*** nowen (~nowen@50-194-249-125-static.hfc.comcastbusiness.net) has joined #wikid | 12:30 | |
*** Salik (45f6d450@gateway/web/freenode/ip.69.246.212.80) has joined #wikid | 15:32 | |
*** ddreggors (~ddreggors@199.227.2.200) has joined #wikid | 15:33 | |
Salik | hi nick. you there | 15:33 |
nowen | hi Salik | 15:33 |
nowen | yes I am | 15:33 |
Salik | i am here with my coworker, David | 15:33 |
Salik | we were going through the install | 15:33 |
nowen | great | 15:33 |
Salik | we were trying to login to the web interface but it doesn't seem to accept the pw we set | 15:33 |
nowen | try WiKIDAdmin/2Factor | 15:34 |
Salik | ok | 15:34 |
Salik | oh ok. that worked. we didn't see that in the install documentation | 15:34 |
nowen | once you have it installed, go to the full manual: http://www.wikidsystems.com/support/wikid-support-center/manual/how-to-install-the-wikid-strong-authentication-server | 15:35 |
Salik | oh ok. i think we were looking at quick start | 15:36 |
nowen | that works too | 15:36 |
ddreggors | no we are on this page | 15:37 |
ddreggors | http://www.wikidsystems.com/support/wikid-support-center/installation-how-tos/how-to-install-the-wikid-enterprise-rpms | 15:37 |
ddreggors | and that did not say anything about 2Factor for password... | 15:37 |
Salik | ok nick, so next question I had.. | 15:37 |
Salik | the screen shot I sent you yesterday for network clients | 15:37 |
ddreggors | thanks, we just did not know where to look | 15:38 |
Salik | it showed 2 entries | 15:38 |
Salik | one for a NPS server and one for the gateway server | 15:38 |
nowen | I'll add a link to the manual form that page | 15:38 |
ddreggors | thanks, we appreciate your help | 15:39 |
nowen | Salik: yes, one of those will probably not work ;-) | 15:39 |
Salik | i have a feeling our current setups are not correct. We currently have 2 wikid servers at different datacenters | 15:40 |
Salik | both are configured pretty much like that screenshot I sent you | 15:41 |
nowen | hmm | 15:41 |
Salik | I logged into the NPS server | 15:41 |
Salik | and looked at the logs | 15:41 |
Salik | and I don't see anything in them | 15:41 |
Salik | this was all setup maybe 5 years ago by a team that is no longer with the company | 15:41 |
Salik | our second wikid server was configured the same way but pointing to another domain controller local to that data center | 15:42 |
Salik | I logged into that server and it doesn't even have NPS installed on it | 15:42 |
nowen | well, I'm glad you're looking into it | 15:42 |
Salik | so I have no idea how either of these is working | 15:42 |
nowen | well, let's do a couple of things | 15:42 |
Salik | ok | 15:43 |
nowen | do you use both servers or just one? | 15:43 |
Salik | we use both | 15:43 |
Salik | both are at different data centers | 15:43 |
Salik | we will be shutting one datacenter down | 15:43 |
Salik | and moving to a new datacenter | 15:43 |
Salik | and that is the new server I am building | 15:44 |
nowen | ok | 15:44 |
Salik | we want a separate wikid server / NPS at each location | 15:44 |
nowen | on the server you're going to keep, run 'tcpdump port radius' | 15:44 |
nowen | and then login | 15:44 |
nowen | ie - login to your vpn to create a radius request | 15:48 |
nowen | that command will show you which network client IP is being used | 15:48 |
Salik | ok running the command now. trying to get a user who has wikid installed to try logging in | 15:49 |
Salik | I do believe we ran this before and saw no traffic | 15:50 |
Salik | but we will verify right now | 15:50 |
Salik | I don't know if you remember, but 2 weeks ago, we were talking about an issue where users were able to use AD credentials instead of wikid token and were able to connect fine | 15:51 |
Salik | so maybe this is all related? | 15:51 |
nowen | I think that was your PAM config. | 15:51 |
Salik | ok. we never really made changes to PAM so that issue still exists | 15:52 |
nowen | huh? I thought it was fixed? the /etc/pam.d/ssh file was the issue | 15:52 |
Salik | we made a change and nobody could login | 15:52 |
Salik | so we changed it back as it was | 15:52 |
nowen | do you have access to that server? | 15:53 |
Salik | yes | 15:53 |
nowen | can you tell me what is in /etc/raddb/server? | 15:53 |
Salik | so it has the IP for itself and a password and 3 | 15:55 |
Salik | so our gateway server and wikid are running on the same server | 15:55 |
nowen | ok | 15:55 |
nowen | so that makes me think that NPS is not in the middle | 15:56 |
nowen | because PAM is just talking straight to wikid | 15:56 |
nowen | note that it is using the IP and not localhost - b/c wikid itself is using localhost for radius | 15:57 |
Salik | maybe that is why we are seeing no RADIUS traffic | 15:57 |
nowen | makes sense | 15:57 |
nowen | I'm thinking that we should set up the new DC the way you want to work and then copy that set up to the existing one | 15:59 |
Salik | yeah i think that is the best way | 16:00 |
Salik | so we don't currently have a NPS server set up in the new DC | 16:00 |
Salik | so that should be the next step? | 16:00 |
Salik | I can install that role on one of our domain controllers | 16:00 |
nowen | If you want to use AD for authorization, then you need NPS | 16:04 |
nowen | Salik: is KOlson2 still the correct billing person? | 16:08 |
Salik | hmm I don't think so | 16:09 |
Salik | I will try to get an updated name for you | 16:09 |
nowen | oh - wait sorry | 16:09 |
nowen | wrong window and account ;-) | 16:09 |
Salik | :) | 16:10 |
Salik | ok I just got the NPS role installed. is there any documentation I can follow to configure that? | 16:10 |
nowen | we have this: http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-nps | 16:10 |
nowen | but MS might have something better | 16:10 |
Salik | we should get NPS configured completely first prior to configuring wikid? | 16:11 |
nowen | doesn't matter. | 16:11 |
Salik | ok | 16:11 |
nowen | what you should think about is how to test it | 16:12 |
nowen | so, you might want to have PAM talk radius to NPS using AD creds first | 16:12 |
nowen | then add WiKID to NPS and test with an OTP | 16:12 |
*** AccentureDan (3f7c1664@gateway/web/freenode/ip.63.124.22.100) has joined #wikid | 16:17 | |
AccentureDan | hey Nick question for ya | 16:17 |
nowen | AccentureDan: ok | 16:17 |
AccentureDan | not sure how familiar you are with the Cisco ASA firewall and SSL VPNs, but more or less, I saw the instructional video that showed authenticating directly with WiKID | 16:18 |
AccentureDan | I want to use the existing Network Policy Server framework I have set up so users are not directly communicating with WiKID, and credential routing is being done by NPS for AD and WiKID, then back out the ASA | 16:18 |
AccentureDan | do you have any understanding of how this would work? | 16:19 |
AccentureDan | or know someone that would? haha | 16:19 |
AccentureDan | have already opened a TAC with Cisco, but just want to see if you would know anything | 16:19 |
nowen | it's all NPS today | 16:19 |
AccentureDan | HAH | 16:19 |
AccentureDan | i love NPS | 16:19 |
nowen | http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-nps | 16:19 |
AccentureDan | I have the RADIUS server set up in NPS as the ASA | 16:19 |
nowen | also this: http://www.wikidsystems.com/learn-more/white-papers | 16:19 |
nowen | so WiKID will be a radius server on NPS | 16:20 |
AccentureDan | but I think the question is, how to route the requests from the ASA to the NPS | 16:20 |
nowen | oh | 16:20 |
nowen | The NPS will be a radius server on the ASA | 16:20 |
nowen | just replace the WiKID IPs that you see in that video with the NPS ip | 16:21 |
AccentureDan | yup got that set up as well, sweeeeeeet | 16:21 |
AccentureDan | i thought so just wanted to reach out first | 16:21 |
AccentureDan | :-D | 16:21 |
nowen | and you have WiKID set up in NPS as a server? | 16:22 |
*** AccentureDan has quit (Quit: Page closed) | 17:05 | |
*** AccentureDan (3f7c1664@gateway/web/freenode/ip.63.124.22.100) has joined #wikid | 17:10 | |
AccentureDan | so security question for ya | 17:11 |
nowen | ok | 17:11 |
AccentureDan | there is a discussion going on right now about security of one-time passcode distribution...users needing to request one-time passcodes would essentially hit our WiKID server via a port forward from our external-facing Internet IP address, pass through an IPS, then hit the WiKID server | 17:11 |
AccentureDan | how do most of your customers do this to keep things as safe as possible? | 17:12 |
nowen | seems pretty clean. I would block any traffic that is not going to /wikid/ from the outside | 17:12 |
AccentureDan | precisely...during the NAT/Port forwarding, only the one port (random) on the outside gets forwarded to one port (internal) HTTP port on the WiKID server for one-time passcode requests | 17:13 |
AccentureDan | figured this is the most safe...in between there an IPS analyzes traffic | 17:13 |
nowen | yeah | 17:13 |
AccentureDan | awesome just wanted some affirmation that you thought this was normal/safe | 17:14 |
*** AccentureDan has quit (Quit: Page closed) | 17:24 | |
Salik | nick, when we are generating the intermediate CA, we didn't receive any email | 17:54 |
Salik | how is it sent out? | 17:54 |
nowen | it should have come back in the same pop-up | 17:55 |
nowen | hold on | 17:55 |
Salik | oh ok never mind | 17:56 |
Salik | misread something | 17:56 |
Salik | we did get it in the popup | 17:56 |
nowen | I have emailed it | 17:56 |
ddreggors | I think again we misunderstood. The text on the page was saying it would email, but in fact as you said it was in the pop up | 18:23 |
nowen | Salik: ddreggors: how goes the install? | 19:33 |
ddreggors | we are still going but we got sidetracked by other issues | 19:37 |
nowen | ok | 19:38 |
*** ddreggors has quit (Quit: Leaving) | 21:24 | |
*** nowen has quit (Quit: Leaving.) | 22:38 |