- Citrix Gateway
Objective
This article contains information about how to configure NetScaler Gateway EPA to scan the Media Access Control (MAC) address to authenticate the IP address of the user.
Background
When authenticating the MAC address of an internet user against predefined combinations of MAC addresses and IP addresses, the network-based MAC address scan fails. This is because the network traffic from the internet does not contain the actual MAC address of the user. The MAC address available with the network traffic is that of a gateway or an intermediate appliance.
Therefore, to scan the MAC address from the computer of the user, a registry-based scan or a Client Security scan must be performed.
Instructions
Registry Based Method
Complete the following procedure to perform a registry-based scan for the MAC address of an internet user to authenticate them against predefined combinations of MAC addresses and IP addresses:
Note: The following procedure contains a sample configuration with registry scan to search the MAC address or an equivalent entry in the registry of the computer.
Search for the MAC address in the registry of the computer. An exact match of the MAC address might not be easy to find. However, you can search for an equivalent entry for the MAC address. To search, run the following command from the command prompt:
net config rdr
The following is the sample output of the command:
The command completed successfully.
Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.
Run the following command from the command prompt to start the Registry Editor utility:
regedt32
Note: Do not use the regedit command to start the Registry Editor utility. You cannot make the appropriate search if you run the regedit command.
Search the key identified in Step 1, such as A38A41F5-783E-4AED-9035-A2798922CE33, in the registry of the computer.
The search for the sample entry displays that the key exists at the following location in the registry:
The following screen shot displays the location of the key in the Registry Editor Window:
In addition, the search shows that the sub key for this entry is NetCfgInstanceId. To locate the actual network interface card (NIC), ensure that you check all the options available under the entry. In the preceding screen shot, the Status Bar of the Registry Editor Window displays the complete path of the sub key.
Run the following command from the command line interface of the NetScaler appliance to add the path that is identified in the preceding steps of the procedure:
add aaa preauthenticationpolicy scan_epa q/CLIENT.REG(HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\0011_NetCfgInstanceId).VALUE == '{A38A41F5-783E-4AED-9035-A2798922CE33}' && REQ.IP.SOURCEIP == 10.103.0.42/ EPA
In this command, scan_epa is the name of the policy and EPA is the name of the action.
Run the following command from the NetScaler CLI to enable pre-authentication checks:
set aaa preauthenticationparameter -preauthenticationaction ALLOW -rule ns_true
Note: Use this procedure to authenticate a small group of users. However, it might not be practical to add each of the large number of Secure Access (SSL VPN) users.
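The registry search in the procedure above comes down to finding which 00NN subkey of the network adapter class key holds the NetCfgInstanceId of the user's adapter. The following PowerShell is an added example, not part of the Citrix article: it lists every adapter subkey with its NetCfgInstanceId and flags adapters whose MAC address differs from the burned-in one, which is worth knowing because every value this scan relies on is set on the client. The function name Get-AdapterClassEntry is hypothetical, and Get-NetAdapter is assumed to be available (Windows 8 / Server 2012 or later).

```powershell
# Added example, not part of the Citrix article.
$ClassGuid = '{4D36E972-E325-11CE-BFC1-08002BE10318}'   # network adapter class key used in the article
$ClassKey  = "HKLM:\SYSTEM\CurrentControlSet\Control\Class\$ClassGuid"

function Get-AdapterClassEntry {   # hypothetical helper name
    param(
        [string]$InstanceId        # optional: GUID found in step 1, with or without braces
    )

    # Index live adapters by interface GUID so current and burned-in MACs can be compared.
    $live = @{}
    Get-NetAdapter -IncludeHidden -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceGuid } |
        ForEach-Object { $live[$_.InterfaceGuid.ToUpper()] = $_ }

    Get-ChildItem -LiteralPath $ClassKey -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d{4}$' } |     # 0000, 0001, ...; skips "Properties"
        ForEach-Object {
            $p = Get-ItemProperty -LiteralPath $_.PSPath
            if (-not $p.NetCfgInstanceId) { return }           # not a bound adapter entry

            $id = $p.NetCfgInstanceId.ToUpper()
            if ($InstanceId -and $id.Trim('{}') -ne $InstanceId.Trim('{} ').ToUpper()) { return }

            $nic     = $live[$id]
            $current = if ($nic) { $nic.MacAddress       -replace '[-:]', '' }
            $burned  = if ($nic) { $nic.PermanentAddress -replace '[-:]', '' }

            [pscustomobject]@{
                SubKey           = $_.PSChildName              # the 00NN part of the EPA registry path
                DriverDesc       = $p.DriverDesc
                NetCfgInstanceId = $p.NetCfgInstanceId         # value the EPA expression compares
                CurrentMac       = $current                    # no colons or dashes
                RegistryOverride = $p.NetworkAddress           # set when the MAC is overridden in the registry
                MacChanged       = [bool]($p.NetworkAddress -or
                                   ($burned -and $current -and $burned -ne $current))
            }
        }
}

# All adapters, or only the one whose GUID was found in step 1 (sample GUID from the article).
Get-AdapterClassEntry | Format-Table -AutoSize
Get-AdapterClassEntry -InstanceId 'A38A41F5-783E-4AED-9035-A2798922CE33' | Format-List
```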
Non-Registry Based Method
The following is the preauthentication policy for MAC address and domain check:
EPA MAC check: CLIENT.SYSTEM('MAC_ADDR_anyof_XXXXXXXXXXXX[COMMENT: MAC Address]') EXISTS
Note: Do not use colons, spaces, or dashes in the MAC address.
To enable preauthentication policy for MAC address, run the following command from CLI:
add aaa preauthenticationpolicy <policy name> "CLIENT.SYSTEM('MAC_ADDR_anyof_<MAC address>[COMMENT: MAC Address]') EXISTS" <Action Name>
Additional Resources
For Mac clients, the MAC address filter in EPA is as follows:
CLIENT.SYSTEM(MAC-MAC_ADDR_anyof_<MAC-addr>[COMMENT: MAC Address]) EXISTS
whereas for Windows it appears as:
MAC_ADDR_anyof_<MAC-addr>[COMMENT: MAC Address]
Disclaimer
Many people mistakenly believe that changing the MAC address of a computer is not possible or that it requires complex software. That is not true. Changing the MAC or physical address of your computer is very simple. A MAC (Media Access Control) address, also called Ethernet Hardware Address (EHA), hardware address, adapter address or physical address, is a quasi-unique identifier assigned to most network adapters or network interface cards (NICs) by the manufacturer for identification. If assigned by the manufacturer, a MAC address usually encodes the manufacturer’s registered identification number. Although intended to be a permanent and globally unique identification, it is possible to change the MAC address on most of today’s hardware, an action often referred to as MAC spoofing.
The MAC address can be changed by using the Windows Registry Editor. The method has been successfully tested on different wired Ethernet adapters, wireless adapters, etc.
Change Mac Address In Registry
Follow the steps below and your MAC will be changed in seconds:
Step 1: Open Registry Editor (press Start + R, type regedit and press Enter). If you get a message like “Your Registry Editor Has Been Disabled By Your Administrator”, then you need to enable it.
Step 2: After opening Registry Editor successfully, see the left pane of your registry editor. You can find a series of registry keys. You have to follow the path as:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4D36E972-E325-xxxx}
For the last key, search for the red highlighted part in your editor. You can refer to the image below:
Step 3: After opening the last key you will see a set of keys like 0000, 0001, 0002 etc. You have to open each key and search for values that correspond to your network adapter. For example, I have an Intel(R) PRO/100 VE Network Connection. So in the right side of the editor I found a value which contains this name. This is how we identify the key for the network adapter. For me, I got the key in 0007.
Step 4: Now search for the value NetworkAddress inside the key you have found. If you can't find it, right-click and create a new String Value with the name NetworkAddress.
Step 5: Now set the value to your MAC address. After changing the value, you can close Registry Editor.
Step 6: Now go to Network Connections and disable your adapter. Right-click and select Disable.
After it is disabled, double-click the network adapter to enable it again.
Step 7: Now go to the status of the adapter and check the MAC address.
You will find your desired MAC address. Now you have changed your physical address successfully.
Important:
1. This method will not work for Windows Network Bridges.
2. If you keep an invalid MAC address value, your adapter will not function properly.