Managing Wag #
Wag has a lot of functionality, so this section covers only the most basic and most frequently used actions you'll take when using wag day to day.
List Devices #
Get a list of devices registered with wag.
Go to the devices page:
The devices and all of their information are listed in the table, along with the actions you can take on them.
./wag devices -list
The result is returned as a CSV for ease of parsing:
[root@archlinux]# ./wag devices -list -socket /tmp/wag-2.sock
username,address,publickey,authattempts,endpoint
John,10.123.5.6,mUQT9Gk2sNqZIt31oId40EdWymvXkrv+ERui5LJLIHw=,0,<nil>
John,10.123.5.5,c1ypaBo6mkVUia4JYB0B/EIs9piEiFd07ARi+endjWk=,0,<nil>
asdasd,10.123.5.4,P8ObCdLuXw1T+YUBRGEa3NM9yYYE2ERQweOslymEHSU=,0,10.0.0.14:46268
bonk,10.123.5.3,rq+nDcQAxbKUbZ2dQjjXRF/tmOc+W4j8RUdUoFfC4hY=,0,<nil>
bonk,10.123.5.2,oUg/qoWKpRljLSuS7qHp4JcXgUXY8iwbox2KaLO+sD4=,0,<nil>
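Because the output is CSV, it can be fed straight into a script. The following is an added example, not part of wag or its documentation: it parses the column layout shown above and summarises which devices have failed attempts, which have reached a threshold, and which have a recorded endpoint. The sample rows and keys are constructed, and the `lockout` argument is an assumption that should match your configured Lockout value.

```python
import csv
import io
from collections import Counter

# Constructed sample in the column layout shown above; keys are placeholders.
SAMPLE = """\
username,address,publickey,authattempts,endpoint
alice,10.123.5.6,PLACEHOLDERKEY1=,0,<nil>
alice,10.123.5.5,PLACEHOLDERKEY2=,5,<nil>
bob,10.123.5.4,PLACEHOLDERKEY3=,2,10.0.0.14:46268
carol,10.123.5.3,PLACEHOLDERKEY4=,0,<nil>
"""


def parse_devices(text):
    """Turn `wag devices -list` CSV into dicts with typed fields."""
    devices = []
    for row in csv.DictReader(io.StringIO(text)):
        row["authattempts"] = int(row["authattempts"])
        # The CLI prints <nil> when no endpoint is recorded for the device.
        row["endpoint"] = None if row["endpoint"] == "<nil>" else row["endpoint"]
        devices.append(row)
    return devices


def review(devices, lockout):
    """Summarise the device list for an operator.

    lockout is an assumption: pass the value you configured as Lockout.
    """
    return {
        # Devices whose attempt counter is at or above the threshold.
        "at_lockout": [d["address"] for d in devices if d["authattempts"] >= lockout],
        # Devices with some failed attempts that are still below the threshold.
        "failed_attempts": [d["address"] for d in devices if 0 < d["authattempts"] < lockout],
        # Devices with a recorded endpoint, keyed by their wag address.
        "connected": {d["address"]: d["endpoint"] for d in devices if d["endpoint"]},
        # Each device is tracked separately, so count devices per user.
        "devices_per_user": dict(Counter(d["username"] for d in devices)),
    }


if __name__ == "__main__":
    report = review(parse_devices(SAMPLE), lockout=5)
    for key, value in report.items():
        print(f"{key}: {value}")
```

To use it on live data, replace `SAMPLE` with the text captured from `./wag devices -list`.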
Unlock Device #
A device will become locked if a user attempts to authorize too many times (configurable with Lockout, see the reference).
A user may have multiple devices. If one device goes over the lockout threshold, this will not affect the other devices.
On the devices page select the device to unlock:
Click Unlock.
# Either unlock every device a user has, or a specific device by address
sudo ./wag devices -unlock -address 10.123.5.6
sudo ./wag devices -unlock -username John
Lock User Account #
Locking a user account means that no devices a user has are able to authorize.
Browse to the users page:
Select user:
Click Unlock:
./wag users -lockaccount -username John
Reset User MFA #
In the event that a user has lost their MFA device, whether it is TOTP, WebAuthn or otherwise, you may have to reset their session so they can re-register an MFA device.
Browse to the users page:
Select user:
Click Reset MFA:
sudo ./wag users -reset-mfa -username jordan_phone