listed on the Users page in WiKID | 14:55 |
AccentureDan | i redid a few things, got my environment to fully mimic my current environment for remote access | 14:55 |
AccentureDan | well, it is just TestUser1...should i have it WiKID\TestUser1? | 14:55 |
eea | i'm sure we can manage using the D prefix just for mobile tokens | 14:55 |
nowen | AccentureDan: yes, or strip the domain before it is sent to wikid. easier to test changing the user name | 14:56 |
nowen | eea: I think it sounds good | 14:56 |
AccentureDan | absolutely lemme do that, one sec | 14:56 |
AccentureDan | still failing | 15:02 |
AccentureDan | have it matching completely | 15:02 |
AccentureDan | :-/ | 15:02 |
nowen | can you pastebin the logs? | 15:02 |
AccentureDan | sorry for being a tard, but how do i do that? | 15:03 |
eea | nowen: can you let us know when there is progress with this? I have to go now. Thank you! | 15:03 |
nowen | are you using the WiKIDAdmin logs? | 15:03 |
nowen | eea: will do | 15:03 |
eea | bye | 15:03 |
nowen | eea: have a nice weekend | 15:03 |
AccentureDan | yup using those | 15:04 |
eea | you too | 15:04 |
*** eea has quit (Quit: Page closed) | 15:04 | |
nowen | AccentureDan: just copy the pertinent logs, paste them here: http://pastebin.com/ and post the resulting url back here. Then i can see them all there. | 15:04 |
AccentureDan | gotcha one sec | 15:07 |
AccentureDan | http://pastebin.com/DFXX96ua | 15:09 |
AccentureDan | sorry if that looks like crap | 15:09 |
AccentureDan | if you need me to format it just let me know | 15:09 |
nowen | are your logs set to debug? | 15:17 |
nowen | https://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-can-i-set-radius-logging-to-debug-how-can-i-see-if-wikid-is-getting-the-radius-requests | 15:19 |
nowen | 2013-10-10 19:58:15.878 INFO com.wikidsystems.radius.log.DBSvrLogImpl <9> Access-Accept(2) LEN=387 192.168.1.143:62894 Access-Request by TestUser1 succeeded | 15:22 |
nowen | that's interesting | 15:22 |
nowen | but then | 15:22 |
nowen | 2013-10-10 20:03:13.008 INFO com.wikidsystems.radius.log.DBSvrLogImpl <11> Access-Request(1) LEN=394 192.168.1.143:62894 Access-Request by WIKID\TestUser1 Failed: AccessRejectException: Microsoft MS-CHAP failed authentication. | 15:22 |
nowen | I wonder if the the WiKID\ part is the issue | 15:26 |
nowen | yes it | 15:27 |
nowen | is | 15:27 |
nowen | you will need to strip the domain | 15:27 |
nowen | AccentureDan: why is it being sent? | 15:27 |
nowen | on my server WiKID\nowen becomes WiKIDowen | 15:27 |
nowen | AccentureDan: is this request coming from the vpn or NPS? | 15:34 |
AccentureDan | my bad | 15:38 |
AccentureDan | hmmmmm | 15:38 |
AccentureDan | NPS | 15:38 |
AccentureDan | i have all requests coming in to VPN pass through my NPS, then it forwards all requests on to the WiKID server i have set up | 15:39 |
nowen | ok, that's good | 15:39 |
AccentureDan | good thing is WiKID is seeing it this time, did not before | 15:39 |
AccentureDan | but for some reason it is failing ,where i am stuck | 15:39 |
nowen | we just need to strip the domain name | 15:39 |
AccentureDan | ahhhh okay let me give that a shot | 15:39 |
AccentureDan | also | 15:39 |
AccentureDan | when i do that, and then try to log in via VPN, do i just type the username and password and leave the domain blank? | 15:40 |
nowen | http://technet.microsoft.com/en-us/library/cc731342%28WS.10%29.aspx | 15:40 |
nowen | hmm - if you just enter the username and password, do you get authenticated? | 15:40 |
nowen | if you don't enter it, you may not have to strip it | 15:40 |
AccentureDan | i tried last time and it didnt work | 15:40 |
nowen | what was the error? | 15:40 |
AccentureDan | same error :( | 15:40 |
AccentureDan | let me try again just to be 100 percent sure | 15:41 |
AccentureDan | here is a good question | 15:41 |
AccentureDan | when i set up my VPN client, should i be using a certain auth method? I only selected MS-CHAP-V2 since that is what we are using in our environment | 15:42 |
AccentureDan | via L2TP over IPSec | 15:42 |
nowen | shouldn't matter. ms-chapv2 is supported | 15:42 |
AccentureDan | fantastic | 15:43 |
AccentureDan | good to know | 15:43 |
AccentureDan | okay lemme give this a shot. one sec | 15:43 |
AccentureDan | hmmmm | 15:44 |
AccentureDan | it worked | 15:44 |
AccentureDan | :-P | 15:44 |
nowen | yay! | 15:44 |
AccentureDan | left the domain out and it worked! | 15:44 |
AccentureDan | WOOT! | 15:44 |
AccentureDan | :-D | 15:44 |
AccentureDan | so that is a wrap? hahahaha | 15:44 |
nowen | alright - that is awesome | 15:44 |
nowen | lol! | 15:44 |
AccentureDan | :-D! | 15:44 |
AccentureDan | wow months of hair-ripping-out torture! hahahahahha | 15:45 |
nowen | hehe | 15:45 |
nowen | all we had to do was just do it right ;-) | 15:45 |
AccentureDan | perfect man, perfect | 15:45 |
AccentureDan | you got it pal! | 15:45 |
AccentureDan | really appreciate all of your help throughout all of this :) | 15:45 |
nowen | so, what's next? | 15:46 |
AccentureDan | now i have the task of creating a design document and submitting it for project approval and then implementing it | 15:46 |
AccentureDan | shouldnt take too long | 15:46 |
nowen | when is your go-live deadline? | 15:46 |
AccentureDan | we recently bumped up our virtual environment quota and user estimates so we are looking at around 150-175 users (eventually) | 15:47 |
AccentureDan | hmmmmmm | 15:47 |
AccentureDan | lemme ask real quick | 15:47 |
nowen | have you played with example.jsp or adregister.jsp? | 15:49 |
*** qu3sti0n (~QQQ@50.115.165.16) has joined #wikid | 15:54 | |
qu3sti0n | digging through community download page | 15:54 |
qu3sti0n | http://sourceforge.net/projects/wikid-twofactor/files/WiKID_Server/3.5/ | 15:54 |
qu3sti0n | no .deb for the latest -utilities | 15:54 |
qu3sti0n | must i build from tarball? | 15:55 |
qu3sti0n | & will a .deb be made, sometime? | 15:55 |
qu3sti0n | will be running on Ubuntu 12.04 LTS x64 or 14.04 LTS x64 once it is released | 15:57 |
nowen | hmm | 16:00 |
nowen | qu3sti0n: checking | 16:01 |
qu3sti0n | kk | 16:01 |
nowen | http://sourceforge.net/projects/wikid-twofactor/files/WiKID_Utilities/ | 16:01 |
qu3sti0n | i have no problem building if i have to, but would appreciate any insight into building it for 64-bit arch ahead of time | 16:01 |
qu3sti0n | ah | 16:01 |
nowen | http://downloads.sourceforge.net/project/wikid-twofactor/WiKID_Utilities/wikid-utilities_3.4.3-1.deb?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fwikid-twofactor%2Ffiles%2FWiKID_Utilities%2F&ts=1381507315&use_mirror=softlayer-dal | 16:02 |
qu3sti0n | thanks for direct link too ;) | 16:02 |
qu3sti0n | easy to wget | 16:02 |
nowen | ;-) | 16:02 |
nowen | qu3sti0n: how did you hear about us? our traffic is up recently, but I don't know why | 16:03 |
qu3sti0n | i was looking into different ftp servers. found a how-to on setting up vsftpd to auth with ssh&wikid. That got me looking into wikid, for ssh shell logins, which i am going to setup | 16:04 |
qu3sti0n | in test environment, first | 16:04 |
nowen | gotcha | 16:04 |
qu3sti0n | is there a way to setup redundancy for the wikid servers? i would probably set it up on a small VPS, but would like redundancy so I could log in if that provider goes offline | 16:09 |
qu3sti0n | which happens more often than it should | 16:09 |
nowen | replication is real time, but you have to manually promote the secondary in case of failure | 16:10 |
nowen | and it needs to get the IP address of the old server | 16:10 |
qu3sti0n | so i would log into 'backup' wikid server, and run some command(with offline primary server IP) to promote it | 16:11 |
nowen | yes, some people have scripted this | 16:11 |
qu3sti0n | k. im looking for some docs on setting this up. are there any on http://www.wikidsystems.com/support/support/wikid-support-center | 16:12 |
nowen | yes, https://www.wikidsystems.com/support/wikid-support-center/manual/how-to-install-the-wikid-strong-authentication-server | 16:13 |
nowen | https://www.wikidsystems.com/support/wikid-support-center/installation-how-tos | 16:13 |
qu3sti0n | ah thanks, found this | 16:15 |
qu3sti0n | https://www.wikidsystems.com/support/wikid-support-center/installation-how-tos/how-to-configure-wikid-for-replication | 16:15 |
nowen | yep | 16:35 |
AccentureDan | okay im back | 17:01 |
AccentureDan | sorry about that | 17:01 |
AccentureDan | just did a test and walkthrough with my infrastructure lead...he really likes it and we are going to be implementing it | 17:01 |
AccentureDan | do you know much about prices? | 17:02 |
AccentureDan | go-live is immediate, so figure after i submit my design document for approval i will throw it in line in the next few weeks | 17:03 |
nowen_ | http://www.wikidsystems.com//pricing | 17:05 |
nowen | it is pretty much $24/license/year | 17:15 |
nowen | a license being a username in a domain | 17:15 |
nowen | each username can have more than one token | 17:15 |
AccentureDan | awesome man | 17:17 |
AccentureDan | :) | 17:17 |
AccentureDan | i dont think that will be a problem | 17:17 |
nowen | too low. pondering some increases | 17:17 |
AccentureDan | we are looking at around 175 users | 17:17 |
AccentureDan | for now that is | 17:17 |
nowen | especially for mega consulting corps | 17:18 |
nowen | ;-) | 17:18 |
AccentureDan | yeah dude you guys have any huge contracts? | 17:19 |
nowen | yeah, but it's not too much of our thing | 17:19 |
nowen | we don't respond to RFPs for example | 17:19 |
AccentureDan | this is getting some massive exposure here...the county of Los Angeles security officers are looking in to it, might set it up for them if they like it, that would be tens of thousands | 17:19 |
AccentureDan | ahhhhh i see | 17:19 |
nowen | we have some close to that | 17:19 |
AccentureDan | so basically give it to the users and let them set it up, then just charge for licensing | 17:20 |
AccentureDan | sick gig man | 17:20 |
nowen | what tends to happen is that they form a committee | 17:20 |
nowen | the committee comes up with scenarios - "We need tokens for people that don't have PCs" | 17:20 |
nowen | etc | 17:20 |
AccentureDan | really like this solution, really really secure...will allow us to open up our VPN so we can allow different traffic...right now we just have VNC ports open | 17:20 |
AccentureDan | ahhhhhh i c i c | 17:21 |
nowen | What I see often is that we get a small deal at a large corp and it grows | 17:21 |
AccentureDan | yeah dude i cant even imagine...what is your role within this company? Are you the main tech support lead? | 17:21 |
nowen | AccentureDan: yeah, so then they want to know if we support SMS, which we don't because it is not secure or securable | 17:21 |
nowen | AccentureDan: ;-) | 17:21 |
nowen | yea | 17:21 |
nowen | and more | 17:21 |
AccentureDan | totally dude i completely understand...i really really like the fact we can use this for more than just VPN access...can use it for mutual auth and such, can grow with the solution over time as the application developers need it | 17:22 |
AccentureDan | secure stuff internally as well | 17:22 |
AccentureDan | it's really solid man | 17:22 |
nowen | thanks ;-) | 17:22 |
AccentureDan | you guys absolutely nailed it | 17:22 |
nowen | tell your friends and twitter followers! | 17:22 |
AccentureDan | hopefully i can get you guys more exposure...Accenture signed on with Symantec, friggin garbage | 17:22 |
nowen | lol | 17:23 |
nowen | you do know this channel is logged, right? | 17:23 |
AccentureDan | but i know security is a huge thing now, and clients are always looking at ways to secure their data, so this might grow beyond our project and walls | 17:23 |
AccentureDan | we shall see | 17:23 |
AccentureDan | i dont mind | 17:23 |
qu3sti0n | symantec is garbage lately | 17:23 |
nowen | ;-) | 17:23 |
AccentureDan | ;-) | 17:23 |
nowen | you're using the symantec authentication service? | 17:24 |
AccentureDan | put it this way. we put it in line to be our next vpn solution, and even though it went go-live it still doesn't work on our managed PCs | 17:24 |
AccentureDan | yup, just for VPN access to Accenture managed stuff | 17:24 |
AccentureDan | we still have some hard token stuff with RSA but that is getting phased out | 17:24 |
nowen | yeah, we're getting a lot of ex-rsa users | 17:25 |
AccentureDan | yeah man | 17:26 |
AccentureDan | hard tokens are just a pain | 17:26 |
nowen | I don't think rsa is investing much in the platform. they say the server hasn't changed in decades | 17:27 |
qu3sti0n | well even RSA says to not trust their stuff at this point | 17:28 |
AccentureDan | sad, EMC used to OWN in multi factor auth | 17:28 |
qu3sti0n | after NSA revelations | 17:28 |
AccentureDan | LOL | 17:28 |
nowen | yeah, btrust | 17:28 |
nowen | not so much | 17:28 |
qu3sti0n | open-source in security related software is KEY | 17:28 |
nowen | but, to be honest, if they are in the RNGs of the operating systems, we and everyone has issues | 17:28 |
AccentureDan | i agree with question | 17:29 |
AccentureDan | especially having this located on a linux OS | 17:29 |
nowen | also, since our keys are generated on the token devices there's no risk to you if we get owned | 17:29 |
AccentureDan | even though it will be facing externally i can sleep better at night | 17:29 |
AccentureDan | exactly | 17:29 |
AccentureDan | and they need a pin and passcode JUST to get the OTP | 17:29 |
AccentureDan | and then and ONLY THEN can they gain access | 17:29 |
AccentureDan | combine that with a strong NPS policy and you have a secure solution | 17:29 |
AccentureDan | really like how it flows | 17:30 |
AccentureDan | wont be too difficult to implement | 17:30 |
nowen | right - better to notice excessive PIN attempts on the auth server than on the access server | 17:30 |
AccentureDan | exactly, those can be logged, including logs on the authentication servers for AD and whatnot | 17:30 |
AccentureDan | just easier from a systems admin standpoint | 17:30 |
AccentureDan | okay question | 17:43 |
AccentureDan | so for pleasant aesthetics how would we go about letting users put in the domain, and having it work | 17:44 |
AccentureDan | you mentioned stripping it? | 17:44 |
nowen | many radius servers provide the option of stripping the realm or domain | 17:45 |
AccentureDan | ahhh okay | 17:46 |
AccentureDan | so that document you sent me will show me | 17:46 |
AccentureDan | not really familiar with variables | 17:46 |
AccentureDan | will take a look | 17:46 |
nowen | yeah. | 17:46 |
nowen | the key is to have it be nowen@domain.com | 17:46 |
nowen | and not domain\nowen | 17:46 |
nowen | Check out ADRegister too | 17:46 |
nowen | http://www.wikidsystems.com/support/wikid-support-center/installation-how-tos/how-to-let-users-add-themselves-using-ad-credentials | 17:47 |
nowen | and example.jsp http://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-can-i-test-if-the-server-is-working-correctly | 17:48 |
nowen | i highly recommend this! | 17:48 |
nowen | I have a meeting - I'll be back in a about 1.5 hours | 17:48 |
AccentureDan | kk you got it man | 17:49 |
AccentureDan | thanks again | 17:49 |
nowen | glad it is working | 17:49 |
AccentureDan | working on adregister now :) | 17:50 |
nowen | ok | 17:50 |
nowen | biab | 17:50 |
*** nowen has quit (Quit: Leaving.) | 17:50 | |
*** nowen (~nowen@172.56.4.84) has joined #wikid | 17:54 | |
*** nowen has quit (Client Quit) | 17:54 | |
*** nowen_ has quit (Ping timeout: 248 seconds) | 17:58 | |
*** nowen (~nowen@99-174-92-191.lightspeed.tukrga.sbcglobal.net) has joined #wikid | 19:59 | |
nowen | AccentureDan: occurred to me: if your users are registered as username@domain.com in adregister, then that is how they would need to login to the VPN | 20:05 |
AccentureDan | hey man | 20:11 |
AccentureDan | yeah was just gonna say | 20:11 |
AccentureDan | im having issues with that JSP | 20:11 |
AccentureDan | it keeps erroring even though i have it set up right in the file | 20:11 |
nowen | what's the error? | 20:11 |
AccentureDan | theoretically they log in that way with the VPN already...isnt WiKID\user the same as user@WiKID.local? | 20:12 |
AccentureDan | one sec lemme get it for ya | 20:12 |
AccentureDan | authentication to the directory failed for user@WiKID.local | 20:12 |
AccentureDan | also does LDAP have to be enabled as a protocol within WiKID? | 20:14 |
nowen | no it doesn't | 20:14 |
AccentureDan | okay i will disable it | 20:14 |
nowen | what is the error in AD? | 20:14 |
AccentureDan | i also added my DC as a network client as recommended since this JSP will exist on the WiKID server | 20:14 |
AccentureDan | lemme check | 20:14 |
nowen | adding as a network client just forces the firewall to open the port | 20:15 |
AccentureDan | yeah did that just in case | 20:15 |
nowen | can that user login to windows with that password? | 20:15 |
AccentureDan | havent tried, lemme give it a shot | 20:15 |
AccentureDan | yup | 20:19 |
AccentureDan | i can | 20:19 |
nowen | hm | 20:21 |
nowen | did you restart wikid after adding AD as the network client? | 20:21 |
*** nowen_ (~nowen@99-174-92-191.lightspeed.tukrga.sbcglobal.net) has joined #wikid | 20:30 | |
nowen | you can run 'iptables -L -n' to see if the port is open for your AD server | 20:37 |
AccentureDan | yup i did | 20:42 |
AccentureDan | sorry about that | 20:42 |
AccentureDan | okay lemme check one sec | 20:42 |
AccentureDan | yep its open | 20:43 |
AccentureDan | lemme restart wikid | 20:43 |
nowen | hmm | 20:44 |
nowen | if the port is open, no need to restart | 20:44 |
*** nowen_ has quit (Quit: ZNC - http://znc.in) | 20:45 | |
AccentureDan | man weird | 20:48 |
AccentureDan | yeah keep getting errors | 20:48 |
AccentureDan | okay lets walk through this | 20:49 |
AccentureDan | the config file | 20:49 |
AccentureDan | so i can access the JSP file from outside the domain, good to go there | 20:49 |
AccentureDan | in the file itself is this | 20:49 |
AccentureDan | https://<yourWiKIDServer>/wikid/ADRegister/ADRegister.jsp | 20:50 |
AccentureDan | woops | 20:50 |
AccentureDan | wrong thing | 20:50 |
AccentureDan | sorry | 20:50 |
AccentureDan | directorydomain suffix is "WikID.local" | 20:50 |
AccentureDan | ldapURL = "ldap://WikIDServerTest.WikID.local:389" | 20:51 |
*** wikiduser (26536222@gateway/web/freenode/ip.38.83.98.34) has joined #wikid | 20:51 | |
AccentureDan | domainCode = "010067106071" | 20:51 |
AccentureDan | WikidIPAddress = "127.0.0.1" | 20:51 |
wikiduser | any known issues with the new 3.7 update to the WiKID iPhone app? | 20:51 |
AccentureDan | left the cert location alone, gave the cert password the one i set up in the beginning | 20:52 |
nowen | wikiduser: seems to be | 20:52 |
AccentureDan | my domain is WikID.local, my domain controller's name is WikIDServerTest.WikID.local | 20:52 |
wikiduser | any workarounds or ETA for a fix or anything? guess we should have users generate new tokens with a different client for now.. | 20:53 |
nowen | are you with gdsx? | 20:53 |
wikiduser | yes | 20:53 |
nowen | what is your domain identifier? | 20:54 |
*** wikiduser has quit (Ping timeout: 250 seconds) | 20:57 | |
nowen | WiKIDLogBot: what is your domain identifier? I need to know if it is ip based or dns based. | 21:01 |
nowen | it is not part of the security of the system as it is public on the internet, pretty much | 21:01 |
nowen | oops, here I am chatting with the logbot. | 21:03 |
AccentureDan | LMAO | 21:04 |
AccentureDan | yeah, logbot, WHAT IS IT?!?!?!?! | 21:04 |
AccentureDan | :-P | 21:05 |
nowen | WiKIDLogBot: ANSWER ME! | 21:05 |
AccentureDan | LMAO! | 21:05 |
AccentureDan | sorry did you need my domain identifier? | 21:05 |
nowen | clearly ready for cocktail hour | 21:05 |
nowen | hehe - no not yours | 21:05 |
qu3sti0n | it is what records me going on the official record saying 'Symantec sucks now' | 21:05 |
AccentureDan | we all are :) | 21:06 |
AccentureDan | LOL | 21:06 |
AccentureDan | i again happen to agree with qu3sti0n :) | 21:06 |
nowen | AccentureDan: try this, try using the IP address of your AD server instead of the name | 21:07 |
nowen | I hope he got his iphone working, because I can't imagine they have the same problem as the eu guys | 21:07 |
qu3sti0n | i was looking at the 'droid app, and not like i put much stock in reviews from anonymous people on the internet, but most recent reviews reporting problems with that version too | 21:08 |
nowen | yeah. some are legit, but many are people that don't know you need a server for it | 21:09 |
nowen | also, while I'm pissed that apple forced us to make an update for ios7, I'm also pissed at google for all the versions they have | 21:11 |
AccentureDan | LOL | 21:13 |
AccentureDan | wait, we need a server?!?!?! | 21:13 |
AccentureDan | :-P | 21:13 |
nowen | while I'm raging, the worst are the blackberry errors. they send them from the BB and most are from countries where we don't have any customers | 21:14 |
AccentureDan | Blackberry is also garbage | 21:15 |
nowen | we've been dealing with them for a long time. they never gave a crap about devs | 21:16 |
nowen | that being said, we can do better on the mobile front | 21:17 |
nowen | qu3sti0n: did you see this: http://www.wikidsystems.com/support/wikid-support-center/faq/whats-the-difference-between-the-community-release-and-enterprise-release | 21:18 |
AccentureDan | true but BB, honestly | 21:19 |
AccentureDan | look at them now | 21:19 |
AccentureDan | down the tubes...they were supposed to wow us with 10 and all they did was make the same product, very disappointing | 21:20 |
AccentureDan | anywho, any idea about the JSP problems? | 21:20 |
nowen | yeah. we tried to get them to drop rsa tokens for something that ran on their own devices. they did not comprehend | 21:20 |
AccentureDan | LOL | 21:20 |
AccentureDan | the big wigs got scared that something might work ;-) | 21:20 |
nowen | try using the IP of your domain server instead of the dns | 21:20 |
AccentureDan | for the ldap? | 21:20 |
nowen | yeah | 21:21 |
AccentureDan | kk one sec | 21:21 |
AccentureDan | yup worked | 21:23 |
AccentureDan | i kind of thought | 21:24 |
AccentureDan | seeing as there was no way to decipher my DNS name in Linux | 21:24 |
AccentureDan | good man Nick! | 21:24 |
AccentureDan | two problems solved in one day, you need to mark this one down in the record book hahahahaha | 21:24 |
qu3sti0n | yeah i looked at that. just 3rd party code that can not be released under gpl | 21:27 |
qu3sti0n | which is fine w me | 21:27 |
qu3sti0n | i wont know what im missing ;) | 21:27 |
nowen | ;-) | 21:27 |
AccentureDan | alright man i have to prepare documentation for this solution so i am heading out of here, have a great weekend | 21:35 |
AccentureDan | ill keep you posted on how things go :) | 21:35 |
AccentureDan | thanks again for all of your help! | 21:35 |
nowen | no problem. | 21:35 |
qu3sti0n | see ya | 21:35 |
AccentureDan | later fellas! | 21:35 |
nowen | later | 21:35 |
*** AccentureDan has quit (Quit: Page closed) | 21:35 | |
nowen | I'm gonna check out too. today has been unusually busy | 21:40 |
qu3sti0n | kk | 21:42 |
qu3sti0n | see ya | 21:42 |
nowen | laer | 21:42 |
nowen | later | 21:42 |
*** nowen has quit (Quit: Leaving.) | 21:42 |