*** joevano_ (~joevano@bzflag/developer/JoeVano) has joined #wikid | 11:50 | |
*** joevano has quit (Ping timeout: 260 seconds) | 11:51 | |
*** nowen (~nowen@172.56.1.105) has joined #wikid | 12:51 | |
*** Wilbo (d457565d@gateway/web/freenode/ip.212.87.86.93) has joined #wikid | 13:18 | |
Wilbo | Hi, anyone have experience of setting up a WiKID Auth server with a Watchguard Firebox? | 13:19 |
nowen | Wilbo: should not be too hard | 13:32 |
nowen | will you be using a radius server such as NPS or just WiKID? | 13:33 |
Wilbo | Hi Nick. Just WiKID. I have WiKID up and running, have purchased the licence and have the client on different end devices. Users are able to get a token from the server and login to bring up the vpn tunnel. I just can't get any traffic to move through the tunnel. | 14:00 |
nowen | hmm | 14:00 |
Wilbo | it's as if I have some kind of cross up with authentication somewhere. If I drop back to my old authentication method for vpn all works fine | 14:00 |
nowen | sounds like more of a watchguard issue. you see the successful auths on the WiKID server? | 14:01 |
Wilbo | Yes I see the auths on the server. I also see the tunnel come up on the watchguard. Do I have to modify any of the return attributes in WiKID for the watchguard? | 14:03 |
nowen | I wouldn't think so. | 14:03 |
nowen | is that required for non-WiKID auth? | 14:03 |
Wilbo | No. | 14:04 |
nowen | I can't imagine why the watchguard would handle radius vs non-radius auth differently | 14:04 |
*** WiKIDLogBot (~WiKIDLogB@ec2-54-83-0-181.compute-1.amazonaws.com) has joined #wikid | 14:19 | |
barjavel.freenode.net | Topic for #wikid is: two-factor authentication. If no one is here, you can try the forums: http://www.wikidsystems.com/support/support/wikid-forums. Please lurk around - your question may not be answered immediately. This channel is logged: http://www.wikidsystems.com/webdemo/irclogs/index.html. | 14:19 |
barjavel.freenode.net | Users on #wikid: WiKIDLogBot Wilbo @nowen joevano_ coolacid Qasker- @ChanServ | 14:19 |
nowen | so, the radius attribute 11 is filter-id | 14:19 |
nowen | "The group attribute value is used to set the attribute that carries the User Group information. You must configure the RADIUS server to include the Filter ID string with the user authentication message it sends to the XTM device. For example, engineerGroup or financeGroup. This information is then used for access control. The XTM device matches the FilterID string to the group name configured in the XTM device policies." | 14:20 |
Wilbo | sounds promising | 14:21 |
Wilbo | so I just need to add filter-id to assigned return attributes for my main group on the WiKID server? | 14:23 |
nowen | I think you can add it at the Network client tab | 14:23 |
nowen | that way it will affect all your users and you won't have to manage groups on the WiKID server | 14:24 |
Wilbo | ok, I'll try that now | 14:24 |
nowen | but do you have groups on the Watchguard already? | 14:25 |
Wilbo | I have a group of users for its internal VPN auth, which I am replacing with WiKID 2fa. for radius there is a group called Radius which refers to the WiKID server | 14:27 |
*** coolacid has quit (*.net *.split) | 14:27 | |
nowen | so, would the filter-id be 'radius'? | 14:27 |
*** nowen has quit (*.net *.split) | 14:28 | |
*** joevano_ has quit (*.net *.split) | 14:28 | |
Wilbo | sounds plausible, will try now | 14:28 |
*** Qasker- has quit (*.net *.split) | 14:30 | |
*** Wilbo has quit (*.net *.split) | 14:31 | |
*** ChanServ has quit (*.net *.split) | 14:31 | |
*** WiKIDLogBot is now known as 17SAA3MVK | 14:32 | |
*** WiKIDLogBot (~WiKIDLogB@ec2-54-83-0-181.compute-1.amazonaws.com) has joined #wikid | 14:32 | |
*** Wilbo (d457565d@gateway/web/freenode/ip.212.87.86.93) has joined #wikid | 14:32 | |
*** nowen (~nowen@172.56.1.105) has joined #wikid | 14:32 | |
*** joevano_ (~joevano@bzflag/developer/JoeVano) has joined #wikid | 14:32 | |
*** coolacid (~CoolAcid@unaffiliated/coolacid) has joined #wikid | 14:32 | |
*** Qasker- (ask@gateway/shell/elitebnc/x-lrwmprxsuvxowwwv) has joined #wikid | 14:32 | |
*** ChanServ (ChanServ@services.) has joined #wikid | 14:32 | |
Wilbo | Ok. The watchguard needs the name of the vpn policy returned in that attribute - works a charm now | 14:33 |
Wilbo | cheers | 14:33 |
*** 17SAA3MVK (~WiKIDLogB@ec2-54-83-0-181.compute-1.amazonaws.com) has joined #wikid | 14:33 | |
Wilbo | Really appreciate your help with this - thanks! | 14:33 |
nowen | sweet. I'll update our watchguard doc | 14:33 |
nowen | no problem | 14:34 |
nowen | also, did you see the patch email? | 14:34 |
nowen | you might have been missed | 14:34 |
nowen | it's not urgent for you guys as it takes three years to be an issue | 14:35 |
Wilbo | I haven't no, I also didn't receive anything else after purchasing my license - should I have done? | 14:35 |
nowen | no - we track that based on the cert you created. We're working on a better, more communicative system | 14:35 |
Wilbo | ok cool. Well, it does exactly what I want now - thanks again | 14:36 |
nowen | I recommend you subscribe to our email list, bottom right corner: https://www.wikidsystems.com/ | 14:36 |
nowen | also I'm catching up on the accounting so now you're in that system. We can send emails to that list too | 14:36 |
Wilbo | ok great | 14:37 |
*** WiKIDLogBot has quit (Remote host closed the connection) | 14:39 | |
*** WiKIDLogBot (~WiKIDLogB@ec2-54-83-0-181.compute-1.amazonaws.com) has joined #wikid | 14:40 | |
*** Wilbo has quit (Quit: Page closed) | 14:45 | |
*** nowen has quit (Ping timeout: 272 seconds) | 16:04 | |
*** nowen (~nowen@172.56.1.105) has joined #wikid | 16:27 | |
*** nowen has quit (Ping timeout: 260 seconds) | 19:52 | |
*** nowen (~nowen@172.56.1.105) has joined #wikid | 20:14 | |
*** nowen has quit (Quit: Leaving.) | 20:30 | |
*** nowen (~nowen@172.56.1.105) has joined #wikid | 20:30 | |
*** nowen has quit (Quit: Leaving.) | 22:11 |