*** Rudy6 (~Rudy6@213.132.115.194) has joined #wikid | 11:50 | |
*** nowen (~nowen@99-174-92-191.lightspeed.tukrga.sbcglobal.net) has joined #wikid | 12:53 | |
*** Rudy6 has quit (Quit: Leaving) | 16:33 | |
*** AccentureDan (3f7c1664@gateway/web/freenode/ip.63.124.22.100) has joined #wikid | 16:45 | |
AccentureDan | hey Nick quick question | 16:45 |
nowen | ok | 16:45 |
AccentureDan | working on getting the flow of traffic going via the firewall | 16:45 |
AccentureDan | so we opened 1812/1813 for RADIUS between the firewall and the NPS box, works great | 16:46 |
AccentureDan | where does 8388 communicate? | 16:46 |
nowen | 8388 is for our API. | 16:46 |
AccentureDan | also, do we need LDAP enabled for any reason? the NPS box authorizes locally so don't think so | 16:46 |
AccentureDan | okay so that is local, that doesn't need to communicate to anything | 16:46 |
nowen | So, if you have a wAuth client it uses 8388 | 16:46 |
nowen | correct | 16:46 |
AccentureDan | awesome | 16:46 |
nowen | I would not enable LDAP | 16:46 |
AccentureDan | are there any ports WiKID needs to use to communicate anything back to NPS? | 16:47 |
AccentureDan | I am getting an access denied error on the WiKID box | 16:47 |
nowen | the tokens use port 80 | 16:47 |
nowen | and the WiKIDAdmin uses 443 | 16:47 |
AccentureDan | got that, one time passwords work great | 16:47 |
AccentureDan | got that, I can access the website without issue | 16:47 |
nowen | what port is giving you an access denied? | 16:47 |
AccentureDan | I am getting an Access Denied error | 16:47 |
AccentureDan | lemme check | 16:48 |
nowen | oh, you mean for radius? | 16:48 |
AccentureDan | 50392 | 16:48 |
AccentureDan | it says this | 16:48 |
AccentureDan | <1> Access-Request(1) LEN=82 10.67.109.246:50392 Access-Request by daniel.m.greer Failed: AccessRejectException: Access Denied | 16:48 |
nowen | are you enabled? | 16:48 |
AccentureDan | HAH | 16:48 |
AccentureDan | lemme try again | 16:48 |
AccentureDan | :-P | 16:48 |
AccentureDan | no go | 16:49 |
AccentureDan | 2014-04-18 09:49:28.960 INFO com.wikidsystems.radius.access.WikidAccess4 Access denied for daniel.m.greer, domain code: 010067123060 client: /10.67.109.246 2014-04-18 09:49:28.960 INFO com.wikidsystems.radius.log.DBSvrLogImpl <2> Access-Request(1) LEN=82 10.67.109.246:50392 Access-Request by daniel.m.greer Failed: AccessRejectException: Access Denied 2014-04-18 09:49:25.234 INFO com.wikidsystems.server.DeviceTransactionExecI | 16:49 |
AccentureDan | so passcode works great, but when I enter my username into the field, then the password, it fails | 16:50 |
nowen | daniel.m.greer is the username? | 16:50 |
AccentureDan | yup | 16:50 |
nowen | 10.67.109.246 is nps? | 16:50 |
AccentureDan | yup | 16:50 |
AccentureDan | wait | 16:51 |
AccentureDan | think I may know | 16:51 |
AccentureDan | 1812 and 1813 need to be enabled between NPS and WiKID right? | 16:51 |
nowen | well, it looks like WiKID is getting the radius requests fine, so I don't think it's the ports | 16:51 |
AccentureDan | gotcha | 16:51 |
AccentureDan | any reason it would reject? | 16:51 |
nowen | 010067123060 is the correct domain? | 16:52 |
AccentureDan | the username in AD is the same as the username in WiKID | 16:52 |
AccentureDan | yup | 16:52 |
nowen | set your logs to debug and try again. http://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-can-i-set-radius-logging-to-debug-how-can-i-see-if-wikid-is-getting-the-radius-requests | 16:53 |
AccentureDan | 2014-04-18 09:54:26.749 INFO com.wikidsystems.radius.log.DBSvrLogImpl <4> Access-Request(1) LEN=82 10.67.109.246:50392 Access-Request by daniel.m.greer Failed: AccessRejectException: Access Denied 2014-04-18 09:54:26.748 INFO com.wikidsystems.radius.access.WikidAccess4 Access denied for daniel.m.greer, domain code: 010067123060 client: /10.67.109.246 2014-04-18 09:54:23.088 DEBUG com.wikidsystems.server.WikidCode3AESPasscode | 16:54 |
nowen | there should be more detail in there somewhere. | 16:54 |
nowen | post it all to pastebin.com if you want | 16:55 |
AccentureDan | sure | 16:55 |
AccentureDan | where on pastebin? | 16:56 |
AccentureDan | just paste it in then send you the link? | 16:56 |
nowen | yep | 16:56 |
AccentureDan | http://pastebin.com/qEKhyvRR | 16:56 |
nowen | which loggers do you have set for debug? I think you are missing some | 16:57 |
AccentureDan | com.wikidsystems, com.wikidsystems.server.wauth, com.wikidsystems.radius.access.WiKIDAccess4 | 16:58 |
AccentureDan | just added the radius one | 16:58 |
nowen | ok | 16:58 |
nowen | try again | 16:59 |
AccentureDan | gotcha one sec | 16:59 |
AccentureDan | http://pastebin.com/ygshj9iy | 17:01 |
nowen | add com.wikidsystems.client.wClient too | 17:01 |
AccentureDan | http://pastebin.com/n2XnidnA | 17:03 |
nowen | hmm | 17:04 |
AccentureDan | also NPS gives me a unique error | 17:04 |
nowen | not much difference is there | 17:04 |
nowen | what's that? | 17:04 |
AccentureDan | The RADIUS Proxy received a response from server 10.67.123.60 with an invalid authenticator. | 17:04 |
nowen | check your shared secrets | 17:04 |
AccentureDan | you got it | 17:04 |
AccentureDan | WORKS! | 17:07 |
AccentureDan | woot! | 17:07 |
AccentureDan | production IN | 17:07 |
AccentureDan | LINE | 17:07 |
AccentureDan | :-D | 17:07 |
AccentureDan | thanks for all of your help sir! | 17:07 |
nowen | I note that's still an internal IP you're using for the domain | 17:07 |
AccentureDan | yes sir | 17:52 |
AccentureDan | we limited all this stuff | 17:52 |
AccentureDan | I'll send you our design doc so your mind can be scrambled eggs | 17:52 |
AccentureDan | beyond complicated...but the more complicated it is for us, the harder it should be for a hacker to get through all the walls of Fort Knox | 17:52 |
AccentureDan | :-D | 17:52 |
nowen | sounds good | 18:16 |
*** AccentureDan has quit (Quit: Page closed) | 18:22 | |
*** coolacid has quit (Ping timeout: 258 seconds) | 18:24 | |
*** AccentureDan (3f7c1664@gateway/web/freenode/ip.63.124.22.100) has joined #wikid | 19:26 | |
AccentureDan | okay got it all working, real quick question though | 19:27 |
AccentureDan | we are hardening up the servers | 19:27 |
nowen | ok | 19:27 |
AccentureDan | when the user is presented to the WiKIDAdmin page, and they go to log in | 19:27 |
AccentureDan | we only have 443 enabled...but it times out logging in...do we need wAuth open as well? | 19:27 |
AccentureDan | is that what it is used for? | 19:27 |
nowen | what page are the users going to? | 19:28 |
nowen | is this for Admins or the users? | 19:28 |
AccentureDan | nope just for the admin console | 19:28 |
AccentureDan | just for the admins to add users and such | 19:28 |
nowen | will they be on the inside network? | 19:28 |
AccentureDan | yup no outside access | 19:29 |
AccentureDan | all internal | 19:29 |
AccentureDan | and only our domain controllers can talk to the WiKID Admin console | 19:29 |
nowen | not sure why it would time out | 19:29 |
nowen | 8388 is not needed | 19:29 |
nowen | just 443 | 19:30 |
AccentureDan | gotcha | 19:32 |
AccentureDan | lemme check | 19:32 |
AccentureDan | going to restart the server, needs it anyway after all the testing crap we have done today | 19:33 |
AccentureDan | solved it | 19:35 |
AccentureDan | haha | 19:35 |
nowen | cool | 19:36 |
AccentureDan | question, again haha | 19:37 |
nowen | ;-) | 19:38 |
AccentureDan | what version of Java would you recommend we have users utilize for the JAR non-installable token client? | 19:38 |
AccentureDan | this will be going on the client PCs | 19:38 |
nowen | the latest | 19:38 |
AccentureDan | gotcha, good to know | 19:39 |
AccentureDan | as for the proxy | 19:40 |
AccentureDan | for the token client | 19:40 |
AccentureDan | I see HTTP, SOCKS, and System...we opened a random high-end TCP port that is being port-forwarded to 80...would System be the one to use? | 19:41 |
AccentureDan | not sure which one would be the best haha | 19:41 |
nowen | system just uses the one that the OS uses | 19:42 |
AccentureDan | okay so probably HTTP...that would mimic a TCP port, correct? | 19:42 |
nowen | it's not for a random port, it's for a proxy | 19:42 |
AccentureDan | hm, I used it before on a random port, worked fine...just trying to test if Verizon opened that port on their Internet gateway | 19:43 |
nowen | the smartphone tokens don't support proxies, just so you know | 19:44 |
AccentureDan | that's fine, no one will be using those haha | 19:44 |
AccentureDan | doesn't look like they have made their changes just yet...we just filed the ticket yesterday, no worries | 19:46 |
AccentureDan | will keep ya updated, should be good to go | 19:46 |
nowen | ok | 19:46 |
AccentureDan | all the internal testing is done, works like a charm | 19:46 |
AccentureDan | going to table this 'til Monday, thanks again for your help man, have a great weekend! | 19:46 |
nowen | you too! | 19:47 |
*** AccentureDan has quit (Ping timeout: 240 seconds) | 19:51 | |
*** nowen has quit (Quit: Leaving.) | 21:52 |