*** ricardoamaro (~ricardoam@drupal.org/user/74228/view) has joined #wikid | 08:25 | |
*** joevano has quit (Read error: Connection reset by peer) | 09:57 | |
*** joevano (~joevano@bzflag/developer/JoeVano) has joined #wikid | 09:58 | |
*** Mohammed (c3e2f521@gateway/web/freenode/ip.195.226.245.33) has joined #wikid | 09:59 | |
Mohammed | Hello Guys ! | 09:59 |
*** Mohammed is now known as Guest59096 | 09:59 | |
Guest59096 | i am unable to understand how WIKID works as 2FA | 10:00 |
Guest59096 | could anyone help me understand it | 10:01 |
laszlof | whats your question | 12:22 |
Guest59096 | how does WIKID work? | 12:23 |
laszlof | Basically you setup the server, and link it up to an application, whether it be a router/firewall, | 12:24 |
laszlof | or a web application like intranet, wordpress, etc | 12:24 |
Guest59096 | Let us assume Cisco ASA Firewall | 12:25 |
laszlof | once that's done, you download the token client to your device, and generate an OTP to use in conjunction with your existing login credentials | 12:25 |
laszlof | right, those do radius I believe. | 12:25 |
Guest59096 | where is OTP generated ? | 12:25 |
laszlof | on the wikid server itself, and is sent (securely) to the mobile token client. | 12:26 |
Guest59096 | what is mobile Token Client here ? | 12:26 |
laszlof | there are also offline tokens, but I havent done much with those | 12:26 |
Guest59096 | i have not seen such thing in the doc. | 12:26 |
laszlof | https://wikidsystems.com/downloads/token-clients | 12:26 |
Guest59096 | in short, the server setup is so complex i am unable to understand it | 12:27 |
Guest59096 | and got completely confused | 12:28 |
laszlof | it's a bit to take in, but once you get into it, it's really not too bad | 12:28 |
laszlof | my first deployment had a bit of a learning curve | 12:29 |
Guest59096 | yes i believe but i am badly stuck | 12:29 |
laszlof | well, where are you at? | 12:29 |
laszlof | I might be able to help, but its been a while since I've done a deployment | 12:29 |
laszlof | I mostly just do dev stuff now. | 12:29 |
Guest59096 | i successfully completed till RADIUS initialization | 12:29 |
laszlof | ok, so you're trying to get it to talk radius to your firewall | 12:29 |
Guest59096 | No no | 12:30 |
Guest59096 | i am following the doc from WIKID and i am still doing server configuration and stuck there | 12:30 |
laszlof | https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-a-cisco-asa-5500 | 12:30 |
Guest59096 | because i cannot blindly follow and do the configuration | 12:30 |
laszlof | have you seen that? | 12:30 |
laszlof | ok, so you're on the setup stage | 12:31 |
Guest59096 | i saw that but i am saying the server config is not yet complete | 12:31 |
laszlof | i see. | 12:31 |
Guest59096 | https://www.wikidsystems.com/support/wikid-support-center/manual/how-to-install-the-wikid-strong-authentication-server/referencemanual-all-pages | 12:31 |
laszlof | gotcha. have you logged into the web admin yet? | 12:31 |
Guest59096 | i am stuck at "Creating a WIKID Authentication Domain" | 12:32 |
Guest59096 | yes i did | 12:32 |
laszlof | ok. The domain is basically what the token clients will use to connect to the wikid server. | 12:33 |
*** nowen (~nowen@2602:306:3ae5:cbf0:6e62:6dff:feb0:8f07) has joined #wikid | 12:33 | |
laszlof | the domain identifier should be the IP address of the wikid server, without dots, and padded by zeros | 12:33 |
laszlof | so 127.0.0.1 would become 127000000001 | 12:34 |
nowen | yes | 12:34 |
nowen | though only a token on the localhost would be able to get to it ;-) | 12:35 |
laszlof | :) | 12:35 |
laszlof | the domain name is basically a textual description of the domain.. it can really be anything.. device domain name is meant to be like a hostname | 12:35 |
laszlof | but again, I dont think it matters | 12:35 |
laszlof | Guest59096: nowen is probably the best person to ask specific questions, as hes the head honcho over there. ;) | 12:36 |
Guest59096 | then Network Clients ? | 12:37 |
laszlof | network clients are what are used to connect wikid to your device | 12:37 |
laszlof | by device, i mean your firewall | 12:37 |
Guest59096 | Oh great Hello nowen | 12:37 |
laszlof | name can be anything.. like "Cisco ASA Firewall" or whatever | 12:38 |
laszlof | IP address is obviously the IP address of the firewall | 12:38 |
nowen | hi | 12:38 |
laszlof | protocol would probably be radius, and then you assign domains that can access it. | 12:38 |
Guest59096 | IP should be the exact iP | 12:38 |
laszlof | correct | 12:38 |
nowen | yes - especially with radius | 12:38 |
laszlof | for reference WAUTH is used for custom integrations where you may be using the API to build your own login system. | 12:39 |
Guest59096 | getting it | 12:39 |
Guest59096 | then what | 12:39 |
laszlof | did you create your certificates? | 12:39 |
laszlof | (Configuration Menu) | 12:39 |
Guest59096 | yes did long back | 12:39 |
laszlof | k. thats about it for the basics, excluding the specific Cisco ASA stuff you need to do. | 12:40 |
laszlof | download/install a token client and give it a shot | 12:40 |
Guest59096 | maybe i made a mistake there by giving the FQDN as "localhost" | 12:40 |
Guest59096 | i just did already | 12:40 |
Guest59096 | thanks to you for that | 12:40 |
nowen | You need to restart the wikid service after adding the network client | 12:40 |
nowen | what's going wrong? | 12:41 |
laszlof | he was just a bit lost on the setup | 12:41 |
nowen | ok | 12:41 |
Guest59096 | i mean to say when i generated the Intermediate Certificate i gave the FQDN as "localhost" | 12:41 |
laszlof | you probably want to use the server's actual hostname for that | 12:41 |
laszlof | I'm pretty sure it won't break anything using localhost though | 12:42 |
nowen | if everything starts fine, it might not be an issue | 12:42 |
nowen | for testing | 12:42 |
Guest59096 | yes everything started well | 12:42 |
Guest59096 | so once i have created a network client, you are telling me most of the job is done | 12:43 |
laszlof | well, I haven't done a setup on an ASA before | 12:43 |
nowen | yes | 12:43 |
laszlof | but there's probably some stuff you have to do there. | 12:43 |
nowen | the ASA is not hard | 12:43 |
nowen | will you be using NPS? | 12:43 |
Guest59096 | yes | 12:44 |
laszlof | but you should be able to test the clients at this point and make sure you can get a token | 12:44 |
Guest59096 | i want this for ASA & Windows | 12:44 |
laszlof | erm, get an OTP | 12:44 |
Guest59096 | so for testing the client i need to enter the server code i created while adding the domain in my Token Client | 12:44 |
Guest59096 | right? | 12:44 |
laszlof | yes | 12:44 |
Guest59096 | that's all? | 12:45 |
laszlof | it will give you a code. | 12:45 |
laszlof | you need to go into the user menu, and you should see that code | 12:45 |
laszlof | at which point you can assign it to a specific username | 12:45 |
laszlof | (Click manually validate a user, in the user menu) | 12:45 |
*** Mohammed (c3e2f521@gateway/web/freenode/ip.195.226.245.33) has joined #wikid | 12:46 | |
Mohammed | I am back | 12:47 |
*** Mohammed is now known as Guest92085 | 12:47 | |
nowen | welcome back ;-) | 12:47 |
laszlof | did you see my last message? | 12:47 |
Guest92085 | no, lost it | 12:47 |
laszlof | 12:45 < laszlof> it will give you a code. | 12:47 |
laszlof | 12:45 < laszlof> you need to go into the user menu, and you should see that code | 12:47 |
laszlof | 12:45 < laszlof> at which point you can assign it to a specific username | 12:47 |
laszlof | 12:45 < laszlof> (Click manually validate a user, in the user menu) | 12:47 |
Guest92085 | Ok i just logged in to the GUI and creating a domain | 12:48 |
laszlof | Yup. then just link up a network client. | 12:49 |
Guest92085 | OK domain created | 12:49 |
Guest92085 | the Client IP is the IP of my Firewall, right? | 12:50 |
laszlof | correct. | 12:50 |
laszlof | it needs to be accessible by the wikid server (radius) | 12:50 |
Guest92085 | what is now Shared-Secret key and all that stuff | 12:51 |
Guest92085 | yes yes its accessible | 12:51 |
Guest92085 | Assign Return Attribute: | 12:51 |
laszlof | you need that from your ASA | 12:51 |
laszlof | it's the key used to connect to radius on it | 12:51 |
laszlof | as for the others, those are specific to the ASA, i didn't need any additional stuff in there | 12:52 |
Guest92085 | is that important and if yes how can i get that | 12:52 |
laszlof | the ASA guide I linked earlier should show that, if any. | 12:52 |
laszlof | https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-a-cisco-asa-5500 | 12:52 |
laszlof | doesn't look like you need any additional values | 12:53 |
laszlof | just the shared secret | 12:53 |
Guest92085 | Ok i will use a basic one | 12:53 |
Guest92085 | done | 12:54 |
Guest92085 | how can i test now the token client | 12:54 |
laszlof | which client are you using? | 12:55 |
nowen | doesn't the ASA have a radius test option? | 12:55 |
Guest92085 | IOS | 12:55 |
Guest92085 | i dont know about that | 12:55 |
laszlof | ya, just run it, set a passphrase, and add a domain | 12:55 |
laszlof | (in the ios client) | 12:56 |
Guest92085 | i tried, it's saying Unable to add domain to token | 12:56 |
nowen | did you use a routable IP address? | 12:57 |
Guest92085 | what do you mean ? | 12:57 |
laszlof | the IP address/domain needs to be publicly available. | 12:57 |
laszlof | port 443, to be exact. | 12:57 |
laszlof | and 80? | 12:57 |
nowen | 80 ;-) | 12:57 |
laszlof | ah right | 12:58 |
nowen | 443 for the WiKIDAdmin, 80 for the tokens | 12:58 |
laszlof | ah, thats right | 12:58 |
Guest92085 | you mean WIKID should be publicly available? | 12:58 |
laszlof | port 80 on the wikid server is used for token clients to connect and get their OTP | 12:58 |
nowen | the tokens communicate with the server | 12:58 |
Guest92085 | i did add a NAT rule for WIKID Server | 13:03 |
Guest92085 | how does the Token Client know to communicate with my server only? | 13:03 |
nowen | that should work, did you use the external IP for the domain identifier? | 13:03 |
laszlof | the domain code does a couple things, it checks for DNS at wikidsystems.net, if that fails, it converts the domain code to a dotted IP address and connects that way | 13:04 |
laszlof | and ya, like nowen said, your domain code will (usually) have to be the external IP of the NAT box. | 13:05 |
Guest92085 | i am confused here again | 13:12 |
Guest92085 | are you saying my domain identifier should be my PUblic IP | 13:13 |
laszlof | without the dots, padded by zeros, yes | 13:13 |
Guest92085 | example : if its 10.10.10.10 so 1010101010 | 13:13 |
laszlof | no | 13:13 |
laszlof | 100100100100 | 13:13 |
laszlof | erm | 13:14 |
laszlof | 010010010010 | 13:14 |
laszlof | domain identifiers are always 12 digits | 13:14 |
Guest92085 | like 172.16.14.19 : 172016014019 | 13:14 |
laszlof | correct | 13:14 |
Guest92085 | what about domain name and device domain name ? | 13:15 |
Guest92085 | i cannot update my Domain Identifier | 13:15 |
nowen | domain is internal to the server, device names shows up on the token | 13:16 |
nowen | you can just create a new domain | 13:16 |
Guest92085 | so what should i use for domain and device domain name ? | 13:20 |
laszlof | whatever you want, really. The Domain name is just a reference in the admin | 13:22 |
laszlof | the device domain name shows up on the token clients. | 13:22 |
laszlof | so you might want to use your company name for that. | 13:23 |
laszlof | or something like "Widgets Inc Secure Access" | 13:23 |
laszlof | or whatever | 13:23 |
nowen | domain name is only on the WiKID server so "stupid users vpn", device shows on the token so, "Executive VPN" ;-) | 13:23 |
laszlof | haha | 13:23 |
laszlof | the names of these items are probably a little misleading | 13:24 |
laszlof | but you have to take "Domain" out of the context of a URL | 13:24 |
laszlof | think more of a domain like a PDC on windows | 13:24 |
Guest92085 | Oh i got it working | 13:24 |
nowen | nice | 13:24 |
Guest92085 | my token client is generating codes | 13:24 |
Guest92085 | wohooo !! | 13:24 |
laszlof | the token client should give you a reg code. did you add the user? | 13:25 |
nowen | it needs to be registered to a user on the WIKID server for auth to work | 13:25 |
Guest92085 | so that registration code i have to apply to the network client, you mean, to verify? | 13:25 |
laszlof | the "Users" menu, manually validate a user. | 13:26 |
laszlof | you should see that reg code listed. | 13:26 |
Guest92085 | yes i can see | 13:26 |
laszlof | click it, and assign it to a username. this username should probably be the same as what the user uses to auth with the firewall. | 13:26 |
Guest92085 | that can be any username ? | 13:27 |
laszlof | I don't think there's any limitation on it. | 13:27 |
nowen | no limits | 13:29 |
nowen | you may want it to match your AD username for later reasons | 13:29 |
Guest92085 | i think only one username can be mapped with one reg id | 13:30 |
Guest92085 | you mean this user should also be in AD ? | 13:30 |
laszlof | you can have multiple tokens for the same user. | 13:31 |
laszlof | but each token can only have 1 user | 13:31 |
Guest92085 | yes, of course | 13:34 |
Guest92085 | so now all i have to do is follow the ASA link you gave me | 13:34 |
nowen | ssl vpn or ipsec? | 13:34 |
Guest92085 | IPSEC | 13:35 |
laszlof | pretty much. the token client should work for generating codes at this point. | 13:35 |
Guest92085 | yes its generating | 13:35 |
Guest92085 | yes it is | 13:35 |
nowen | https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-a-cisco-asa-5500-ipsec-vpn | 13:35 |
Guest92085 | OMG so it's a hell of a job | 13:38 |
Guest92085 | so this means at the end of the day if there is no internet the whole process will not work | 13:38 |
laszlof | if there's no internet, they probably won't be able to access the firewall anyways. but yes. there are offline tokens, though I've never used them | 13:40 |
laszlof | christ, freenode is having issues today | 13:40 |
Guest92085 | what are those? | 13:42 |
Guest92085 | and how can i register them? | 13:42 |
nowen | many of the tokens will default to the offline challenge-response mode if there's no internet connection | 13:42 |
nowen | this comes up sometimes during testing as sys admins wonder about it, but I can tell you it never comes up in production. people need internet for vpn and if they have internet they have cell or wifi | 13:43 |
Guest92085 | yes may be | 13:55 |
Guest92085 | does this work with YubiKey? | 13:55 |
Guest92085 | Its a USB Token | 13:55 |
laszlof | no | 14:01 |
*** Guest59096 has quit (Ping timeout: 246 seconds) | 14:02 | |
Guest92085 | i see | 14:04 |
*** ricardoamaro has quit (Read error: Connection reset by peer) | 14:54 | |
*** ricardoamaro (~ricardoam@drupal.org/user/74228/view) has joined #wikid | 14:54 | |
nowen | Guest92085: I was just tweeting with someone about adding yubikey support | 14:55 |
laszlof | that would be interesting | 15:05 |
laszlof | so, the YubiKey would basically bypass the passphrase/PIN needed for the token? | 15:05 |
laszlof | or just the former | 15:06 |
Guest92085 | Ok i understand | 15:35 |
nowen | not sure, I really haven't looked at it | 15:37 |
*** Guest92085 has quit (Ping timeout: 246 seconds) | 16:00 | |
nowen | got to run out for lunch - bbiab | 16:13 |
*** nowen has quit (Quit: Leaving.) | 16:13 | |
*** nowen (~nowen@2602:306:3ae5:cbf0:6e62:6dff:feb0:8f07) has joined #wikid | 17:13 | |
*** Mohammed (bc47fc50@gateway/web/freenode/ip.188.71.252.80) has joined #wikid | 19:59 | |
Mohammed | Hello there | 19:59 |
*** Mohammed is now known as Guest10001 | 19:59 | |
nowen | hi | 20:00 |
Guest10001 | @nowen this is mohammed, we had a discussion some hours back, you remember? | 20:00 |
nowen | yes, I recall | 20:00 |
Guest10001 | @laszlof was responding to me a lot | 20:01 |
nowen | yes | 20:01 |
Guest10001 | that point of time ended with successfully generating tokens and i was going to do the ASA part, if you remember | 20:02 |
nowen | right | 20:02 |
Guest10001 | i have done some part and stuck again | 20:02 |
Guest10001 | i mean unable to understand | 20:02 |
nowen | ok | 20:02 |
Guest10001 | https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-a-cisco-asa-5500-ipsec-vpn | 20:02 |
Guest10001 | i have done RADIUS Server and Server group part | 20:03 |
Guest10001 | i had already one ipsec profile and changed the user authentication to use the created RADIUS | 20:04 |
Guest10001 | because i already added a network client i skipped that part | 20:04 |
nowen | ok | 20:05 |
nowen | and what happens when you test it? | 20:05 |
Guest10001 | hence my softphone is generating the PINs, right | 20:05 |
nowen | ok | 20:05 |
Guest10001 | but when test it fails | 20:06 |
nowen | what's the error? | 20:06 |
Guest10001 | "That's it for the ASA. It is ready for two-factor authentication. At this point, you should configure NPS for two-factor authentication. We recommend you first test the ASA/NPS connection using AD passwords and then add the WiKID server as a radius server on NPS. Once that is complete, the users will login with their AD user name and the OTP. NPS will perform authorization based on the user name alone. No sense in requiring a | 20:06 |
Guest10001 | what is this part in the doc? | 20:06 |
nowen | if you want to incorporate AD as the directory, then you would use NPS - the MS radius server | 20:06 |
Guest10001 | no i dont have any AD | 20:07 |
Guest10001 | So i am using the username from users tab and using the password from my softphone token | 20:07 |
nowen | ok | 20:08 |
nowen | Time to do some debugging: https://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-can-i-set-radius-logging-to-debug-how-can-i-see-if-wikid-is-getting-the-radius-requests | 20:08 |
nowen | on the WiKIDAdmin logs page, set the log level to debug and hit filter | 20:09 |
nowen | what's the last log entry? | 20:09 |
Guest10001 | when i test it "Authentication test to host xxx.xxx.xxx.xxx failed : Following error occurred Error : Authenticated rejected : AAA failure" | 20:09 |
Guest10001 | Ok wait lemme check that log | 20:10 |
Guest10001 | you want me to paste that here? | 20:10 |
nowen | just the last line | 20:11 |
Guest10001 | 2015-04-27 23:08:54.558 INFO com.wikidsystems.radius.log.DBSvrLogImpl <3> Access-Request(1) LEN=65 192.168.0.1:64923 Access-Request by sismail Failed: AccessRejectException: Access Denied | 20:11 |
nowen | ok - on the user page make sure sismail is enabled | 20:11 |
Guest10001 | yes its enabled | 20:12 |
nowen | hmm, and you're entering sismail and the one-time passcode you get back on the token? | 20:13 |
Guest10001 | yes exactly | 20:13 |
nowen | hmm | 20:15 |
nowen | double-check the shared secrets | 20:15 |
Guest10001 | where? | 20:16 |
nowen | on WiKIDAdmin > Network Clients > Edit and on the Cisco ASA | 20:16 |
Guest10001 | you mean the one i use in network client and ASA | 20:17 |
Guest10001 | same | 20:18 |
nowen | hmm | 20:18 |
nowen | ok - go into Logs/Configure Loggers and set com.wikidsystems.radius.access.WikidAccess4 and com.wikidsystems and com.wikidsystems.wauth to debug | 20:19 |
nowen | then try to login again | 20:19 |
nowen | and look at the logs for more info | 20:20 |
Guest10001 | it worked | 20:22 |
Guest10001 | i had to restart the service | 20:22 |
Guest10001 | i did that because i remember you saying restart it after creating a network client before | 20:23 |
nowen | nice! | 20:23 |
Guest10001 | i did that but if you remember i made mistake in first domain creation and then created new domain | 20:23 |
Guest10001 | since then i did not restart | 20:23 |
nowen | ahh | 20:24 |
Guest10001 | so now i thought of doing that and tested, it works | 20:24 |
Guest10001 | Wohooo !! | 20:24 |
nowen | yes, radius caches info, so it needs a restart | 20:24 |
Guest10001 | how can i test with VPN Client ? | 20:25 |
nowen | you should be able to log in with a vpn client if the radius test passes | 20:27 |
Guest10001 | i have to use sismail as username | 20:29 |
nowen | yes | 20:29 |
nowen | or add another user | 20:30 |
Guest10001 | so where is two factor here ? | 20:30 |
nowen | knowledge of the PIN and possession of the private key embedded in the software token | 20:30 |
nowen | the tokens use encryption - like PGP | 20:31 |
nowen | you can think of WiKID as like certs, but they only do PINs and OTPs. Using those means you don't need to use the 'infrastructure' of PKI | 20:31 |
Guest10001 | see i can connect using VPN but no access and it disconnects after 15 secs | 20:35 |
nowen | hmm | 20:35 |
laszlof | you could arguably build out a system with AUTH to first authenticate against the local creds, then do the wikid auth, for a more traditional 2FA setup | 20:35 |
laszlof | erm, WAUTH | 20:35 |
nowen | anything in the cisco logs? | 20:35 |
nowen | laszlof: no need to make the user enter something they know twice, it's just more of the same factor | 20:36 |
nowen | and a worse user experience | 20:36 |
laszlof | *shrug* thats basically how Duo and GA do it anyways | 20:36 |
Guest10001 | lols | 20:37 |
Guest10001 | now i cannot even connect | 20:37 |
nowen | laszlof: that's because they don't have both factors included in their OTP | 20:38 |
nowen | Guest10001: now maybe the user is disabled - check that again | 20:38 |
Guest10001 | though the RADIUS test is Ok | 20:38 |
laszlof | too many failed login attempts will disable the user | 20:39 |
Guest10001 | no enabled only | 20:39 |
Guest10001 | Ok i found that VPN Client Services were stopped due to unknown reasons | 20:43 |
Guest10001 | when i restarted them i can see i can ping inside resources | 20:43 |
Guest10001 | Woohooooooo !! | 20:43 |
nowen | great | 20:48 |
Guest10001 | so guys Cisco VPN is working great now | 21:07 |
Guest10001 | could you share with me for Windows Login | 21:07 |
nowen | Do you mean for ctrl-alt-del? | 21:08 |
Guest10001 | configuring 2fa for Windows Server 2008 login | 21:09 |
nowen | that's a lot tougher | 21:09 |
nowen | MS doesn't make that easy | 21:09 |
Guest10001 | OMG ! | 21:09 |
Guest10001 | do we have any doc. for that | 21:09 |
nowen | our pci customers that need this use remote access solutions | 21:10 |
Guest10001 | what do you mean by remote access solutions ? | 21:11 |
nowen | Are these servers in pci scope? | 21:11 |
nowen | Something like RDP | 21:11 |
Guest10001 | there are 3 servers in PCI scope | 21:12 |
Guest10001 | and we want RDP to be 2fa | 21:12 |
nowen | ok - RDP gateway supports radius | 21:12 |
Guest10001 | based on PCI as you already know | 21:12 |
nowen | Do you have RDP Gateway? | 21:13 |
Guest10001 | heard about it but never used | 21:14 |
Guest10001 | used | 21:14 |
nowen | hmm | 21:15 |
Guest10001 | see we want our users to login through 2fa (inside or outside of office using VPN) | 21:16 |
nowen | I bet the ciscos will do rdp... | 21:16 |
Guest10001 | and i think rdp gateway eliminates the VPN concept itself | 21:16 |
Guest10001 | you mean rdp gateway | 21:16 |
nowen | well, I was thinking about the cisco ssl-vpn in the ASA | 21:17 |
Guest10001 | oh not that | 21:17 |
Guest10001 | don't we have a solution for Windows rdp login? | 21:18 |
nowen | only if you go through RDP-gateway, then you can use radius | 21:18 |
Guest10001 | you mean WiKID RADIUS | 21:18 |
nowen | well, RADIUS is just the protocol. both rdp gateway and WiKID support it. but just rdp doesn't | 21:19 |
Guest10001 | what if we create a windows RADIUS and create a separate domain in WiKID and users login from there | 21:20 |
nowen | the GINA doesn't support radius | 21:20 |
nowen | GINA is the ctrl-alt-del mechanism | 21:20 |
Guest10001 | so what is the suitable solution now ? | 21:22 |
Guest10001 | RDP Gateway ? | 21:22 |
nowen | well, that's my guess. We have a lot of PCI customers, so i know they are doing something, but I'm not sure they require 2FA for local access | 21:23 |
nowen | you can replace the gina with something that does: http://pgina.org/ | 21:23 |
Guest10001 | it will be tough for me it seems | 21:24 |
Guest10001 | brb | 21:25 |
nowen | ok | 21:25 |
Guest10001 | yes | 21:44 |
Guest10001 | so if we donot have the options | 21:45 |
Guest10001 | how about having rdp gateway then ? | 21:45 |
Guest10001 | can we do that ? | 21:45 |
nowen | yes, I don't have a doc on that, but I know it works | 22:01 |
Guest10001 | is it simple ? | 22:13 |
nowen | well, it is Microsoft... | 22:14 |
nowen | We can do a Teamviewer session if you want some help - I haven't done it but I know what to look for | 22:14 |
Guest10001 | great | 22:15 |
Guest10001 | check my message on the website chat | 22:15 |
nowen | hmm - I don't see it... | 22:16 |
Guest10001 | i wrote to Nick actually ;) | 22:16 |
nowen | ;) | 22:17 |
Guest10001 | gotem ? | 22:17 |
nowen | but I really have no message - I have 'Visitor has left the conversation' | 22:17 |
Guest10001 | OH | 22:18 |
Guest10001 | its offline it seems | 22:20 |
nowen | ok - got it now. | 22:20 |
nowen | via email | 22:20 |
nowen | Not sure why they have me as offline | 22:20 |
Guest10001 | lol | 22:20 |
nowen | tomorrow work ok? | 22:21 |
Guest10001 | yes very Ok | 22:21 |
Guest10001 | what are the prerequisites ? | 22:21 |
nowen | I prefer Teamviewer | 22:24 |
*** Guest10001 has quit (Ping timeout: 246 seconds) | 22:47 | |
*** nowen has quit (Quit: Leaving.) | 22:57 |