wyqjnm at gmail.com
Tue Apr 4 17:29:31 EDT 2006
I have created an account logon ID as machine$, however ACS does not
think it is a machine authentication, come back with an error message
"External DB user access denied (Machine Access Restriction)"
I can not create an account with the name like "host/xxx", therefore
this approach is also not viable.
Does anyone have an idea how to fool ACS that it is a machine
authentication with wpa_supplicant / hostapd?
>>I am also making assumption that if I set the identity to
>>"host/mychinename" then ACS(or AD) will think this is a machine
>>authentication (since I can see XP sending this as username in
>That's probably true; that's likely the only way it knows, actually.
>(Depending on your domain, it may be possible to authenticate as
>machinename$ instead of host/machine.dns.name, but I'd use the host/
>version instead if possible.)
>>Then I hope if I use the machine cert or machine password with the
>>hostname as identity it will make ACS believe it is machine
>I would guess that this is what happens on the ACS side. (However, I
>don't know how ACS maps that machine authentication to a user when the
>user tries to log on. Maybe it's just the MAC address that the AP adds
>(the RADIUS calling station ID attribute). That might be fragile though.)
More information about the HostAP