Machine authentication

Jacky wyqjnm at gmail.com
Wed Mar 29 16:42:11 EST 2006 

Thanks for your response.

>Which EAP method are you using?
>
What EAP method should I use for machine authentication?
Actually the real question should be:
What Windows XP is using during the machine authentication?
I have:
1. enabled XP's 802.11x authentication in the network settings.
2. Used "Smart Card or other Certificate"
3. enabled "Authenticate as computer when computer information is available"
4. enabled "Use a certificate on this computer"
5. enabled "Use simple certificate selection (Recommended)"

>>More specifically, in Cisco's ACS, there is a setting called "Enable 
>>machine access restrictions". Does wpa_supplicant support that?
>>    
>>
>
>Could you please give more details on what this setting is supposed to
>do? Or at least provide ACS version number and location of that setting
>in its configuration UI.
>
>  
>

I am usgin ACS v3.1.  The setting is in External User Database -> 
Windows Database -> Configure -> Windows EAP Settings -> Machine 
Authentication
checked three options:
1. Enable PEAP machine authentication
2. Enable TLS machine authentication
EAP-TLS and PEAP machine authentication prefix: host/
3. Enable machine access restriction
    Aging time: 12
    Group map for successful user authentication without machine 
authentication: No Access

I have got an error for ACS when I enabled the machine access restriction :
"External DB user access denied (Machine Access Restriction).

The documentation for the above options show below
==========
Windows EAP Settings

The Windows EAP Settings table controls various options for EAP 
authentication.
Enable password change inside PEAP or EAP-FAST --
If you want to enable password changes with PEAP(EAP-MSCHAPv2), 
PEAP(EAP-GTC), and EAP-FAST(EAP-GTC), select this checkbox.

EAP-TLS Strip Domain Name --
If you want Cisco Secure ACS to remove the domain name from a username 
derived from the Subject Alternative Name (SAN) field in an end-user 
certificate, select this checkbox.

Enable PEAP machine authentication --
If you want to enable machine authentication using machine name and 
password with PEAP(EAP-MSCHAPv2), select this checkbox.

Enable EAP-TLS machine authentication --
If you want to enable machine authentication using machine certificates 
with EAP-TLS, select this checkbox.

EAP-TLS and PEAP machine authentication name prefix --
you want Cisco Secure ACS to substitute a different string of characters 
for the string "host/" at the beginning of any machine name being 
authenticated by PEAP(EAP-MSCHAPv2) or EAP-TLS, type the string in this box.

Enable machine access restrictions --
To use machine authentication as a condition for user authorization, 
select this check box. Microsoft PEAP and EAP-TLS users accessing the 
network with a computer that failed machine authentication are 
authenticated normally but receive only the authorizations defined by 
the group mapping list, below.

Aging time (hours) --
The number of hours that Cisco Secure ACS caches a successful machine 
authentication. For as long as successful machine authentication is 
retained in the cache, the machine access restrictions feature can use 
it to determine whether to limit a user to the group specified in the 
group mapping list, below.

Group map for successful user authentication without machine 
authentication --
When the machine access restrictions feature is enabled, this list 
specifies the user group whose authorizations are applied to an EAP-TLS 
or Microsoft PEAP user who passes authentication but uses a computer 
that failed machine authentication.
=========

More information about the HostAP mailing list