*** nowen (~nowen@2601:0:9f80:a700:5d1d:ef63:f5b3:a6e0) has joined #wikid | 14:01 | |
*** intymike01 (~teladm01@47.19.119.130) has joined #wikid | 14:59 | |
nowen | hi intymike01 | 14:59 |
intymike01 | hi there | 14:59 |
intymike01 | how are you? | 14:59 |
nowen | pretty good, and you? | 15:00 |
intymike01 | pretty good thx. | 15:00 |
intymike01 | I'm having an issue with a WiKID setup. I'm trying to get my Astaro Security Gateway to use radius for authentication... | 15:01 |
nowen | ok | 15:01 |
intymike01 | when I add my WiKID info, the Astaro device never talks to the WiKID server, port 1812 | 15:01 |
intymike01 | well, I'm not sure if it talks, but the Astaro times out and says it received nothing | 15:01 |
intymike01 | is there a way I can see my test request in WiKID? | 15:02 |
nowen | did you restart WiKID after creating the Astaro as a network client? | 15:02 |
intymike01 | yes | 15:02 |
nowen | check out this page: https://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-can-i-set-radius-logging-to-debug-how-can-i-see-if-wikid-is-getting-the-radius-requests | 15:02 |
nowen | tcpdump is a good first start | 15:03 |
intymike01 | heading there now | 15:03 |
intymike01 | yeah, I'll do a tcpdump | 15:03 |
nowen | also note that the WiKIDAdmin logs are not javascripty, so you have to hit the filter button to see the action | 15:03 |
intymike01 | so far I've only verified that ports 1812 and 1813 are indeed listening | 15:03 |
nowen | ok - that's good | 15:03 |
nowen | radius requires that the IP of the network client be what's expected | 15:04 |
intymike01 | got it | 15:04 |
intymike01 | good, tcpdump shows my Astaro is talking to the WiKID system: gw1.ct.tdoc.com.44591 > vault1.ct.tdoc.com.radius: RADIUS, length: 20 Access Request (1), id: 0xe5, Authenticator: 225a32b02f330f16657e0ee91daa40fc. | 15:26 |
intymike01 | I didn't see anything in the debug log. | 15:27 |
nowen | is the last thing you see the OTP request? | 15:27 |
intymike01 | no, I don't believe so | 15:28 |
nowen | is the level set to Debug? | 15:29 |
intymike01 | yes. | 15:29 |
nowen | Source is None? | 15:29 |
intymike01 | I'm going to restart again, to make sure the log settings load | 15:29 |
nowen | log settings will reset on restart unless you save them not to | 15:29 |
intymike01 | I chose "Save current configuration as startup configuration" | 15:30 |
nowen | yes, but I doubt that's the problem | 15:30 |
intymike01 | ok | 15:31 |
nowen | can you see the IP address of gw1.ct.tdoc.com in the radius request? | 15:31 |
intymike01 | no IP address in the request (as seen in tcpdump) | 15:32 |
nowen | what do you have on the network client's page? the ip or the dns? | 15:33 |
intymike01 | the ip address of "192.168.70.99" | 15:33 |
intymike01 | which is the IP address of my WiKID system, not the Astaro, which is 192.168.70.1 | 15:34 |
nowen | ahh - you want the astaro there | 15:34 |
intymike01 | ah, doh! | 15:34 |
nowen | ;-) | 15:34 |
intymike01 | yeah, got it. | 15:34 |
nowen | make the change and restart | 15:34 |
nowen | radius caches | 15:34 |
intymike01 | doing it now | 15:34 |
intymike01 | ok, I went through the config and verified everything again. In the logging, I see: Access-Request(1) LEN=20 192.168.70.1:34147 PACKET DROPPED - Packet type of Access-Request(1) is unknown to the Acct port from unknown NAS [192.168.70.1] | 15:51 |
nowen | hmm | 15:51 |
nowen | what port do you have configured on the Astaro? 1812? | 15:51 |
nowen | that makes it sound like it's trying to send on the accounting port which is 1813 | 15:52 |
intymike01 | basically the Astaro has a "test" area in which you put the secret passcode, then press "test". I have it set to use port 1812 | 15:52 |
nowen | does it say anything in the WiKIDAdmin logs? | 15:53 |
intymike01 | dbmigrations.log -- log4j:ERROR Could not connect to remote log4j server at [localhost], wauth.log -- log4j:WARN No appenders could be found for logger (com.wikidsystems.biz.licence.parser.LicenceParserImpl). log4j:WARN Please initialize the log4j system properly. Server Ready to Accept Secure Client Requests. | 15:58 |
intymike01 | nothing glaring | 15:58 |
nowen | that can be ignored | 15:58 |
nowen | do you see "Issued passcode to device ..."? | 15:59 |
intymike01 | in the tcpdump, I did see this when someone else tried to log in to the VPN (outside of my test): Access Request (1), id: 0xe5, Authenticator: 38fa6f4e72d48c8a27928e09efcacb37 | 16:00 |
intymike01 | Username Attribute (1), length: 10, Value: ghochron Password Attribute (2), length: 18, Value: NAS ID Attribute (32), length: 5, Value: ssl | 16:00 |
nowen | Are you getting an OTP from the token before you try to login? | 16:01 |
intymike01 | ugh, I can't get my WiKID token client to connect at the moment | 16:03 |
nowen | are you inside the FW? | 16:04 |
intymike01 | sorry, I had the wrong server ID. | 16:05 |
nowen | np | 16:05 |
nowen | ;-) | 16:05 |
intymike01 | I got "registration successful" from the WiKID client, and I see the OTP | 16:05 |
nowen | ok - and is the token also registered on the server? | 16:05 |
intymike01 | yes, I see the registration in the user management page | 16:07 |
intymike01 | so, obviously the issue lies within the astaro. | 16:08 |
nowen | ok - you click on reg # and enter in the username | 16:08 |
intymike01 | "UserID testuser Registered. " | 16:09 |
nowen | ok - is that for the token you are using? | 16:11 |
intymike01 | yes | 16:11 |
nowen | ok - what loggers do you have set for debug? | 16:11 |
intymike01 | com.wikidsystems, com.wikidsystems.radius.log.DBSvrLogImpl | 16:12 |
nowen | hmm, when I have the log level set to debug I see Issued passcode to device -8823594947368976249 in the logs. | 16:16 |
nowen | how did you install? ISO? or a package? | 16:16 |
intymike01 | package | 16:16 |
nowen | rpm? | 16:16 |
intymike01 | yes, rpm. I also have a setup from ISO i can play with | 16:17 |
nowen | date is correct on the server? | 16:17 |
intymike01 | in the log I see: Issued registration code 3qxU5xh0 / 5uiTCzqI to deviceID 8096762888817259232 | 16:18 |
intymike01 | I just had an issue in viewing the log entries in the web page | 16:18 |
nowen | ok - now get an OTP from the token and hit the filter button again | 16:18 |
intymike01 | ok | 16:18 |
intymike01 | Issued passcode to device 8096762888817259232 | 16:20 |
nowen | Yay! | 16:20 |
nowen | ok - now try the astaro again | 16:20 |
intymike01 | will do | 16:20 |
intymike01 | "Error: receive failed" is seen in the astaro | 16:21 |
intymike01 | I'm guessing, the way I registered my desktop, I need to do something similar on the Astaro so it acts as a client? | 16:22 |
nowen | well, the Astaro should be a "network client" on the WiKID server using the radius protocol and specifying the domain that the user is registered to | 16:23 |
nowen | when you create a network client it tells radius to accept packets from that IP on 1812 and it opens up the firewall for that address | 16:24 |
intymike01 | got it | 16:25 |
intymike01 | basically I followed this document: http://www.howtoforge.com/add-wikid-two-factor-authentication-to-astaro-security-gateway | 16:26 |
intymike01 | I have version 8, but it's all applicable | 16:26 |
nowen | what doc did you follow for the WiKID setup? | 16:27 |
intymike01 | https://www.wikidsystems.com/support/wikid-support-center/manual/how-to-install-the-wikid-strong-authentication-server | 16:28 |
nowen | ok | 16:28 |
nowen | so you get "Error: receive failed" on the astaro, but you don't see anything in the WiKIDAdmin logs? | 16:29 |
intymike01 | correct | 16:30 |
nowen | can you re-try and use the -vvv flag on tcpdump? | 16:31 |
intymike01 | 11:32:43.992039 IP (tos 0x0, ttl 64, id 35488, offset 0, flags [DF], proto UDP (17), length 48) ct-edge1.25042 > vault1.ct.td.com.radius: [bad udp cksum dde5!] RADIUS, length: 20 | 16:34 |
intymike01 | Access Request (1), id: 0xe5, Authenticator: 5a7c9413d3c322d71a3d7869247bf70b | 16:34 |
intymike01 | 11:32:55.938247 IP (tos 0x0, ttl 64, id 47434, offset 0, flags [DF], proto UDP (17), length 48) ct-edge1.31221 > vault1.ct.td.com.radius: [bad udp cksum f740!] RADIUS, length: 20 Access Request (1), id: 0xe5, Authenticator: dab696638ae85b5b33638c55926176a3 | 16:34 |
intymike01 | WIKID: 11:32:55.939685 IP (tos 0x0, ttl 64, id 47434, offset 0, flags [DF], proto UDP (17), length 48) gw1.ct.td.com.31221 > vault1.ct.td.com.radius: [udp sum ok] RADIUS, length: 20 Access Request (1), id: 0xe5, Authenticator: dab696638ae85b5b33638c55926176a3 | 16:34 |
nowen | so it looks like WiKID is not responding, right? Otherwise, we would see some < traffic | 16:35 |
intymike01 | yeah | 16:36 |
nowen | what do you have on the Astaro? Are you using the IP Address of WiKID? or DNS? | 16:36 |
intymike01 | the IP address of WIKID is defined as an object | 16:38 |
intymike01 | you do see that tcpdump captures something over 1812... I just don't see anything going back from the WiKID | 16:39 |
nowen | not sure what the implications of that are, but I'm guessing that WiKID is rejecting the packets because they are not coming from the expected network client | 16:39 |
nowen | usually you would see the IP address in tcpdump | 16:40 |
intymike01 | oh | 16:40 |
intymike01 | tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes | 16:41 |
intymike01 | 11:41:07.998969 IP (tos 0x0, ttl 64, id 15206, offset 0, flags [DF], proto UDP (17), length 48) | 16:41 |
intymike01 | 192.168.70.1.44004 > 192.168.70.103.radius: [udp sum ok] RADIUS, length: 20 Access Request (1), id: 0xe5, Authenticator: 6dcce44d89bf605f7ea45d85dcef84e4 | 16:41 |
intymike01 | (tcpdump -n ) | 16:41 |
nowen | hmm. ok - and 192.168.70.1 is listed as the Network Client? | 16:42 |
intymike01 | yes, it is listed as the network client | 16:42 |
nowen | odd | 16:42 |
intymike01 | indeed | 16:42 |
nowen | run 'iptables -L -n' | 16:42 |
nowen | does it show 192.168.70.1? | 16:42 |
intymike01 | yes | 16:43 |
intymike01 | it is accepting 1812, 1813, 8388, and others | 16:44 |
intymike01 | for 192.168.70.1 | 16:44 |
nowen | hmm | 16:45 |
nowen | and you created a localhost cert? | 16:45 |
intymike01 | yes | 16:45 |
nowen | what the heck | 16:47 |
intymike01 | yeah, sorry | 16:48 |
nowen | is it the only network client? | 16:48 |
nowen | no problem - I like a good puzzle ;-). sorry for you | 16:48 |
intymike01 | it is the only network client | 16:49 |
intymike01 | but what is interesting, I see another IP address in iptables "192.168.70.44" | 16:49 |
nowen | huh | 16:49 |
intymike01 | I am assuming it is from some Mac OS X laptop on my network | 16:49 |
nowen | ok | 16:50 |
intymike01 | I'm confused why it shows up in iptables, but I assume if any system tries to use radius for auth, it finds my WiKID server | 16:50 |
nowen | it should only be network clients | 16:51 |
intymike01 | interesting | 16:51 |
intymike01 | OMG. I restarted, and I see "server test passed" | 16:55 |
nowen | lol | 16:55 |
intymike01 | now I'll just test my OTP with my user | 16:56 |
intymike01 | so now I'm in a good state. I'll go on further with my testing. | 16:58 |
intymike01 | I appreciate you working with me. | 16:59 |
nowen | great! | 16:59 |
intymike01 | I'll let you know how it goes. | 16:59 |
nowen | please do | 16:59 |
nowen | btw, how did you find us? | 16:59 |
intymike01 | have a happy holiday if I don't talk to you by then | 16:59 |
nowen | you too | 16:59 |
intymike01 | oh, well | 16:59 |
intymike01 | I typed in "Astaro 2 factor vpn" in google | 17:00 |
nowen | ahh | 17:00 |
intymike01 | I also heard of you before, but never installed it. | 17:00 |
nowen | ok - thanks | 17:00 |
intymike01 | once I get this working, I'll get all of my users on here (200+) | 17:00 |
nowen | glad people are hearing about us. we're not great at marketing | 17:00 |
nowen | sweet! | 17:00 |
intymike01 | no problem. I'm quite excited that your product exists. | 17:00 |
intymike01 | bye for now | 17:01 |
nowen | I am too ;-) | 17:01 |
nowen | later | 17:01 |
*** intymike01 has quit (Quit: Leaving) | 17:01 | |
*** linuxgeek_ (~linuxgeek@2a03:b0c0:2:d0::5f:2001) has joined #wikid | 19:08 | |
*** linuxgeek has quit (Ping timeout: 244 seconds) | 19:08 | |
*** linuxgeek_ is now known as Guest52852 | 19:08 | |
*** intymike01 (~teladm01@47.19.119.130) has joined #wikid | 19:55 | |
intymike01 | hi there nowen. | 19:55 |
intymike01 | I'm back. I am able to use two factor on my SSL VPN and PPTP VPN now. | 19:56 |
intymike01 | I just have one issue where I can only register my device when I'm connected to the office network. | 19:56 |
intymike01 | How can I make it so devices can register over cellular, or the internet? | 19:57 |
nowen | hmm | 19:57 |
nowen | did you use an external IP for the domain identifier? | 19:57 |
intymike01 | no | 19:57 |
intymike01 | it was a little confusing in the setup docs. | 19:57 |
intymike01 | I recall it saying "do not expose radius over the internet" | 19:58 |
intymike01 | then I was thinking, how can users' devices get to me then? | 19:58 |
nowen | the tokens communicate with the server in order to exchange keys and get OTPs etc. If you use an external IP - it can be NAT'd or proxied - external tokens would work | 19:58 |
intymike01 | ok, I'll set up the domain to use the external IP address | 19:59 |
intymike01 | which means creating a new domain with the server code representing the external IP? | 20:00 |
nowen | we have some JSP pages that can allow users to register themselves after logging in with their AD creds, but they are meant to be used on the internal network | 20:00 |
nowen | yes | 20:00 |
intymike01 | ok, I created the new domain. Do I forward a port to the WiKID server from the firewall? | 20:03 |
nowen | yes - port 80 for the tokens. | 20:03 |
intymike01 | ok | 20:03 |
nowen | WiKIDAdmin uses 443, so don't open that one | 20:03 |
intymike01 | cool | 20:04 |
nowen | see this page: https://www.wikidsystems.com/support/wikid-support-center/installation-how-tos/how-to-let-users-add-themselves-using-ad-credentials?searchterm=ADreg | 20:04 |
nowen | on user reg | 20:04 |
nowen | you may have read about example.jsp in the manual too. That has all the API functions | 20:05 |
intymike01 | oh, nice | 20:05 |
nowen | also: https://www.wikidsystems.com/support/wikid-support-center/faq/how-can-i-configure-wikid-to-start-automatically?searchterm=start+autom | 20:09 |
*** nowen has quit (Quit: Leaving.) | 22:35 | |
*** intymike01 has quit (Quit: Leaving) | 23:10 |