Machine authentication

Jacky wyqjnm
Tue Apr 4 14:29:31 PDT 2006


Hi Bryan,

I have created an account logon ID as machine$, however ACS does not 
think it is a machine authentication, come back with an error message
"External DB user access denied (Machine Access Restriction)"

I can not create an account with the name like "host/xxx", therefore 
this approach is also not viable.

Does anyone have an idea how to fool ACS that it is a machine 
authentication with wpa_supplicant / hostapd?

Jacky

>  
>
>>I am also making assumption that if I set the identity to 
>>"host/mychinename" then ACS(or AD) will think this is a machine 
>>authentication (since I can see XP sending this as username in
>>Ethereal log).
>>    
>>
>
>That's probably true; that's likely the only way it knows, actually.
>(Depending on your domain, it may be possible to authenticate as
>machinename$ instead of host/machine.dns.name, but I'd use the host/
>version instead if possible.)
>
>  
>
>>Then I hope if I use the machine cert or machine password with the 
>>hostname as identity it will make ACS believe it is machine
>>authentication.
>>    
>>
>
>I would guess that this is what happens on the ACS side.  (However, I
>don't know how ACS maps that machine authentication to a user when the
>user tries to log on.  Maybe it's just the MAC address that the AP adds
>(the RADIUS calling station ID attribute).  That might be fragile though.)
>  
>





More information about the Hostap mailing list