
Citrix ADC EPA preauthentication policy MAC ADDRESS


Hello everybody,

I'm trying to use a data set or data pattern set in my EPA preauthentication policy expression, using MAC address filtering.

Because I have a lot of MAC addresses to add and I do not want to add those in my native EPA preauth policy.

First question: is there a character limit in the expression?

Second question: I tried several syntaxes with data set or data pattern set, but it seems that I'm not using the right one. If someone could help me find the right expression to use, it would be great!

Thank you!

Fred

This thread has a lot of examples on pattern sets/datasets and the typecasting that you need (for IP addresses), but it should get you started with both for MAC addresses.

https://discussions.citrix.com/topic/409145-netscaler-policy-assistance/

I'll have to mock up a simpler example later that's for your specific question if you don't get a quicker response.

Hello,

Thank you Rhonda.

One more simple question: is it possible to use a pattern set in classic EPA preauthentication? I saw on the forum it wasn't, and I'm trying to use the syntax I saw in the topic you forwarded to me, but nothing works...

Do I have to use an nFactor EPA advanced policy? Same question: I'm not sure that I can use a pattern set in those policies...

Fred

Nope, patternsets and datasets are advanced engine and not classic.

To do preauth scans in the advanced engine, you run them via the EPA policies in an nFactor/authentication vserver integration, and the EPA (for actual EPA scans) or the MAC address filter policies run before your authentication behavior.

For a large number of MAC addresses a callout might be better.

Thanks, I understand.

Yes, I would be interested in an example if it's possible for you, concerning the expressions that run before...

For a large number of MAC addresses a callout might be better => in fact, my customer wishes to enter the MAC addresses of all the users... When you say "callout", what do you mean? (excuse my poor English ;-))

HTTP Callout is an advanced engine feature that allows you to build a policy expression that is based on the results from a remote entity.

You can then build a list of allowed (or denied) MAC addresses in a remote server or database. Make a web frontend for it. Use the policy filter expression to look at the callout result (such as IP not in allowed MAC list) and use that to drop or allow traffic.

You can usually involve callouts in responder policy filter decisions, so as long as we can get it to run pre-authentication, it should work (without needing the advanced engine equivalent of preauth policies).

Callouts are in the admin guide under "AppExpert".
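The remote allow list described above, as an added example that is not from the thread or from Citrix: a minimal service the ADC's HTTP callout could query, which canonicalises the MAC address formats it may be handed and fails closed. The GET /check?mac= request shape, the ALLOW/DENY text body and the sample addresses are assumptions, since the callout request and the expression that parses its response are configured on the ADC side.

```python
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample allow list (not from the thread). In a real deployment
# this would be loaded from the database behind the web frontend.
ALLOWED_MACS = {
    "00:50:56:aa:bb:01",
    "00:50:56:aa:bb:02",
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> Optional[str]:
    """Canonicalise 00:50:56:AA:BB:01, 00-50-56-aa-bb-01 or 0050.56aa.bb01 to
    lower-case colon form; return None for anything that is not 12 hex digits."""
    digits = re.sub(r"[:.\-]", "", raw.strip().lower())
    if not _HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def decide(raw_mac: Optional[str], allowed=ALLOWED_MACS) -> str:
    """Fail closed: a missing, malformed or unlisted MAC is DENY."""
    mac = normalize_mac(raw_mac) if raw_mac else None
    return "ALLOW" if mac in allowed else "DENY"


class CalloutHandler(BaseHTTPRequestHandler):
    """Answers GET /check?mac=<addr> with a plain-text ALLOW or DENY body
    (assumed request/response shape; the ADC callout config defines the real one)."""

    def do_GET(self):
        url = urlparse(self.path)
        mac = parse_qs(url.query).get("mac", [None])[0]
        verdict = decide(mac) if url.path == "/check" else "DENY"
        body = verdict.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), CalloutHandler).serve_forever()
```

Keeping the verdict to a fixed pair of strings makes the ADC-side response check a simple equality test, and leaves the full list on the server instead of in a length-limited policy expression.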

Thank you for the time you spend answering me.

I did not see your message: we may have 100 MAC addresses to add, so I think we won't go to the HTTP callout.

I tried to create a responder policy beginning with CLIENT.ETHER.SRCMAC.EQ(00:50:56:XX:XX:XX).NOT, without the use of a data set, but it does not work anymore (ERR connection RESET) and I can't connect to my gateway because I think that the ADC does not see my MAC address.

You'll have to get to a console to remove the setting then.

Yeah, I was focusing on just IP filters and callouts in general. Your endpoint MAC address is not seen when you are remote connecting to the gateway, as you are connecting via routers and other intermediate devices. So for MAC filtering in-network it's possible to filter this way; for remote, you would have to identify the MAC by EPA scan. Sorry, wasn't really thinking about remote gateway access in the context of this question... just the syntax capabilities.

NOTE: EPA scans require the VPN universal license (not the ICA proxy only license), and the use of the EPA client (which the VPN client includes, but is only available for Windows/Mac and not mobile devices). Client certs would be another way to control device access.

Ok thank you Rhonda.

If I summarize, and please correct me if I'm wrong:

- To filter MAC addresses with NetScaler Gateway, I have to use an EPA scan

- The expression in an EPA scan is limited to 1499 characters, so I cannot add more than 9 MAC addresses

- The use of a Data Set or Pattern Set is not possible with EPA expressions because they use classic syntax and Data Set or Pattern Set use default syntax

- Filtering MAC addresses using a responder policy is only possible in the internal network

Thank you again!
