*** Troy__ has quit (Ping timeout: 245 seconds) | 01:33 | |
*** denis_m (d94bc483@gateway/web/freenode/ip.217.75.196.131) has joined #wikid | 10:54 | |
*** denis_m is now known as m_denis_demo | 10:55 | |
m_denis_demo | hi to all | 10:55 |
m_denis_demo | anyone got working wikid server with ms np server and active directory auth | 10:56 |
m_denis_demo | for cisco vpn clients | 10:56 |
m_denis_demo | afk for a bit | 11:01 |
m_denis_demo | and back | 11:09 |
m_denis_demo | sorry had to go, will try again later on | 11:11 |
m_denis_demo | and back here | 11:50 |
*** estranger (~russ@209.183.177.118) has joined #wikid | 13:56 | |
*** coolacid (~CoolAcid@unaffiliated/coolacid) has joined #wikid | 14:14 | |
*** nowen (~nowen@99-174-92-191.lightspeed.tukrga.sbcglobal.net) has joined #wikid | 14:36 | |
*** mark__ (8f74745b@gateway/web/freenode/ip.143.116.116.91) has joined #wikid | 14:53 | |
mark__ | Hello | 14:53 |
mark__ | Nick are you here? | 14:53 |
m_denis_demo | hi to all | 14:55 |
m_denis_demo | need some help with ms npa server and ad and wikid, for cisco vpn authentication | 14:56 |
m_denis_demo | basically need to add 2nd layer of authentication on existing solution | 14:56 |
nowen | yes | 15:04 |
nowen | m_denis_demo: you mean NPS? | 15:04 |
m_denis_demo | yes sorry using abbreviation of server name | 15:05 |
nowen | m_denis_demo: np. take a look at this pdf: http://www.wikidsystems.com/webdemo/Two-factor_Authentication_in_your_Network_eGuide.pdf | 15:05 |
nowen | is your cisco already talking to NPS? | 15:05 |
m_denis_demo | yes | 15:06 |
m_denis_demo | from cisco side all is ok | 15:06 |
nowen | ok - so all you need is the part from NPS to WiKID | 15:06 |
m_denis_demo | but if I configure system according to http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-nps | 15:06 |
m_denis_demo | I get to enter username and pass in cisco vpn client | 15:06 |
m_denis_demo | that pass is sent to wikid server | 15:07 |
m_denis_demo | but no access granted | 15:07 |
nowen | you enter the username and WiKID OTP. no need for the AD password | 15:07 |
nowen | the two factors are knowledge of the WiKID PIN and possession of the private key embedded in wikid | 15:07 |
m_denis_demo | yes, I did it, username from ad, and otp pass from soft token (java based running on computer) | 15:07 |
nowen | what do you see in the WiKIDAdmin logs? | 15:08 |
nowen | run 'tcpdump -v port radius' on the wikid server to see if the radius requests are getting to it. | 15:08 |
nowen | also see this page: http://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-can-i-set-radius-logging-to-debug-how-can-i-see-if-wikid-is-getting-the-radius-requests for setting up radius debugging | 15:09 |
m_denis_demo | ok, I setup radius debugging, just a sec to get all system back to wikid settings | 15:09 |
nowen | I have to step out for a bit, but will be in and out. | 15:09 |
m_denis_demo | ok | 15:10 |
nowen | did you restart wikid after adding the nps as a network client? | 15:10 |
m_denis_demo | yes, several times | 15:10 |
mark__ | Nick when using 2FA with Juniper as a radius server is there a way to incorporate it to also validate with AD that a specific group exist? | 15:11 |
nowen | mark__: you can do that via NPS, the AS radius server. I would think that Juniper could do it as well, but I'm not sure. | 15:11 |
mark__ | so currently if i have an active 2FA account i could access VPN and not actually belong to an AD vpn group | 15:12 |
nowen | I do have a resource I can ask, if you don't | 15:12 |
nowen | if you have it set up that way. | 15:12 |
nowen | take a look a this too: http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-nps, it's just a good overview | 15:12 |
nowen | what you want is authorization via AD and authentication via wikid. | 15:13 |
mark__ | yes | 15:13 |
mark__ | that is correct | 15:13 |
nowen | if the juniper is a real radius server, it should be able to do it | 15:13 |
nowen | if not, you can use nps | 15:13 |
nowen | ok - gotta run. biab | 15:14 |
mark__ | k | 15:14 |
mark__ | later | 15:14 |
*** mark__ has quit (Quit: Page closed) | 15:17 | |
nowen | m_denis_demo any progress? | 15:46 |
nowen | damn, gotta go again. sorry | 15:47 |
*** nowen is now known as nowen_away | 15:47 | |
*** nowen_away is now known as nowen | 16:39 | |
nowen | back | 16:39 |
*** nowen has quit (Ping timeout: 250 seconds) | 17:14 | |
*** Troy__ (329b98a8@gateway/web/freenode/ip.50.155.152.168) has joined #wikid | 17:16 | |
*** nowen (~nowen@99-174-92-191.lightspeed.tukrga.sbcglobal.net) has joined #wikid | 17:18 | |
Troy__ | Hi Nick | 17:42 |
Troy__ | I sent you an e-mail on the jnlp update.. let me know what you think or if you have any ideas on a workaround | 17:43 |
*** tmg_ (~tmg@malal.pl) has joined #wikid | 17:45 | |
*** tmg has quit (Read error: Connection reset by peer) | 17:46 | |
nowen | Troy__: check out this http://stackoverflow.com/questions/5865832/versioning-in-java-web-start | 18:10 |
nowen | looks like you need to rename the jar | 18:11 |
nowen | <name of jar file>__V<version number>.jar | 18:11 |
Troy__ | OK.. i will test that now | 18:12 |
Troy__ | ok.. i added the version to the file, wikidtoken__V3.1.25 and added the version="3.1.25" to the jnlp | 18:18 |
Troy__ | that works fine.. however, web start downloads the full application each time the client connection changes | 18:18 |
nowen | arg | 18:19 |
Troy__ | i think just forces the download each time DNS updates | 18:19 |
nowen | by client connection, you mean that if the user connection from a different isp? | 18:19 |
Troy__ | no.. when the user is in the office versus coming from home | 18:20 |
Troy__ | in the office 777777777777777 resolves to a different IP then from outside connection | 18:20 |
nowen | yeah, but the domain id should matter to the jnlp, right? | 18:21 |
nowen | oh | 18:21 |
Troy__ | the app launches from Java cache fine as long as the IP stays the same | 18:21 |
nowen | oh | 18:21 |
nowen | yeah | 18:21 |
Troy__ | not sure how to get around this or force Java web start to avoid re-downloading this | 18:22 |
Troy__ | I even tried the download="lazy" parameter | 18:22 |
Troy__ | -- Indicates if the jar must be downloaded before an application is launched (eager), or not (lazy). Default value is eager | 18:23 |
Troy__ | let me know if you find anything else.. i'll keep digging | 18:24 |
nowen | I'm looking at file:///media/bigdisk/nowen/Downloads/jnlp-1_5-mr-spec.pdf | 18:24 |
nowen | oops | 18:25 |
nowen | http://download.oracle.com/otn-pub/jcp/jnlp-1.5-mr-spec-oth-JSpec/jnlp-1_5-mr-spec.pdf?AuthParam=1391538393_741c7ad042f136cd06f54926112cfb5a | 18:25 |
Troy__ | it's mainly an issue for folks that have low bandwidth outside | 18:25 |
Troy__ | we are getting most folks upgraded to the full client which works fine in this situation | 18:25 |
nowen | that doc says : <jar href="http://www.mysite.com/b.jar" version="2.3+"/> | 18:25 |
nowen | I wonder if that needs to be in codebase line | 18:26 |
Troy__ | i'll give that a try | 18:30 |
Troy__ | i think the mysite.com is just an example for documentation | 18:35 |
Troy__ | what is the b.jar ? | 18:35 |
nowen | oh yeah, i was just thinking about the version part | 18:35 |
Troy__ | the version seems to work fine in my current like | 18:36 |
Troy__ | jar jnlp file | 18:36 |
Troy__ | <jar href="wikidtoken.jar" main="true" version="3.1.25"/> | 18:36 |
Troy__ | <property name="jnlp.versionEnabled" value="true"/> | 18:37 |
nowen | oh | 18:37 |
nowen | you're ahead of me again | 18:37 |
Troy__ | and the filename is renamed to wikidtoken__V3.1.25 | 18:37 |
nowen | what if you put the url in there | 18:37 |
nowen | <jar href="http://777777777777.sanmina.com/wikid/webstart/wikidtoken.jar" main="true" version="3.1.25"/> | 18:38 |
Troy__ | that is all working great.. it's just the changing connections (DNS) forces a full download still | 18:38 |
Troy__ | ok.. let me try | 18:38 |
nowen | I'm wondering if specifying the url will make a difference. | 18:38 |
nowen | it looks like it is supposed to be URL/version-id | 18:39 |
nowen | that is, if the URL/version-id match, it's not supposed to download. not sure why dns would matter. | 18:39 |
Troy__ | the full URL works, but still forces the full download | 18:41 |
Troy__ | hmmm | 18:41 |
nowen | man | 18:41 |
nowen | it doesn't match what the docs say. | 18:41 |
Troy__ | let me dig a bit more.. i think we are getting closer | 18:42 |
*** mark__ (8f74745b@gateway/web/freenode/ip.143.116.116.91) has joined #wikid | 18:48 | |
mark__ | Nick you here | 18:49 |
nowen | yes | 18:49 |
mark__ | Android question | 18:49 |
nowen | ok | 18:49 |
mark__ | any issues you are aware of with the tokens | 18:52 |
mark__ | we are able to enter passcode and pin but then it hangs and never returns an OTP | 18:52 |
mark__ | only on androids so far | 18:53 |
mark__ | trying to get people with other devices to verify | 18:53 |
mark__ | works on wifi but not on cellular netwrok | 18:53 |
mark__ | network | 18:53 |
mark__ | Have tried verizon,sprint and at&t | 18:54 |
nowen | are you having any connectivity issues with the server? | 18:54 |
mark__ | well the desktops work fine, the phone work fine if on wifi | 18:55 |
nowen | can you add 8888888888 on your android? | 18:56 |
mark__ | sure | 18:56 |
nowen | no crashes or issues reported via the android play store | 18:56 |
nowen | but my android token isn't getting to your server either | 18:57 |
mark__ | i add 888888888888 as a new domain and it just returns to the wikid screen with no new domain | 18:57 |
mark__ | no registration code or anything | 18:58 |
mark__ | when i hit next it returns back to the wikid app screen | 18:58 |
nowen | it's odd. not like the android token code changed | 19:00 |
nowen | it's fast if you pre-pend a * | 19:02 |
nowen | and fast without now | 19:03 |
mark__ | still not working for me | 19:04 |
Troy__ | i get prompted for the pin, but then it just hangs requesting passcode... | 19:05 |
mark__ | for 888888888888? | 19:06 |
mark__ | or for ours? | 19:06 |
nowen | oh, i was no wifi | 19:07 |
nowen | but it hung once on wifi and then didn't | 19:07 |
Troy__ | i just tested the 77777777777 | 19:07 |
Troy__ | i don't have the 888 on my android yet | 19:07 |
mark__ | ok | 19:07 |
mark__ | yes that is what i get on the 777 | 19:07 |
Troy__ | does this look like server issue or network / dns issue? | 19:08 |
Troy__ | i think it's dns we would get the PIN prompt | 19:08 |
nowen | I would say network / dns. | 19:08 |
Troy__ | that's what i would think | 19:09 |
nowen | the fact that it only happens on the cell networks makes me think dns. | 19:10 |
Troy__ | let me see if I can get to the adreg page over cell network | 19:11 |
nowen | also, if you pre-pend the * to the domain id, it is fast | 19:12 |
nowen | it's almost like they are trying to route to 777.777.777.777 | 19:12 |
Troy__ | it's working again on my phone | 19:20 |
Troy__ | I also was able to get to the registration page.. just a bit slow | 19:20 |
nowen | yeah, same here | 19:20 |
Troy__ | Nick.. which cell network are you on? | 19:22 |
nowen | t-mobile | 19:22 |
Troy__ | ok | 19:22 |
mark__ | working here as well | 19:24 |
mark__ | verizon | 19:24 |
nowen | hmm | 19:24 |
Troy__ | this has happened a few times before | 19:27 |
Troy__ | seems to work itself out eventually | 19:27 |
nowen | odd that it would be multiple carriers | 19:28 |
nowen | unless they rely on google for dns and they did it | 19:28 |
Troy__ | not sure exactly if it's something not updating DNS properly on our end or the cell network providers are all using the same DNS service | 19:28 |
nowen | it could be that all android is using google dns | 19:28 |
Troy__ | that very well could be | 19:28 |
nowen | my 888 domain was mis-configured. I updated it yesterday via rpm but forgot to change the ports | 19:35 |
nowen | hmm | 19:39 |
nowen | https://play.google.com/store/apps/details?id=uk.co.mytechie.setDNS | 19:39 |
nowen | PLEASE DON'T INSTALL ON ANDROID 4.3 FOR THE MOMENT, THERE ARE PROBLEMS WITH THE WAY DNS HANDLING HAS BEEN CHANGED IN THE KERNEL. I'VE PULLED IT FROM THE MARKET FOR 4.3 DEVICES. | 19:39 |
nowen | I was looking for an app to change dns and noticed that | 19:39 |
nowen | I'm running 4.3 | 19:43 |
Troy__ | ok.. i doubt if any of our corporate phones are running 4.3 | 20:14 |
Troy__ | thanks for the heads-up. good to know | 20:14 |
*** coolacid has quit (Remote host closed the connection) | 20:58 | |
mark__ | Nick | 21:11 |
mark__ | we have some employees on 4.3 | 21:11 |
mark__ | so they will have to wait until you get it corrected correct? | 21:11 |
mark__ | or are you saying that the setDNS app will not work | 21:12 |
*** coolacid (~CoolAcid@unaffiliated/coolacid) has joined #wikid | 21:13 | |
nowen | I'm not 100% sure that's the issue yet | 21:13 |
*** coolacid has quit (Remote host closed the connection) | 21:15 | |
*** coolacid (~CoolAcid@unaffiliated/coolacid) has joined #wikid | 21:16 | |
mark__ | ok | 21:32 |
mark__ | i have one of the affected employees uninstalling the app | 21:32 |
mark__ | then going to have him try to reinstall | 21:32 |
mark__ | seems like most are now working though | 21:33 |
nowen | have him add it with a * prepended | 21:33 |
nowen | so *777777777777 | 21:35 |
nowen | it will always go to dns first | 21:35 |
mark__ | ok | 22:04 |
mark__ | dropping off | 22:04 |
nowen | ok | 22:04 |
mark__ | will let you know when i hear back | 22:05 |
nowen | ok | 22:05 |
*** mark__ has quit (Ping timeout: 245 seconds) | 22:09 | |
*** Troy__ has quit (Quit: Page closed) | 22:49 |