Machine authentication

Bryan Kadzban bryan
Thu Mar 30 15:16:32 PST 2006


Jacky wrote:
> ACS will allow certain operations only if machine authentication is
> successful (for example, allow user authentication only if the machine
> has authenticated).

Oh.  Well, that's going to be hard to duplicate, then, considering the
nature of the machine password (AD and the machine know it, but AFAIK
you can't get it out of either of them once it's been changed) and the
machine cert (not being flagged as exportable).

Unless someone can figure out a patch to advapi32.dll so that the "don't
allow exporting this key" flag doesn't get set in the actual cert key,
that is.  (If someone can, I'd like to see it too.)  Maybe I'll look
into it, but I don't know a ton about Windows assembly, so it may not
work out.

> I am also making the assumption that if I set the identity to
> "host/mymachinename" then ACS (or AD) will think this is a machine
> authentication (since I can see XP sending this as the username in the
> Ethereal log).

That's probably true; that's likely the only way it knows, actually.
(Depending on your domain, it may be possible to authenticate as
machinename$ instead of host/machine.dns.name, but I'd use the host/
version instead if possible.)

> Then I hope that if I use the machine cert or machine password with the
> hostname as identity it will make ACS believe it is a machine
> authentication.

I would guess that this is what happens on the ACS side.  (However, I
don't know how ACS maps that machine authentication to a user when the
user tries to log on.  Maybe it's just the MAC address that the AP adds
(the RADIUS calling station ID attribute).  That might be fragile though.)
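As an added illustration (not part of the original thread, and not Cisco ACS's or AD's actual logic), here is a toy model of the "machine auth first, then user auth" policy discussed above, using the mapping Bryan guesses at: the state is keyed on the RADIUS Calling-Station-Id (the client MAC the AP reports), and a request is treated as machine authentication when its EAP identity looks like host/machine.dns.name or MACHINENAME$. The identity patterns, the request tuples and the MAC spellings are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Identity forms the thread mentions for machine authentication (assumed shapes).
HOST_IDENTITY = re.compile(r"^host/[A-Za-z0-9][A-Za-z0-9.-]*$")          # host/machine.dns.name
ACCOUNT_IDENTITY = re.compile(r"^[A-Za-z0-9-]+\$(?:@[A-Za-z0-9.-]+)?$")  # MACHINE$ or MACHINE$@realm


def classify_identity(identity: str) -> str:
    """'machine' for host/... or NAME$ identities, otherwise 'user'."""
    if HOST_IDENTITY.match(identity) or ACCOUNT_IDENTITY.match(identity):
        return "machine"
    return "user"


def normalize_mac(calling_station_id: str) -> str:
    """Collapse the MAC spellings seen in Calling-Station-Id
    (00-11-22-33-44-55, 00:11:22:33:44:55, 0011.2233.4455) to one form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", calling_station_id).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {calling_station_id!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class MachineFirstPolicy:
    """Allow a user auth only after a machine auth succeeded from the same MAC.

    Keying the state on Calling-Station-Id is the mapping the thread guesses
    at (assumption); it is only as strong as the MAC, which the client itself
    supplies, so it is a correlation hint rather than proof that the machine
    that authenticated is the one the user is now logging on from.
    """
    machine_authenticated: set = field(default_factory=set)

    def evaluate(self, identity: str, calling_station_id: str, credential_ok: bool) -> str:
        """Return 'Access-Accept' or 'Access-Reject' for one RADIUS request."""
        mac = normalize_mac(calling_station_id)
        kind = classify_identity(identity)
        if not credential_ok:
            # A failed machine auth clears any earlier success for that MAC.
            if kind == "machine":
                self.machine_authenticated.discard(mac)
            return "Access-Reject"
        if kind == "machine":
            self.machine_authenticated.add(mac)
            return "Access-Accept"
        if mac in self.machine_authenticated:
            return "Access-Accept"
        return "Access-Reject"


def run_sample() -> list:
    """Constructed request sequence (not captured traffic) on one AP."""
    policy = MachineFirstPolicy()
    requests = [
        ("jacky@example.test", "00-11-22-33-44-55", True),        # user first: no machine auth yet
        ("host/laptop1.example.test", "00-11-22-33-44-55", True),  # machine auth via host/ identity
        ("jacky@example.test", "00:11:22:33:44:55", True),         # same MAC, different spelling
        ("LAPTOP2$", "0011.2233.4466", False),                     # machine auth fails on another MAC
        ("jacky@example.test", "00-11-22-33-44-66", True),         # user on that MAC is still refused
    ]
    return [policy.evaluate(*req) for req in requests]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

The sequence returns Reject, Accept, Accept, Reject, Reject: the user is refused until the host/ identity has authenticated from the same MAC, and a failed MACHINE$ attempt on a second MAC leaves that MAC without machine state.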