*** coolacid has quit (Remote host closed the connection) | 01:43 | |
*** coolacid (~CoolAcid@unaffiliated/coolacid) has joined #wikid | 01:55 | |
*** coolacid has quit (Remote host closed the connection) | 02:06 | |
*** coolacid (~CoolAcid@unaffiliated/coolacid) has joined #wikid | 02:12 | |
*** coolacid has quit (Remote host closed the connection) | 03:02 | |
*** coolacid (~CoolAcid@unaffiliated/coolacid) has joined #wikid | 03:07 | |
*** KORG (~KORG@crytek.dream.net.ua) has joined #wikid | 08:43 | |
*** KORG is now known as dkorzhevin | 08:44 | |
*** dkorzhevin has quit (Quit: Leaving) | 13:12 | |
*** nowen (~nowen@99-174-92-191.lightspeed.tukrga.sbcglobal.net) has joined #wikid | 13:41 | |
*** coolacid has quit (Remote host closed the connection) | 14:14 | |
*** coolacid (~CoolAcid@unaffiliated/coolacid) has joined #wikid | 14:28 | |
*** coolacid has quit (Remote host closed the connection) | 14:33 | |
*** coolacid (~CoolAcid@unaffiliated/coolacid) has joined #wikid | 14:36 | |
*** coolacid has quit (Remote host closed the connection) | 14:37 | |
*** coolacid (~CoolAcid@unaffiliated/coolacid) has joined #wikid | 14:42 | |
*** mark_burger (8f74fa7d@gateway/web/freenode/ip.143.116.250.125) has joined #wikid | 14:53 | |
mark_burger | Good morning | 14:53 |
mark_burger | Nick are you here | 14:54 |
nowen | yes | 14:54 |
nowen | good morning | 14:54 |
mark_burger | i ran the report | 15:00 |
mark_burger | removed duplicates | 15:00 |
mark_burger | 6417 is what wikid shows | 15:00 |
mark_burger | 5929 after i remove duplicates | 15:01 |
nowen | 6417 is from the home page? | 15:02 |
mark_burger | yes | 15:02 |
mark_burger | my steps are i go in to reports | 15:06 |
mark_burger | run a csv report and include disabled tokens | 15:06 |
mark_burger | then open in xls | 15:07 |
mark_burger | and remove the duplicates | 15:07 |
nowen | this is all one domain? | 15:08 |
mark_burger | yes | 15:09 |
mark_burger | we only have the one domain in production | 15:09 |
nowen | duplicates are based on username, I assume. | 15:09 |
mark_burger | yes | 15:09 |
mark_burger | 19427 devices | 15:10 |
mark_burger | so as you see based off of that we have loads of duplicates when eported | 15:10 |
mark_burger | exported | 15:10 |
nowen | did you guys upgrade the server yet? | 15:14 |
nowen | mark_burger: what is your unregdevicettl? it's under Configuration / Set Parameters | 15:24 |
mark_burger | no | 15:28 |
mark_burger | we did not upgrade | 15:29 |
mark_burger | 28 unregistered | 15:29 |
*** PC_CTi (4589565b@gateway/web/freenode/ip.69.137.86.91) has joined #wikid | 15:33 | |
PC_CTi | 'ello | 15:34 |
nowen | hi PC_CTi | 15:35 |
PC_CTi | I'm just here for now. i'm setting up a Radius and WiKID server this morning, and just hanging out if I need a pointer or two | 15:36 |
nowen | ok - sounds good | 15:36 |
nowen | what radius server? | 15:36 |
mark_burger | you think the upgrade will fix it? | 15:38 |
nowen | not sure. I did replicate it, but now I can't. There's nothing in the upgrade that should | 15:38 |
nowen | we might be able to get some additional reports in that help us figure it out | 15:38 |
mark_burger | okay | 15:39 |
PC_CTi | Server 2008R2 for Radius. Freshly installed DC + NPS | 15:39 |
nowen | PC_CTi: I assume you're using the enterprise version | 15:40 |
PC_CTi | I downloaded the ISO and installed it | 15:41 |
nowen | mark_burger: if we had a report that listed unique users and their tokens would that help? | 15:42 |
PC_CTi | Client plans on purchasing, I'm just doing the initial setup | 15:42 |
nowen | ok | 15:42 |
PC_CTi | When they purchase I assume we just swap the Certificate with a permanent one? | 15:49 |
PC_CTi | nowen: how long does it take to get Certificate requests usually? | 15:54 |
PC_CTi | can I move onto setting up the local certificate without installing the cert from you guys (least until I get it) | 15:54 |
nowen | PC_CTi: they should be returned in the same pop-up | 15:55 |
PC_CTi | hrm, IE11 strikes again | 15:55 |
nowen | I'll email it | 15:55 |
PC_CTi | got it thanks | 16:00 |
PC_CTi | Can you restart the wikid services from the web admin, or is console the only way | 16:03 |
nowen | console is the only way | 16:03 |
PC_CTi | when setting up the Network Client, its asking for an IP Address. your demo video with bank.com is using a public IP. what IP do I put here? | 16:11 |
nowen | use an internal IP | 16:11 |
PC_CTi | for the WikID server? | 16:12 |
PC_CTi | this is for authenticating firewall users (watchguard) for vpn. | 16:12 |
nowen | no, the network client would be your VPN or whatever device .. | 16:12 |
PC_CTi | kk so the firewall | 16:12 |
nowen | yeah ,the watchguard ip | 16:12 |
PC_CTi | okay so I'm confused now. | 16:14 |
PC_CTi | I've set up Radius on the 2008R2 box, and created the shared key for it | 16:14 |
PC_CTi | when do I enter that key? | 16:14 |
nowen | oh sorry | 16:14 |
nowen | the NPS is your network client | 16:14 |
PC_CTi | ahh okay | 16:15 |
nowen | it should go watchguard >> NPS >> WiKID | 16:15 |
mark_burger | Yes Nick that would help so that duplicates did not have to be removed | 16:15 |
nowen | mark_burger: ok | 16:16 |
PC_CTi | nick, what values should be returned to auth with a Watchguard? | 16:17 |
nowen | PC_CTi: I would not use return attributes unless you know what you're doing. | 16:18 |
PC_CTi | kk. I dont :D | 16:18 |
PC_CTi | well I do, but not to that extent yet | 16:18 |
nowen | I can't really help on them | 16:19 |
PC_CTi | well I'm not to that point yet either way. | 16:22 |
nowen | always best to start simple | 16:23 |
PC_CTi | so I've set up Radius, and there are no users yet, how should I start to test it? | 16:23 |
PC_CTi | I assume I can't try from my android device | 16:23 |
PC_CTi | since I used the 12 digit IP 0 padded | 16:24 |
nowen | well, you can run 'tcpdump -vv port radius' and see if the auths even get to the server | 16:24 |
nowen | you used an internal ip? | 16:24 |
PC_CTi | should I use the publicly available? | 16:24 |
nowen | if you want users from the outside to get otps | 16:25 |
PC_CTi | let me back up a bit | 16:25 |
nowen | you can NAT the server, but the external IP should be used for the domain id | 16:25 |
PC_CTi | what do I need to NAT for it | 16:26 |
PC_CTi | right now, its a VM, single Nic on the internal network | 16:26 |
nowen | ok - so the tokens talk to the WiKID server. PINs go in (encrypted) and OTPs get returned. | 16:26 |
PC_CTi | ah, I would have thought your server would sort of be man in the middle. | 16:27 |
PC_CTi | tokens to your server, to internal server | 16:28 |
nowen | no, no, we don't want that responsibility! ;-) | 16:28 |
PC_CTi | well for licensing purposes | 16:28 |
PC_CTi | anyways. So what is the recommended configuration | 16:28 |
PC_CTi | what do I need to NAT from the public IP to the wikid server | 16:29 |
nowen | ok | 16:29 |
PC_CTi | prefer to not do a blanket 1-to-1 | 16:29 |
nowen | so, your tokens will contact your server. over port 80 (since we use asymmetric encryption). You want an externally routable IP address for the server | 16:30 |
nowen | so | 16:30 |
nowen | your firewall would route those packets to your internal IP. | 16:30 |
PC_CTi | so just port 80 needs to talk to wikid | 16:30 |
nowen | yea | 16:30 |
PC_CTi | all right | 16:31 |
nowen | 443 is the admin, so you want it locked to the inside | 16:31 |
nowen | same with radius | 16:31 |
PC_CTi | and configure the Domain with the padded 0s public IP | 16:31 |
nowen | yeah, exactly | 16:33 |
nowen | ok - I gotta run for a lunch meeting. bbib | 16:47 |
*** nowen has quit (Quit: Leaving.) | 16:48 | |
*** PC_CTi has quit (Ping timeout: 245 seconds) | 17:33 | |
*** mark_burger has quit (Ping timeout: 245 seconds) | 18:12 | |
*** nowen (~nowen@99-174-92-191.lightspeed.tukrga.sbcglobal.net) has joined #wikid | 18:43 | |
*** evfenij (~evfenij@195.78.108.76) has joined #wikid | 19:16 | |
*** evfenij has quit (Remote host closed the connection) | 19:24 | |
*** mark___ (8f74fa7d@gateway/web/freenode/ip.143.116.250.125) has joined #wikid | 19:35 | |
mark___ | Hey Nick you back? | 19:35 |
mark___ | by the way we have it set up I am showing 5842 licenses being used | 19:36 |
mark___ | which after i scrub the duplicates seems to align | 19:37 |
mark___ | however i do have a question | 19:37 |
mark___ | we have some employees who, when they registered, used lower case one time and upper case another time | 19:37 |
mark___ | even though it is the same user would your main dashboard interpret that as two users? | 19:38 |
nowen | hi | 19:51 |
nowen | hmm | 19:51 |
nowen | what did you do to change the licenses in use? clear out some dead ones? | 19:52 |
nowen | mark___: ? | 19:55 |
mark___ | sorry | 20:01 |
mark___ | i am here | 20:01 |
nowen | NP | 20:01 |
mark___ | yes the licenses in use did go down some as we had some inactive accounts i removed | 20:01 |
nowen | I was on the phone with amex discussing my wife's supposed charges to maturesingles.com | 20:02 |
nowen | I think you are right about the caps | 20:02 |
nowen | we used to be cap-sensitive, but changed it - was it for y'all? | 20:07 |
nowen | mark___: could be tough - on AD they would be the same user, but not on linux | 20:15 |
nowen | mark___: is there a way you can count the dupes due to caps? | 20:16 |
*** dystie (c631b428@gateway/web/freenode/ip.198.49.180.40) has joined #wikid | 20:17 | |
mark___ | maybe | 20:18 |
dystie | hey. | 20:18 |
mark___ | and yes we had to do some changes on our registration side to make it work | 20:18 |
dystie | nick, i am having a bad wikid day. | 20:19 |
dystie | i can't get the phone client to let me enter my passphrase, so i'm blocked out of production | 20:19 |
nowen | dystie: what's going on? | 20:19 |
nowen | what? how is that? | 20:20 |
dystie | and my nonprod instance you gave me the dns redirect for is timing out on requests, so i have people who can't get into servers that use wikid. | 20:20 |
dystie | starting with phone. lemmie see if i can get a screenshot | 20:20 |
nowen | let's start with the first. | 20:20 |
dystie | iphone client. | 20:20 |
nowen | mine's working | 20:27 |
dystie | yeah. see screenshots. | 20:27 |
dystie | me = locked out of production w/ no one to reset the tokens till tomorrow. | 20:27 |
dystie | everyone is in australia or poland. | 20:27 |
dystie | rebooting phone | 20:27 |
dystie | k. rebooted and the text moved around and i can now log in | 20:30 |
dystie | sending you a screenshot so you can log this as a known issue. | 20:31 |
nowen | ok | 20:31 |
dystie | next. | 20:31 |
nowen | ok | 20:31 |
nowen | can you also set up another token somewhere else? | 20:31 |
dystie | i'd have to use the api, right | 20:31 |
dystie | ? | 20:31 |
nowen | yes | 20:31 |
dystie | i can't do that through the gui. | 20:31 |
nowen | example.jsp would do it | 20:31 |
dystie | i think we've covered that I don't code. | 20:31 |
nowen | can you edit in vi? or whatever? | 20:32 |
dystie | i can edit files, yes. | 20:32 |
dystie | if you walk me through it. | 20:32 |
nowen | http://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-can-i-test-if-the-server-is-working-correctly | 20:32 |
dystie | (not the editing, what i'd need to do.) | 20:32 |
nowen | just follow that doc | 20:32 |
nowen | all you need to do is change the domain identifier and the localhost passphrase | 20:32 |
*** PC_CTi (4589565b@gateway/web/freenode/ip.69.137.86.91) has joined #wikid | 20:33 | |
dystie | k. let's come back to that, because the other issue is more urgent. | 20:33 |
dystie | for our nonproduction (call it dc1) wikid, we had an ip change, and worked w/ you to put in a dns rule to redirect to the new ip address. | 20:34 |
dystie | the problem is that w/ the redirect timeouts happen. | 20:34 |
nowen | what's the new ip? | 20:34 |
nowen | I have a 135.39 address | 20:34 |
dystie | and today it is especially bad; i can't register a token, people who use wikid to sudo on linux systems can't, etc | 20:35 |
dystie | so it has to be fixed. | 20:35 |
nowen | doesn't look like it is dns | 20:35 |
nowen | I can get to it fine | 20:35 |
nowen | https://199255083008.wikidsystems.net/WiKIDAdmin | 20:35 |
dystie | it is however not letting me register a token. | 20:35 |
dystie | so that is not so cool. | 20:35 |
dystie | so if not dns, the redirect timeouts from the old domain, to you, to our new ip. | 20:36 |
nowen | hmm I just registered 4b4w3ASR | 20:36 |
dystie | could not obtain configuration for: old. | 20:36 |
dystie | onesec | 20:36 |
dystie | k. so i have corp vpn, which backhauls to california and back to the server in dc1 | 20:37 |
dystie | so that explains some of the latency, but we still have people who can't work. | 20:38 |
nowen | what happens when you go to http://199255083008.wikidsystems.net/wikid/servlet/com.wikidsystems.server.InitDevice4AES?a=0&S=199255083008&CT=1 | 20:38 |
dystie | message HTTP method GET is not supported by this URL | 20:38 |
dystie | not on vpn, that. | 20:38 |
nowen | that the WiKID server responded | 20:38 |
nowen | 'ding | 20:38 |
nowen | sounds like you have routing issue on your vpn | 20:38 |
dystie | if i were to take one of the dc's it's talking to | 20:40 |
dystie | so it only has one dc, instead of two dcs. | 20:40 |
dystie | and create a new domain. | 20:40 |
dystie | what would be the impact? | 20:41 |
dystie | [3/11/14 4:39:36 PM] Sarah Clarke: where are you connecting to dc1 from? [3/11/14 4:39:53 PM] Sarah Clarke: office hard connection, corp vpn, ? [3/11/14 4:40:46 PM] khusbu chhadwa: office [3/11/14 4:41:19 PM] Sarah Clarke: plugged into a wire at your desk? [3/11/14 4:41:33 PM] khusbu chhadwa: plugged in | 20:41 |
dystie | that's the pro services lady who reported it; the hardwire is corp network, so it's latency i can't get around. | 20:42 |
nowen | I don't understand. what is a dc? | 20:44 |
dystie | domain controller | 20:45 |
nowen | ok | 20:45 |
dystie | right now the dc1 domain is talking to both dc1 domain controllers | 20:45 |
dystie | if i were to disassociate one of the domain controllers and point it at a dc1-new domain (for example) | 20:46 |
dystie | would i then have two usable domains | 20:46 |
dystie | and what would be the risks/benefits? | 20:46 |
dystie | i want to transition people to a domain that doesn't require the dns redirect, because we have been experiencing problems we hadn't seen before since we had to put it in. | 20:46 |
dystie | the other issue would be the vpn servers, and i can't cut those over because they're in HA / not standalone. | 20:47 |
dystie | but if i can transition people to the new domain for wikid, then i know which problem kids are still using that vpn, and can take it away from them. | 20:47 |
nowen | I'm not sure what's causing the issue | 20:48 |
nowen | it seems to be a routing issue on your end, right? | 20:48 |
nowen | if so, then, there must be a better way to solve it, right? | 20:48 |
nowen | if it is a dns issue, can you create a DNS entry in your own dns servers? | 20:48 |
dystie | call me? | 20:49 |
nowen | I cannot - I have 4 chat windows up | 20:50 |
dystie | k. i want to show you, so ping me when you're avail. | 20:50 |
dystie | i have gotomeeting. | 20:50 |
nowen | again, can you tell this is not an issue with your networking? | 20:50 |
dystie | thinking through how to test that. | 20:54 |
nowen | IDK, with some kind of networking tools? ;-) | 20:54 |
dystie | i just moved the user to a phone based token. | 20:54 |
dystie | [3/11/14 4:49:26 PM] Sarah Clarke: token is associated. [3/11/14 4:49:31 PM] Sarah Clarke: please test and make sure you can get into csdev and sudo [3/11/14 4:50:31 PM] khusbu chhadwa: does not work [3/11/14 4:53:23 PM] Sarah Clarke: is your phone on office wireless? [3/11/14 4:53:56 PM] khusbu chhadwa: nope | 20:54 |
nowen | ok - so you're saying that you have a user that cannot get an OTP? | 20:54 |
nowen | I didn't get that | 20:55 |
nowen | what does "does not work" mean? | 20:55 |
nowen | does the token not work? | 20:56 |
dystie | she could get a code but it wouldn't work for auth | 20:57 |
nowen | ok | 20:57 |
nowen | that's more useful info | 20:57 |
dystie | i just tried to add the domain to my iphone - got an "unable to add domain to token" | 20:57 |
nowen | which issue do you want to focus on? | 20:57 |
*** PC_CTi has quit (Ping timeout: 245 seconds) | 20:58 | |
nowen | on your phone - try pre-pending the domain with an asterisk | 20:58 |
dystie | the issue as i understand it is that people can't auth via wikid to systems that use wikid. | 20:58 |
nowen | i see two issues - you can register and someone's authentication is failing. | 20:58 |
nowen | is that someone's authentication request getting rejected by the wikid server? | 20:59 |
nowen | is that user enabled on the wikid server? | 20:59 |
nowen | is the authentication request even getting to the WiKID server? | 20:59 |
dystie | checking logs | 21:00 |
nowen | you can also run 'tcpdump -vv port radius' to see if the requests are getting to wikid. I'm assuming radius | 21:15 |
*** PC_CTi (32f1ca0a@gateway/web/freenode/ip.50.241.202.10) has joined #wikid | 21:21 | |
PC_CTi | nowen: Trying to delete a user, but it is not showing up in the list | 21:21 |
PC_CTi | was a user I manually validated, but haven't actually used | 21:21 |
nowen | and you're saying it's no longer showing up on the user tab? did you ctrl-shift reload? | 21:21 |
PC_CTi | has never shown up on the users tab | 21:21 |
nowen | tell me how you registered them? | 21:22 |
PC_CTi | when I try to delete the Domain, it shows 1 user, gotta delete first | 21:22 |
PC_CTi | used android token, which worked, and clicked the manually validate user | 21:22 |
nowen | huh, so no users showing but you can't delete the domain? is there an outstanding reg code? | 21:23 |
*** mustafa (~mustafa@91.213.72.152) has joined #wikid | 21:23 | |
PC_CTi | no | 21:23 |
PC_CTi | I checked back, and there is none | 21:23 |
PC_CTi | I only tried once | 21:23 |
PC_CTi | I'm changing the public IP | 21:23 |
PC_CTi | which is why I'm doing this | 21:23 |
nowen | hmm, well you don't have to delete the domain, but you should be able to. I just did this yesterday | 21:23 |
*** mustafa has quit (Remote host closed the connection) | 21:24 | |
*** effekt (~effekt@91.217.162.251) has joined #wikid | 21:35 | |
*** effekt has quit (Remote host closed the connection) | 21:36 | |
PC_CTi | mkay | 21:36 |
PC_CTi | so I created a new one | 21:36 |
PC_CTi | when I look under Manually Validate | 21:36 |
PC_CTi | I see the reg code that matched the token | 21:36 |
PC_CTi | however the | 21:36 |
PC_CTi | EmbededID is blank | 21:36 |
PC_CTi | is that normal? | 21:36 |
nowen | hold on | 21:40 |
nowen | yes. | 21:41 |
*** coolacid has quit (*.net *.split) | 21:43 | |
*** Qasker has quit (*.net *.split) | 21:43 | |
*** nowen has quit (*.net *.split) | 21:49 | |
*** joevano has quit (*.net *.split) | 21:51 | |
*** PC_CTi has quit (*.net *.split) | 21:52 | |
*** dystie has quit (*.net *.split) | 21:52 | |
*** mark___ has quit (*.net *.split) | 21:52 |